
Google Redirect


28 replies to this topic

#1 webber

webber

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 09 February 2009 - 10:31 AM

I search in Google and search brings up topics but associated website links are totally unrelated to topic search. I have run Malwarebytes and AdAware programs to try and clear up but to no avail. I downloaded HiJack This and ran but am not familiar with the log and what I should be looking for. Any assistance would be greatly appreciated. Thank you.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,467 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 AM

Posted 09 February 2009 - 01:02 PM

DDS/HijackThis logs are not permitted in this forum. The HJT Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. However, we may be able to assist you here and resolve this issue without having to post a log so let's try that first.

Please post the results of your MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format:
      mbam-log-2009-01-12(13-35-16).txt <- your dates will be different from this example
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you cannot boot into safe mode, then perform the above instructions in normal mode.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 webber

webber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 09 February 2009 - 02:05 PM

MBAM LOG BELOW:

Malwarebytes' Anti-Malware 1.32
Database version: 1618
Windows 5.1.2600 Service Pack 3

2/4/2009 5:49:21 PM
mbam-log-2009-02-04 (17-49-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126987
Time elapsed: 56 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,467 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 AM

Posted 09 February 2009 - 02:07 PM

Your MBAM log indicates you are using an older version of MBAM with an outdated database. Please download and install the most current version (1.33) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

Afterwards, please update the database through the program's interface (preferable way) or manually download the updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

alternate rules.ref download link 1.
alternate rules.ref download link 2.

Note: Mbam-rules.exe is not updated daily. Another way to get the most current definitions is to update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

Edited by quietman7, 09 February 2009 - 02:10 PM.


#5 webber

webber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 09 February 2009 - 04:08 PM

Contents of MBAM log updated:

Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 5.1.2600 Service Pack 3

2/9/2009 4:07:59 PM
mbam-log-2009-02-09 (16-07-59).txt

Scan type: Quick Scan
Objects scanned: 70104
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 webber

webber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 10 February 2009 - 07:21 AM

After running Malwarebytes again I am still experiencing the same redirect in Google...

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,467 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 AM

Posted 10 February 2009 - 09:37 AM

Did the SUPERAntiSpyware scan find anything?

Please download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".
-- Post the log in your next reply and let us know how your computer is running.

#8 webber

webber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 10 February 2009 - 11:55 AM

I downloaded Dr. Web CureIt to the desktop but when I reboot in Safe Mode the icon does not appear. How do I find the icon to launch the program?

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,467 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 AM

Posted 10 February 2009 - 11:58 AM

After rebooting into safe mode, when you are at the logon prompt, make sure you log in as the same user account which you used to download/save/install the file. If not, you may not be able to find the file on your desktop. If you're still having problems finding the file, go back to normal mode and move it to the root of the system drive (usually C:\) where you will be able to easily locate it when going into safe mode.

#10 webber

webber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 10 February 2009 - 04:17 PM

I ran the Dr. Web CureIt program and it found no virus files and subsequently, did not print out a log for me to include in this posting. I rebooted in normal mode and did a search on google.com for "bleeping computer" and the website link it brought up was www.hpshopping.com.

#11 webber

webber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 10 February 2009 - 05:25 PM

Super Anti-Spyware log below. Did not find anything in the scan yesterday.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2009 at 03:55 PM

Application Version : 4.25.1012

Core Rules Database Version : 3747
Trace Rules Database Version: 1714

Scan type : Quick Scan
Total Scan Time : 00:14:15

Memory items scanned : 464
Memory threats detected : 0
Registry items scanned : 472
Registry threats detected : 0
File items scanned : 12421
File threats detected : 0

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:50 AM

Posted 10 February 2009 - 05:26 PM

Hello.

Sorry for jumping in here Quietman7.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have a backup, so in case anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt


How to Restore from the ERUNT Backup
Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

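    @Echo off
    rem Read-only check: dump the drivers32 values to a text file for review.

    rem Remove any earlier report (no /s, so only C:\looking.txt itself is deleted).
    If exist "C:\looking.txt" Del /q "C:\looking.txt"
    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32" >> C:\looking.txt
    Notepad C:\looking.txt

    rem Delete this script, then exit (after Exit, a separate Del line would never run).
    Del "%~f0" & Exit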

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input peek.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on peek.bat, and a black DOS window shall appear and then notepad will soon open. This is normal, please do not panic. Once it's complete, copy and paste the contents of notepad in your next reply.

Note: If you closed notepad accidentally, it can also be found at C:\looking.txt

Post back with looking.txt log please. Next post we will remove the active infection, just need to see something first. This batch will not remove anything, it only looks at a key.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
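
One way to review the looking.txt output requested in the post above, as an added example that is not part of the original thread: it parses two `reg query` captures of the drivers32 key, one from a known-clean machine and one from the machine under review, and reports added, removed and changed values. The function names and every sample value below are constructed for illustration.

```python
import re

# reg.exe prints one value per line as: name, type, data. XP's REG.EXE 3.0
# separates the fields with tabs; later versions use runs of spaces.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S.*?)(?:\t|\s{2,})(?P<type>REG_[A-Z_]+)"
    r"(?:(?:\t|\s{2,})(?P<data>.*))?$"
)

def parse_reg_query(text):
    """Return {value name (lower-cased): (type, data)} from reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:  # banner, blank and key-path lines are not indented and are skipped
            data = (m.group("data") or "").strip()
            values[m.group("name").lower()] = (m.group("type"), data)
    return values

def diff_captures(baseline_text, suspect_text):
    """Compare two captures; names and file names compare case-insensitively."""
    base = parse_reg_query(baseline_text)
    cur = parse_reg_query(suspect_text)
    report = {"added": {}, "removed": {}, "changed": {}}
    for name, (typ, data) in cur.items():
        if name not in base:
            report["added"][name] = data
        elif base[name][0] != typ or base[name][1].lower() != data.lower():
            report["changed"][name] = (base[name][1], data)
    for name in base.keys() - cur.keys():
        report["removed"][name] = base[name][1]
    return report

KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\drivers32\n"

# Constructed sample: capture from a known-clean machine (tab-separated).
BASELINE = (
    "! REG.EXE VERSION 3.0\n\n" + KEY +
    "    midimapper\tREG_SZ\tmidimap.dll\n"
    "    wave\tREG_SZ\twdmaud.drv\n"
    "    msacm.msadpcm\tREG_SZ\tmsadp32.acm\n"
)

# Constructed sample: capture under review (space-separated, placeholder data).
SUSPECT = (
    "\n" + KEY +
    "    midimapper    REG_SZ    MidiMap.dll\n"
    "    wave    REG_SZ    C:\\EXAMPLE\\placeholder.drv\n"
    "    aux1    REG_SZ    example-added.dll\n"
)

if __name__ == "__main__":
    for kind, items in diff_captures(BASELINE, SUSPECT).items():
        for name, detail in sorted(items.items()):
            print(kind, name, detail)
```

A difference from the baseline is only a lead for a human reviewer: installed audio or video codecs legitimately add values under this key.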

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,467 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 AM

Posted 11 February 2009 - 08:41 AM

Not a problem extremeboy. It's a team effort here.

#14 webber

webber
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 11 February 2009 - 08:56 AM

To confirm and clarify your directions before I perform ERUNT download this is how I am interpreting your directions:

I will be downloading and installing the ERUNT program. I will be running the ERUNT program. I will be creating and running a batch script and posting back with log file.

If problems occur I should follow the How To Restore from the ERUNT Backup instructions. I will need the Windows XP CD from installation to perform some of these functions.

Is this correct? Thanks in advance.

Webber

#15 tcgtechnician

tcgtechnician

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 11 February 2009 - 09:16 AM

Webber, before you go through the long process of the ERUNT, try installing Spybot S&D 1.6.2; in numerous cases this has found things that SUPERAntiSpyware and Ad-Aware have not. Make sure it is fully updated, then run a scan in normal mode. If this does not find anything, try once more in safe mode. Then, if this does not help fix the issue, default back to the ERUNT.



