
Search results redirect to ad pages



#1 psych1610

psych1610

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 19 December 2009 - 11:35 AM

Hi there, I'd appreciate any help that can be provided. Recently (as of 3-4 days ago) my father's computer started acting up. Any search results through any search engine spread across Internet Explorer and Firefox would redirect toward ad pages, for instance, hxxp://newserversearch.com

Firefox informs me that it can't load the page, however. Other redirects are also possible, the above is just one example.

Through Internet Explorer I can choose to diagnose network connections when the above redirect link appears, and it will take me to the intended page.

Occasionally searches work on the first try, but if repeated will take you to the above listed redirect. Sometimes they don't even work on the first try.

Whatever this thing is got right past NOD32. I scanned using Malwarebytes, Windows Defender, Ad-Aware, and Spybot Search and Destroy, removing everything they found. The problem still occurs.

Upon looking through What's Running: http://www.whatsrunning.net/ I discovered that a program called zagrebland was running with a process called c.exe and was set to start up every time the computer did. I removed the entries for this through What's Running. I'm sure there is an entry for it in the registry (I found it in fact), but I'd rather not go through deleting things from the registry all willy nilly.

I found an article here at Bleeping Computer relating to zagrebland.exe: www.bleepingcomputer.com/startups/b.exe-25366.html

An interesting fact: all searches, etc., still work normally in safe mode, which means to me that something is still running even though I can't see c.exe, b.exe, or zagrebland anymore.

Operating System is Windows XP SP3, all updates. Affected browsers are Firefox v 3.5.6 and Internet Explorer 8. A reinstall of Firefox did not solve the problem.

I'd really appreciate any help with this matter since I'd like to get something figured out without a format.

Thank you very much for your time with this. I'll be more than happy to provide any extra details you need.

Edited by Orange Blossom, 27 December 2009 - 12:50 PM.
Deactivate link. ~ OB




#2 MATTSPCHELP

MATTSPCHELP

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Leicester, United kingdom
  • Local time:06:24 PM

Posted 19 December 2009 - 11:46 AM

Install avast Anti Virus and allow it to perform an on-boot scan. Let us know if after the scan it finds anything or if the issue is fixed.
Microsoft Certified Desktop Support Technician

#3 psych1610

psych1610
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 19 December 2009 - 01:15 PM

Hi, thanks for the speedy reply. I did as you suggested and nothing was found. Problem still exists.

12/19/2009 12:45
Scan of all local drives

Number of searched folders: 3649
Number of tested files: 21921
Number of infected files: 0

#4 MATTSPCHELP

MATTSPCHELP

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Leicester, United kingdom
  • Local time:06:24 PM

Posted 20 December 2009 - 04:16 PM

I would suggest ComboFix but it is unavailable at the moment.
Microsoft Certified Desktop Support Technician

#5 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:24 PM

Posted 20 December 2009 - 06:35 PM

Hello and welcome to Bleeping Computer. Regarding ComboFix, please read the warning at the top of this thread:

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.



Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Finally, press submit.


Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to download the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Computer Pro

#6 psych1610

psych1610
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 21 December 2009 - 09:02 PM

Hi, thanks a lot for the reply. I did as you instructed in your directions. The following is a copy of the log:

pskill.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.;
A0009686.exe;C:\System Volume Information\_restore{E9312970-0706-4E7F-9BA4-7098817D3D40}\RP4;Tool.Prockill;Incurable.Moved.;

I accidentally deleted the first entry found during the express scan you mentioned in the first part of the directions. The last one, as you can see, was moved.

#7 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:24 PM

Posted 21 December 2009 - 10:04 PM

Can you please post your Malwarebytes log? It can be found under the "Logs" tab of the program.
Computer Pro

#8 psych1610

psych1610
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 22 December 2009 - 12:03 PM

Hi, thanks again for the reply. The following is the most recent log from Malwarebytes:

Malwarebytes' Anti-Malware 1.42
Database version: 3408
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/22/2009 12:00:03 PM
mbam-log-2009-12-22 (11-59-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116724
Time elapsed: 14 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E9312970-0706-4E7F-9BA4-7098817D3D40}\RP1\A0001024.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{E9312970-0706-4E7F-9BA4-7098817D3D40}\RP5\A0009743.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{E9312970-0706-4E7F-9BA4-7098817D3D40}\RP5\A0009744.sys (Rootkit.Agent) -> No action taken.

Are these system restore files? If so, I remember turning System Restore off a while back when this started so shouldn't the PC have removed those on its own?

Edited by psych1610, 22 December 2009 - 12:05 PM.


#9 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:24 PM

Posted 22 December 2009 - 12:10 PM

Those are restore files but I wouldn't worry about them, we'll take care of those later. Now could you please update Malwarebytes by going to the "Update" tab, and then run a Full scan in Normal Mode.
Computer Pro

#10 russianspy1234

russianspy1234

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 22 December 2009 - 12:22 PM

I recently fixed a similar problem on a computer, and in a few other cases I've noticed that redirects are usually due to a bad Hosts file. Check out this site for instructions on how to get a new one that should not only fix your problem, but prevent a few future ones.

http://www.mvps.org/winhelp2002/hosts.htm

You should rename your HOSTS file instead of deleting it in case that isn't what the problem is and you need to get it back.
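
The hosts-file check suggested in the post above can be scripted. This is an added example, not part of the original thread: the function names `parse_hosts` and `audit_hosts` and the sample file contents are constructed for illustration. It separates loopback entries (local names and blocking lists such as the MVPS one) from entries that point a name at some other address, which are the ones that can cause a redirect.

```python
import ipaddress
import os

# Constructed sample: the stock XP comments and localhost entry, one
# MVPS-style blocking entry, one redirect entry and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       ads.example.net   # blocked by pointing at loopback
203.0.113.7     www.google.com search.yahoo.com
not-an-ip       www.bing.com
"""

def parse_hosts(text):
    """Yield (line_no, address, hostnames) for every non-comment line."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield line_no, fields[0], [name.lower() for name in fields[1:]]

def audit_hosts(text):
    """Separate harmless local/blocking entries from ones needing review."""
    report = {"local": [], "review": []}
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            report["review"].append((line_no, "malformed", address, names))
            continue
        if not names:
            report["review"].append((line_no, "malformed", address, names))
        elif ip.is_loopback or ip.is_unspecified:
            # 127.0.0.1 / 0.0.0.0 / ::1: the name is blocked, not redirected.
            report["local"].extend(names)
        else:
            # Any other address overrides DNS for these names.
            report["review"].append((line_no, "redirect", address, names))
    return report

if __name__ == "__main__":
    # Standard location on Windows; falls back to the constructed sample.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                        "System32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_HOSTS
    for finding in audit_hosts(text)["review"]:
        print(finding)
```

An empty review list means the hosts file is not what is redirecting the searches.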

#11 psych1610

psych1610
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 22 December 2009 - 03:36 PM

> Those are restore files but I wouldn't worry about them, we'll take care of those later. Now could you please update Malwarebytes by going to the "Update" tab, and then run a Full scan in Normal Mode.


Hey, here are the logs from Malware Bytes run in normal mode in XP, rather than safe mode.

Malwarebytes' Anti-Malware 1.42
Database version: 3408
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/22/2009 3:32:08 PM
mbam-log-2009-12-22 (15-31-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 117817
Time elapsed: 44 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E9312970-0706-4E7F-9BA4-7098817D3D40}\RP1\A0001024.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{E9312970-0706-4E7F-9BA4-7098817D3D40}\RP5\A0009743.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{E9312970-0706-4E7F-9BA4-7098817D3D40}\RP5\A0009744.sys (Rootkit.Agent) -> No action taken.


> I recently fixed a similar problem on a computer, and in a few other cases I've noticed that redirects are usually due to a bad Hosts file. Check out this site for instructions on how to get a new one that should not only fix your problem, but prevent a few future ones.
>
> http://www.mvps.org/winhelp2002/hosts.htm
>
> You should rename your HOSTS file instead of deleting it in case that isn't what the problem is and you need to get it back.


Thanks a lot, however, checking the hosts file was one of the first things I did. There's nothing there except for the standard text serving as an example.

I might give it a try on my laptop though since I see it's already populated with ad sites, etc. Pretty nifty.

Edited by psych1610, 22 December 2009 - 03:38 PM.


#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:24 PM

Posted 22 December 2009 - 09:40 PM

Let's run Dr. Web:

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to download the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Computer Pro

#13 psych1610

psych1610
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 23 December 2009 - 07:05 PM

Included is the log for Dr.Web you requested. That is all that it found. I did both scans as you suggested. We were also in contact with Eset and on the phone with them for about two hours; they even took over the PC in trying to figure this problem out. They gave up and wished us luck. I hope that you have a better idea as to what to do next. I sincerely thank you for trying to help.

Again, thank you very much and HAPPY HOLIDAYS
Dave



The_Comedian.exe;C:\Documents and Settings\Administrator\My Documents\Downloads;Probably Trojan.Packed.859;Moved.;

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:24 PM

Posted 23 December 2009 - 07:28 PM

Happy Holidays to you too.

We are going to run a Kaspersky scan. This can take a very long time.

Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
o Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Computer Pro

#15 psych1610

psych1610
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 23 December 2009 - 10:34 PM

Per your instructions, view the Kaspersky log. Thanks again.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 23, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, December 24, 2009 01:48:27
Records in database: 3405848
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 23071
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:09:11

No threats found. Scanned area is clean.

Selected area has been scanned.



