Search Engine (Yahoo, Google, and Bing) Redirection to nonrelated sites


  • This topic is locked
38 replies to this topic

#1 tommiebob11

tommiebob11

  • Members
  • 21 posts

Posted 17 July 2009 - 12:17 PM

I'm having problems with Google, Yahoo, and Bing searches directing me to nonrelated sites. This just started yesterday afternoon, probably after trying to download an update to Flash Player HD (?). Also some websites are loading really slow.

I have Windows XP home edition and run IE8.


1st I tried System Restore, but it just stops after I pick a date to restore to.

2nd I downloaded GMER and ran it. It showed 4 areas with possible rootkit problems, but didn't highlight them in red and I couldn't fix them.

3rd I downloaded Sophos Anti-Rootkit software and ran it. The check took 41 minutes and came up with 16 files, but didn't recommend fixing any of those.

4th I downloaded HiJackThis from Trend Micro, Inc. and ran the scan. Trend sent me to this forum for help.



#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts

Posted 17 July 2009 - 12:20 PM

Hello and welcome to Bleeping Computer

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right-hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.



Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 tommiebob11

tommiebob11
  • Topic Starter

  • Members
  • 21 posts

Posted 17 July 2009 - 12:36 PM

Tried clicking on your Malware link, didn't work and got the following message:

Internet Explorer cannot display the webpage

BTW, Thanks for the welcome and the help.

#4 tommiebob11

tommiebob11
  • Topic Starter

  • Members
  • 21 posts

Posted 17 July 2009 - 12:38 PM

BTW, Thanks for the welcome and for your help.

#5 Computer Pro

Computer Pro

  • Members
  • 2,448 posts

Posted 17 July 2009 - 12:58 PM

You're welcome. I'm sorry, but the link that I posted is down. Please download from here: Malwarebytes


Make sure to download the free version and then follow my same directions above from there.

Edited by Computer Pro, 17 July 2009 - 01:01 PM.

Computer Pro

#6 tommiebob11

tommiebob11
  • Topic Starter

  • Members
  • 21 posts

Posted 17 July 2009 - 01:05 PM

Won't let me into that page either. Same message.

Internet Explorer cannot display the webpage

#7 Computer Pro

Computer Pro

  • Members
  • 2,448 posts

Posted 17 July 2009 - 01:10 PM

Please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
Computer Pro

#8 tommiebob11

tommiebob11
  • Topic Starter

  • Members
  • 21 posts

Posted 17 July 2009 - 01:24 PM

When I click on the exe file I get:

could not read boot sector. try adjusting disk access level in the options dialogue


After I hit the ok button five times, it gives me this:

could not find module file on disk


Then it runs and give me this report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/17 11:16
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF712E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8E22000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3233000 Size: 49152 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULuxrlxfuxnsksvynkridqxphixhhwromv.dll]
Process: svchost.exe (PID: 688) Address: 0x10000000 Address: 57344

Object: Hidden Module [Name: ESQULlphewdmaxmqpmjrqjpiqlrdymetkuydi.dll]
Process: iexplore.exe (PID: 3220) Address: 0x10000000 Address: 237568

Object: Hidden Module [Name: ESQULlphewdmaxmqpmjrqjpiqlrdymetkuydi.dll]
Process: iexplore.exe (PID: 3300) Address: 0x10000000 Address: 237568

Object: Hidden Module [Name: ESQULlphewdmaxmqpmjrqjpiqlrdymetkuydi.dll]
Process: iexplore.exe (PID: 2072) Address: 0x10000000 Address: 237568

==EOF==

#9 Computer Pro

Computer Pro

  • Members
  • 2,448 posts

Posted 17 July 2009 - 01:34 PM

Please open RootRepeal, then click Options. Then settings. Please slide the Slider under the General Tab to the lowest that it can go (High Level), then go back to the report tab, and scan again with the same directions.
Computer Pro

#10 tommiebob11

tommiebob11
  • Topic Starter

  • Members
  • 21 posts

Posted 17 July 2009 - 01:43 PM

Changed the options settings to High Level, report tab, scan.

After the scan it gave me an error message of:

could not read system registry! please contact the author

Then it spit out the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/17 11:40
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF712E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8E22000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2A78000 Size: 49152 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULuxrlxfuxnsksvynkridqxphixhhwromv.dll]
Process: svchost.exe (PID: 688) Address: 0x10000000 Address: 57344

Object: Hidden Module [Name: ESQULlphewdmaxmqpmjrqjpiqlrdymetkuydi.dll]
Process: iexplore.exe (PID: 3220) Address: 0x10000000 Address: 237568

Object: Hidden Module [Name: ESQULlphewdmaxmqpmjrqjpiqlrdymetkuydi.dll]
Process: iexplore.exe (PID: 3300) Address: 0x10000000 Address: 237568

Object: Hidden Module [Name: ESQULlphewdmaxmqpmjrqjpiqlrdymetkuydi.dll]
Process: iexplore.exe (PID: 2072) Address: 0x10000000 Address: 237568

==EOF==
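
Added example, not part of the original thread: a short Python parser for the Stealth Objects section of a RootRepeal report like the one above, grouping each hidden module by the processes that host it. The function names are illustrative, and the embedded report is a shortened excerpt of the one posted in this thread.

```python
import re
from collections import defaultdict

# Shortened excerpt of the RootRepeal report posted in this thread.
REPORT = """
Drivers
-------------------
Name: rootrepeal.sys

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULuxrlxfuxnsksvynkridqxphixhhwromv.dll]
Process: svchost.exe (PID: 688) Address: 0x10000000 Address: 57344
Object: Hidden Module [Name: ESQULlphewdmaxmqpmjrqjpiqlrdymetkuydi.dll]
Process: iexplore.exe (PID: 3220) Address: 0x10000000 Address: 237568
Object: Hidden Module [Name: ESQULlphewdmaxmqpmjrqjpiqlrdymetkuydi.dll]
Process: iexplore.exe (PID: 3300) Address: 0x10000000 Address: 237568

==EOF==
"""

OBJ = re.compile(r"Object: Hidden Module \[Name: ([^\]]+)\]")
PROC = re.compile(r"Process: (\S+) \(PID: (\d+)\) Address: (0x[0-9A-Fa-f]+)")

def parse_hidden_modules(report):
    """Return (module, process, pid, base) for each Stealth Objects entry."""
    entries, section, prev, module = [], None, "", None
    for line in (raw.strip() for raw in report.splitlines()):
        if line and set(line) == {"-"}:
            section, module = prev, None   # dashed rule: previous line was a header
        elif section == "Stealth Objects":
            obj, proc = OBJ.match(line), PROC.match(line)
            if obj:
                module = obj.group(1)
            elif proc and module:
                entries.append((module, proc.group(1), int(proc.group(2)), int(proc.group(3), 16)))
                module = None
        prev = line
    return entries

def hosts_by_module(entries):
    """Map each hidden module name to the sorted (process, pid) pairs hosting it."""
    hosts = defaultdict(list)
    for module, process, pid, _base in entries:
        hosts[module].append((process, pid))
    return {name: sorted(pairs) for name, pairs in hosts.items()}

if __name__ == "__main__":
    print(hosts_by_module(parse_hidden_modules(REPORT)))
```

Running the same function over two saved reports and comparing the returned dictionaries shows whether the same hidden modules are still loaded after a rescan.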

#11 Computer Pro

Computer Pro

  • Members
  • 2,448 posts

Posted 17 July 2009 - 01:46 PM

Ok, is there a way that you could transfer over the Malwarebytes setup file from a clean computer to this one via USB stick, CD, or any other device?
Computer Pro

#12 tommiebob11

tommiebob11
  • Topic Starter

  • Members
  • 21 posts

Posted 17 July 2009 - 01:49 PM

I don't have another computer here at home. I could probably find a neighbor that I could access the site from and then put it on a USB stick.

#13 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:31 AM

Posted 17 July 2009 - 01:56 PM

Ok, please do that. But before you save it to your thumb drive from the clean computer, please rename the file to ZZtoy.exe and then save it. Then follow the Malwarebytes instructions.
Computer Pro

#14 tommiebob11

tommiebob11
  • Topic Starter

  • Members
  • 21 posts

Posted 17 July 2009 - 03:21 PM

Well it's lunch time here in Oregon, and I can't get a hold of anybody. I'll get the file sooner or later and then post the results. Maybe take a little while. Thanks for the help.

#15 Computer Pro

Computer Pro

  • Members
  • 2,448 posts

Posted 17 July 2009 - 03:27 PM

You're welcome.
Computer Pro



