Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hi-Jacked Google/Search Engines


  • This topic is locked This topic is locked
9 replies to this topic

#1 llj68

llj68

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 30 January 2009 - 10:19 PM

Hi There--

I believe (know) that I have been hi-jacked. After doing some research, I found your site and am realizing that this is happening to quite a few users.

Long story short... I use Mozilla/Firefox - the latest version. Sometime about 2 weeks ago, I started getting redirected to various (mostly sales or junk) website whenever I would do a google search. It also happens on any other search engine.

I have run McAfee Virus - full
Ad-Aware - full scan
Malwarebytes - quick scan

While these various scans found a few problems and have corrected/removed them, I am still having the same problems.

Here's my question. I got a brand new hard-drive about 6 weeks ago. After installation, my friend used Norton Ghost and ghosted the new drive. I updated it about a week later and reghosted (12/17). Would it be simpler to just restore my hard drive from the last ghost? When I ghosted it, I was not having any problems whatsoever. Back up data is not a concern as I use an external for all my photos, checkbook, etc.

Also, after reading some of the forums on your site--I'm concerned about the safety of bill paying, etc., online. I have bills that need to go--but don't want to go into my accounts until I'm sure it's safe.

Please advise.

Thanks so much!!!

Lisa

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,077 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:59 AM

Posted 30 January 2009 - 10:29 PM

Please post the results of your MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAB.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format:
      mbam-log-2009-01-12(13-35-16).txt <- your dates will be different from this example
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
Please download GooredFix by jpshortstuff and save it to your Desktop.
  • Double-click Goored.exe to run it.
  • A DOS like window will open.
  • Select option 2. Fix Goored by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • Notepad will open with a log called Goored.txt.
  • Please post the contents of Goored.txt in your next reply (a copy of the log will also be saved to your desktop).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you when usiing GooredFix. Please temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.

Edited by quietman7, 30 January 2009 - 10:31 PM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 llj68

llj68
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 30 January 2009 - 10:49 PM

OK, here is the goored log

GooredFix v1.83 by jpshortstuff
Log created at 22:50 on 30/01/2009 running Option #2 (Lisa)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


Here is the MBAM log:

Malwarebytes' Anti-Malware 1.33
Database version: 1710
Windows 5.1.2600 Service Pack 2

1/30/2009 8:49:59 PM
mbam-log-2009-01-30 (20-49-59).txt

Scan type: Quick Scan
Objects scanned: 66125
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.


Thanks!!

Lisa

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,077 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:59 AM

Posted 30 January 2009 - 11:19 PM

Now rescan again with MBAM but this time perform a Full Scan in normal mode and check all items found for removal. Don't forgot to check for database updates through the program's interface (preferable way) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Then lets do another scan to see if we find anything else that MBAM may have missed.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you cannot boot into safe mode, then perform the above instructions in normal mode.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 llj68

llj68
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 31 January 2009 - 05:14 PM

OK--I've followed the instructions above. This is my MBAM log

Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 2

1/31/2009 2:54:09 PM
mbam-log-2009-01-31 (14-54-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 118804
Time elapsed: 41 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



And here is my SASS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/31/2009 at 04:59 PM

Application Version : 4.25.1012

Core Rules Database Version : 3738
Trace Rules Database Version: 1707

Scan type : Complete Scan
Total Scan Time : 01:49:45

Memory items scanned : 274
Memory threats detected : 0
Registry items scanned : 6075
Registry threats detected : 0
File items scanned : 85148
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Lisa\Cookies\lisa@msnportal.112.2o7[1].txt
C:\Documents and Settings\Lisa\Cookies\lisa@208.122.40[1].txt
C:\Documents and Settings\Lisa\Cookies\lisa@2o7[2].txt
C:\Documents and Settings\Lisa\Cookies\lisa@questionmarket[2].txt
C:\Documents and Settings\Lisa\Cookies\lisa@specificclick[2].txt


I also ran the AFT Cleaner as instructed. After competing the instructions, I tried yahoo, google & MSN searches and am sill having the same problem. The information that comes up "looks" OK until you look at the link where I keep getting sent to searchexplorer, toseeka.com, moxiesearch, monstermarketplace, hotjobs, find-more-here and sites like that.

Do we have a next step? (Also, did I mention that I'm relative computer illiterate and have no idea what I'm doing?) Please advise when you have a moment and thank you so much for your help thus far.

Lisa

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,077 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:59 AM

Posted 31 January 2009 - 05:27 PM

Please perform an online scan with Kaspersky WebScanner.

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste the scan results in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 llj68

llj68
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 31 January 2009 - 09:35 PM

I ran the Kaspersky scan.

Nothing came up.

Any other ideas?

Lisa

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,077 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:59 AM

Posted 01 February 2009 - 07:51 AM

This issue will require further investigation. Before that can be done you will need you to create and post a DDS/HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your log in the thread titled "Post in this thread when you haven't received an answer in five days.".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 llj68

llj68
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 01 February 2009 - 11:46 AM

OK, thanks.

I'm bummed we couldn't just fix it quickly but sincerely appreciate all your help. I'll let you know what happens.

Again, thanks!

Lisa

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,077 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:59 AM

Posted 01 February 2009 - 01:10 PM

Your DDS/HijackThis log is posted here.

After posting a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users