
I have the Google Search problem.



#1 ArchibaldIronfist

ArchibaldIronfist

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:49 PM

Posted 06 January 2009 - 04:48 PM

Hi,

I have been lurking a little while and I notice that there have been several people who are experiencing the same problem as I am with bad URLs on the Google Search Results page (http://www.bleepingcomputer.com/forums/t/191667/redirected-internet-searches-tried-everything/).

After I read this:

Hello Cynthia.

A reformat and clean install is always the best option.

Some experts believe that, once a computer is compromised, it can't be fully trusted again.


...I was thinking that maybe that's what I should do. So, two questions if someone could help me out here:

1) should I do this (will my PC ever 'get better')?

2) if I do this, is it as simple as copying My Docs and my email folders onto an external hard drive and then putting the Windows XP disc in and pressing 'Go'? (Would the bad stuff follow through, hidden in my document files?)

To be honest, I don't mind spending the time beating this thing - if it's actually going to be beaten. If the smart thing to do is to just wipe it all clean and go with a backup copy, I'd rather do that. When I work from home I really, really need my PC or I'm stuffed (UK term for scr***d). Therefore, it'd be better for me to bite the bullet now and go through the pain of setting everything up while I'm on leave than waiting to do that until I'm back at work next week.

I know, I know, impossible question, length of a piece of string etc but thoughts are welcome.

Archibald Ironfist



#2 Tehsplink

Tehsplink

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Near London
  • Local time:05:49 PM

Posted 06 January 2009 - 05:09 PM

Generally you should leave reformatting your PC till the last resort.

Please follow the instructions below to remove the infection.



Please download MalwareBytes Anti-Malware to your desktop.
  • Ensure that your computer is connected to the internet and your software firewall is disabled until instructed to re-enable it.
  • Double click on the mbam-setup.exe to begin the installation process.
  • When the installation begins, please do not change any of the settings and follow the prompts.
  • Please make sure that when you finish the installation, these options remain checked:
    * Update MalwareBytes' Anti-Malware
    * Launch MalwareBytes' Anti-Malware
  • You may now click finish...
  • When MBAM launches, you will be prompted to update before running a scan. If an update is found, MBAM will automatically download and apply the updates and you can then click the 'OK' button to close the box and continue. You may now re-enable your firewall.
  • Please ensure that while you are on the scanner tab the 'Perform Quick Scan' option is selected, then click the 'Scan' button.
  • If you are asked which drives to scan, please leave all of them ticked, and click 'Start Scan'.
  • The scan will now begin and you will see Scan in progress at the top; It may take a while to complete so please be patient.
  • When the scan completes, you will see "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click the 'OK' button to close the box and continue with the removal process.
  • Back on the main scanner screen, click 'Show Results' to see a list of any found Malware.
  • Ensure that all items are checked and then click the 'Remove Selected' button.
  • When the removal process is complete, a log will open in notepad; this log will be automatically saved and you can view it in the logs section of the program.
  • Copy and paste the contents of the log file that is open into your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the Malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Edited by Tehsplink, 06 January 2009 - 05:13 PM.

Please PM me if I have been assisting you and do not reply for 24 hours!

#3 ArchibaldIronfist


Posted 07 January 2009 - 04:06 PM

Thank you TehSplink, panic attack over!

I obtained MalwareBytes Anti-Malware (and also SuperAnti-Spyware and Ad-Aware as well). I figured more info is better. I obtained the latest updates for each one before running them.

Looking at your instructions I actually ran a Full Scan instead of just a Quick Scan. But only on my C Drive. It produced no threats and that log is reproduced below. Re-reading your instructions I thought I ought to scan All Drives so I am now repeating that process. I will add that log as soon as MBAM is finished.

The SuperAntiSpyware Log showed nothing either (that too is below in my second message) - BUT the Ad-Aware log showed two threats (MRU threats?). They are below in the third message. I put them in separate messages to avoid size problems.

Is this okay?

Thank you for helping me out here by the way.

Archibald Ironfist

MBAM LOG
Malwarebytes' Anti-Malware 1.32
Database version: 1628
Windows 5.1.2600 Service Pack 3

07/01/2009 19:37:34
mbam-log-2009-01-07 (19-37-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144691
Time elapsed: 1 hour(s), 0 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 ArchibaldIronfist


Posted 07 January 2009 - 04:07 PM

SuperAnti-Spyware LOG

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/07/2009 at 08:09 PM

Application Version : 4.24.1004

Core Rules Database Version : 3699
Trace Rules Database Version: 1675

Scan type : Complete Scan
Total Scan Time : 00:23:07

Memory items scanned : 482
Memory threats detected : 0
Registry items scanned : 5440
Registry threats detected : 0
File items scanned : 30321
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@server.cpmstar[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt

#5 ArchibaldIronfist


Posted 07 January 2009 - 04:11 PM

Ad Aware LOG (minus the Processes part which is 30 pages long - I can post it if you need it).

Ad-Aware 2008 Free Edition
Log File Created on:
2009-01-07 20:43:25
Using Definitions File:
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\core.aawdef
Computer name:
DAVE
Name of user performing scan:
SYSTEM
Name of user ordering scan:
Owner
Scan completed successfully
System Information
File Version Information
Ad-Aware 2008 Settings
Extended Ad-Aware 2008 Settings
Database Information
Scan Statistics
Scan Detailed Statistics
Infections Found
Listing of running processes
System Information
Number of processors:
2
Processor type:
Intel® Core™2 Duo CPU E6750 @ 2.66GHz
Memory Available:
60%
Total Physical Memory:
2146676736 Bytes
Available Physical Memory:
1287200768 Bytes
Total Page File Size:
4135526400 Bytes
Available On Page File:
3390947328 Bytes
Total Virtual Memory:
2147352576 Bytes
Available Virtual Memory:
1774653440 Bytes
OS:
Microsoft Windows XP 5.1 (Build 2600)
[to top]
File Verion Information
File Version
CEAPI.dll 7,1,0,12
aawservice.exe 7,1,0,12
Ad-Aware.exe 7.1.0.11
[to top]
Ad-Aware 2008 Settings
Skipping files larger than:
1048576 Bytes
Ignoring infections with lower TAI than:
3
Safe Mode:
False
[to top]
Extended Ad-Aware 2008 Settings
Unload malicious processes and modules
Unload Modules
Let Windows remove files at Start-Up
Deactivate Ad-Watch
Re-analyze Scan Result
Delete Restored Items
Write Protect System Files
Create Log file
Include basic settings
Include advanced settings
Include user and computer name
Environment information
Running processes
Running processes and modules
Include info about ignored objects in log file
[to top]
Database Info
Version number:
143
Build Number:
10
Build Date and Time:
2009/01/05 14:24:30
[to top]
Scan Statistics
Method:
Smart

Items Scanned:
150246
Infections Detected:
2
Infections Removed:
0
Infections Quarantined:
0
Infections Ignored:
0
[to top]
Scan Detailed Statistics
Type Critical Total
Process Scan 0 0
Registry Scan 0 0
Registry PE Scan 0 0
Hosts Scan 0 0
File Scan 0 0
Folder Scan 0 0
LSP Scan 0 0
ADS Scan 0 0
Cookie Scan 1 1
File Hash Scan 0 0
[to top]
Infections Found
Family Id Name Category TAI
725 Tracking Cookie DataMiner 3
[408785] Browser: Internet Explorer Cookie: C:\Documents and Settings\Owner\Cookies\index.dat tribalfusion.com ANON_ID /
9999 MRU Object MRU Object 0
[1] MRU Path: C:\Documents and Settings\Owner\Recent Count: 4
Quarantined Objects
Family Id Name Category TAI
Removed Objects
Family Id Name Category TAI

#6 ArchibaldIronfist


Posted 07 January 2009 - 05:59 PM

Latest MBAM LOG (all drives - Full Scan)

Malwarebytes' Anti-Malware 1.32
Database version: 1628
Windows 5.1.2600 Service Pack 3

07/01/2009 22:57:38
mbam-log-2009-01-07 (22-57-38).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 145205
Time elapsed: 1 hour(s), 1 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And again, thanks for helping me out.

#7 ArchibaldIronfist


Posted 10 January 2009 - 03:13 PM

Hi,

I know you guys are all busy and it can take time to get around to helpless people like me (!), so I am just waiting happily. Just letting you know that the problem is still there, so I'd still appreciate the help when you can. Thanks.

Also I was just wondering whether this kind of thing is anything other than a pain in the rear? Is it masking some deeper, more insidious problem like my computer transmitting all kinds of personal and financial details etc?

Archibald Ironfist

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:49 PM

Posted 10 January 2009 - 03:35 PM

Not much of anything showing up in your logs. What browser are you using? Have you performed a full scan with your anti-virus in "Safe Mode"?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 ArchibaldIronfist


Posted 10 January 2009 - 06:41 PM

Hi Quietman7,

I'm using Internet Explorer 7 as a Web Browser.

I haven't tried running a Virus Scan in Safe Mode. I didn't realise that this might have a different effect. Shall I try this then and come back?


Thanks again,

Archibald Ironfist

#10 quietman7


Posted 11 January 2009 - 12:00 AM

Yes.

#11 ArchibaldIronfist


Posted 12 January 2009 - 02:43 PM

Okay. I ran Norton Antivirus in Safe Mode when I got home last night. Just looked at the results and it says it found nothing.

I've just updated SuperantiSpyware and am going to use Bootsafe to run a scan now. I'll try and post results in a couple of hours (otherwise first thing tomorrow a.m. GMT).

Thanks,

Archibald Ironfist

Edited by ArchibaldIronfist, 12 January 2009 - 02:44 PM.


#12 quietman7


Posted 12 January 2009 - 03:20 PM

BootSafe works similarly to the MSConfig SAFE BOOT option in that the Safeboot option modifies the Boot.ini file. After you select the Safe Mode option and scan your computer, you must run BootSafe again and select the option to boot into Normal mode or your computer will continue to boot into Safe Mode. That means you have to go to C:\Program Files\SUPERAntiSpyware and choose the BootSafe program from there.

Keep in mind that using MSConfig to access (force) safe mode when there is malware on your system could have disastrous results and render your computer unbootable. Some types of malware can delete or alter the safeboot key in the registry resulting in the inability to reboot fully into safe mode or back to normal mode. The Safeboot option modifies the Boot.ini file and you may be locked in a continuous reboot loop afterwards where you cannot get back to MSConfig and undo your selection. The same thing can occur with BootSafe as you may not be able to get back to Normal mode and undo your selection. See "Booting into Safe Mode safely".
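The post above says the Safeboot option works by modifying Boot.ini and that the machine keeps booting into Safe Mode until the change is undone. The following check is an added example, not part of the original thread or of either tool: it parses a boot.ini and reports any entry still carrying a `/safeboot` switch. The sample file contents and the function names `parse_boot_ini` and `forced_safe_mode` are constructed for illustration.

```python
import os
import re

# Constructed sample boot.ini (not from the thread): state after Safe Mode was forced.
FORCED_SAFE = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /safeboot:minimal
'''
# The same file once Normal mode has been restored.
NORMAL = FORCED_SAFE.replace(" /safeboot:minimal", "")

# /safeboot as a whole switch, optionally followed by :mode (minimal, network, ...).
SAFEBOOT_RE = re.compile(r"(?<!\S)/safeboot(?::(\S+))?", re.IGNORECASE)


def parse_boot_ini(text):
    """Return (default_path, [(path, description, switches), ...])."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if not sep:
            continue
        if section == "boot loader" and key.strip().lower() == "default":
            default = value.strip()
        elif section == "operating systems":
            m = re.match(r'\s*"([^"]*)"(.*)$', value)
            desc, switches = (m.group(1), m.group(2).strip()) if m else (value.strip(), "")
            entries.append((key.strip(), desc, switches))
    return default, entries


def forced_safe_mode(text):
    """List every OS entry that still carries a /safeboot switch."""
    default, entries = parse_boot_ini(text)
    hits = []
    for path, desc, switches in entries:
        m = SAFEBOOT_RE.search(switches)
        if m:
            hits.append({
                "entry": desc,
                "mode": (m.group(1) or "").lower(),
                # A switch on the default entry means every unattended boot is Safe Mode.
                "is_default": default is not None and path.lower() == default.lower(),
            })
    return hits


if __name__ == "__main__":
    path = r"C:\boot.ini"  # Windows XP location; the constructed sample is used elsewhere
    text = open(path, errors="replace").read() if os.path.exists(path) else FORCED_SAFE
    for hit in forced_safe_mode(text):
        print("Safe Mode still forced:", hit)
```
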

#13 ArchibaldIronfist


Posted 13 January 2009 - 04:08 PM

GULP! I didn't read the above until after I'd used Bootsafe for my SuperAntiSpyware Virus Scan! Luckily, it's okay, but I've printed off your advice to save for future reference, so thank you, Quietman7.

My latest virus scan (as I've just mentioned) concluded that I have no viruses. I've just checked Google though and I still have the problem. Worse, Norton brought up a little dialog box when I tried to click on one saying that an attempt to attack my computer was blocked. I brought up View Details and it said it was a Fake Scan Webpage!

What shall I do next? BTW, I saw in a different thread about a user who has the same Google problem that someone asked him to check under:
System Info - Device Manager and check the Hidden Devices option under the View Tab.
Then look for 'non plug and play devices'. I did that and there was a listing for 'Cardex'. It has an exclamation mark next to it. (spooky!)
The (right click) Properties reveals 3 Tabs: The Driver Tab says that the startup is 'Demand'. The Details Tab says "ROOT\LEGACY_CARDEX\0000"

Is that a virus or one of those Rootkits that I've been hearing about?

Thanks again for your help and time.

#14 ArchibaldIronfist


Posted 15 January 2009 - 06:04 PM

If it's any help the link from that previous post is this one I think: http://www.bleepingcomputer.com/forums/t/194162/google-hijack/

And the following info was on the Device Manager box tabs:
NonPlug & Play Device
CARDEX
Has Exclamation mark by it!
This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)

Drivers
Device stopped
On demand

Device Instance Id

Details
ROOT\LEGACY_CARDEX\0000

Sorry if this is a red herring. I'll just await your guidance on what to do next.

Archibald Ironfist

#15 quietman7


Posted 16 January 2009 - 09:24 AM

Cardex Windows Drivers are related to the system's graphic card.

If there is a problem indicated in Device Manager as you describe, check for any updates that may be available for your drivers. Driver issues are a known source of conflicts that can cause stop errors and BSODs. If you need to update a driver, a convenient place to start is at DriverGuide.com or MrDriver.com. If you're not sure how to update a driver, please read How to update a Windows hardware driver and How to manage devices in Windows XP.



