8 Step search result hijack help

By EMS0525
Dec 10, 2009
Topic Status:
Not open for further replies.
  1. My search results are hijacked, here are the two log files, I'm running the malware now...
  2. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    Looking at the other threads I downloaded and ran combofix and here is that log and the malware log too.
  3. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    I did read the sticky about combofix. Now the search results seem to be working, but I would still greatly appreciate someone looking into the logs. Thank you.
  4. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    It's messed up still... still not working.
  5. AnonymousSurfer

    AnonymousSurfer TechSpot Enthusiast Posts: 304   +8

    Describe what's not working, and if you read the combofix topic, you would know NOT to have run it without having someone advise you. Let me analyze your HijackThis logs, please be patient.
  6. AnonymousSurfer

    AnonymousSurfer TechSpot Enthusiast Posts: 304   +8

    Here are the nasty files you should delete using HijackThis:
    • O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    • O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    • O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    • O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    Extra Protocols
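
One way to triage the HijackThis entries listed in the post above, as an added example that is not part of the original thread: it separates entries marked (no file), where the log reports the referenced file as missing, from entries that point at a file on disk and should be verified before anything is fixed. The function names are hypothetical; the sample lines are copied from the post.

```python
import re

# HijackThis section codes for the entry types quoted in the post above.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "Autostart entry",
    "O18": "Extra protocol or filter",
}

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")  # drive-letter path, spaces allowed

def parse_entry(line):
    """Parse one HijackThis 'O' line; return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return {
        "code": code,
        "section": SECTIONS.get(code, "other"),
        "clsid": clsid.group(0) if clsid else None,
        "target": path.group(0) if path else None,
        "orphan": body.endswith("(no file)"),  # registration left behind, file gone
    }

def triage(lines):
    """Split entries into orphaned registrations and entries to verify on disk."""
    result = {"orphan": [], "verify": []}
    for line in lines:
        entry = parse_entry(line)
        if entry:
            result["orphan" if entry["orphan"] else "verify"].append(entry)
    return result

# Entries copied from the post above.
SAMPLE = [
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)",
    r"O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll",
]
REPORT = triage(SAMPLE)
```

Entries in the "verify" group name a file that exists according to the log, so its location and publisher need checking before it is treated as malicious.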
  7. snowchick7669

    snowchick7669 TechSpot Maniac Posts: 698

    Just curious as to how you came to the conclusion that O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe was a nasty file.

    According to my research
  8. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    Sorry. I deleted those files using HijackThis. Is there something else I need to do now? Run all of them again? Thank you so much. I really appreciate it.

    new hijack this log:
  9. AnonymousSurfer

    AnonymousSurfer TechSpot Enthusiast Posts: 304   +8

    Are your search results still getting Hijacked?
  10. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Disable (or uninstall) Spybot S&D
    Open HJT Scan Only and place a tick in the following entry box
    Close all Internet browsers and select FIX


    Un-install Combofix
    • Click START then RUN
    • Now type Combofix /uninstall in the runbox and click OK
    • Any popup errors about Antivirus just ok or close
    Note: 1 space after ComboFix in that uninstall command



    Uninstall SUPERAntispyware
    Start > Control Panel > Add/Remove Programs > SUPERAntispyware > Uninstall



    Update Java and remove older Java versions
    Run JavaRa
    This will remove all your old Java stuff (that is not required)
    It will also help you check for new Java Runtime updates
    Or just go here and auto check: http://java.com/en/download/installed.jsp?detect=jre&try=1



    Download and run TFC http://oldtimer.geekstogo.com/TFC.exe
    Your computer may need to Restart



    Clear & Reset System Restore's Cache
    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK


    Restart, and let me know how it's performing
  11. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    You may want to update to a more secure Hosts file
    There's lots of important info on that here: http://www.mvps.org/winhelp2002/hosts.htm
    As it's difficult to see the actual download, here it is: http://www.mvps.org/winhelp2002/hosts.zip
    Important! Windows Vista requires special instructions: http://www.mvps.org/winhelp2002/hostsvista.htm

    Simply download the hosts.zip file, extract, then run mvps.bat, then restart

    Then restart, and test browsing the Internet again :)
  13. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    Now when I click on a link it goes to the same page...

    http://kc.mv.bidsystem.com/bin/findwhat.dll?clickthrough&y=52593&x=rkWBmPxg29RROV:Z0mjf66fFBAMGWfjOgUWuXSgJCVXB5UfoRSg3mByvnfDOkmsR4P0zIkMxQ8WxnSjU4ffQ8QkV990jFG7mLSXCWuibNBMhhGDItGJF3an3xk7KEc35KYXOMfsoImRTpVyjjtxl36QS2Axa15;ZK6xwdGl8HPMCE3kHpPZDxmfX4MWX7wZ:awWWg5u$n
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Try this ;)


    Download Combofix again

    Combofix:
    • Download Combofix to your desktop.
    • Disable your Antivirus (as Combofix will remove any found malwares)
    • Double click ComboFix & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here
    Also restart and provide a fresh HJT Scan log
  15. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    HJT log still not working.... man I'd love to get my hands on whoever comes up with this stuff. This is before combofix...
  16. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    There are no issues in your HJT log

    You could remove all these, note: they are authentic entries, but do not need to be starting with Windows:
    Run HJT Scan Only, Close all Internet Browsers
    Select all of the following and then select FIX, then Restart
  17. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    here is the newest hjt log and combofix log
  18. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    The HJT log is not complete, something went wrong? Note you are following what I ask, to restart, so forth?

    Also, were all these disabled before running all of the above?
    • SpywareGuard
    • Spybot Search & Destroy
    • Windows Defender
    As per the 8 Step Guide (Disable real time protection of other programs)
    Personally I'd say uninstall those 3, as they haven't helped you anyway!
    Actually you may as well uninstall SUPERAntispyware, whilst you are at it

    I think after restart, you should startup Malwarebytes; update it again and run a quick scan
    If anything is found, please remove it at the end of the scan (and also provide the log)
    Then Restart (I know, but Windows requires a Restart all the time!)
    Then run a fresh HJT Scan log, and provide the attachment again
  20. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    Malwarebytes didn't find anything....
  21. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  22. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    Why can there be one program that scans and finds everything... why is there a dozen things you have to scan with?

    So far the eset found 3: win32/bagle.gen.zip.worm
  23. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    lol :)

    Good point

    If I made a Malware scanner, I'd be making one that does everything
    It might take 4 hours to scan, but who cares !!!
  24. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    Well it went all night and cleaned 4 items.
  25. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    ok, next step? Still not fixed. This is ridiculous...