Malware problem


Wraith
10-28-2009, 10:49 PM
I've been trying to fix a malware problem on a PC and haven't been having any luck. The main problem is that search engine results are often getting redirected to totally different URLs. In short, I've run several antivirus/antimalware/antispyware apps, but the problem remains.

In detail:

Say I'll search for something on Yahoo, click a search result for Wikipedia (or some other site I recognize) and instead get sent to a totally different URL. Sometimes these sites get blocked by an ISP site filter, sometimes not. I usually hit Back quickly enough before the actual page loads. There are a number of different domains it gets redirected to (but they all appear to have the same site icon). It doesn't happen every time I click a search result. I can usually get the redirect, back out, click the same search result, and then it works. Or click another result, and may not get redirected. Not my PC, so I don't know exactly what triggered it. Shouldn't have been an e-mail attachment, or intentionally installing a suspicious application.

The PC is running AVG. I've scanned with AVG, Malware Bytes, Spybot, Super Antispyware, and Panda's online scan. They've found and removed some things, but the problem persists. Trying Spyware Doctor next, but not expecting a fix. I've checked the hosts file, but the only entries there are from Spybot (redirecting a list of 'bad' urls to localhost).

At one point, the PC was having even worse problems (couldn't open task manager or msconfig, couldn't boot into safe mode), so I did a system restore to a couple days back, and those issues went away. This may have been caused by getting a malicious site after a redirect; the redirect problem was there before this other stuff happened, and is still there. As far as I know, none of these problems were there before last week. Before all this happened, the system was up to date, except for running IE7. And it had AVG 8.5.x, though I didn't upgrade it to 9.0.x (released a few months back) until after I started trying to fix it.

I could try doing a system restore to a point earlier this month. I'd like to just do a reformat and start fresh, but this is an eMachines, and I don't know where the Operating System Recovery disc is. I have a copy of XP Home OEM that I could use, but it is still being used (infrequently) on an older system.

I've searched online a bit, but haven't found any one specific name or solution for this problem.

Any suggestions?
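Wraith mentions checking the hosts file and finding only Spybot's localhost entries. For a reader who wants to see what that check actually distinguishes, here is an added example (not from anyone in this thread): a small Python triage of a hosts file that separates sinkhole entries (a domain pointed at 127.0.0.1 or 0.0.0.0, which is what Spybot's immunization writes) from redirect entries (a real domain pointed at some other address, which is what a hijack looks like). The sample hosts content is constructed for the example; the Spybot-style lines mimic the shape of that block and the two 203.0.113.7 lines are a made-up hijack using a TEST-NET address. The watched-domain list is an assumption, not something from the thread.

```python
import ipaddress

# Constructed sample hosts file (not the poster's actual file). The Spybot
# block mimics the "bad domains pointed at localhost" entries described in
# the thread; the last two lines are the shape a hijack would take.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0   008i.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7   www.google.com        # constructed hijack entry (TEST-NET address)
203.0.113.7   search.yahoo.com      # constructed hijack entry
"""

# Addresses that make an entry a sinkhole rather than a redirect.
SINKHOLES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# Assumed list of domains whose redirection would matter most here.
WATCHED = ("google.com", "yahoo.com", "bing.com", "wikipedia.org")


def parse_hosts(text):
    """Return [(ip, hostname), ...], skipping comments, blanks and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address, so not a mapping
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def matches_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def triage_hosts(text):
    """Split entries into benign sinkholes and redirects that need a look."""
    blocked, redirects = [], []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if ip in SINKHOLES:
            blocked.append(host)                # domain is black-holed: benign
        else:
            redirects.append({"host": host, "ip": str(ip),
                              "watched": matches_watched(host)})
    return {"blocked": blocked, "redirects": redirects}


if __name__ == "__main__":
    result = triage_hosts(SAMPLE_HOSTS)
    print(len(result["blocked"]), "sinkhole entries (benign)")
    for entry in result["redirects"]:
        print("REDIRECT", entry)
```

On XP the file is %SystemRoot%\system32\drivers\etc\hosts, and the path Windows actually reads is the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so check that the value still points there. Two caveats worth keeping in mind: a hosts entry rewrites every lookup of that name, so it produces a redirect on every visit rather than the intermittent, per-click behaviour described above, and a hosts file that looks clean says nothing about what a kernel-level component might be doing to DNS replies or browser traffic.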

Wraith
10-28-2009, 11:33 PM
Guess spyware doctor doesn't fix anything for free.

Willing to consider a paid app, if it would actually fix the issue.

H.Bogard
10-28-2009, 11:37 PM
First of all, go get Hijackthis. It scans your registry/startup for unverified entries and also gives you a relatively detailed task monitor. Run a scan with that thing and check to see if you can spot an unrecognized startup program or a BHO (browser helper object) in there. Post the scan results here using the code tags if you're unsure, I'll try my best to discern.

Rogue_hunter
10-28-2009, 11:40 PM
I had a search hijacking problem because one of the extensions I used in Firefox added in their own custom search, even though it was a page translation extension. At first you could just go into the settings and disable it but the most recent update forced it, and the webpage to change the settings would no longer accept any changes.

That probably won't help, but maybe check stuff that you've recently installed?

Wraith
10-28-2009, 11:43 PM
Thanks, I'll have to run hijackthis tomorrow. (I've known about it, but haven't tried it yet.) I didn't notice anything in msconfig or IE's addons list, at least.

Wraith
10-28-2009, 11:45 PM
That probably won't help, but maybe check stuff that you've recently installed?
It happens in IE and firefox, so shouldn't be a browser-specific addon.

Wally
10-29-2009, 03:47 PM
Might try looking into autoruns, it lists almost everything that is loaded during boot up and has an option to disable almost all of them.

alienmastermind
10-29-2009, 03:54 PM
Okay...My computer died just after getting this little lovely. I don't know if that's what caused it, but it was pretty horrendous.
Here's this:

http://help.lockergnome.com/general/Search-Engine-Redirect-caused-virus-plz-help--ftopict56667.html

Hope it helps, man.

Wraith
10-29-2009, 04:04 PM
Okay...My computer died just after getting this little lovely. I don't know if that's what caused it, but it was pretty horrendous.
Here's this:

http://help.lockergnome.com/general/Search-Engine-Redirect-caused-virus-plz-help--ftopict56667.html

Hope it helps, man.

What happened that ended up killing it?

The system I'm trying to fix is still working, as far as I can tell (apart from the redirects, and the other issues I mentioned that I fixed by doing a system restore).

I'll see if I get some of the same entries listed in that thread after I run Hijackthis.

alienmastermind
10-29-2009, 05:27 PM
It was a dual problem. I got the virus from a bad PDF, which took advantage of the big leaky holes in Adobe Acrobat and some of its functions, and this was one of the icky things that ended up on the machine.

*sigh*

Now, I double bag my machine. :D

Karak
10-29-2009, 05:42 PM
Ya I second hijackthis. It can look like one scary ass bitch when you first see what it jets out. But many people use it with amazing results.

That sucks man. We have all been there. If Malwarebytes and perhaps Combofix(Great working thing there) don't fix it, hijackthis may not be enough to allow others to help you fix it either. But run it and see.

Wraith
10-29-2009, 06:24 PM
Haven't tried combofix yet. Should I run that before hijackthis? (I scanned w/ hijackthis, but haven't gotten to posting it yet. I can rescan again after combofix.)

Wraith
10-29-2009, 08:43 PM
So here's the Hijackthis log. Looking over the entries, the only one I definitely know is not legit is this one:

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - http://coolsavings.coupons.smartsource.com/download/cscmv5X.cab

But the only symptom for coolsavings is supposed to be popup ads, which I'm not seeing. Symantec (http://www.symantec.com/security_response/writeup.jsp?docid=2005-110315-1439-99)

Haven't removed anything just yet. Recommendations on what to remove are appreciated.

Full log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:01 PM, on 10/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?ade1139332c548f48d05d74ce746ae57
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?ade1139332c548f48d05d74ce746ae57
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - http://coolsavings.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
O23 - Service: Google Update Service (gupdate1c9f8286f369c40) (gupdate1c9f8286f369c40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9880 bytes
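Reading a HijackThis log by hand comes down to a handful of rules: an O2 BHO with "(no file)" is an orphaned CLSID, an O16 entry with no friendly name is an ActiveX control nobody labelled, an O4 autorun launching from a user-writable directory needs its publisher verified, an O20 Winlogon Notify DLL runs at every logon, and an R0/R1 URL should point at a host you expect. As an added example (not code from the thread or from Trend Micro), here is a Python script that applies those rules to lines copied from the log above. The trusted-host and user-writable-path lists are assumptions for the example; the rules flag entries for review, not for deletion, and on this log two of the hits are known-good (the AVG Winlogon DLL and Google's per-user updater), which is the point: the tool narrows the list, the human decides.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted above (a subset, not the whole log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - http://coolsavings.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# Assumed: hosts that may legitimately own IE's start/search URLs on a stock XP box.
TRUSTED_URL_HOSTS = ("microsoft.com", "live.com", "msn.com")
# Assumed: autorun entries launching from under these paths get a publisher check.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")

LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")


def in_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_hjt(log_text):
    """Return [(section, reason, original line), ...] for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                  # header, process list, blank
        section, body = m.groups()
        low = body.lower()
        if section in ("R0", "R1") and "=" in body:
            host = urlsplit(body.split("=", 1)[1].strip()).hostname or ""
            if not in_domain(host, TRUSTED_URL_HOSTS):
                findings.append((section, "IE home/search URL on an untrusted host", raw))
        elif section == "O2" and low.endswith("(no file)"):
            findings.append((section, "orphaned BHO CLSID, DLL gone (clean up, low risk)", raw))
        elif section == "O4" and any(p in low for p in USER_WRITABLE):
            findings.append((section, "autorun from a user-writable path, verify publisher", raw))
        elif section == "O16" and re.search(r"\}\s+-\s+http", body):
            # named controls read "{CLSID} (Friendly Name) - http://..."; this one has no name
            findings.append((section, "ActiveX download with no friendly name", raw))
        elif section == "O20":
            findings.append((section, "Winlogon Notify DLL loads at logon, verify it", raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the full log it would also be worth adding the O23 services and the running-process list to the review, since HijackThis shows the on-disk path but not whether the file is signed; a log like this one, where every entry resolves to a known product, is exactly the case Karak describes where HijackThis alone is not enough, because a driver-level infection never appears in any of these sections.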

H.Bogard
10-29-2009, 09:00 PM
Get rid of the coolsavings entry anyway. You need to check your startup, too.

Registry editor -> Local machine/Software/Microsoft/Windows/Currentversion/Run (and Runonce)

Check all the entries there, too... aside from HJT's own startup items list.

Wraith
10-29-2009, 09:41 PM
Get rid of the coolsavings entry anyway. You need to check your startup, too.

Registry editor -> Local machine/Software/Microsoft/Windows/Currentversion/Run (and Runonce)

Check all the entries there, too... aside from HJT's own startup items list.

Nothing suspicious there...


AVG9 tray
Malwarebytes
PDUiP6600DMon - Canon printer memory card utility
Quicktime Task (should take that out of msconfig yet again)
Recguard (related to the recovery partition)
SoundMan (volume)
SunKistEM - c:\Program Files\Digital Media Reader\shwiconem.exe - for the multi card reader.


Then just a few simple flags under Run>OptionalComponents>IMAIL, MAPI, MSFS. Nothing under RunOnce or RunOnceEx.

Removed coolsavings from Hijackthis list. Going to look into Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) next.

Wraith
10-29-2009, 10:44 PM
I think ComboFix's done it.

I ran a scan. It said detected rootkit activity, prompted for restart. Ran the scan after rebooting. I can post the whole log, if anyone wants to check it for other items it didn't catch, but here's the Deletions section:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2328519134-2310778436-453668164-1003
c:\recycler\S-1-5-21-3694346189-3127876365-4146251934-1003
c:\windows\Downloaded Program Files\CpnMgr.dll
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
After ComboFix finished, I tried a few search results and haven't seen it redirect yet. That infected atapi.sys must have been it. I see atapi.sys at that location, dated 4/13/08, so I guess ComboFix fixed it?

I know I've seen CpnMgr.dll mentioned by another app, but thought it was fixed. Wasn't able to actually see the file in that directory (even with system files/hidden files shown in view settings). Not sure what the items in \recycler\ were. I'd just emptied the recycle bin before the scan. D:\Autorun.inf was probably harmless. D is the emachines recovery partition, and I think that autorun just blocks you from exploring the contents of the partition. (At least right-clicking D: drive, Explore didn't show you anything before. Now it does.)

So I'll cross my fingers and hope it's all gone, make sure the behavior doesn't return. Thanks for the help, suggestions everyone.
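Wraith's last question, whether a 4/13/08 date on atapi.sys means ComboFix restored it, is the one check a practitioner would not answer from a timestamp: an infection that patches a driver in place can keep the file's size and date exactly as they were, and a restore tool can just as easily write a file with the original date. The only thing that settles it is content, compared against a reference copy (on XP, %SystemRoot%\system32\dllcache\atapi.sys or %SystemRoot%\ServicePackFiles\i386\atapi.sys, assuming those are present and themselves untouched). Here is an added Python example, not from anyone in the thread, that does that comparison and shows why the date alone is misleading; the demo builds two constructed stand-in files with identical size and date and a two-byte difference, it does not touch a real driver.

```python
import hashlib
import os
import tempfile
import time


def sha256_of(path):
    """Hash a file in chunks (drivers are small, but do not assume that)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver(live_path, reference_path):
    """Compare the live driver with a reference copy; content decides, not dates."""
    live, ref = os.stat(live_path), os.stat(reference_path)
    same_mtime = int(live.st_mtime) == int(ref.st_mtime)
    same_size = live.st_size == ref.st_size
    same_hash = sha256_of(live_path) == sha256_of(reference_path)
    if same_hash:
        verdict = "match"
    elif same_mtime and same_size:
        verdict = "MISMATCH despite identical date and size"
    else:
        verdict = "MISMATCH"
    return {"same_mtime": same_mtime, "same_size": same_size,
            "same_hash": same_hash, "verdict": verdict}


def demo():
    """Constructed scenario: same size, same date, two bytes patched."""
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "atapi.sys")
    ref = os.path.join(workdir, "atapi.sys.reference")
    clean = b"MZ" + b"\x00" * 1022                       # stand-in bytes, not a real driver
    patched = clean[:512] + b"\xeb\xfe" + clean[514:]    # a two-byte patch, same length
    with open(ref, "wb") as f:
        f.write(clean)
    with open(live, "wb") as f:
        f.write(patched)
    stamp = time.mktime((2008, 4, 13, 12, 0, 0, 0, 0, -1))  # the date Wraith saw on atapi.sys
    os.utime(live, (stamp, stamp))                            # both files now carry that date
    os.utime(ref, (stamp, stamp))
    return compare_driver(live, ref)


if __name__ == "__main__":
    print(demo())
```

Two caveats when doing this for real. A kernel-level rootkit that lives in a storage driver can answer reads of that driver's file with the clean bytes while the infected code stays in memory, so a comparison that comes back "match" from inside the running system is not conclusive; run it with the disk mounted from a clean boot medium or another machine. And a clean hash does not cover the other artifacts ComboFix listed (the RECYCLER directories, CpnMgr.dll, D:\Autorun.inf), which is why H.Bogard's advice to back up and rebuild is the safe ending once a rootkit has been confirmed.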

H.Bogard
10-29-2009, 11:26 PM
Glad it worked out for you. You might wanna use this opportunity to back up your data and start with a clean slate again.

Karak
10-30-2009, 08:18 AM
Nothing suspicious there...


AVG9 tray
Malwarebytes
PDUiP6600DMon - Canon printer memory card utility
Quicktime Task (should take that out of msconfig yet again)
Recguard (related to the recovery partition)
SoundMan (volume)
SunKistEM - c:\Program Files\Digital Media Reader\shwiconem.exe - for the multi card reader.


Then just a few simple flags under Run>OptionalComponents>IMAIL, MAPI, MSFS. Nothing under RunOnce or RunOnceEx.

Removed coolsavings from Hijackthis list. Going to look into Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) next.

I had a feeling combofix would work.

I am not sure about all the things it does. The company is pretty secret. The only thing I have heard is that they have a couple hackers on their actual staff that wrote the thing.
True/Untrue I am not sure. Just what I heard.

But I know running it randomly can F up your system.
Usually they talk about exact times you want to run it. This time would be one of those times:)

Cactaur
10-30-2009, 09:08 AM
Combofix sounds like chemotherapy for computers.