Somehow I got this one too. It's a rootkit of some sort. Pretty sure this is what I used to remove it: http://www.combofix.org/
Malwarebytes, Symantec, MRT, none of those picked it up. Search results looked normal, but when you clicked a link it redirected somewhere. For me it was right after Firefox downloaded an update, so I am wondering if that is where it came from.

-----Original Message-----
From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Tuesday, July 21, 2009 19:20
To: NT System Admin Issues
Subject: RE: Searches being hijacked to show results from "search.pro"

That (customer miffed at being billed for a cleanup that wasn't successful) is why I won't even offer the cleanup option any more. You want it cleaned, get somebody else. It takes the same amount of time to nuke and pave as it does to clean.

Carl

-----Original Message-----
From: Gene Giannamore [mailto:gene.giannam...@abideinternational.com]
Sent: Tuesday, July 21, 2009 6:34 PM
To: NT System Admin Issues
Subject: RE: Searches being hijacked to show results from "search.pro"

Luckily I do not do that anymore, too many ugly situations, now I am a junior admin again, at a small company, only this time, no exchange server (yeah!). I can tell you no fun telling the customer the bad news, no matter how nicely I worded it, and kept it simple. Plus we lost maybe 3 work hours each time it happened (imagine billing the customer 5 hours of labor for this, 2 to 3 for cleanup, plus 2 to 3 for backup/wipe/restore).

Gene Giannamore
Abide International Inc.
Technical Support
561 1st Street West
Sonoma,Ca.95476
(707) 935-1577 Office
(707) 935-9387 Fax
(707) 766-4185 Cell
gene.giannam...@abideinternational.com
www.abideinternational.com

-----Original Message-----
From: Steven Peck [mailto:sep...@gmail.com]
Sent: Tuesday, July 21, 2009 1:08 PM
To: NT System Admin Issues
Subject: Re: Searches being hijacked to show results from "search.pro"

Tried those, failed. Pulled data and rebuilt. It was some nasty stuff. If she would have had to go to a tech and paid for it, it would have been ugly.
:)

On Tue, Jul 21, 2009 at 12:20 PM, Gene Giannamore<gene.giannam...@abideinternational.com> wrote:
> Sometimes, a tech cannot wipe (even though we always should be able to). Because of that, we had to clean in 2 steps;
> 1) ubcd4win (installed and updated on a clean system), ran at least 1 cleaner and 1 antivirus, plus manually checked the usual startup locations in the registry
> 2) safe mode, installed spybot, antivir, ad-aware, etc., and ran those. Times change, not sure which current ones can be installed in safe mode.
>
> Sometimes the bootcd cleaners will remove an infection that hooked into the registry (win32 subsystem usually), and we would need to manually repair that section of the registry (just use the clean computer to find the correct text in the registry, or export and import).
> Worst part was having to tell customer windows install completely broken, even after a repair install. Some things cannot be fixed. We would do about 10 computer cleanings a day, between 3 techs (only had 7 locations we could work at).
>
> Gene Giannamore
> Abide International Inc.
> Technical Support
> 561 1st Street West
> Sonoma,Ca.95476
> (707) 935-1577 Office
> (707) 935-9387 Fax
> (707) 766-4185 Cell
> gene.giannam...@abideinternational.com
> www.abideinternational.com
>
> -----Original Message-----
> From: Carl Houseman [mailto:c.house...@gmail.com]
> Sent: Tuesday, July 21, 2009 9:48 AM
> To: NT System Admin Issues
> Subject: RE: Searches being hijacked to show results from "search.pro"
>
> Nuke and pave is the way to go if you want full confidence that your
> personal info is secure. No cleaning tool is 100% guaranteed to get
> everything, every time.
>
> Carl
>
> -----Original Message-----
> From: Steven Peck [mailto:sep...@gmail.com]
> Sent: Tuesday, July 21, 2009 12:35 PM
> To: NT System Admin Issues
> Subject: Re: Searches being hijacked to show results from "search.pro"
>
> Oh I wish I'd known about that link before I gave up and wiped a
> laptop (good friend of wife, I didn't have plans of course I'd be
> happy to help her out dear) Sunday.
>
> Nasty little piece of work would disable AV and lock me out of the
> file system path. So I eventually just nuked the system and built it
> properly, probably for the best.
>
> Steven
>
> On Tue, Jul 21, 2009 at 8:31 AM, Alex Eckelberry<al...@sunbelt-software.com> wrote:
>> Or run the free VIPRE tools:
>>
>> http://live.sunbeltsoftware.com/
>> Or
>> http://www.vipreantivirus.com/
>>
>> All free.
>>
>> Also check your host file to see if it's been modified as well as your local
>> DNS settings...
>>
>> Alex
>>
>> From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
>> Sent: Tuesday, July 21, 2009 10:26 AM
>> To: NT System Admin Issues
>> Subject: RE: Searches being hijacked to show results from "search.pro"
>>
>> I would also recommend scanning with a copy of MalwareBytes from
>> www.malwarebytes.com. It's a free anti-malware app that has found stuff that
>> our antivirus/anti-spyware app overlooked.
>>
>> From: James Rankin [mailto:kz2...@googlemail.com]
>> Sent: Tuesday, July 21, 2009 10:03 AM
>> To: NT System Admin Issues
>> Subject: Re: Searches being hijacked to show results from "search.pro"
>>
>> Try HijackThis or similar. Looks like something has sneaked right under your
>> radar
>>
>> 2009/7/21 Bill Monicher <bmacd5...@gmail.com>
>>
>> Has anyone seen this before?
>>
>> When I do a search using Google or Yahoo, I'm presented with the usual
>> list of links matching the search terms.
>>
>> When I click on one, I am very briefly presented with a page with a
>> beige rectangle in the centre and an arrow.
>> The legend says "Skip this page" and "Your request is loading"
>> When it completes I am at www.search.pro, not the search choice I wanted.
>>
>> I'm using Firefox.
>> AVG w/ all of the latest updates
>>
>> I looked in the usual places -- add-ons, extensions etc but to no avail.
>> The URL on the "redirect" page seems to change several times before it
>> shows the list of choices.
>> shopica.com is often there, tho I've seen others.
>> the URL of the destination is www.search.pro
>>
>> Has anyone seen this?
>> It appears new -- there is little on google about it, but then
>> searching on "search" or "pro" is hardly going to narrow the field
>> much.
>>
>> My surfing habits make this sort of thing very rare, so I've no idea
>> how I got it. It has only shown up over the past week or so.
>>
>> --BM

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
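
The hosts-file check suggested in the thread ("check your host file to see if it's been modified"), sketched as an added example that is not code from any poster. The watch list of domains is an assumption built from sites named in the thread, and the sample file is constructed.

```python
import ipaddress

# Assumption: watch list taken from sites named in the thread (the hijacked
# search engines and the scanners' download sites); extend it as needed.
WATCHED = ("google.com", "yahoo.com", "malwarebytes.com",
           "sunbeltsoftware.com", "vipreantivirus.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file (documentation-range addresses).
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com search.yahoo.com   # constructed entry
127.0.0.1       www.malwarebytes.com
192.0.2.10      intranet.example.test
not-an-ip       www.google.com
"""

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for each mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address; skip
        for name in fields[1:]:                 # one address may carry several names
            yield lineno, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line, hostname, ip, verdict) for every non-localhost mapping."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and ip.is_loopback:
            continue
        watched = any(name == d or name.endswith("." + d) for d in WATCHED)
        if not watched:
            verdict = "review"       # not a default entry; confirm who added it
        elif ip.is_loopback or ip.is_unspecified:
            verdict = "blocked"      # watched site sinkholed, e.g. scanner downloads
        else:
            verdict = "redirected"   # watched site pinned to another address
        findings.append((lineno, name, str(ip), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s [%s]" % finding)
```

On Windows the file to feed to `audit_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`; reading it from a boot CD or another clean system avoids trusting the infected OS to show the real contents.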