Search engine results redirect malware

14 posts in this topic

Hi all,

I've tried what feels like everything trying to beat my daughters search engine redirect issue - she's not sure how it happend (i'm betting it was with one of the free youtube video downloaders she downloaded!)

I've run mbam, all the usual bits and pieces to try and rid the machine of this infection - formatting isn't really an option because the serial number sticker for windows has rubbed off the bottom of the laptop.

Ok attached are the log files requested,

Really hoping we can beat this one !

Thanks for any help you might be able to provide - it's really appreciated as she has coursework to be getting on with and we're worried it might be stealing personal information and so on!

All the best




Share this post

Link to post
Share on other sites


we're worried it might be stealing personal information and so on!
There is always a real risk of that happening with this type of infection, so as a precaution, don't use this computer for any banking or other personal transactions until the machine is clean:

This type of infection could possibly allow hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
    • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
    • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.


Please download TDSSKiller.zip

  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Delete is selected
    • Then click Continue > Reboot now

    [*]Copy and paste the log in your next reply

    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


I see comboFix has been run on this machine, was it recently? If so please post the log which is located at C:\ComboFix.txt

Share this post

Link to post
Share on other sites

Hi, thanks for your help so far!

Right we have a problem with aswMBR.exe crashing after it's been scanning for a while, it's done it every time i've run it - and once i turned around (not been watching it the whole time) and it was rebooting, when Windows came back up it said Windows has recovered from a serious error - details showed that it was a 'Blue screen'..

Ok just ran it again and it seems to crash when scanning:

C:\Users\This one works\Desktop\HEIDIIXD\HEIDIIXD\Documents\Hardware...

Can't see the rest of the path because it pops up saying:

"avast! Antirootkit has stopped working..."

"Close program".

Ok so closed it, ran it again, before it had a chance to crash i saved this log .. this contains the only 2 red lines that come up prior to it crashing:

(But does look to find something?)


aswMBR version Copyright© 2011 AVAST Software

Run date: 2012-04-27 09:11:57


09:11:57.742 OS Version: Windows x64 6.1.7600

09:11:57.742 Number of processors: 2 586 0x170A

09:11:57.742 ComputerName: HEIDII-PC UserName:

09:11:58.491 Initialize success

09:12:03.187 AVAST engine defs: 12042601

09:12:13.186 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

09:12:13.186 Disk 0 Vendor: WDC_WD2500BEKT-60V5T1 12.01A12 Size: 238475MB BusType: 11

09:12:13.202 Disk 0 MBR read successfully

09:12:13.202 Disk 0 MBR scan

09:12:13.202 Disk 0 unknown MBR code

09:12:13.217 Disk 0 MBR hidden

09:12:13.217 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 199 MB offset 2048

09:12:13.233 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 225499 MB offset 409600

09:12:13.264 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12775 MB offset 462231552

09:12:13.280 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 1 MB offset 488394752

09:12:13.280 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]

09:12:13.327 Disk 0 scanning C:\Windows\system32\drivers

09:12:25.791 Service scanning

09:12:45.338 Modules scanning

09:12:45.338 Disk 0 trace - called modules:

09:12:45.385 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800339c334]<<ataport.SYS PCIIDEX.SYS hal.dll msahci.sys

09:12:45.400 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800334c060]

09:12:45.400 3 CLASSPNP.SYS[fffff8800113643f] -> nt!IofCallDriver -> [0xfffffa8002f0b520]

09:12:45.416 5 ACPI.sys[fffff88000f6e781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8002e96680]

09:12:45.416 \Driver\atapi[0xfffffa8002e92060] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa800339c334

09:12:46.305 AVAST engine scan C:\Windows

09:12:51.047 AVAST engine scan C:\Windows\system32

09:12:55.228 Disk 0 MBR has been saved successfully to "C:\Users\This one works\Desktop\MBR.dat"

09:12:55.244 The log file has been saved successfully to "C:\Users\This one works\Desktop\aswMBR-HALF.txt"

I then ran: TDSSKiller.exe..

Which said it found tdss and some other crap so i did as you said and cured / deleted as appropriate.

TDSS log:

I'm attaching as it says my post is too long :)

> I am also attaching the zipped .dat file you requested.

I then rebooted.

I thought it might be a good idea to RE-RUN aswMBR to see if I can get a complete log... perhaps something was stopping it that has been removed already?

Crashes in the same place (as above).

So i took a bit of initiative and found the folder in question, called:


I deleted the whole folder and re-ran aswMBR again!.. actually ran all the way through this time.



aswMBR version Copyright© 2011 AVAST Software

Run date: 2012-04-27 09:51:28


09:51:28.944 OS Version: Windows x64 6.1.7600

09:51:28.944 Number of processors: 2 586 0x170A

09:51:28.944 ComputerName: HEIDII-PC UserName:

09:51:31.939 Initialize success

09:51:36.650 AVAST engine defs: 12042601

09:51:37.493 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

09:51:37.508 Disk 0 Vendor: WDC_WD2500BEKT-60V5T1 12.01A12 Size: 238475MB BusType: 11

09:51:37.524 Disk 0 MBR read successfully

09:51:37.539 Disk 0 MBR scan

09:51:37.539 Disk 0 unknown MBR code

09:51:37.571 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048

09:51:37.586 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 225499 MB offset 409600

09:51:37.617 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12775 MB offset 462231552

09:51:37.664 Disk 0 scanning C:\Windows\system32\drivers

09:51:47.305 Service scanning

09:52:06.805 Modules scanning

09:52:06.805 Disk 0 trace - called modules:

09:52:06.852 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys

09:52:06.852 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800333a660]

09:52:06.868 3 CLASSPNP.SYS[fffff8800108943f] -> nt!IofCallDriver -> [0xfffffa8002e95370]

09:52:06.868 5 ACPI.sys[fffff88000f83781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8002efe060]

09:52:07.866 AVAST engine scan C:\Windows

09:52:10.378 AVAST engine scan C:\Windows\system32

09:54:42.547 AVAST engine scan C:\Windows\system32\drivers

09:54:53.374 AVAST engine scan C:\Users\This one works

10:13:24.074 AVAST engine scan C:\ProgramData

10:16:02.525 Scan finished successfully

10:17:15.936 Disk 0 MBR has been saved successfully to "G:\MBR.dat"

10:17:15.951 The log file has been saved successfully to "G:\aswMBR.txt"

ComboFix was run a long time ago (a couple of weeks at least) so I've re-run it and here is the log:

Attaching this one too as says post is too long :(

Hopefully we're doing some good!

Really REALLY appreciate your help :)





Share this post

Link to post
Share on other sites

You had a hidden malware partition on your system, but it looks as though TDSSKiller has removed it, but I would like to make sure, please run the following:

Please download Listparts64

Run the tool,

check the "list BCD" box

click "Scan" and post the log (Result.txt) it makes.


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Share this post

Link to post
Share on other sites

Hi CatByte,

Please find attached the three logs as requested..

ESET Scanner found a few trojans, from the log a few appear to be in a tdss killer quarantine area?

Just to let you know i've tried googling and the results seem to be working ok now - not sure if that means im clean or not?

Thanks again for your speedy help :)


mbam-log-2012-04-28 (18-37-08).txt


Share this post

Link to post
Share on other sites

P.S just to let you know i had a USB stick plugged in that ive been copying the log files to (for uploading from main PC),

Only ran the ESET tool online and a hand-full of google searches on the (infected) laptop so as to make sure to minimise web traffic as you pointed out.

all the best

Share this post

Link to post
Share on other sites


You can navigate to and delete the installer files if you don't need them any more

C:\Program Files (x86)\FLVPlayer\FLVPlayer.exe

C:\Program Files (x86)\FLVPlayer\Uninstall\Uninstall.exe

C:\Users\This one works\AppData\Local\Temp\is-BOFB4.tmp\OCSetupHlp.dll

C:\Users\This one works\Desktop\KeyFinderInstaller.exe

C:\Users\This one works\Downloads\VideoPlayerSetup.exe

the rest of the logs look good, appears as though TDSSKiller did it's job, please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)

Having the latest updates ensures there are no security vulnerabilities in your system.


javaicon.jpgYour Java is out of date.

Java™ 6 Update 29 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.

An update should begin; > follow the prompts.

Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked

    • Applications and Applets
      Trace and Log Files

    [*]Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    [*]Click OK to leave the Temporary Files Window

    [*]Click OK to leave the Java Control Panel.


Please run a fresh DDS Log and advise if there are any outstanding issues

Share this post

Link to post
Share on other sites


Ran DDS again and did the updates as you recommended..

Attached is the log DDS and i've attached the attach.txt as a zip again!

Looking good though - are we clean now? :)

Thanks so much



Share this post

Link to post
Share on other sites

yes, the logs look good, there is one more thing that I would like to check before we clean up our tools though

please do the following:

Press the WinKey + R to open a run box, copy/paste the following bolded text into the Run box and click OK:


A report should pop open for you. Please post the contents in your next reply.


Share this post

Link to post
Share on other sites

2012-04-13 19:42:28 . 2012-04-13 19:42:28 3,880 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}.reg.dat

2012-04-13 19:40:02 . 2012-04-13 19:40:02 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat

2012-04-13 19:39:49 . 2012-04-27 09:31:56 236 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}.reg.dat

2012-04-13 19:39:42 . 2012-04-27 09:31:56 236 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}.reg.dat

2012-04-13 19:39:35 . 2012-04-27 09:31:56 236 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}.reg.dat

2012-04-13 19:39:28 . 2012-04-27 09:31:56 236 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}.reg.dat

2012-04-13 19:39:17 . 2012-04-27 09:31:55 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat

2012-04-13 19:39:09 . 2012-04-27 09:31:55 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC}.reg.dat

2012-04-13 19:31:00 . 2012-04-13 19:31:01 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}.reg.dat

2012-04-13 19:30:53 . 2012-04-13 19:30:54 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}.reg.dat

2012-04-13 19:30:45 . 2012-04-13 19:30:46 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}.reg.dat

2012-04-13 19:30:29 . 2012-04-27 09:31:33 394 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat

2012-04-13 19:08:11 . 2012-04-27 09:25:13 21,452 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2012-04-13 18:27:53 . 2012-04-27 09:17:49 153 ----a-w- C:\Qoobox\Quarantine\catchme.log

2012-01-10 11:17:57 . 2012-03-18 13:37:22 5,771 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\NOTEPAD.EXE-x.txt.vir

2012-01-10 11:17:54 . 2012-03-18 13:37:00 2,482 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\RUNDLL32.EXE-x.txt.vir

2010-08-23 22:52:30 . 2012-04-13 17:14:49 824 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\drivers\etc\hosts.txt.vir

Share this post

Link to post
Share on other sites


Looks good,

Just some housekeeping to do now,

Please do the following:

You can delete the aswMBR,DDS and TDSSKiller logs and programs from your desktop.


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.


If there are any logs/tools remaining on your desktop > right click and delete them.


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at :
    This will ensure your computer has always the latest security updates available installed on your computer.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

    [*]Download TFC to your desktop

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    [*]WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an addon available for both Firefox and IE

    [*]Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

    [*]ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

    [*]In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:

    PC Safety and Security--What Do I Need?.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Share this post

Link to post
Share on other sites

Thanks for your excellent help! Have followed your advice and had a word with her re: recommendations

Can't thank you enough

Share this post

Link to post
Share on other sites

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.