
Clicking on search results takes me to different websites.


23 replies to this topic

#1 shrinks


Posted 20 November 2008 - 04:55 PM

Hi,
I have Windows Vista Home Edition. I have ZoneAlarm Pro installed on my computer for spyware protection.
Now here is what's happening.
When I use Google search in Firefox it gives me correct results, but when I click on any of the links it redirects me to some automobile sites or some video site.
Also, when I use the program control option in ZoneAlarm Pro and set it to medium or low, none of the browsers work, although my net is working fine since I can use Gtalk or Yahoo Messenger easily. The moment I turn off the program control my net works fine on all of the browsers, but the redirecting problem remains...

Can anybody please help me? Let me know if you need some more information.

thanks
Shrinks

#2 shrinks


Posted 20 November 2008 - 05:06 PM

PLEASE help me guys... I don't know what to do. I don't want to format my laptop, which is the only thing I know to do in such a situation :thumbsup:

#3 boopme


Posted 20 November 2008 - 05:11 PM

Let's get an MBAM scan and see what we have.
If you cannot get to the site you may have to copy it to a CD or flash drive, then run it on this PC.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Edited by boopme, 20 November 2008 - 05:13 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 shrinks


Posted 20 November 2008 - 05:12 PM

OK, I will do it and get back.
Thanks.

#5 shrinks


Posted 20 November 2008 - 05:39 PM

Hello,
I performed all the steps mentioned by you, and got the log file. Here it is. Also, one weird thing happened: after the restart my desktop wallpaper was gone, it's an all-black desktop. Also I cannot see any thumbnail icons, but I can see the picture by opening it. Just wanted to let you know.



Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 6.0.6001 Service Pack 1

11/20/2008 4:24:57 PM
mbam-log-2008-11-20 (16-24-57).txt

Scan type: Quick Scan
Objects scanned: 58847
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 3
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Tribute Service (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bb145b3e-9925-4d67-a3e2-116c1e201413}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bb145b3e-9925-4d67-a3e2-116c1e201413}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{bb145b3e-9925-4d67-a3e2-116c1e201413}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Shrinivas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\homeview\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\homeview\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.

#6 shrinks


Posted 20 November 2008 - 06:53 PM

Waiting for your reply, sir... :flowers: ... At least my browser is not redirecting me to a different site.. :thumbsup:

#7 boopme


Posted 20 November 2008 - 07:59 PM

Great, let's see if something is left..

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#8 shrinks


Posted 20 November 2008 - 10:18 PM

I downloaded SmitfraudFix and ran it... At first, when some windows pop up, it shows "Access denied" several times... Next, when the actual software window comes, I selected option no. 1. After that also it says "Access denied" several times, and then the window closes automatically...
I have McAfee antivirus and ZoneAlarm Pro.. shall I stop them before executing the file?..

#9 shrinks


Posted 20 November 2008 - 10:47 PM

Also, as I said previously, after running MBAM and after the restart my desktop wallpaper was gone, it's an all-black desktop. Also I cannot see any thumbnail icons, but I can see the picture by opening it. I cannot put any wallpaper on it.. Is it any kind of problem due to spyware???

#10 boopme


Posted 21 November 2008 - 10:51 AM

OK, do these steps now.
Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").

These are some common malware related entries you may see:
Security Info
Warning Message
Security Desktop
Warning Homepage
Privacy Protection
Desktop Uninstall


If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done, go back into your Desktop Settings and you should be able to change the color/theme to whatever you want.

#11 shrinks


Posted 21 November 2008 - 02:05 PM

Hello
I went to Control Panel, but didn't find any Display option over there. I am using Windows Vista Basic. Can it be somewhere else? I explored the Control Panel but didn't find anything like you said.

#12 shrinks


Posted 21 November 2008 - 09:19 PM

Hello,
Waiting for your reply, sir..
thanks..

#13 boopme


Posted 22 November 2008 - 09:52 AM

Hello, be sure you Run As Administrator.
Then run part 1 from above, and follow with part 2.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

#14 shrinks


Posted 22 November 2008 - 04:46 PM

I followed the steps from the first, with MBAM. It found some of the infections and fixed them. Also I ran the next fix and ran the clean-up in Safe Mode. This was the report generated; also I lost my desktop wallpaper.

SmitFraudFix v2.376

Scan done at 15:33:14.70, Sat 11/22/2008
Run from C:\Users\Shrinivas\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3EA25C47-41F8-4525-96D0-BE469681ECE9}: DhcpNameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3EA25C47-41F8-4525-96D0-BE469681ECE9}: NameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB145B3E-9925-4D67-A3E2-116C1E201413}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB145B3E-9925-4D67-A3E2-116C1E201413}: NameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3EA25C47-41F8-4525-96D0-BE469681ECE9}: DhcpNameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3EA25C47-41F8-4525-96D0-BE469681ECE9}: NameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BB145B3E-9925-4D67-A3E2-116C1E201413}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BB145B3E-9925-4D67-A3E2-116C1E201413}: NameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3EA25C47-41F8-4525-96D0-BE469681ECE9}: DhcpNameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3EA25C47-41F8-4525-96D0-BE469681ECE9}: NameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BB145B3E-9925-4D67-A3E2-116C1E201413}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BB145B3E-9925-4D67-A3E2-116C1E201413}: NameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
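The "DNS" section of the SmitfraudFix report above is the clearest signal in this thread: on each interface a static NameServer override points at 85.255.112.x while the DHCP lease recorded under Tcpip\Parameters hands out the ISP's 68.87.x servers. The following is an added example (not code from this thread, from SmitfraudFix or from MBAM) that parses that report format and flags exactly that mismatch; the sample text is constructed from the lines quoted in the report.

```python
import re

# Constructed sample: the CurrentControlSet lines from the SmitfraudFix "DNS"
# section quoted in this thread (values copied from that report).
SAMPLE_REPORT = r"""
DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3EA25C47-41F8-4525-96D0-BE469681ECE9}: DhcpNameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3EA25C47-41F8-4525-96D0-BE469681ECE9}: NameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB145B3E-9925-4D67-A3E2-116C1E201413}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB145B3E-9925-4D67-A3E2-116C1E201413}: NameServer=85.255.112.106;85.255.112.152
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
"""

# One report line: control set, then either an interface GUID or the global
# Parameters key, then the value name and the server list.
LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\})|(?P<global>Parameters)): "
    r"(?P<name>DhcpNameServer|NameServer)=(?P<value>.*)$"
)


def parse_dns_section(report):
    """Map (controlset, scope) -> {value name: [servers]} for every DNS line."""
    entries = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        scope = m.group("guid") or m.group("global")
        # SmitfraudFix prints server lists either ';'- or space-separated
        servers = [s for s in re.split(r"[;\s]+", m.group("value")) if s]
        entries.setdefault((m.group("cs"), scope), {})[m.group("name")] = servers
    return entries


def find_static_overrides(entries, controlset="CCS"):
    """Interfaces whose static NameServer list differs from the DHCP lease.

    The global Parameters DhcpNameServer is taken as the trusted lease, because
    a per-interface DhcpNameServer can itself be rewritten (the first interface
    in the sample shows this). Returns a list of (guid, static, expected).
    """
    trusted = entries.get((controlset, "Parameters"), {}).get("DhcpNameServer", [])
    findings = []
    for (cs, scope), vals in sorted(entries.items()):
        if cs != controlset or scope == "Parameters":
            continue
        static = vals.get("NameServer", [])
        expected = trusted or vals.get("DhcpNameServer", [])
        if static and set(static) != set(expected):
            findings.append((scope, static, expected))
    return findings


if __name__ == "__main__":
    for guid, static, expected in find_static_overrides(parse_dns_section(SAMPLE_REPORT)):
        print(f"{guid}: static NameServer={static}, DHCP lease={expected}")
```

On a live system the same comparison can be made directly against the registry values the report was taken from; a static NameServer that does not match the lease is worth explaining before it is trusted.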

#15 shrinks


Posted 22 November 2008 - 08:26 PM

Here is the log for MBAM; above is the log for SmitfraudFix.

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 6.0.6001 Service Pack 1

11/22/2008 15:17:29
mbam-log-2008-11-22 (15-17-29).txt

Scan type: Quick Scan
Objects scanned: 59826
Time elapsed: 10 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Tribute Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bb145b3e-9925-4d67-a3e2-116c1e201413}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bb145b3e-9925-4d67-a3e2-116c1e201413}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3ea25c47-41f8-4525-96d0-be469681ece9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{bb145b3e-9925-4d67-a3e2-116c1e201413}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.106;85.255.112.152 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by shrinks, 22 November 2008 - 08:32 PM.
