Google and Yahoo hijacked. Boo


  • This topic is locked
11 replies to this topic

#1 berighteous

Posted 27 May 2010 - 09:26 PM

Hi! I picked up something that has hijacked my Yahoo and Google searches and is redirecting them to various non-related sites.

I've tried a Malwarebytes scan and removed whatever it found and I ran Microsoft's malicious software removal tool which came back negative. I have AVG but it didn't stop me from getting what I got. Boo.

What do I need to do?

I'm running XP pro 64 bit SP2


Thanx
Michael

EDIT: Moved from XP to more appropriate Am I Infected forum ~ Hamluis.

Edited by hamluis, 27 May 2010 - 09:45 PM.


#2 Budapest

Posted 31 May 2010 - 02:01 AM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 berighteous

Posted 01 June 2010 - 01:17 AM

This is all it gave me
I just noticed my printer isn't printing now. grrrr

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-31 23:14:02
Windows 5.2.3790 Service Pack 2
Running: tw987cp5.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 842

---- EOF - GMER 1.0.15 ----

#4 Budapest

Posted 01 June 2010 - 01:20 AM

Try this and see if it stops the redirecting:

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make ReadOnly?".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
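
Added example (not part of the original thread, and not HostsXpert's own code): a hosts file that maps search-engine names to a foreign address is one cause of search redirects, which is what the reset above rules out. This sketch audits hosts-file text for such entries before it is reset; the watch list, function names and sample content are assumptions constructed for illustration.

```python
import ipaddress

# Domains taken from this thread's symptom (assumed watch list).
WATCHED = ("google.com", "yahoo.com")

def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        for name in fields[1:]:                  # one line may carry several names
            yield lineno, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return every mapping other than the stock localhost -> loopback entry."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue
        watched = any(name == d or name.endswith("." + d) for d in WATCHED)
        # A watched name pointed at a non-loopback address is a redirect;
        # anything else is a custom entry the user must re-add after a reset.
        severity = "high" if watched and not ip.is_loopback else "review"
        findings.append({"line": lineno, "ip": str(ip),
                         "host": name, "severity": severity})
    return findings

# Constructed sample content, not taken from the poster's machine.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
203.0.113.7     www.google.com search.yahoo.com   # constructed hijack entry
127.0.0.1       ads.example.net
not-an-ip       www.google.com
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`. The "review" entries correspond to the custom entries the note above says must be replaced by hand after the restore.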

#5 berighteous

Posted 01 June 2010 - 01:31 AM

nope still redirecting. This time it went to TravelAlberta.com Boo.

#6 Budapest

Posted 01 June 2010 - 01:32 AM

Try running the GMER scan in Safe Mode to see if you get a longer log.

#7 berighteous

Posted 01 June 2010 - 03:06 AM

I ran it in safe mode. Took a long time and gave me a message saying it found nothing.

I just did a google search (in firefox) for Sharon Stone, and clicked on a link to her imdb entry and it sat there for 25 seconds and ended up at the yellowbook.com entry for some contractor. Whenever I click on a google or yahoo link it sits there saying "waiting for " whatever for like 15 seconds or more and then redirects to who knows where.
If I right click on the link and copy and paste the link into the browser it takes me right where it's supposed to go.

Clicking on this same link from a google search page:
http://www.imdb.com/name/nm0000232/

has taken me to:
http://www.aawaterjet.com/
http://www.upliftsearch.com/?keyword=stone&aid=1893&cid=1692&subid=38628
http://search.us.b00kmarks.com/view.php?q=what%20is%20health&f=613&affiliate=50406-38450
http://www.superpages.com/bp/Pine-Bush-NY/David-J-Gros-Contracting-L2114561024.htm?lbp=1&PGID=midas112.8083.1275379860242.2099268102&bidType=CLIK&TR=1
http://tridentityshield.com/products/free-trial.php?utm_source=LookSmart&utm_medium=plm&utm_campaign=Credit+Reporting&utm_extra=dim1/Credit+Reporting//dim2/Exact&utm_term=credit+bureaus

Edited by Orange Blossom, 04 June 2010 - 04:07 PM.
Deactivate links. ~ OB


#8 Budapest

Posted 01 June 2010 - 03:20 AM

Do the redirects occur in both Firefox and IE?

#9 berighteous

Posted 01 June 2010 - 10:52 AM

yes. It redirects both yahoo searches and google searches in Firefox and in Internet Explorer.

I just checked Google Chrome and Apple Safari and it doesn't seem to redirect in those browsers. (but I don't use those browsers much)

#10 Budapest

Posted 01 June 2010 - 04:20 PM

This is going to need a more in depth look. Please follow these instructions to create a new topic (start at step 6):

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

#11 berighteous

Posted 01 June 2010 - 08:18 PM

dds said "this tool does not support your operating system." Again, I'm running Windows XP pro 64-bit.

when I ran gmer before (and now) the
system
sections
IAT/EAT
Devices
Modules
Processes
Threads
Libraries
are grayed out and unchecked.

Edited by berighteous, 01 June 2010 - 08:27 PM.


#12 Budapest

Posted 04 June 2010 - 12:20 AM

Sorry I didn't get back to you sooner but I was out of town.

I see you have started a new topic in the logs forum. Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.