Search Engine results redirecting

Everytime I do a search on a search engine (Yahoo, Google, Bing), when I click on the results, the computer is redirected to a different URL (additional search engine or advertising sites). I ran MBAM and SuperAntispyware scans, but the problem persists. I haven't noticed any other problems with the computer.

Hello please post your MABAM log.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Now run Drweb-cureit
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

• Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
• Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
• The Express scan will automatically begin.
  (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
• If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)

• After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
• In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
• Please be patient as this scan could take a long time to complete.
• When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
• Click Select All, then choose Cure > Move incurable.
• In the top menu, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

I was able to download Dr. CureIt according to your posted instructions. However, I was unable to start my computer in Safe Mode (after several attempts). I kept getting the following error message:

"A problem has been detected and windows has been shut down to prevent damage to your computer."

Technical Information:
***STOP: 0x0000007E (0xC0000005, 0X80537009, 0XF78A6508, 0XF78A6204)

As I couldn't restart in Safe Mode, I didn't run Dr. CureIt.

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.43
Database version: 3459
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/30/2009 4:59:47 PM
mbam-log-2009-12-30 (16-59-47).txt

Scan type: Quick Scan
Objects scanned: 190779
Time elapsed: 34 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hello... Try this first and then see if you have Safe mode for DrWeb.

• Download TDSSKiller and save it to your Desktop.
• Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
• Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
  
  "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  
  
• If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
• When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

OR.. actually we can run both scans so run SAS and then try the "Repairs" after it.

Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
• In the Main Menu, click the Preferences... button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

SUPERAntiSypware has a built in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection. To use this feature, launch SUPERAntiSypware.

• Click the Repairs tab.
• Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
• You may be asked to reboot your computer for the changes to take effect.

Knock on wood - but I think I'm cured! My search results in Yahoo or Google are no longer being redirected, and I was able to boot the computer in Safe Mode again.

I ran TDSSKiller and it found (& cured) problems. I could not find a log file (TDSSKiller.txt) saved to my C: drive. I searched for all *.txt files saved to my computer today and still couldn't find anything. The program did identify a couple rootkit problems that it identified and cured.

I then ran a full scan with SuperAntiSpyware according to the instructions posted. Here's the log file:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2010 at 10:06 AM

Application Version : 4.31.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 2268

Scan type : Complete Scan
Total Scan Time : 01:44:14

Memory items scanned : 722
Memory threats detected : 0
Registry items scanned : 8438
Registry threats detected : 0
File items scanned : 115387
File threats detected : 78

Adware.Tracking Cookie
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@bridge1.admarketplace[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@adserver.adtechus[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ads.bridgetrack[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@at.atwola[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@webstat.pge[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@interclick[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@collective-media[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@bs.serving-sys[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@burstnet[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@overture[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@oasn03.247realmedia[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@bridgetrack[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@realmedia[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@media.adfrontiers[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ads.undertone[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@centralmediaserver[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@2o7[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@richmedia.yahoo[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@safeway.112.2o7[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@data.coremetrics[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@imrworldwide[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@feed.validclick[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@serving-sys[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@media6degrees[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@hitbox[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@revsci[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@statse.webtrendslive[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@zedo[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@tacoda[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@doubleclick[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ads.pointroll[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@trafficmp[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@apmebf[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@tribalfusion[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@media.expedia[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@jsonline.stats[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@atdmt[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@pointroll[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@content.yieldmanager[3].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@advertising[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ehg-socaledison.hitbox[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@a1.interclick[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@adbrite[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ehg-verizon.hitbox[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@invitemedia[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@mediaplex[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ad.yieldmanager[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@fastclick[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@adinterax[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@yieldmanager[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@polls.clickability[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@casalemedia[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@s.clickability[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ad.wsod[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@admarketplace[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@bestbuy.122.2o7[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@questionmarket[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@specificclick[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@insightexpressai[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@statcounter[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@trackalyzer[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ads.nba[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@sales.liveperson[4].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ehg-bestbuy.hitbox[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@traveladvertising[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@247realmedia[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@sales.liveperson[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ehg-kingstontechnology.hitbox[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@sales.liveperson[3].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@content.yieldmanager[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@rambler[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@webstats.broadcom[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@eb.adbureau[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@specificmedia[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ads.bleepingcomputer[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@ads.adap[2].txt
C:\Documents and Settings\dconsie.CAMS\Cookies\dconsie@advertising[2].txt


Do you suggest that I also run Dr. Web CureIt in Safe Mode as previously instructed, or should I just continue to monitor to see if more problems occur?

Thanks for all the help!!

Yes it is better to get it all out now.. DrWeb should run now. Note the Dr will be over an hour.


Also Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

I ran both the Dr. Web and MBAM scans.

I ran the Dr. Web scan in Safe Mode and rebooted following. Here's the log:

Juniper Model v6 - Draft.xls;C:\Documents and Settings\dconsie.CAMS\My Documents;Probably Office.Exploit;Incurable.Moved.;

I ran the MBAM scan in Normal Mode and also rebooted following. Here's the log:

Malwarebytes' Anti-Malware 1.43
Database version: 3501
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/6/2010 9:39:36 AM
mbam-log-2010-01-06 (09-39-36).txt

Scan type: Quick Scan
Objects scanned: 188591
Time elapsed: 29 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Computer seems to be working fine at the moment - no redirecting of search results in Yahoo or Google.

Thanks for all the help! This website is awesome - particularly for computer novices like myself!

You're welcome and thanks. {Probably Office.Exploit} Make sure any Office applications you have are updated and patched.
Let's check your JAVA too.
Go into Control Panel>Add Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this).

I've got Java 6 Update 5 and J2SE Runtime Environment 5.0 Update 6.

I also have Microsoft Office 2007 with the following updates:

KB973704
kb976884
KB974234
KB969559
KB973709
KB969604
KB969613
KB976416
972581
KB972363
KB957789
KB967642
SP2
KB973593

Thanks,we need to do this next.. :ooks like the hole for the exploit.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
• Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
• Click the Download button to the right.
• Select your Platform: "Windows".
• Select your Language: "Multi-language".
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
• Click Continue and the page will refresh.
• Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
• Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
• If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

I uninstalled Java 6 Update 5 and J2SE Runtime Environment 5.0 Update 6 - rebooted - and installed Java 6 Update 17 according to the posted instructions.

Earlier you suggested "make sure any Office applications you have are updated and patched." Can you guide me through this exercise?

Hi.. I think all you need to do is Click the Start button, click All Programs, and then click Windows Update.
http://www.update.microsoft.com/microsoftu...t.aspx?ln=en-us

Also see BC"s tutorials

Microsoft Windows Automatic Updates Explained

Automatic Update for Windows XP

Okay - I followed the link to Microsoft Updates and installed all the critical updates (including IE8). My computer seems to be running pretty good.

The introduction to IE8 recommended Microsoft Security Essentials as a free anti-virus program. Do you have any knowledge/experience with MSE? Is it as effective as Symantec or Norton or any of the other anti-virus programs available at a cost?

Thanks again for all the help!

Hi, do you have Norton installed now? Is it paid for?? Or what AV is on here.

Run one more scan here please.
I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push

Edited by boopme, 08 January 2010 - 03:23 PM.

My computer is running Symantec Endpoint Protection. I asked about Microsoft Security Essentials as a AV for my wife's computer which is not currently protected by an AV program.

I ran the ESET scan below. Here's the log file:

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus

I believe the infected file is still on my computer. The directions for the ESET scan didn't instruct me to have the "remove infected items" box checked, so, right or wrong, I unchecked the box. Please let me know how I should go about removing the infected file.