
Search engine redirect problem


17 replies to this topic

#1 hypergolic

hypergolic

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:23 PM

Posted 23 August 2009 - 07:19 AM

Hi,
I'm new to the forum and a relative novice at this sort of thing. I've recently suffered quite a few virus problems which seem to have been sorted by scans from various spyware applications. But I'm now experiencing a search engine problem. Every time I try and search for something using Google or Yahoo (etc) the list of results comes up as normal but when I click to go to a link I get redirected to a random search engine (such as Britannia or Skooble etc) and I can't access the links that I want.
If I type the website I want directly into the address bar then I go to the site without a problem so it seems to be an issue linked directly to my use of search engines. I know from reading through a few other posts that other people seem to be suffering the same problem.

I've run virus / malware scans with McAfee, Spyware Doctor, Ad-Aware, Spybot:Search & Destroy but none of these can find a problem or any suspicious files.

Someone suggested running Combofix - which I did before finding the recommendation in this forum not to run it unless you're a professional - It doesn't seem to have done any obvious damage but I wish I'd come to this forum before running it!! :flowers:

I do have Hijack This - but am not posting a log here (unless requested) as I've read the directions that ask not to post them in this section of the forum.

I'm running Windows XP and Internet Explorer 8.

Can anyone help?? This is driving me insane!! :thumbsup:

Thank-you in advance.



#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:23 AM

Posted 23 August 2009 - 05:57 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.



Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 hypergolic


Posted 24 August 2009 - 03:03 PM

Hi Computer Pro,
Thank-you for coming to my aid!!
I've downloaded and run mbam - the scan didn't find any malicious files. Here's all that came up on the scan log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

24/08/2009 20:58:31
mbam-log-2009-08-24 (20-58-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192745
Time elapsed: 1 hour(s), 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Computer Pro


Posted 24 August 2009 - 05:25 PM

Ok, let's run a rootkit scan:

Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the FILES tab, then click the Scan button.
* In the Select Drives dialog, Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#5 hypergolic


Posted 25 August 2009 - 11:52 AM

Hi,
Here's the report from the rootrepeal scan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 17:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_mkc2udnhejkkbvo
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_qwhd8bnwnnt7k6d
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_rqtmbgc23nazpbx
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_vwfanndi8gtjbc3
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_vzardns674ivujg
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_cnrnnouwzgk08he
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_e0wohg0gvnnbak7
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_qnwflqtnjgqaqyw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\amy shutler\local settings\temp\_recordpad_rl
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\amy shutler\local settings\temp\~dfa625.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

#6 Computer Pro


Posted 25 August 2009 - 04:42 PM

Ok, let's try another AntiRootkit Scan.

Please download Sophos Anti-rootkit & save it to your desktop.
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Credits to DaChew
Be sure to print out and read the User Manual and Release Notes
Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
Make sure the following are checked:
o Running processes
o Windows Registry
o Local Hard Drives

Click Start scan.
Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
o Files tagged as Removable: No are not marked for removal and cannot be removed.
o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
After reboot, a dialog box displays the files you selected for removal and the action taken.
Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
Disconnect from the Internet or physically unplug your Internet cable connection.
Clean out your temporary files.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Computer Pro

#7 hypergolic


Posted 26 August 2009 - 02:07 PM

Hi,
I've run the anti rootkit scan as directed. It picked up 16 hidden files - I wasn't able to fix any of them as they were all listed as removable but removal not recommended.

Scan log pasted below:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 26/08/2009 at 19:08:27
User "Amy Shutler" on computer "LAPTOP"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\JZFS1S56\IAAAAAAAIAAwAAAAAAnQ12SyMBAAAAAAAAAGM2ZjUwZTEyLTkwODUtMTFkZS05OGMyLTAwMWIyNGJlNWIxYQAAAAAAAAA=,,http%3A%2F%2Fmy.deviantart[1].com%2Fmessages%2F,;ord=1251101511
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\JZFS1S56\IAAAAAAAIAAwAAAAAAtKADTiMBAAAAAAAAADgxMzZkZDg4LTkwZTktMTFkZS1iNTdiLTAwMzA0OGQ3MjZiYQAAAAAAAAA=,,http%3A%2F%2Fmy.deviantart[1].com%2Fmessages%2F,;ord=1251144343
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\RRZM5FMG\IAAAAAAAIAAwAAAAAAm4N8UiMBAAAAAAAAADMzNTYzYjY4LTkxOTgtMTFkZS05OGMxLTAwMWU2ODQ5ZjJlNQAAAAAAAAA=,,http%3A%2F%2Fmy.deviantart[1].com%2Fmessages%2F,;ord=1251219375
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\JZFS1S56\IAAAAAAAIAAwAAAAAAUYJ9UiMBAAAAAAAAADVhMzNjY2I0LTkxOTgtMTFkZS1iMmI0LTAwMWU2ODU3MzlmOQAAAAAAAAA=,,http%3A%2F%2Fmy.deviantart[1].com%2Fmessages%2F,;ord=1251219440
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\JZFS1S56\=300x250;u=ea313f6e030b46439a3bfb974bab7541;ord=17HZK8EY2NNY1ZN0HXRX;s=82;s=36;s=129;s=25;s=k170;s=k82;s=k132;s=k104;s=k133;s=m4;s=m1;z=903;z=896;tile=1[1].htm
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\CAD0WD0H\z=728x90;u=f30578eaa17c41b0a981587c81df1d08;ord=17HZK8EY2NNY1ZN0HXRX;s=82;s=36;s=129;s=25;s=k170;s=k82;s=k132;s=k104;s=k133;s=m1;s=m4;z=903;z=896;tile=2[1].htm
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\CAD0WD0H\sz=300x250;u=9ec4db5418df48fc9b4c3790b87f730f;ord=0EQWA9PCH5K5C57GXXDN;s=82;s=36;s=129;s=25;s=k138;s=k33;s=k82;s=k81;s=k130;s=m4;s=m1;z=916;z=896;tile=1[1].htm
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\JZFS1S56\;sz=728x90;u=33c346d4ccab46a88e9019c45ababa65;ord=0EQWA9PCH5K5C57GXXDN;s=82;s=36;s=129;s=25;s=k138;s=k33;s=k82;s=k81;s=k130;s=m1;s=m4;z=916;z=896;tile=2[1].htm
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\NQYKAQNQ\8;kpu=BBCWorldwide;khd=0;kt=K;ko=p;kpid=18;kga=-1;kr=F;u=YxNGds4HoZ8_18;kgg=-1;kcr=gb;afv=1;ref=fvwp;dc_dedup=1;shortform=1;pos=pre;tile=1;ord=727001872[1].asx
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\RRZM5FMG\;khd=0;kt=K;ko=p;kpid=18;kga=-1;kr=F;u=YxNGds4HoZ8_18;kgg=-1;kcr=gb;afv=1;ref=fvwp;dc_dedup=1;shortform=1;pos=pre;dc_seed=217181456;tile=1;ord=876323325[1].htm
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\JZFS1S56\Worldwide;khd=0;kt=K;ko=p;kpid=18;kga=-1;kr=F;u=YxNGds4HoZ8_18;kgg=-1;kcr=gb;afv=1;ref=fvwp;dc_dedup=1;shortform=1;dc_seed=217181456;tile=1;ord=28997610[1].asx
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\RRZM5FMG\et=1;v=1;pid=19311725;aid=217181456;ko=6;cid=32925397;rid=32943274;rv=1;&timestamp=1251233961390;eid1=12;ecn1=1;etm1=7;eid2=11;ecn2=1;etm2=0;&_dc_ck=try[1].gif
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\JZFS1S56\et=1;v=1;pid=19311725;aid=217181456;ko=6;cid=32925397;rid=32943274;rv=1;&timestamp=1251233968953;eid1=18;ecn1=1;etm1=0;eid2=12;ecn2=0;etm2=7;&_dc_ck=try[1].gif
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\NQYKAQNQ\activity;src=2306793;met=1;v=1;pid=19311725;aid=217181456;ko=6;cid=32925397;rid=32943274;rv=1;&timestamp=1251233976578;eid2=12;ecn2=0;etm2=7;&_dc_ck=try[1].gif
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\NQYKAQNQ\et=1;v=1;pid=19311725;aid=217181456;ko=6;cid=32925397;rid=32943274;rv=1;&timestamp=1251233985640;eid1=13;ecn1=1;etm1=0;eid3=12;ecn3=0;etm3=8;&_dc_ck=try[1].gif
Hidden: file C:\Documents and Settings\Amy Shutler\Local Settings\Temporary Internet Files\Content.IE5\RRZM5FMG\IAAAAAAAIAAwAAAAAARFPBVyMBAAAAAAAAADAzNDYwMDYwLTkyNjYtMTFkZS1hMDQxLTAwMzA0ODYzMmFhZQAAAAAAAAA=,,http%3A%2F%2Fmy.deviantart[1].com%2Fmessages%2F,;ord=1251307770
Stopped logging on 26/08/2009 at 19:39:42

#8 Computer Pro


Posted 26 August 2009 - 04:28 PM

And you are still getting redirected, correct?
Computer Pro

#9 hypergolic


Posted 27 August 2009 - 01:39 AM

Hi Computer Pro,
Yes, I'm still having problems when I use search engines.
Search engines such as Google bring up a list of possible sites based on my keywords but when I click on any of the links I'm redirected to another random search engine site displaying links linked tenuously to my original search but not what I'm looking for.
The site that I seem to be redirected through most commonly is something called skooble. The page seems to go to skooble for a second or so and is then redirected to something else. I caught a brief look at the address bar which started with http:\\102.skooble.com followed by a long address which I didn't catch (I've tried to copy the whole thing but I'm not quick enough to catch it before it redirects to another site)

I've just tried a search on google for skooble and ended up at a blinkx video site for G Force the video game. (now ordinarily dancing guinea pigs would make me smile but not when I'm searching for something completely different - darn guinea pigs) :thumbsup:

Other sites I'm being redirected to are search.pro, info.com, easyinquire.com, purequery.com, whenever I search for anything to do with antivirus info I get redirected to a stopzilla site amongst others.

I'm being redirected on google no matter what google search I'm using, so image search, news search and web searches are all being redirected.

Sorry this is being a pain - I really do appreciate your help!!!

#10 Computer Pro


Posted 27 August 2009 - 05:16 PM

Ok, let's try SmitFraud Fix:

Please download SmitFraudFix
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Computer Pro

#11 hypergolic


Posted 28 August 2009 - 01:33 AM

Hi,
Have scanned with SmitFraudFix, log of results pasted below:

SmitFraudFix v2.423

Scan done at 7:27:00.40, 28/08/2009
Run from C:\Documents and Settings\Amy Shutler\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Amy Shutler\Desktop\SmitfraudFix\Policies.exe
C:\Documents and Settings\Amy Shutler\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Amy Shutler


C:\DOCUME~1\AMYSHU~1\LOCALS~1\Temp


C:\Documents and Settings\Amy Shutler\Application Data


Start Menu


C:\DOCUME~1\AMYSHU~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Intel® PRO/Wireless 3945ABG Network Connection
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB19AB70-F6E5-4751-93D8-8615953BDD9F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BB19AB70-F6E5-4751-93D8-8615953BDD9F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BB19AB70-F6E5-4751-93D8-8615953BDD9F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Scanning for wininet.dll infection


End
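
Added example, not part of any post in this thread: a small Python reader for the DNS section of a SmitFraudFix report like the one above, listing every name-server setting and marking those that point outside the local network. The sample text is constructed; its `NameServer=` line, the 203.0.113.53 address and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of the "DNS" section shown in the log above.
# The last line (a static NameServer with an off-LAN address) is made up for contrast.
SAMPLE_DNS_SECTION = r"""
DNS

Description: Example Wireless Adapter
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=203.0.113.53 192.168.0.1
"""

# "<registry path>: DhcpNameServer=<addresses>" or "...: NameServer=<addresses>"
ENTRY_RE = re.compile(
    r"^(?P<source>HKLM\\SYSTEM\\[^:]+):\s*"
    r"(?P<name>DhcpNameServer|NameServer)=(?P<value>.*)$"
)
ORDER_RE = re.compile(r"^DNS Server Search Order:\s*(?P<value>.*)$")

# Ranges treated as "on this machine or LAN" (RFC 1918, loopback, link-local).
# Listed explicitly because ipaddress.is_private also covers documentation ranges.
LAN_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def scope(addr):
    """Return 'lan', 'external' or 'invalid' for one address string."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "lan" if any(ip in net for net in LAN_NETS) else "external"


def parse_dns_section(text):
    """Return (source, setting, address, scope) for each name server listed."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            source, name, value = m.group("source", "name", "value")
        else:
            m = ORDER_RE.match(line)
            if not m:
                continue
            source, name, value = "adapter", "SearchOrder", m.group("value")
        # Values may hold several addresses separated by spaces or commas.
        for addr in re.split(r"[,\s]+", value.strip()):
            if addr:
                rows.append((source, name, addr, scope(addr)))
    return rows


def resolvers_to_review(rows):
    """Map each non-LAN (or unparseable) address to the settings that name it."""
    found = {}
    for source, name, addr, sc in rows:
        if sc != "lan":
            found.setdefault(addr, []).append(f"{source}: {name}")
    return found


if __name__ == "__main__":
    parsed = parse_dns_section(SAMPLE_DNS_SECTION)
    for source, name, addr, sc in parsed:
        print(f"{sc:8} {addr:15} {name:14} {source}")
    for addr, places in resolvers_to_review(parsed).items():
        print(f"review {addr}: set in {len(places)} place(s)")
```

In the log posted above every entry is 192.168.0.1, a private LAN address, so this check would list nothing for review; the report shows only which resolver the PC asks, not what that device forwards queries to.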

#12 Computer Pro


Posted 29 August 2009 - 05:39 PM

Well this one has just about stumped me. Anyone else have any ideas?
Computer Pro

#13 Computer Pro


Posted 30 August 2009 - 01:04 PM

?
Computer Pro

#14 hypergolic


Posted 31 August 2009 - 02:41 PM

Oh well, it looks like this has stumped pretty much everyone. I guess I'll keep trying virus scans on this to see if they can pick anything up. If nothing turns up then it might end up that I'll just have to format the hard drive and start from scratch.
The situation seems to have got a bit worse today as I've just been redirected from a page that wasn't a search engine.
Thanks for helping out Computer Pro - I really appreciate it!!
If I find out what's been causing this problem then I'll make sure I update this thread.

#15 Computer Pro


Posted 01 September 2009 - 05:20 PM

Ok, and please be sure to let me know.

But sometimes reformatting is the best decision because the infection has got so bad that it's just best to start over. But it's all down to your choice.
Computer Pro



