
Google search being Hi-jacked


19 replies to this topic

#1 Jimr101


Posted 08 December 2009 - 02:52 PM

Hi Folks, needing some help. When searching the internet I keep getting redirected to sites I have not searched for. Previously had a problem with Antivirus SystemPro that was removed with Avira Antivir & Malwarebytes; is this re-direct part of the same problem or something new I got?

Please Help if possible

Jim


#2 boopme


Posted 08 December 2009 - 04:21 PM

Hello let's take a look and see..
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Jimr101


Posted 08 December 2009 - 06:51 PM

Hi Boopme
Started to follow your instructions
Scanned with MalwareBytes, no threats found see log

Malwarebytes' Anti-Malware 1.42
Database version: 3319
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.2180

08/12/2009 23:10:19
mbam-log-2009-12-08 (23-10-19).txt

Scan type: Quick Scan
Objects scanned: 150309
Time elapsed: 13 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
=========================

Then downloaded ATF Cleaner & Superware as instructed.
Then tried to reboot in safe mode, where I had a problem: a blue screen appears saying a problem has been detected.

Technical info was as follows STOP: 0x0000007L (0xC0000005,0x80537009,0xF79E4508,0xf79E4204)

Any ideas

#4 Jimr101


Posted 08 December 2009 - 07:46 PM

Boopme
Found these files in a folder C:Windows/temp/NDP1.1sp1-KB953297-X86

Files named as follows:- NDP1.1sp1-KB953297-X86-msi.0 & NDP1.1sp1-KB953297-X86-wrapper
Are they legit, do you recognise the files? Don't worry, I ain't done anything with them.

#5 boopme


Posted 08 December 2009 - 09:53 PM

Hello, they may be related to a Windows update that may have failed. See this MSFT post.
http://www.microsoft.com/communities/newsg...p;sloc=&p=1


Let's upload this file for a second opinion on what it actually is..

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the tab pictured in the post (image not preserved).
  • Click the button pictured in the post (image not preserved).
  • Check all seven boxes (image not preserved).
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button pictured in the post (image not preserved). Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#6 Jimr101


Posted 09 December 2009 - 05:56 AM

Hi Boopme
Following your instructions, at the loading Jotti page & selecting browse, I need an explanation of how I navigate for ,filepath.suspect.file

Cheers
Jim

#7 Jimr101


Posted 09 December 2009 - 07:17 AM

hi
Checked the two files in post 4 with Jotti, nothing found (could not see a report log). Here is the RootRepeal log you asked me to run:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/09 11:01
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9A828000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_5lp2zqpk2qrghyp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_f9q2cg2ktezmnbp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_fju6hlpfdfpjugq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ccbkdjlb5buawqr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_tdjsg1znxviucxh
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_kncpki5ihpgnliz
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_etumnplmdivlmch
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_mwo4pgck1rk29co
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_goineggzucymlpq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_hfijschiklno9d0
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_hktbkyksabxg0dc
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa28cf0b0

==EOF==

Sorry to distract you from Post 3 where I cannot start in safe mode

Jim
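A small triage helper for logs in the layout RootRepeal prints above, added here as an example and not part of this thread. The sample log and the unknown.sys entries are constructed, and the benign patterns (the locked hibernation file, Firefox's sqlite temp files, the installed security product's SSDT hook) are assumptions drawn from the entries the posted log shows.

```python
import re

# Constructed sample in the layout of the RootRepeal log posted above;
# the unknown.sys entries are invented to exercise the suspect path.
SAMPLE_LOG = """ROOTREPEAL (c) AD, 2007-2009

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\windows\\temp\\sqlite_5lp2zqpk2qrghyp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\\windows\\system32\\drivers\\unknown.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xa28cf0b0
#: 41 Function Name: NtCreateFile
Status: Hooked by "c:\\windows\\system32\\drivers\\unknown.sys" at address 0xa0000000

==EOF==
"""

# Assumed-benign patterns: hiberfil.sys is always locked, Firefox's sqlite temp
# files show the allocation mismatch, and the installed scanner hooks the SSDT.
BENIGN = (r"\\hiberfil\.sys$", r"\\temp\\sqlite_[a-z0-9]+$", r"\\SUPERAntiSpyware\\")

SECTION_RE = re.compile(r"\n(\S[^\n]*)\n-{5,}\n(.*?)(?=\n\S[^\n]*\n-{5,}\n|\n==EOF==)", re.S)
FILE_RE = re.compile(r"Path: (.+)\nStatus: (.+)")
HOOK_RE = re.compile(r'#: (\d+) Function Name: (\w+)\s+Status: Hooked by "([^"]+)"')

def sections(log):
    """Split the log into {heading: body} using the dashed underline RootRepeal prints."""
    return dict(SECTION_RE.findall(log))

def is_benign(path):
    return any(re.search(pat, path, re.I) for pat in BENIGN)

def triage(log):
    """Return hidden/locked files and SSDT hooks that match no benign pattern."""
    secs = sections(log)
    files = [(p, s) for p, s in FILE_RE.findall(secs.get("Hidden/Locked Files", ""))
             if not is_benign(p)]
    hooks = [(int(n), fn, drv) for n, fn, drv in HOOK_RE.findall(secs.get("SSDT", ""))
             if not is_benign(drv)]
    return {"suspect_files": files, "suspect_hooks": hooks}
```

Run against the posted log, every entry matches a benign pattern and both lists come back empty; the constructed unknown.sys driver is what an invisible file hooking NtCreateFile would look like.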

#8 boopme


Posted 09 December 2009 - 10:46 AM

Not a problem.

C:Windows/temp/NDP1.1sp1-KB953297-X86

Open ...My Computer
Double click C: drive
scroll to ... Windows double click it to expand
scroll to ... temp double click it to expand
look for this file.... NDP1.1sp1-KB953297-X86 to send to Jotti

#9 Jimr101


Posted 09 December 2009 - 11:09 AM

Ok
Managed that prior to your reply, posted results in post 7.

Ref your post 2 & my post 3, still have not been able to start PC in safe mode; what do I do now?

jim

#10 boopme


Posted 09 December 2009 - 11:25 AM

We need to run a repair install, NOT a full one, to fix safe mode. You need your install CD.

Michael Stevens Tech

#11 Jimr101


Posted 10 December 2009 - 12:41 PM

Boopme
I have my Windows XP Reinstallation CD & have backed up my files.
Can you explain in detail the steps I take from switching the computer on?

Thanks

Jim

#12 boopme


Posted 10 December 2009 - 02:30 PM

1/ Boot the computer using the XP CD.

2/ When you see the "Welcome To Setup" screen, you will see the options below:
    This portion of the Setup program prepares Microsoft
    Windows XP to run on your computer:

    To setup Windows XP now, press ENTER.

    To repair a Windows XP installation using Recovery Console, press R.

    To quit Setup without installing Windows XP, press F3.

3/ Press Enter to start the Windows Setup. You DO NOT want the Recovery Console option.

4/ Accept the License Agreement

5/ Select the XP installation you want to repair from the list and press R to start the repair. If Repair is not one of the options, END setup.

6/ Setup will copy the necessary files to the hard drive and reboot.
Do not press any key to boot from CD when the message appears. Setup will continue as if it were doing a clean install, but your applications and settings will remain intact.

7/ Reapply updates or service packs applied since initial Windows XP installation.

For help with these.. Click HERE.
Click .. •Skip to Repair Install
Follow from step 7.

#13 Jimr101


Posted 10 December 2009 - 02:41 PM

Boopme
How do I boot using the XP disk? That's the thing I don't know how to do.

Cheers

Jim

#14 boopme


Posted 10 December 2009 - 08:22 PM

The boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot sequence, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer’s BIOS which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to Changing Your Computers Boot Order.

#15 Jimr101


Posted 11 December 2009 - 12:28 PM

Boopme
OK, done that now. A whole list of files under E:\I386 would not copy from the Windows disc, so I had to cancel them to continue.

File extensions were .dl .ex
Do I carry on from the earlier problem I had when trying to boot in safe mode (so as to run ATF Cleaner & SUPERAntiSpyware)?
What needs to be done next?

Cheers

Jim

P.S. tell me we are progressing LOL



