Browser Redirect (click.livesearchnow.com)


6 replies to this topic

#1 Dr Hands

Dr Hands

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:06 PM

Posted 28 November 2012 - 08:55 PM

I have had an issue with my browser redirecting for the last couple of weeks. It happens maybe once out of every dozen or so links I try to follow on Google, and most of the time I can back out and reselect the link, and it won't be redirected. When it is redirected it first reads along the lines of "click.livesearchnow.com" in the URL bar, then goes to a web search engine, "scour," where the address starts w/ what appears to be an IP address.

I run Windows 7... use Firefox 99% of the time, issue persists in IE and Chrome.

I have:
Cleared cookies... no avail
Checked LAN settings... settings as should be
Checked all the processes running in the Windows Task Manager and looked at my list of installed programs... nothing suspicious as far as I know
Checked host file... as should be
Ran Malwarebytes Anti-Malware, SUPERAntiSpyware, TDSKiller, and HitmanPro... no avail

I know this is an issue that can vary in solution for everyone. If anyone could assist me in solving this problem, I would be very grateful. Then, if anyone could suggest how to avoid contracting this type of "virus," or whatever it may be termed, I would appreciate that as well, as this is not the first time it has happened but the first time I can't remedy it. I'll run whatever tests and post results ASAP.

Thanks so much!



#2 Sightless

Sightless

  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Up in the Clouds
  • Local time:10:06 PM

Posted 28 November 2012 - 08:57 PM

Let's try an ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications (If given the option, choose "Quarantine" instead of delete.)
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Please download AdwCleaner by Xplode to your desktop.
  • Make sure all programs are closed
  • Double-click adwcleaner.exe
  • Click Delete
  • Press OK when prompted
  • Restart your computer when asked
  • Copy and paste the contents of the text file that opens after your computer restarts into a reply to this thread. (The log is also saved to C:\AdwCleaner[S1].txt)

Please include the following in your reply
ESET log
ADWCleaner log
Any questions/comments you may have

#3 Dr Hands

Dr Hands
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:06 PM

Posted 29 November 2012 - 07:28 AM

ESET.............

C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\6E54.tmp.vir Win64/Olmarik.AO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\6E55.tmp.vir Win64/Olmarik.AO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Aric\0.6194163036156758.exe.vir a variant of Win32/Kryptik.AOHM trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Aric\AppData\Local\CrashDumps\Conduit\befzpfb.dll.vir Win32/TrojanDownloader.Tracur.W.Gen trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{a748d94a-01ec-860b-fe96-c6d44bbde011}\U\00000004.@.vir Win64/Conedex.C trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.11.2012_07.55.48\mbr0000\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.11.2012_07.55.48\mbr0000\tdlfs0000\tsk0001.dta a variant of Win64/Olmarik.AM trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.11.2012_07.55.48\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AN trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.11.2012_07.55.48\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.11.2012_07.55.48\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.11.2012_19.57.49\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.11.2012_19.57.49\tdlfs0000\tsk0001.dta a variant of Win64/Olmarik.AM trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.11.2012_19.57.49\tdlfs0000\tsk0002.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.11.2012_19.57.49\tdlfs0000\tsk0003.dta Win64/Olmarik.AN trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.11.2012_19.57.49\tdlfs0000\tsk0007.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.11.2012_19.57.49\tdlfs0000\tsk0008.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\329ed4d0-362f1f98 multiple threats deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\442a115-172ef784 Java/Exploit.Agent.NBS trojan deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\d50c015-1faf0a0a Java/Agent.BV trojan deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\43396a9a-3a76855b multiple threats deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\2f31845f-719b95c8 Java/Agent.BV trojan deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\68b74c9f-451250ea probably a variant of Java/Agent.BR trojan deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\37db3fe2-7046dcd4 Java/TrojanDownloader.Agent.ME trojan cleaned by deleting - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\209f30a4-7cea9050 multiple threats deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\6f03b164-47543297 Java/Exploit.CVE-2011-3544.I trojan deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\6b4d836b-294869cc Java/Agent.BV trojan deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\72a066eb-3a1b5ca4 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\a82b8f1-43044f6d a variant of Java/Exploit.CVE-2010-0094.O trojan deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\469f7ebd-5d0309b0 a variant of Java/Agent.BR trojan deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\30ba363e-53dafc80 Java/Exploit.CVE-2011-3544.AN trojan deleted - quarantined
C:\Users\Aric\AppData\Roaming\Mozilla\Firefox\Profiles\8xt6ra3a.default\extensions\wdbmwwnzda@wdbmwwnzda.org.xpi JS/Redirector.NCI trojan deleted - quarantined

-----------
ADWCLEANER..........

# AdwCleaner v2.009 - Logfile created 11/29/2012 at 07:21:35
# Updated 24/11/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Aric - ARIC-PC
# Boot Mode : Normal
# Running from : C:\Users\Aric\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files (x86)\Mozilla FireFox\searchplugins\Search_Results.xml
File Deleted : C:\Users\Aric\AppData\Roaming\Mozilla\Firefox\Profiles\8xt6ra3a.default\searchplugins\Conduit.xml
File Deleted : C:\Users\Aric\AppData\Roaming\Mozilla\Firefox\Profiles\8xt6ra3a.default\searchplugins\Search_Results.xml
File Deleted : C:\Users\Aric\AppData\Roaming\Mozilla\Firefox\Profiles\8xt6ra3a.default\searchplugins\search-here.xml
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Aric\AppData\Local\Conduit
Folder Deleted : C:\Users\Aric\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Aric\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Aric\AppData\LocalLow\searchquband
Folder Deleted : C:\Users\Aric\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\searchqutoolbar
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Default Tab
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3198785
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Users\Aric\AppData\Roaming\Mozilla\Firefox\Profiles\8xt6ra3a.default\prefs.js

C:\Users\Aric\AppData\Roaming\Mozilla\Firefox\Profiles\8xt6ra3a.default\user.js ... Deleted !

Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=1[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://dts.search-results.com/sr?src=ffb&appid=0[...]
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3198785");

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Aric\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [2985 octets] - [29/11/2012 07:21:35]

########## EOF - C:\AdwCleaner[S1].txt - [3045 octets] ##########
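
An added triage sketch, not part of the original posts: it parses ESET log lines in the format shown above and groups the detection names by where the file was found, so hits inside another tool's quarantine folder are separated from files found in the Java cache or the Firefox profile. The bucket labels and function names are assumptions made for this example; the sample lines are excerpted from the log in this post.

```python
import re
from collections import defaultdict

# Lines excerpted verbatim from the ESET log posted in this thread.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\6E54.tmp.vir Win64/Olmarik.AO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.11.2012_19.57.49\tdlfs0000\tsk0002.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\209f30a4-7cea9050 multiple threats deleted - quarantined
C:\Users\Aric\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\6f03b164-47543297 Java/Exploit.CVE-2011-3544.I trojan deleted - quarantined
C:\Users\Aric\AppData\Roaming\Mozilla\Firefox\Profiles\8xt6ra3a.default\extensions\wdbmwwnzda@wdbmwwnzda.org.xpi JS/Redirector.NCI trojan deleted - quarantined
"""

# path (may contain spaces), optional "variant of" prefix, detection name,
# optional object type, then the action text.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:(?:probably )?a variant of\s+)?"
    r"(?P<name>multiple threats|[A-Za-z0-9]+/[\w.\-]+)"
    r"(?:\s+(?P<kind>trojan|application))?\s+"
    r"(?P<action>.+)$"
)

# Assumed buckets. Qoobox is ComboFix's working folder and TDSSKiller_Quarantine
# is TDSSKiller's, so hits there are copies an earlier tool had already isolated.
BUCKETS = [
    ("prior-tool quarantine", ("c:\\qoobox\\", "c:\\tdsskiller_quarantine\\")),
    ("java cache", ("\\sun\\java\\deployment\\cache\\",)),
    ("firefox profile", ("\\firefox\\profiles\\",)),
]

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def bucket_for(path):
    """Map a file path to the first bucket whose marker it contains."""
    p = path.lower()
    for label, needles in BUCKETS:
        if any(n in p for n in needles):
            return label
    return "other"

def triage(log_text):
    """Group detection names by location bucket, keeping log order."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            out[bucket_for(rec["path"])].append(rec["name"])
    return dict(out)

if __name__ == "__main__":
    for label, names in triage(SAMPLE_LOG).items():
        print(f"{label}: {len(names)} -> {', '.join(names)}")
```
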

#4 Sightless

Sightless

  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Up in the Clouds
  • Local time:10:06 PM

Posted 29 November 2012 - 10:28 AM

Are you still getting redirects?

#5 Dr Hands

Dr Hands
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:06 PM

Posted 29 November 2012 - 10:56 AM

Doesn't appear so and I see ESET pulled some nasty sounding things out so I'm pretty satisfied.

Thanks for your help

Edited by Dr Hands, 29 November 2012 - 10:56 AM.


#6 Sightless

Sightless

  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Up in the Clouds
  • Local time:10:06 PM

Posted 29 November 2012 - 11:07 AM

Hi, if all looks good, you should create a new restore point and delete your old restore points. Malware can hide in old restore points and reinfect you if you restore back to that point in time.

To create a new restore point
  • Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
  • In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Click the System Protection tab, and then click Create.
  • In the System Protection dialog box, type a description, and then click Create.
------------------------------------------------------------
To delete all but the most recent restore points
  • Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
  • If prompted, select the drive that you want to clean up, and then click OK.
  • In the Disk Cleanup for (drive letter) dialog box, click Clean up system files. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • If prompted, select the drive that you want to clean up, and then click OK.
  • Click the More Options tab, under System Restore and Shadow Copies, click Clean up.
  • In the Disk Cleanup dialog box, click Delete.
  • Click Delete Files, and then click OK.

Edited by Sightless, 29 November 2012 - 11:10 AM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:06 PM

Posted 30 November 2012 - 02:33 PM

When you ran ComboFix did it delete anything?