Google redirect, spyware/malware problem

Status
Not open for further replies.
I've posted the logs. Should the TCP and LSP have replaced the previous ones on the desktop? No new icons appeared. How do I do the other suggestion?
 
Oops, MBAM found more; run once more to confirm a clean log.

Yes on log LSP.TXT!

Did you do a Windows search as recommended by scriptordie for wdmaud.sys?

Delete any found outside the windows\system32\drivers folder. That is the only place it should be.

After the MBAM run and the search-and-delete if needed, reboot and retest for redirection!

Mike
 
MBAM found nothing. I'm still having redirecting problems after deleting one of those files outside of system32/drivers.
 
Geeze!

Do the following 2 operations before getting Drastic below.

Clean and update Java
Clean up old Java and update to the newest version; this program will do it all for you.

Download JavaRa http://prm753.bchea.org/JavaRa.html

Unzip it, run it; to update choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun from here: https://www.techspot.com/downloads/6463-java-se.html

After the update choose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

Then click "Additional tasks" and check "Remove Useless JRE files" and "Remove JavaRa log files".

After that run Search for Updates again to confirm you are up to date.
After that run remove older versions again. This time the Log file should be empty.

Then..

Download Dial-A-Fix (DAF)
http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here, one at a time, do the below:

Flush DNS
Repair Permissions
Reset networking
Reinstall Windows Firewall

Watch for any File not found or other errors and make note as this may lead to the fix!

Reboot, retest!

If that doesn't work, consider going Drastic!

--------------------------------------------------------------------------------------------------------
This is drastic, but nothing else has worked on this issue, though we did fix a lot.

Download Norman Malware Cleaner http://www.majorgeeks.com/download5450.html

Download then boot to safe mode only and run.

Do this when you go to work or bed as it is very thorough and will take hours.

Running in safe mode allows removal of some things that would give problems in normal mode, but running in safe mode is slower also, so double slow.

I mean it, this program may run 6-8 hours, so do it while you are sleeping or at work! It will leave a log on the Desktop when finished.

Mike
 
Hey Mike, sorry to keep bothering you with this issue. I appreciate all the help you've given me.
I did a scan with the Norman Malware Cleaner but it only took 55 minutes. Did I do what you suggested? The issue (unbelievably) isn't resolved, unfortunately. Also, a fresh symptom is that it will not let me on certain websites like MySpace anymore (Internet Explorer cannot display the webpage) as well as not letting me on secure websites. I have enclosed the log in three parts as it was too large to upload as a whole. What are all of the webpages and things it has found - are they spyware?
 
OK, I hate to ask as many times as we have before, but every time something gets cleaned, like in Norman, it may break something else loose that can now be seen by the other scanners.

So run ComboFix again and attach the log.

UPDATE MBAM and SAS and run Quick Scan again; attach logs. Check the logs and if clean no need to post!

Then get SmitFraud from here http://www.bleepingcomputer.com/forums/topic17258.html
The instructions to run are about 2-3 pages down. Attach log.

Mike
 
But where is the ComboFix? That is the main one, but also Quick Scans with updated MBAM and SAS.

After the above, a new HJT log.

Mike
 
Yeah, sorry about that. MBAM found nothing and I enclosed the SAS log in my last post. I've enclosed the new HijackThis and ComboFix logs.
 
Okey dokie!

Finally we may have found it.

Go back and do post #13 again I have edited it to fix the below.
These 2:
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\u_lehj]
"ImagePath"="\??\c:\program files\Common Files\System\u_lehj32.dll"
Then run another ComboFix to confirm it has left the premises!

Then do the below; I need to check your userinit.exe.

Left-drag the mouse and Copy for Pasting all text in the box below.
Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt.
Code:
@echo off
cd\
attrib /s userinit.exe >"%USERPROFILE%"\Desktop\userinit.txt
dir /s userinit.exe >>"%USERPROFILE%"\Desktop\userinit.txt
exit
exit

Now post the userinit.txt from the new icon on the desktop back to the thread.

Mike
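The attrib/dir batch above produces a text listing of every copy of a file on the disk; the same idea was used earlier for wdmaud.sys, which should exist only in windows\system32\drivers. This added example (not from the thread) parses constructed "attrib /s" output and reports copies that sit outside their expected folders or that carry the hidden/system attributes malware uses to stay out of sight. The sample lines, the expected-folder lists and the function names are constructed for this example; on XP the dllcache and ServicePackFiles copies of userinit.exe are legitimate Windows File Protection backups, which is why they are listed as expected.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of what "attrib /s <file> > <file>.txt" writes on an XP box:
# attribute letters in the left columns, then the full path.
SAMPLE_ATTRIB_OUTPUT = """\
A            C:\\WINDOWS\\system32\\userinit.exe
A            C:\\WINDOWS\\system32\\dllcache\\userinit.exe
A    SH      C:\\Documents and Settings\\All Users\\Application Data\\userinit.exe
A  R         C:\\WINDOWS\\ServicePackFiles\\i386\\userinit.exe
A            C:\\WINDOWS\\system32\\drivers\\wdmaud.sys
A   H        C:\\WINDOWS\\system32\\wdmaud.sys
"""

# Expected locations (assumption for this example, XP default layout).
USERINIT_EXPECTED = [
    r"C:\WINDOWS\system32",
    r"C:\WINDOWS\system32\dllcache",
    r"C:\WINDOWS\ServicePackFiles\i386",
]
WDMAUD_EXPECTED = [r"C:\WINDOWS\system32\drivers"]  # the thread: the only place it should be

# Attribute letters (any upper-case, space separated), then a drive-rooted path.
ATTRIB_LINE = re.compile(r"^\s*([A-Z ]*?)\s+([A-Za-z]:\\.*?)\s*$")


def parse_attrib_output(text: str) -> List[Dict[str, object]]:
    """Turn attrib output into a list of {'path': str, 'attrs': set-of-letters}."""
    entries = []
    for line in text.splitlines():
        m = ATTRIB_LINE.match(line)
        if not m:
            continue  # blank lines, "File not found" messages, etc.
        flags: Set[str] = set(m.group(1).replace(" ", ""))
        entries.append({"path": m.group(2), "attrs": flags})
    return entries


def find_stray_copies(text: str, filename: str, expected_dirs: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for copies of filename that are out of place or hidden/system."""
    expected = {d.lower().rstrip("\\") for d in expected_dirs}
    findings = []
    for entry in parse_attrib_output(text):
        path = str(entry["path"])
        directory, _, name = path.rpartition("\\")
        if name.lower() != filename.lower():
            continue
        reasons = []
        if directory.lower() not in expected:
            reasons.append("outside expected location")
        hidden_system = entry["attrs"] & {"H", "S"}
        if hidden_system:
            reasons.append("has " + "/".join(sorted(hidden_system)) + " attribute")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for name, expected in (("userinit.exe", USERINIT_EXPECTED), ("wdmaud.sys", WDMAUD_EXPECTED)):
        for path, reasons in find_stray_copies(SAMPLE_ATTRIB_OUTPUT, name, expected):
            print(f"{path}: {', '.join(reasons)}")
```

Run against a real userinit.txt by reading the file instead of the constructed sample; anything it flags is a candidate for the delete step the thread describes, and the attribute letters tell you whether a plain "del" will work or whether the -h -s -r attrib step is needed first.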
 
I figured out why I was being redirected on Google. It was because of their affiliations with a website called "doubleclick.net", which if you have the same problem as me (using Mozilla) you'll see at the bottom of the screen that a certain website loads very quickly as "ad4.doubleclicker.net", and apparently this advertisement website group tries to redirect you to other sites they think you would like? So as I searched for solutions I found out you can opt out of this service by going to:

http://www.doubleclick.com/privacy/dart_adserving.aspx - and selecting the "add opt out cookie"

or the google opt out:

http://www.google.com/privacy_ads.html

I have yet to actually "opt out" of anything because it keeps saying that I don't have my cookies enabled (of course I do; I really think this might be some BS, but it could be my firewall), so hopefully this will work for you guys who are having problems with Google redirecting them to ad sites.
 
Do this!

Left-drag the mouse and Copy for Pasting all text in the box below.
Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt.
Code:
@echo off
cd\
sc stop u_lehj
sc delete u_lehj
attrib -h -s -r /s u_lehj32.dll >"%USERPROFILE%"\Desktop\lehj32.txt
del  /f /q /s u_lehj32.dll >>"%USERPROFILE%"\Desktop\lehj32.txt
exit
exit
Attach the lehj32.txt on the desktop back to me. Then delete it.

Mike
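The batch above removes the u_lehj service whose registry entry appeared in the ComboFix log a few posts back. What made that entry stand out is visible in the ImagePath alone: a service whose binary is a DLL, reached through the \??\ NT path prefix, living under Common Files rather than the Windows directory. This added example (not from the thread) parses a constructed service listing in the same single-backslash form the thread quoted and flags entries with those traits, so a log can be triaged before any sc stop / sc delete is run. The u_lehj lines are the thread's; the other two services, the WINDIR constant and the function names are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

WINDIR = r"C:\WINDOWS"  # assumption: XP default system root

# Constructed listing: the u_lehj entry is the one quoted in the thread, the
# wdmaud and Dhcp entries are made up here as examples of normal services.
SAMPLE_SERVICES = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\u_lehj]
"ImagePath"="\??\c:\program files\Common Files\System\u_lehj32.dll"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
"Type"=dword:00000020
"""

SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\\\]]+)\]$", re.IGNORECASE
)
IMAGEPATH = re.compile(r'^"ImagePath"="(.*)"$', re.IGNORECASE)
# First token that ends in a binary extension; drops "-k netsvcs" style arguments.
BINARY = re.compile(r"^(.*?\.(?:exe|sys|dll))", re.IGNORECASE)


def parse_services(text: str) -> Dict[str, Optional[str]]:
    """Map service name -> raw ImagePath (None if the key had no ImagePath)."""
    services: Dict[str, Optional[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = SERVICE_KEY.match(line)
        if key:
            current = key.group(1)
            services.setdefault(current, None)
            continue
        val = IMAGEPATH.match(line)
        if val and current:
            services[current] = val.group(1)
    return services


def normalise_image_path(image_path: str) -> str:
    """Lower-case, strip the \\??\\ prefix, expand %SystemRoot%, root relative paths."""
    p = image_path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    p = p.replace("%systemroot%", WINDIR.lower())
    m = BINARY.match(p)
    binary = m.group(1) if m else p
    if not re.match(r"^[a-z]:\\", binary):  # relative ImagePaths are rooted at %SystemRoot%
        binary = WINDIR.lower() + "\\" + binary.lstrip("\\")
    return binary


def suspicious_services(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return name -> (normalised binary, reasons) for services worth a closer look."""
    findings = {}
    for name, image in parse_services(text).items():
        if image is None:
            continue
        binary = normalise_image_path(image)
        reasons = []
        if binary.endswith(".dll"):
            reasons.append("ImagePath is a DLL rather than an .exe or .sys")
        if not binary.startswith(WINDIR.lower() + "\\"):
            reasons.append("binary lives outside " + WINDIR)
        if reasons:
            findings[name] = (binary, reasons)
    return findings


if __name__ == "__main__":
    for name, (binary, reasons) in suspicious_services(SAMPLE_SERVICES).items():
        print(f"{name}: {binary} ({'; '.join(reasons)})")
```

A DLL-as-ImagePath or a binary outside the Windows directory is not proof of malware on its own (some legitimate drivers use the \??\ prefix, and third-party services normally live under Program Files), so the output is a shortlist to confirm against the other scanner logs, not a delete list.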
 
Trying to be hard to remove!

Run MBAM then click More Tools then click Run tool.

Code:
C:\Program Files\Common Files\System\u_lehj32.dll

Copy and paste the line inside the box into the File name: box and click OK to delete the file.

Reboot and do post #40 again; post the text file again.

Mike
 
Geeze!

I don't give up!

So I will leave it up to you when to say uncle!

Autoruns/Runscanner cleanup

Make sure hidden files and folders are shown. Open Windows Explorer click Tools or View and then Folder Options-View.

Choose Show hidden files and folders, uncheck Hide protected operating system files and click OK.

Download install and run AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Run it, let it scan, then when it says Ready at the bottom left corner, make sure the EVERYTHING tab is selected and then click File at top and then Find.

Type "file not found" in the find box, hit Enter, and delete all lines that have "file not found".

When you reach the bottom, go back to the top and click the first entry under the Everything tab (to begin the search from that point) and search again in case any were missed.

This is a bunch of old stuff that M$ thought you might or would need that no longer exists, or for computers that are assumed to have SCSI or AMD processors but do not, or that you have Intel but do not!

After the "file not found" search, scroll back to the top and highlight the very first entry so you are searching from the top, then click Find and search for anything you want, if needed.

Then look carefully through all the Everything entries and delete anything that you may have had but uninstalled and thought were gone. If you are sure, delete these also.
---------------------------------------------------------------------------------------------------------------------------------
The above is a general cleanup but do this for your specific problem.

START: Go back to top and click the first entry under The Everything Tab (to begin the search from that point). Then click File at top and then Find.

Type u_lehj32 in the find box, hit Enter, and delete all lines that have this file name.

Now go back to START and do the same with the file name u_lehj.

Mike
 
Hey Mike,
I really appreciate all of the help you have given me on this irritatingly persistent issue. If you don't know where to go from here that's cool. By the way, after carrying out post 40 the redirecting issue seemed to have gone. However, when I closed the Internet Explorer window I was using and opened another one it had returned. I did what you asked in the last post and didn't find any lines with u_lehj32 or u_lehj to delete. If we cannot find the thing causing the issue, is the next step to wipe the computer and reinstall IE? If so, could you tell me how to do this.
Thanks again Mike
Gman
 
Let's do these 2 before that, if you have the energy left.

Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

Make a folder on your Desktop and name it RRepeal. Move the rar file there and extract.

Enter the folder and double-click RootRepeal.exe.
Click the Report tab, then click Scan.

It will ask what to include in the scan.

Check the following
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Then click OK

It will ask which drive to scan.

Check C: (or your windows drive, if not C)
Click OK
The scan will begin and will take a while.

When the scan completes, click Save Report.

Name the log RRepeal.txt save it to your Documents folder (it should default there). Post it back.

Then

Get Nod32

Download http://finalbuilds.edskes.net/nod32.htm

Boot to Safe Mode only to run. Do it when sleeping as it could take a while.

Mike
 
I forgot to tell you also, before I try what you have said, that Google redirects me on google.com and a drop-down box also appears. However, I have no redirection issues on google.co.uk. Is this the normal problem? Therefore .com search engines and the expiring of secure pages and search pages are the issues I am having.
Cheers, Gman
 
Hey Mike,
I think it's worked!!!!!!! I scanned using the NOD32 and it found 10 threats. I noticed that one of these was the u_lehj32 thing so I deleted it. The redirecting and expiring of secure pages has gone. Should I have deleted the other 9? Also, as this appears to be the end of the issue, could you tell me which of the programs I have installed should be deleted and advise me as to how to stop this happening in the future? Thank you very very much, I really appreciate the help you have given me.
Gman
* I have enclosed the log you requested
 
Bout time!

I see RootRepeal found it also but we only told it to create a log file and not repair.

Can you get me the NOD log file? I think it puts it on the desktop. NX something or other?

I think you should have removed all it found but after I see the log I will confirm.

My thread closing will cover the programs to uninstall.

Gone for an hour or more on errand!

Mike
 