
[Resolved] Need help again, nasty attacks


This topic is locked
85 replies to this topic

#46 coastalbuck
Authentic Member, 68 posts

Posted 05 November 2009 - 05:42 PM

I didn't have much time but I checked a few things and this is what I found. If I google Yankees, and hover on the obvious Yankees.mlb.com link it says that at the bottom but when I click it, it redirects to malware-online-scaner.org (yes it was spelled wrongly) which drew a pop up from AVG and blocked it. The Yankees link that led to a NY times article led to Allgive.com, some stupid search engine. A google for Campbells soup produced the normal links, when hovering over the main company site it reads right but when clicked goes to info.com. Campbellkitchen.com another legitimate site when clicked leads me to btran.com, search engine again. Most of the time if you back arrow from the rogue site you will get another crazy link but sometimes it goes back to google. If you search for something odd, like moron, all seems to be normal, you can click Wiki, or anything else that comes up normally. Really annoying, funny, but still annoying.



#47 Noviciate
Retired WTT Teacher (Visiting Fellow), 2,907 posts

Posted 06 November 2009 - 02:34 PM

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download Dr Web Cureit from here and save it to your Desktop.

2) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Double click drweb-cureit.exe to begin - the program takes a few seconds to open so give it time.
  • Click Start.
  • When a new window appears, click OK to start the express scan - this will only take a short while.
  • If anything is found, click Yes when you are asked if you want to Cure?
  • Once the express scan has finished, click the Select drives button on the left - this will place a red dot over all of your hard drives.
  • Click the green arrow on the right and the main scan will begin.
  • If you see a pop-up informing you of an infected file and asking if you want to Cure? or Move?, click Yes to All.
  • Now all you can do is wait while the scan completes as it needs no further action on your part.
  • Once the scan has completed, you may see a list of infected files appear.
    • If so, there will be a button to the left of them that resembles a pile of papers with a red tick on top - click it.
    • A green dot will appear over each of the file icons and also light up four more buttons.
    • You need to click the second one down that resembles a green cup and select Move incurable from the menu that appears.
  • Then from the main menu (top left), click File > Save report list.
  • You will need to change the filename from DrWeb to "DrWeb.txt" - it is important that you include the quotation marks.
  • Click Save and the report will be saved by default to My Documents although you can save it elsewhere if you wish.
  • Close DrWeb Cureit.
2) Reboot your PC.

Post a fresh HJT log, the contents of DrWeb.txt AND a description of how your PC is running.
Death to the salad eaters!

#48 coastalbuck
Authentic Member, 68 posts

Posted 06 November 2009 - 06:35 PM

I ran the Dr. Web. It found nothing and wouldn't let me save a log. I'll check searches tomorrow and post back. Anything else you want me to do let me know before then. Working on it a little this morning. Google is still a misdirecting mess, even when you click a google sponsored search link in a web page. Machine is working ok, quite sluggish online and while running applications. I was scanning some documents yesterday and it was really slow.

Edited by coastalbuck, 07 November 2009 - 05:40 AM.


#49 Noviciate
Retired WTT Teacher (Visiting Fellow), 2,907 posts

Posted 07 November 2009 - 04:14 PM

Have your AV run a full system scan and let me know what it finds.
Death to the salad eaters!

#50 coastalbuck
Authentic Member, 68 posts

Posted 08 November 2009 - 05:27 AM

Ran full AVG last night.

Scan "Scan whole computer" was finished.
No infection was found during this scan
Folders selected for scanning:;"Scan whole computer"
Scan started:;"Saturday, November 07, 2009, 8:08:20 PM"
Scan finished:;"Saturday, November 07, 2009, 11:32:08 PM (3 hour(s) 23 minute(s) 47 second(s))"
Total object scanned:;"417230"
User who launched the scan:;"Owner"

Warnings
File;"Infection";"Result"
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt;"Found Tracking cookie.Advertising";"Moved to Virus Vault"
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt:\advertising.com.1820df7a;"Found Tracking cookie.Advertising";"Moved to Virus Vault"
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt:\advertising.com.203aa218;"Found Tracking cookie.Advertising";"Moved to Virus Vault"
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt:\advertising.com.b624fa46;"Found Tracking cookie.Advertising";"Moved to Virus Vault"
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt:\advertising.com.f62113d5;"Found Tracking cookie.Advertising";"Moved to Virus Vault"
C:\Documents and Settings\Owner\Cookies\owner@pointroll[2].txt;"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
C:\Documents and Settings\Owner\Cookies\owner@pointroll[2].txt:\pointroll.com.72c0abc9;"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
C:\Documents and Settings\Owner\Cookies\owner@pointroll[2].txt:\pointroll.com.f2d5a6f6;"Found Tracking cookie.Pointroll";"Moved to Virus Vault"

#51 Noviciate
Retired WTT Teacher (Visiting Fellow), 2,907 posts

Posted 08 November 2009 - 01:45 PM

You have an entry in your log that points to a file on your PC that I would like to have checked - if it is still present.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following file and then click on Submit:

C:\Windows\System32\drivers\atapi.sys

When all the scans have been completed, please copy and paste the results into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
These files are hidden to stop you accidentally removing something important. It is advisable to hide them again after you have done.
Death to the salad eaters!

#52 coastalbuck
Authentic Member, 68 posts

Posted 08 November 2009 - 05:40 PM

Nothing there.

[ArcaVir] 2009-11-06 Found nothing
[G DATA] 2009-11-07 Found nothing
[A-Squared] 2009-11-07 Found nothing
[Ikarus] 2009-11-06 Found nothing
[Avast! antivirus] 2009-11-06 Found nothing
[Kaspersky Anti-Virus] 2009-11-06 Found nothing
[Grisoft AVG Anti-Virus] 2009-11-06 Found nothing
[ESET NOD32] 2009-11-06 Found nothing
[Avira AntiVir] 2009-11-06 Found nothing
[Norman Virus Control] 2009-11-06 Found nothing
[Softwin BitDefender] 2009-11-06 Found nothing
[Panda Antivirus] 2009-11-06 Found nothing
[ClamAV] 2009-11-06 Found nothing
[Quick Heal] 2009-11-06 Found nothing
[CPsecure] 2009-11-06 Found nothing
[Sophos] 2009-11-07 Found nothing
[Dr.Web] 2009-11-07 Found nothing
[VirusBlokAda VBA32] 2009-11-06 Found nothing
[Frisk F-Prot Antivirus] 2009-11-06 Found nothing
[VirusBuster] 2009-11-06 Found nothing
[F-Secure Anti-Virus] 2009-11-06 Found nothing

This was also on the report screen.

File size: 96512 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 9f3a2f5aa6875c72bf062c712cfa2674
SHA1: a719156e8ad67456556a02c34e762944234e7a44
Packer (Kaspersky): PE_Patch

#53 Noviciate
Retired WTT Teacher (Visiting Fellow), 2,907 posts

Posted 09 November 2009 - 03:11 PM

I'll be completely honest, I have absolutely NO IDEA what is causing your redirection issues. I'll see if somebody else can take a peek and see if they can see what I can't and I'll let you know what, if anything, turns up as soon as I know more.
Death to the salad eaters!

#54 Noviciate
Retired WTT Teacher (Visiting Fellow), 2,907 posts

Posted 09 November 2009 - 04:32 PM

OK, the suggestions are starting to roll in, and not one has been obscenely biological yet - always a good sign! Will you clarify something first: Are the redirects only occurring when you use Google and no other search engines and are they occurring in just Firefox or in other browsers too?
Death to the salad eaters!

#55 coastalbuck
Authentic Member, 68 posts

Posted 10 November 2009 - 06:20 AM

The problem just seems to be with Google, not Yahoo or any others. As far as IE, I avoid it like the plague so I don't really know. I can check later today when I get back to the machine if you want. One other strange thing is the redirects happen when you click. If you hover over a link, the bottom bar reads it correctly; when you click, it changes to some other address. Maybe this is the norm but it just seemed strange to me. I do use Gmail frequently, possibly something is getting in with that.



#56 Noviciate
Retired WTT Teacher (Visiting Fellow), 2,907 posts

Posted 10 November 2009 - 02:49 PM

I'd like to know whether the problem is browser-wide or just with the 'Fox.
I'd also like you to do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    eapsvc32.dll
    eapsvc.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Death to the salad eaters!

#57 coastalbuck
Authentic Member, 68 posts

Posted 10 November 2009 - 06:44 PM

It does not seem to happen in IE. I tried a few searches and all seemed ok. Went back to firefox and did a search for Onkyo, all seemed fine. I followed that up with a Yankees search and the redirects kicked in again, was sent to a bunch of search engines on every click. Here is the check you asked for.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 19:23 on 10/11/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "eapsvc32.dll"
No files found.

Searching for "eapsvc.dll"
C:\WINDOWS\ServicePackFiles\i386\eapsvc.dll ------ 33792 bytes [15:21 24/09/2008] [00:11 14/04/2008] 2187855A7703ADEF0CEF9EE4285182CC
C:\WINDOWS\system32\dllcache\eapsvc.dll --a--c 33792 bytes [15:21 24/09/2008] [21:23 18/10/2009] 2187855A7703ADEF0CEF9EE4285182CC
C:\WINDOWS\system32\eapsvc.dll --a--- 33792 bytes [15:21 24/09/2008] [21:23 18/10/2009] 2187855A7703ADEF0CEF9EE4285182CC

-=End Of File=-

I'll keep trying search for a while to see what happens.
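As an added example (not code from this thread, and not SystemLook's own), here is a small Python parser for the `:filefind` section of a SystemLook log like the one posted above. It groups hits per searched name and flags a name whose copies (system32, dllcache, ServicePackFiles) do not all share one MD5 and size, which is the integrity question the helper's request is getting at. The sample log is constructed in the shape of the posted one; the tab separation and the assumption that the three copies normally agree are mine.

```python
import re

# Constructed sample in the shape of the SystemLook ":filefind" log posted in
# this thread (the eapsvc.dll entries carry the values from that post).
SAMPLE_LOG = """\
========== filefind ==========

Searching for "eapsvc32.dll"
No files found.

Searching for "eapsvc.dll"
C:\\WINDOWS\\ServicePackFiles\\i386\\eapsvc.dll\t------\t33792 bytes\t[15:21 24/09/2008]\t[00:11 14/04/2008]\t2187855A7703ADEF0CEF9EE4285182CC
C:\\WINDOWS\\system32\\dllcache\\eapsvc.dll\t--a--c\t33792 bytes\t[15:21 24/09/2008]\t[21:23 18/10/2009]\t2187855A7703ADEF0CEF9EE4285182CC
C:\\WINDOWS\\system32\\eapsvc.dll\t--a---\t33792 bytes\t[15:21 24/09/2008]\t[21:23 18/10/2009]\t2187855A7703ADEF0CEF9EE4285182CC

-=End Of File=-
"""
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
# One hit: path, six attribute flags, size, two bracketed timestamps, MD5 (tabs or spaces).
ENTRY_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+'
    r'\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$')

def parse_filefind(text):
    """Return {searched name (lower-case): [hit dict, ...]}; names with no hits map to []."""
    hits, current = {}, None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            hits.setdefault(current, [])  # record the name even if nothing is found
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()  # SystemLook prints upper-case MD5s
            hits[current].append(hit)
    return hits

def assess(hits):
    """Per name: copy count and whether all copies share one MD5 and size (assumption: on XP the system32, dllcache and ServicePackFiles copies normally agree)."""
    report = {}
    for name, entries in hits.items():
        md5s = {e["md5"] for e in entries}
        sizes = {e["size"] for e in entries}
        report[name] = {"copies": len(entries), "md5s": sorted(md5s),
                        "consistent": len(md5s) <= 1 and len(sizes) <= 1}
    return report
```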

#58 Noviciate
Retired WTT Teacher (Visiting Fellow), 2,907 posts

Posted 11 November 2009 - 02:25 PM

I'd like you to read back through my posts and run GMER as before, but boot into Safe Mode first - this may show up more than previously.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

Death to the salad eaters!

#59 coastalbuck
Authentic Member, 68 posts

Posted 14 November 2009 - 09:25 AM

I ran gmer twice, once in safe mode, once normally. The two logs follow respectively.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-14 06:07:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\awxoqpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----





GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-14 10:15:13
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\awxoqpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

I don't think it found anything, or, I'm not doing it right. It seemed to scan files, so maybe I did it correctly. The redirects remain, and the machine is quite slow and not very responsive. Start up takes forever as well, as does opening firefox or any other program for that matter.

#60 Noviciate
Retired WTT Teacher (Visiting Fellow), 2,907 posts

Posted 14 November 2009 - 02:23 PM

Unfortunately whatever you have is just trying very hard not to be noticed. I'll get back to you when the cavalry arrives.
Death to the salad eaters!
