
[Inactive] search hijacked or dns poisoned

Discussion in 'Malware and Virus Removal Archive' started by TonyT, 2008/09/23.

  1. 2008/09/23
    TonyT

    TonyT SuperGeek Staff Thread Starter

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    [Inactive] search hijacked or dns poisoned

    I have an issue I've never encountered before. If I do a search from the Google home page, the search results show the correct clickable titles, but the URLs for the results are find.com, find-more-here.com, etc. Just the first page of results is affected. There's a noticeable delay after clicking the search button, like something is intercepting the query.

    A client's system has the same issue.

    I ran every tool known to God, did manual searches on the system; no malicious files detected and no new files have been created/modified per ComboFix reports.

    This is very puzzling. I then thought that my ISP's DNS cache may be poisoned, so I changed my DNS servers to the OpenDNS IPs. Same search results.

    Here's a HjT log:

    (for those wondering, I have the old MS IE developer tools installed, and the last item, WinPcap, is for a network scanner)

    Logfile of HijackThis v1.99.1
    Scan saved at 10:00:46 PM, on 9/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HijackThis\HijackThis.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
    O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
    O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
    O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O15 - Trusted Zone: http://*.turbotax.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 208.67.222.222,208.67.220.220
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    What I've done so far:
    1. ComboFix: nothing found.
    2. No CoolWebSearch stuff.
    3. Changed DNS servers.
    4. Spybot, Ad-Aware, SUPERAntiSpyware... nothing found.
     
    Last edited: 2008/09/23
  2. 2008/09/23
    noahdfear

    noahdfear Inactive


  4. 2008/09/24
    TonyT

    TonyT SuperGeek Staff Thread Starter

    Yeah, I remember that report.
    Yes, it happens with any search, not specific items.

    Interesting thing is that if I click the search button again, after first search completes, using the same keyword(s) the correct results show up.

    Here's what the results look like:
    http://members.cox.net/tonyt/results.jpg
     
  5. 2008/09/24
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    When changing to OpenDNS did you flush the DNS cache?
     
  6. 2008/09/24
    TonyT

    TonyT SuperGeek Staff Thread Starter

    Yes. (I always flush!)
     
  7. 2008/09/24
    TonyT

    TonyT SuperGeek Staff Thread Starter

    Today, another odd thing occurred. I booted the comp, and after typing my pw, I got a prompt from XP telling me it could not load my profile and a second prompt telling me that any changes made would not be saved. It then logged me onto a profile at c:/docs & settings/Temp, a standard first-logon desktop. I browsed around, logged off, and at login I was returned to my original profile and the Temp profile was gone. Never saw that one before.
     
  8. 2008/09/24
    noahdfear

    noahdfear Inactive

    Let's rule out rootkits too, Tony. Download GMER.

    Right click and extract it to its own folder on the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.
     
  9. 2008/09/25
    TonyT

    TonyT SuperGeek Staff Thread Starter

    Will do that later today.
    But isn't GMER included in ComboFix?

    Also, Autoruns does not show any unusual drivers or new entries.

    I suspect that a Windows file has been overwritten and retained the old modified date, or was given an old creation/modified date, because the issue occurs in Firefox too. When I sort files by modified date there's nothing new showing up in key directories (windows, system32, drivers, inf, msagent, etc.).

    I upgraded the box from IE6 to IE7 and the issue persists. I don't want to put on SP3 until it's sorted out.

    IE7 seems to add 2 unnamed BHOs and even if I disable them the issue persists.
     
  10. 2008/09/25
    TonyT

    TonyT SuperGeek Staff Thread Starter

    1st scan: ran GMER rootkit scan... no results, empty.
    2nd time, while IE was running:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-09-25 21:09:42
    Windows 5.1.2600 Service Pack 2


    ---- User code sections - GMER 1.0.14 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] kernel32.dll!ExitProcess 7C81CAA2 6 Bytes PUSH 10002970; RET
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] ws2_32.dll!send 71AB428A 6 Bytes PUSH 1000269C; RET
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] ws2_32.dll!WSARecv 71AB4318 6 Bytes PUSH 10002504; RET
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] ws2_32.dll!recv 71AB615A 6 Bytes PUSH 100024C4; RET
    .text C:\Program Files\Internet Explorer\iexplore.exe[1116] ws2_32.dll!WSASend 71AB6233 6 Bytes PUSH 10002924; RET

    ---- EOF - GMER 1.0.14 ----


    for giggles, a new HjT log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:28:13 PM, on 9/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\devldr32.exe
    D:\apps\Anti Spyware\HijackThis\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: http://*.turbotax.com
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 192.168.1.1
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 3335 bytes


    I could easily restore using a Ghost image, but I need to figure this out so I can then clean my client's system of the same issue.
     
    Last edited: 2008/09/25
  11. 2008/09/25
    noahdfear

    noahdfear Inactive

    GMER log is fine. No, GMER is not wrapped with ComboFix....... catchme is.

    Why are you still using HijackThis beta? :p

    Have a look at this.

    http://www.f-prot.com/virusinfo/descriptions/qhost_a.html

    From your HJT log.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
     
  12. 2008/09/26
    TonyT

    TonyT SuperGeek Staff Thread Starter

    I just used a copy of HjT I had on a thumb drive, didn't bother to check versioning... oops.

    New log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:41:35 AM, on 9/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: http://*.turbotax.com
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 192.168.1.1
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    --
    End of file - 3368 bytes


    Progress!
    That trojan did not exist, nor are there any dirs or files with HOSTS in the name. And the reg values mentioned in the F-Prot article did not exist as such.

    This is what I did:

    1. Searched the registry for "google" and "gogl". ("gogl" DID exist prior to installing IE7.)
    2. Deleted all google values except Home Page.
    3. Reran HjT and removed all R0s and R1s except Start Page.

    I now get correct results searching from the Google form on the start page, BUT if I use the search box atop IE7 I still get the previous malicious results.

    Next:
    1. Uninstalled IE7.
    2. Did 1, 2 & 3 above.
    3. Problem persists in IE6.... hmm
     
    Last edited: 2008/09/26
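    The checks noahdfear is doing by eye above (the O17 NameServer lines in the first log, the R0/R1 search URLs he pointed at in the last one) can be made repeatable. The following Python script is an added example and is not a tool from this thread or part of HijackThis: it parses the R0/R1 and O17 lines of an HJT log and flags any search URL host or resolver that is not on an allowlist. The allowlists are assumptions for the example (the OpenDNS resolvers and LAN router seen in the logs, plus the Microsoft/Google hosts a stock IE uses); the sample log mixes genuine lines from this thread with two constructed lines (the search.hijack.invalid URL and the 10.0.0.53 resolver) showing what a hijacked box could report.

```python
import re
from urllib.parse import urlparse

# Allowlists are assumptions for this example: the OpenDNS resolvers and LAN
# router seen in the thread's logs, and the Microsoft/Google hosts a stock IE uses.
KNOWN_DNS = {"208.67.222.222", "208.67.220.220", "192.168.1.1"}
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.microsoft.com", "go.microsoft.com"}

# R0/R1 lines look like "<key>,<value name> = <url>"; O17 lines look like
# "<interface key>: NameServer = a,b". The key contains spaces, so match lazily
# up to the first comma / colon.
R_LINE = re.compile(r"^(R[01]) - (.+?),([^=]+?) = (\S+)$")
O17_LINE = re.compile(r"^O17 - (.+?): NameServer = (\S+)$")

# Constructed sample log: genuine lines from this thread plus two constructed
# lines, the search.hijack.invalid SearchURL and the 10.0.0.53 resolver.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.hijack.invalid/%s
O17 - HKLM\System\CCS\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{07D675E5-D4CE-4F89-9E86-05A410B5477D}: NameServer = 192.168.1.1,10.0.0.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


def parse_hjt(text):
    """Return the R0/R1 and O17 entries of an HJT log as a list of dicts, in log order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            kind, key, name, url = m.groups()
            entries.append({"kind": kind, "key": key, "name": name.strip(), "url": url})
            continue
        m = O17_LINE.match(line)
        if m:
            key, servers = m.groups()
            entries.append({"kind": "O17", "key": key, "servers": servers.split(",")})
    return entries


def triage(text):
    """Return human-readable findings for every entry outside the allowlists."""
    findings = []
    for e in parse_hjt(text):
        if e["kind"] == "O17":
            # A resolver you did not configure is the DNS-poisoning case from post #1.
            unknown = [s for s in e["servers"] if s not in KNOWN_DNS]
            if unknown:
                findings.append(f"O17 unknown resolver(s) {','.join(unknown)} on {e['key']}")
        else:
            # A start/search URL on a foreign host is the search-hijack case.
            host = urlparse(e["url"]).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(f"{e['kind']} {e['name']} points at {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Run against a real log, the two findings it prints for the sample are exactly the lines you would fix in HijackThis or in the registry; everything on the allowlist stays silent, which is why the allowlist must be the resolvers and search hosts you actually configured, not whatever the current log shows.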
  13. 2008/09/26
    noahdfear

    noahdfear Inactive

  14. 2008/09/26
    TonyT

    TonyT SuperGeek Staff Thread Starter

    That's been gone; still have the issue.
    Anyway, that entry came from google.reg, which I've used on almost all systems I set up:
    http://www.google.com/options/defaults.html
    Code:
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Use Search Asst"="no"
    "Search Page"="http://www.google.com"
    "Search Bar"="http://www.google.com/ie"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
    ""="http://www.google.com/keyword/%s"
    "provider"="gogl"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://www.google.com/ie"
     
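    Since the debate here is whether that .reg file, or something that overwrote its values, is the source of the R1 SearchURL line, it helps to be able to read a REGEDIT4 file and see which hosts it would point IE's search at before merging it. The following Python parser is an added example, not code from this thread or from Google: it parses the key/value syntax of a REGEDIT4 file, lists every value whose data is a URL with its host, and reports hosts outside a trusted set. The HKEY_CURRENT_USER/HKEY_LOCAL_MACHINE abbreviations and the trusted host list are assumptions for the example; GOOGLE_REG is the file quoted above, and HIJACK_REG is a constructed file showing what a tampered one would look like.

```python
import re
from urllib.parse import urlparse

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*?)"="(.*)"$')
# Abbreviations used in the report (assumed, matching HijackThis's HKCU/HKLM style).
HIVE_ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

# The google.reg file quoted in the post above, as a string.
GOOGLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst"="no"
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="http://www.google.com/keyword/%s"
"provider"="gogl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com/ie"
"""

# Constructed example of a tampered file: same key, foreign search host.
HIJACK_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://search.hijack.invalid/ie"
"""


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a REGEDIT4 file."""
    if not text.lstrip().startswith("REGEDIT4"):
        raise ValueError("not a REGEDIT4 file")
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            # An empty name is the key's default value; undo REGEDIT4 backslash escapes.
            keys[current][name or "(Default)"] = re.sub(r"\\(.)", r"\1", data)
    return keys


def url_values(keys):
    """List (short_key, value_name, host) for every value whose data is an http(s) URL."""
    out = []
    for path, values in keys.items():
        hive, _, rest = path.partition("\\")
        short = f"{HIVE_ABBREV.get(hive, hive)}\\{rest}"
        for name, data in values.items():
            parsed = urlparse(data)
            if parsed.scheme in ("http", "https") and parsed.hostname:
                out.append((short, name, parsed.hostname))
    return out


def foreign_hosts(keys, trusted=("www.google.com",)):
    """Hosts the .reg would point IE's search at that are not in the trusted set."""
    return sorted({host for _, _, host in url_values(keys) if host not in trusted})


if __name__ == "__main__":
    for short, name, host in url_values(parse_reg(GOOGLE_REG)):
        print(f"{short},{name} -> {host}")
    print("foreign hosts in google.reg:", foreign_hosts(parse_reg(GOOGLE_REG)))
    print("foreign hosts in constructed file:", foreign_hosts(parse_reg(HIJACK_REG)))
```

    The `short,name -> host` lines it prints for google.reg are the same HKCU\...\SearchURL,(Default) entry that HijackThis reports as R1, which is the point of the disagreement above: the entry in the log is consistent with the tweak, so the host it resolves to, not its mere presence, is what decides whether it is benign.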
  15. 2008/09/27
    noahdfear

    noahdfear Inactive

    Thanks for the google.reg info. Kinda conflicts with the write-up info, eh? :rolleyes:

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool.
    • At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of log.txt here.
     
  16. 2008/09/27
    noahdfear

    noahdfear Inactive

    I've been thinking about this, and though you say it's gone, there it is in your log. I also understand that it's a google reg tweak, but that doesn't rule it out as a cause. The fact that you do it on almost all systems you set up, and others are experiencing this same behavior suggests a connection. You noted that you removed all those references in IE7 and the problem went away, then rolled back to 6 and the problem was again prevalent. Perhaps those settings rolled back as well?
     
  17. 2008/09/28
    TonyT

    TonyT SuperGeek Staff Thread Starter

    Only one other system has a similar issue, a client of mine. But he also has other known malware that I didn't get a chance to remove yet. I'll be heading there today.

    The problem went away "halfway" in IE7 after removing those references. Searching from the form input at google.com was restored, but searching from the search box atop IE7 was foul. Thus, IE7 must have migrated some other "hidden settings" from IE6.

    When reverting to IE6 the problem returned, searching from form input at google.com was afoul.

    I scoured my system manually, inspecting hundreds of files and dirs, and found nothing amiss. I am certain that there must have been some reg keys/values that remained after perhaps one of my kids or a kid's friend used my comp, noticed an issue, and thought they'd fixed the issue using my anti-malware utils. My daughter is quite savvy and would have tried to resolve it prior to informing me.

    I gave up as I ran out of time. I restored the partition with a Ghost image and all is well. I did this because I know I won't get stumped fixing my client's system, because his issue is caused by known hijackers and trojans. I had already inspected his system, but at that time he had to leave and I couldn't stay there & fix things.

    I regret that I didn't ghost the partition while the issue existed because then I could put it back later to dig deeper into what caused the problem.

    For now, consider this thread dead.

    Thanks for all anyway.
     
