Redirected Internet Searches... Tried Everything...


30 replies to this topic

#1 Cynthia3333

Cynthia3333

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 03 January 2009 - 12:28 AM

Hi Everyone. It appears that I am having a similar issue to other folks out there, but I cannot seem to remove mine. My issue is that whenever I type in a search term, all the websites that pop up in the search results have the right website name and description, but a bad URL. Currently I am getting URLs like toseeka.com; shopica.com; security-antivirus.com and many, many more. I have been working on trying to fix the issue since yesterday and I believe I have installed every tool suggested. I have Symantec Anti Virus, which detected nothing, and Adaware, which detected nothing. I also cleared all my cookies and browsing history. Today I downloaded (based on recommendations on multiple websites) Dr. Web Cure It; SuperAntiSpyware; Malwarebytes Anti-Malware 1.31; and did an eset.com online scan. I also checked all of my process names out on the web and they all seem ok. This is also hard because my only computer is infected, so I have to go to a friend's to do the search and then go back to my computer....

Since it seems like most of your posts want the Malwarebytes report, here is mine:

Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 2

1/2/2009 4:12:28 PM
mbam-log-2009-01-02 (16-12-28).txt

Scan type: Quick Scan
Objects scanned: 59102
Time elapsed: 22 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Please help. I am a student and I need my computer to work on my thesis and the time I am wasting is hurting me... Thank you so much!


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:28 PM

Posted 03 January 2009 - 06:19 AM

It would be better if we could have documented the cleanup and therefore had a few more clues than one log towards the end of the process.

I am assuming Norton's hasn't changed much since my last bout with it and it's still interfering with malware removal.

http://www.bleepingcomputer.com/forums/ind...t&p=1072590

Read this link carefully and follow the directions exactly for running ATF Cleaner and SAS from safe mode.
Chewy

No. Try not. Do... or do not. There is no try.

#3 Cynthia3333


Posted 03 January 2009 - 09:27 PM

Hi Chewy,

Thanks for your response. I will try to detail everything I have done...

The internet searches started redirecting me about late Thursday night, early Friday morning (about 12:30 am). I deleted all my internet history, cookies and files. That did not work, so I ran Symantec AntiVirus at 12:49 am for a Quick Scan and at 1:47 for the complete scan. Both found nothing. I then did an Adaware scan, which I have the quarantine log for. That did nothing and I went to bed. In the morning I used a friend's computer and started looking up the issue. I turned off System Restore (and it is still off) based off of what other people with similar problems have had. I also downloaded the Malwarebytes Anti Malware and SuperAntiSpyware and ran them both. The log for Malwarebytes is above. I will post the SAS log after this post. I also did a scan from www.eset.com/online scan, which came back clear, and a scan from freedrweb.com/cureit, which came back clean. I redid the SAS and Malware scans today. I will also post those reports after this post. I did download atfcleaner and followed the directions for it. I made sure all of my Windows updates were complete as well. Still no luck. Any advice would be welcome. Thank you! Cynthia

#4 Cynthia3333


Posted 03 January 2009 - 09:31 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 3

1/3/2009 6:40:34 PM
mbam-log-2009-01-03 (18-40-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 114520
Time elapsed: 5 hour(s), 35 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 DaChew


Posted 03 January 2009 - 09:40 PM

Have you checked your LAN settings for a proxy server in connections in internet properties?

Have you reset your router and given it a strong password to protect from infections (DNS server change)?

I would wait on a HJT log as that forum is very backed up, if needed we can refer this thread to a trained expert but keep it here

Edited by DaChew, 03 January 2009 - 09:41 PM.

Chewy

No. Try not. Do... or do not. There is no try.
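A read-only way to look at the settings this reply asks about (the LAN proxy configuration and the DNS servers in use), as an added example that is not part of the original thread. It assumes a current Windows system with PowerShell 3.0 or later, and it goes slightly beyond the reply by also listing active hosts-file entries, another place where name lookups can be redirected.

```powershell
# Added example: read-only inspection of common redirect points.
# Nothing here changes the system; compare the output with what your
# network administrator or ISP says the values should be.

# 1. Per-user proxy settings (what the IE "LAN settings" dialog shows)
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
[pscustomobject]@{
    ProxyEnabled  = [bool]$p.ProxyEnable   # 1 = "Use a proxy server" is ticked
    ProxyServer   = $p.ProxyServer         # host:port, empty if never set
    AutoConfigURL = $p.AutoConfigURL       # PAC script URL, empty if never set
} | Format-List

# 2. DNS servers per network interface
#    NameServer     = statically configured (set by hand or by software)
#    DhcpNameServer = handed out by the router / DHCP server
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem -Path $ifRoot | ForEach-Object {
    $i = Get-ItemProperty -Path $_.PSPath
    if ($i.NameServer -or $i.DhcpNameServer) {
        [pscustomobject]@{
            Interface = $_.PSChildName
            StaticDns = $i.NameServer
            DhcpDns   = $i.DhcpNameServer
        }
    }
} | Format-Table -AutoSize

# 3. Active hosts-file entries (skips blank lines and # comments)
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts |
    Where-Object { $_ -match '^\s*[^#\s]' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
```

A static DNS entry nobody remembers setting, or a DHCP-assigned DNS server that is not the router or the provider's resolver, is the "dns server change" case mentioned above.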

#6 Cynthia3333


Posted 03 January 2009 - 09:42 PM

No - how do I do that?

#7 Cynthia3333


Posted 03 January 2009 - 09:47 PM

The Proxy Server is not checked... I tried to do a print screen, but I cannot paste it.

#8 DaChew


Posted 03 January 2009 - 09:49 PM

Let's call the cavalry. In the meantime, what type of router do you have?

Have you looked in Tools / Internet Options (IE) / Connections / LAN settings?
Chewy

No. Try not. Do... or do not. There is no try.

#9 Cynthia3333


Posted 03 January 2009 - 09:54 PM

I am on an Ethernet connection in the apartment complex at my University. I have to log in through Cisco Clean Access to access the internet. And my LAN setting is on Automatically Detect.

Edited by Cynthia3333, 03 January 2009 - 09:54 PM.


#10 DaChew


Posted 03 January 2009 - 10:00 PM

So the last ATFCleaner and SAS from safe mode found nothing of significance?
Chewy

No. Try not. Do... or do not. There is no try.

#11 Cynthia3333


Posted 03 January 2009 - 10:06 PM

ATF said it cleared out 78 MB of files, I believe, but did not provide a log. My SAS reports are below, but I have deleted my name, which is in all the file paths, now listed as CS and C_S.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/02/2009 at 04:24 PM

Application Version : 4.24.1004

Core Rules Database Version : 3694
Trace Rules Database Version: 1670

Scan type : Complete Scan
Total Scan Time : 01:34:13

Memory items scanned : 549
Memory threats detected : 0
Registry items scanned : 6202
Registry threats detected : 0
File items scanned : 18662
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\CS\Cookies\C_S@ehg-eset.hitbox[1].txt
C:\Documents and Settings\CS\Cookies\C_S@doubleclick[1].txt
C:\Documents and Settings\CS\Cookies\C_S@msnportal.112.2o7[1].txt
C:\Documents and Settings\CS\Cookies\C_S@hitbox[2].txt


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/03/2009 at 06:03 PM

Application Version : 4.24.1004

Core Rules Database Version : 3694
Trace Rules Database Version: 1670

Scan type : Complete Scan
Total Scan Time : 05:02:55

Memory items scanned : 173
Memory threats detected : 0
Registry items scanned : 6453
Registry threats detected : 0
File items scanned : 21962
File threats detected : 13

Adware.Tracking Cookie
C:\Documents and Settings\CS\Cookies\C_S@rambler[1].txt
C:\Documents and Settings\CS\Cookies\C_S@ehg-eset.hitbox[1].txt
C:\Documents and Settings\CS\Cookies\C_S@doubleclick[1].txt
C:\Documents and Settings\CS\Cookies\C_S@ads.bleepingcomputer[1].txt
C:\Documents and Settings\CS\Cookies\C_S@msnportal.112.2o7[1].txt
C:\Documents and Settings\CS\Cookies\C_S@specificclick[2].txt
C:\Documents and Settings\CS\Cookies\C_S@advertising[2].txt
C:\Documents and Settings\CS\Cookies\C_S@hitbox[2].txt
C:\Documents and Settings\CS\Cookies\C_S@zedo[2].txt
C:\Documents and Settings\CS\Cookies\C_S@atdmt[2].txt
C:\Documents and Settings\CS\Cookies\C_S@apmebf[1].txt
C:\Documents and Settings\CS\Cookies\C_S@collective-media[1].txt
C:\Documents and Settings\CS\Cookies\C_S@ad.yieldmanager[2].txt

Edited by Cynthia3333, 03 January 2009 - 10:06 PM.


#12 DaChew


Posted 03 January 2009 - 10:16 PM

Is there anything suspicious in your enabled add-ons under Tools for IE?
Chewy

No. Try not. Do... or do not. There is no try.

#13 Cynthia3333


Posted 03 January 2009 - 10:20 PM

Sorry, I am not very good at this computer stuff. It all looks suspicious to me. Anything I should be looking for? I cannot cut and paste the list, but I will start typing it out. Might take me a bit...

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:28 PM

Posted 03 January 2009 - 10:40 PM

Hi, are you noticing anything like Google searches being redirected through google.goored (or also zfsearch)?

Let's also run SDFix...

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Edited by boopme, 03 January 2009 - 10:43 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#15 Cynthia3333


Posted 03 January 2009 - 10:40 PM

File Name

AcroIEHelper.dll
AcroPDF.dll
AUTHZAX.DLL (there are 2 of these files)
AxMetaStream_03050000D.dll
CCAWEB-1.OCX
Dhtmled.OCX
DLASHX_W.DLL
Flash0f.ocx
Googletoolbar4.dll (there are 3 of these files)
Hpswp_framework.dll
Hswp_printenhancer.dll
Icardie.dll
IEAWSDC.DLL
IETAG.DLL
ITDetector.ocx
KHost.exe
MSGSC8-1.DLL
Mshtmled.dll
Msnmsgr.exe
MsnPUld.dll
Msxml3.dll (there are 8 of these files)
Msxml4.dll (there are 4 of these files)
MSXML5.dll
Msxml6.dll (there are 5 of these files)
Muweb.dll
Npjpi150_04.dll (there are 2 of these files)
OGACheckControl.Dll
Oisctrl.dll
Online-1.ocx
OWSCLT.dll (there are 18 of these files)
OWSSUPP.dll (there are 7 of these files)
QTPlugin.ocx (there are 3 of these files)
PCPitstop.dll
Qsp2ie071101000055.dll (there are 4 of these files)
QTplugin.ocx (there are 2 of these files)
QuickTimeCheck.ocx
Rmoc3260.dll
Scrrun.dll
Shdocvw.dll
SnapfishActivia1000.ocx
SPRTCT-1.dll
SPRTCT-2.dll
SPRTCT-3.dll
Ssrc.exe
STSUPLD.dll (there are 2 of these files)
SymAData.dll
Swg.dll
SymAData.dll
SymXPep2.dll
Tdc.ocx
Tgctlsi.dll
Tgctlsr.dll
Tgctlss.dll
Uploader_uni.ocx
Vgx.dll
WindowsLiveLogin.dll (there are 2 of these files)
Wmp.dll (there are 2 of these files)
Wmpdxm.dll
ZIntro.ocx



