Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

results55.google.com redirect problem


  • This topic is locked This topic is locked
12 replies to this topic

#1 farmersdaughter08

farmersdaughter08

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 04 September 2010 - 08:09 PM

Earlier today I was on google, I than went to amazon.com and shortly after that fake page of "your computer is infected.. download such and such now" I did not even remember what the name of it was because I was trying so quickly to close my browser to stop it. However, my attempt did not work! This happend about 3-4 hours ago, I did not notice the effects right away, so I thought everything was ok. I have different problems now, I will explain them the best I can. 1.) Everytime I go to google and search, I click on a result and it redirects to results55.google.com or in firefox it redirects to google analytics. The result that is suppose to show up, does not show up at all. 2.) Trying to type here was a mess, every time I pressed a key it would skip some letters, so I am typeing this in WordPad and then copy and pasteing it over. This is only happening in Internet Explorer, typeing in Messenger and WordPad my keyboard works just fine. 3.) My computer has really slowed, it takes a few seconds for my homepage to show up when my browser is first opened. It is a plain white page until it finally loads.

I can search on Windows Live Search without any problems at all, so I did for a solution. All the solutions said was it was something to do with the DNS cache. So I followed the few steps since they seemed not to be harmful. I reset my modem and flushed my dns cache from my computer. Those two things seemed to help a lot of people, but not me! My Malbytes will not update, I did scan and it found nothing, however now that I think of it I should uninstall it and try to reinstall. I ran my anti-virus and it too found only a supicious cookie that it removed, I use Trend Micro Antivirus, in 5-6 years I have not had one single problem, until now. I did look around this site, but I see scan results were shown and I figured what worked for someones computer may not work for mine.

I will be willing to try anything to get this off. I attend college online, and I really need this fixed so my browser will run like it used to. Thank you in advance.

Edited by Orange Blossom, 04 September 2010 - 08:28 PM.
Move from Web Browsing to Am I Infected. ~ OB


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:28 PM

Posted 04 September 2010 - 09:00 PM

Hello, the infection is in the router.

Download and update MBAM (below) Do not run yet. {Full instructions below if needed.
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine..

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
><><><>

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you donít know the router's default password, you can look it up HERE.

However, if there are other infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site HERE for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have ran Malwarebytes' Anti-Malware on the infected system, and reset the router to its default configuration you can reconnect to the internet, and router.


>><><><>><
Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 farmersdaughter08

farmersdaughter08
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 04 September 2010 - 09:37 PM

Erasing this post as I answered my own question, just don't know how to remove a post. So, this will work.

Edited by farmersdaughter08, 04 September 2010 - 09:44 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:28 PM

Posted 04 September 2010 - 10:02 PM

You have stopped the Redirect? I will close this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 farmersdaughter08

farmersdaughter08
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 05 September 2010 - 05:39 AM

I am sorry about my previous reply, I had posted you a question in reply to your original answer, but I had figured that one out.

After a nice chat with my ISP provider last night on how to check my dns servers, which sure enough had been changed, and we changed them back. I finally was able to update and install malbytes which found 22 infected files! The log is below, but I think I got it fixed, time will tell!

The only question I have is you said to change the password on the router, now the lady from ISP support was very hard to understand, and she couldn't see why I needed to check those address'. I did not ask her about changing the password you mentioned. I can access my modems site where I change everything, I can change the Admin User Name and Admin password, is this the one I want to set by the website you posted? The other password option is for when others use my wireless connection and it asks for tat password. I was unsure of which one.



MBAM LOG

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4546

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

9/5/2010 5:30:46 AM
mbam-log-2010-09-05 (05-30-46).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 351123
Time elapsed: 3 hour(s), 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\owner\AppData\Local\ekarigafeyuzub.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\timesink, inc. (AdWare.TimeSink) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bvubekajomowapu (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhiqe (Trojan.Agent.U) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.74,93.188.161.7 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\owner\AppData\Local\ekarigafeyuzub.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Users\owner\AppData\Local\Temp\4.5009342539823264E8.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Users\owner\AppData\Local\Temp\8583.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\owner\AppData\Local\Temp\Zwldzdgajm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\owner\AppData\Local\Temp\0.3769899358217612.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Users\owner\AppData\Local\Temp\expand32xp.dll (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\owner\AppData\Local\Temp\YMRgpDBlMn.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Windows\Temp\0.8845531575255321.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Windows\Temp\4.3119835567443514E8.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Users\owner\AppData\Local\Temp\0.29205110555190494.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\0.4352255620917398.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\owner\AppData\Local\haldbi.dll (Trojan.Agent.U) -> Delete on reboot.

Edited by farmersdaughter08, 05 September 2010 - 05:43 AM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:28 PM

Posted 05 September 2010 - 11:01 AM

No,problem. I asked as I knew this was difficult to remove.
First you needed to reboot the {PC after that scan. If you haven't please do that first.

The only question I have is you said to change the password on the router, now the lady from ISP support was very hard to understand, and she couldn't see why I needed to check those address'. I did not ask her about changing the password you mentioned. I can access my modems site where I change everything, I can change the Admin User Name and Admin password, is this the one I want to set by the website you posted? The other password option is for when others use my wireless connection and it asks for tat password. I was unsure of which one.

Let me ask ... Do you use a Router and a Modem,if not things are her way.

Router Images

Modems

Possible setup


Let's get an online scan done:
ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 farmersdaughter08

farmersdaughter08
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 05 September 2010 - 05:13 PM

After the MBAM scan, I did reboot my computer, right after I posted the results. I left for work early this morning and the computer was working fine, I tried google and live search engines and they were working. I came home from work and I went to hotmail and yahoo mail, that was it, I was also on chat in Yahoo Messenger, I went to google typed in my zip code and then weather, I have done this numorus times. An now again it redirects however this time it shows "JUMP".

In your first reply, I went through your directions in the order they were listed. I tried first to update MBAM, it would not allow me to do so. I went to the website you posted and I clicked to update and it told me page could not be found. I tried to install MBAM from the last thing you told me to do, and again it redirected me to "page can not be found". So I went ahead and called the internet company. Here is exactly what she had me do: Start > Control Panel > Network and Sharing Center > Manage Network Connections (on the left panel) > Local Area Connection > Properties > clicked on Internet Protocol Version 4 > Properties > I told her that the second set of options was "Use the Following DNS Server Address". She asked me to tell her the address' and I did she said they were not correct. So she told me to select "Obtain DNS Server address automatically." So that is what I did and that is still how it is set up. That sounded kind of odd to me, she didn't even ask me to go through the modem website like with most problems, I was not about to question her though because it was hard enough to understand her. (No offence to anyone whom may not be fluent in english) Please if this does not sound right, let me know and I will question it. MBAM updated and downloaded for me just fine after that, an as seen it ran. My box says it is a ActionTec DSL Modem with Wireless Gateway GT701-WG.

I tried running the ESET Scan, and it froze, in internet explorer, I can not access it, it shuts down the browser. So I went into FireFox, and it worked for awhile. The timer kept going but the progress bar and the area/file being scanned did not move for at least 10 minutes. I went ahead and stopped the scan. I have a screen shot of where it froze, however I see I need to upload that to a site in order to link to it. If it's needed i'm sure I can use photo bucket. What little of the scan results I have from what it did do are below:
C:\Program Files\PlaySushi\PSText.dll Win32/Adware.Gamevance application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\RetrogamerEI\Installr\1.bin\k7EIPlug.dll a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\Trend Micro\Internet Security\TmpxTmp\htt1444.tmp a variant of Win32/Adware.Gamevance.AK application cleaned by deleting - quarantined
C:\ProgramData\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\Users\owner\AppData\Local\Temp\NODAA1B.tmp Win32/Adware.Gamevance application cleaned by deleting (after the next restart) - quarantined
C:\Users\owner\AppData\Local\Temp\xxlRaEVbPR.exe a variant of Win32/Kryptik.GOF trojan cleaned by deleting - quarantined
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\2fe55068-64e98fce Java/TrojanDownloader.OpenStream.NAC trojan cleaned by deleting - quarantined
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\23354cf3-677308bb Java/TrojanDownloader.OpenStream.NAC trojan cleaned by deleting - quarantined
C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\413eec86-7520f8ea Java/TrojanDownloader.OpenStream.NAC trojan cleaned by deleting - quarantined

I will reboot my computer right now as well.

I really do appreciate all of your help, thank you.

#8 farmersdaughter08

farmersdaughter08
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 05 September 2010 - 05:16 PM

I forgot to add that I have been trying to get rid of that Play Sushi thing for months now, and to no available. I know it showed up in the scanner, but if it is a low threat or low risk I am not worried about it. I have also deleted my WII internet connection, and the only other connection to my modem is a laptop, it is not here at the moment and it has not been used since this has happend.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:28 PM

Posted 05 September 2010 - 08:02 PM

Hi, I think we are dealig witha new Malware here and we need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 farmersdaughter08

farmersdaughter08
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 05 September 2010 - 08:06 PM

I will do as you asked, just a bit of a update I again tried running the ESET scan and again it is stopped at the same exact point. It trys to scan D:\i386\Apps\App000060\wtpatch.exe It does not list any files infected up to this point. But, it is still redirecting.

It finally started to scan again, thankfully. I will stop replying and just do as you ask. Sorry.

Edited by farmersdaughter08, 05 September 2010 - 08:11 PM.


#11 farmersdaughter08

farmersdaughter08
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 06 September 2010 - 02:17 PM

The first time you told me to reset my router, and I called to check the DNS Server address, put it to where it was suppose to be, my computer seemed to be fixed for awhile. It then went back to redirecting. I called an asked them to check again for me, and we changed it from "change IP automatically" to putting in a IP address.

Trend Micro Scan Log: (I had to type it I don't know how to get the log to copy and paste)

Cookie_DoubleClick Cookie deleted
Infected File: Threat Name: (ALL OF THE FOLLOWING WERE FOUND IN FILE LOCATION: dev\s)
AdgredY.class TROJ_JAVA.AS (ALL OF THESE WERE DELETED)
DyesyasZ.class TROJ_JAVADL.A
LoaderX.class TROJ_JAVA.BN
ADGREDY.class TROJ_JAVA.AS
DyesyasZ.class TROJ_JAVADL.A
LoaderX.class TROJ_JAVA.BN
AdgredY.class TROJ.JAVA.AS
DyesyasZ.class TROJ_JAVADL.A
LoaderX.class TROJ.JAVA.BN

Compressed File Infected file: 5707c08a-1d80f3c7 Folder Path: C:\Users\owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\
Compressed file Infected file: 22f1ade8-379c252f Folder Path: c:\User\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\
Compressed file Infected file: 5707c08a-66cdc157 Folder Path: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\

I have un-installed Java, do you have any ideas on how to get this off my system completly? I have no more ideas.

#12 farmersdaughter08

farmersdaughter08
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 06 September 2010 - 02:22 PM

Would a new modem maybe fix this problem? However if I don't get rid of the virus before a new modem is used then I am just going to infect that one.

#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:28 PM

Posted 06 September 2010 - 06:18 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic345431.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users