TechSpot

Google search engine getting redirected

By lho
Jun 24, 2010
  1. Hi, this is my first time posting my computer problem so I don't really know what to do. Anyway, recently my computer has been getting redirected from so I suspect it is some kind of malware. I ran a few software scans such as Spybot, Avast, SUPERAntiSpyware, and Malwarebytes and deleted all the infected files but the problem still persists. Please help.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The following will guide you through what you need to do to help us help you:

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. lho

    lho TS Rookie Topic Starter Posts: 46

    I am not done with the steps yet but after I did the TFC and restarted my computer, my Firefox stopped working! Is it supposed to do that? I'll get back to you on the log ASAP.

    edit: never mind, I fixed the Firefox problem, I'll get right on the logs.
     
  4. lho

    lho TS Rookie Topic Starter Posts: 46

    logs

    Well here are the logs, for some reason my GMER log is extremely big so I put it on MediaFire, I hope I did it right, just let me know if you need me to redo any of them.

    gmer log: http://www.mediafire.com/?mjmjritdozt
     

    Attached Files:

  5. lho

    lho TS Rookie Topic Starter Posts: 46

    I see that many others are having the same problem as me, but my GMER log is very big compared to all of theirs. I hope nothing is wrong with my computer and it won't hinder your ability to fix the computer. I'll wait for further instruction.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, first of all, I don't go around collecting logs from other places. You can include the log here. And don't compare your logs to those of others; they are all different. There is a line at the end of GMER which you might not have seen:
    Warning ! Please, do not select the "Show all" checkbox during the scan.

    There is some problem with your DDS log however, at least the Attach.txt section. There is no information:
    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================


    ==== Event Viewer Messages From Past Week ========

    ==== End Of File ===========================

    Please run the following so I can get some idea of what's happening- and bring the GMER log over here:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename ComboFix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe and follow the prompts to run.
       NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If ComboFix asks you to install Recovery Console, please allow it.
    6. If ComboFix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.
     
  7. lho

    lho TS Rookie Topic Starter Posts: 46

    Here you go, I think this was the log I was supposed to make. Let me know if you need anything else. Regarding the restore point, I turned off System Restore because someone told me I had a virus in my restore point so it was needed to delete all the old stuff. This was before posting here and I apologize if that made things worse.
     

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Many people don't understand about malware in restore points. In fact, there was one member here who thought every time the computer was booted that it booted from a system restore point! Not so! If malware only shows that it is in 'System Volume' (restore points) it means it's no longer active in the system. But if an infected restore point happened to be chosen to do a System Restore, it could reinfect the system.

    We have you drop all the old restore points when the system is clean and set a new, clean restore point. But sometimes the only way to get back into a system is through a restore point, infected or not, so we keep them on hand till the cleaning is complete.

    Run this script first:

    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\Administrator\Application Data\BitComet
    c:\windows\system32\ShellManager10E2D762.dll
    
    Folder::
    c:\documents and settings\All Users\Application Data\McAfee
    Driver::
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys 
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Please run DDS again. (You can delete the original 2 logs) If you followed the directions, you will have deleted it after running, so follow this:
    • Download DDS by sUBs and save it to your desktop.

      After downloading the tool, disconnect from the internet and disable all antivirus protection.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results, click no to the Optional_Scan
    • Follow the instructions that pop up for posting the results.
    • Close the program window, and delete the program from your desktop.

    Please note: You may have to disable any script protection running if the scan fails to run.

    Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

    When done, DDS will open two (2) logs:
    DDS.txt
    Attach.txt


    Please attach both in your next reply.
    =========================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    I recommend that you uninstall BitTorrent. In addition to the program itself, there is data and the firewall has been set to allow BitTorrent through several different ports. This is a vulnerability to the system.
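The FCopy:: line in the script above restores the live ATAPI driver from the Service Pack copy. The check a responder would want before and after that step is whether the two files actually differ. The following is an added example, not code from this thread or from ComboFix; the two paths are the ones quoted in the script, and the function names are my own.

```powershell
# Added example: compare C:\WINDOWS\system32\drivers\atapi.sys with the
# Service Pack copy that the CFScript's FCopy:: line restores. A hash mismatch
# means the driver in use differs from the known-good copy and deserves a closer look.
# Uses .NET for hashing so it also runs on PowerShell 2.0 (the XP-era release).

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Compare-DriverToBackup {
    param(
        # Paths as given in the thread's CFScript (FCopy:: source | destination)
        [string]$Live   = 'C:\WINDOWS\system32\drivers\atapi.sys',
        [string]$Backup = 'C:\WINDOWS\ServicePackFiles\i386\atapi.sys'
    )
    foreach ($p in @($Live, $Backup)) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
    }
    $liveHash   = Get-Sha256Hex -Path $Live
    $backupHash = Get-Sha256Hex -Path $Backup
    $liveInfo   = Get-Item -LiteralPath $Live
    $backupInfo = Get-Item -LiteralPath $Backup

    # Return an object so a caller can log it or branch on .Matches
    New-Object PSObject -Property @{
        LivePath      = $Live
        LiveSize      = $liveInfo.Length
        LiveModified  = $liveInfo.LastWriteTime
        LiveHash      = $liveHash
        BackupPath    = $Backup
        BackupSize    = $backupInfo.Length
        BackupHash    = $backupHash
        Matches       = ($liveHash -eq $backupHash)
    }
}

# Usage: run from an elevated PowerShell prompt on the affected machine
$result = Compare-DriverToBackup
$result | Format-List LivePath, LiveSize, LiveModified, LiveHash, BackupPath, BackupSize, BackupHash, Matches
if (-not $result.Matches) {
    Write-Warning 'Live atapi.sys differs from the Service Pack copy; review it before trusting it.'
}
```

Compare the hashes rather than only the sizes or timestamps: a modified driver can keep the original length and date, so size equality on its own proves nothing. Keep the output from before and after the FCopy:: step with the ComboFix log so the change is documented.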
     
  9. lho

    lho TS Rookie Topic Starter Posts: 46

    Okay, here are the logs

    by the way, the first time I saw the post, the combofix instruction wasn't there so I did the DDS and the online scan first, and then your combofix instruction. I hope that's alright.

    Question: How come my programs are all starting to act funky, like my BitComet and Adobe have been getting all these weird errors. I kinda suspect something changed in my app data folder, what do you think?
     

    Attached Files:

  10. lho

    lho TS Rookie Topic Starter Posts: 46

    bump...sorry
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Why are you bumping the thread? I am helping a lot of others who began before you started. And most of your time was spent asking you to run the programs and get the logs out!

    Your programs are getting 'funky'- what does that mean?
    And you getting 'all these weird errors'- what are they?

    Eset found one entry; it's in Qoobox, which is where ComboFix puts the quarantined files.

    Custom CFScript


    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Registry::
    Driver::
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys 
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      viaagp.*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Please Describe any remaining malware- related problems.

     
  12. lho

    lho TS Rookie Topic Starter Posts: 46

    Right, sorry about the bump, here are the logs

    These are the errors I've been getting, never used to get them before.
    One is an Adobe error
    "Microsoft Visual C++ Runtime Library
    Runtime Error!
    Program: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe

    This application has requested the Runtime to terminate it in an unusual way.
    Please contact the application's support team for more information."

    Another one is from Bitcomet
    "Bitcomet"
    Failed to save task list!
    (C:\Documents and Settings\Administrator\Application Data\BitComet\Downloads.xml)

    Steam (the program for Left 4 Dead or Call of Duty)
    "Connection Error"
    Could not connect to the Steam network.
    It appears that you are not currently connected to the internet, or that your internet connection is not configured correctly for steam.
    (my internet works fine)

    Well I don't know if these are caused by malware, but I hope it's not. Let me know what you think, good luck.
     

    Attached Files:

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Adobe:
    Reader 9.0 AcroRd32.exe caused Microsoft Visual C++ Runtime Library error
    http://forums.adobe.com/thread/391738
    http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
    http://kb2.adobe.com/cps/500/cpsid_50026.html

    BitComet:
    The only file sharing help I give is to suggest you uninstall it.

    Steam:
    Consider that it could be the servers for Steam that can't complete the connection. Try again, different times.

    These aren't malware problems, and Google is your friend. The malware problem has been handled.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all backups of the files it deleted:
    • Click START > then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
      [IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen, then click "Next".
    • Give the Restore Point a name > click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
  14. lho

    lho TS Rookie Topic Starter Posts: 46

    Yo thanks a lot man, you're a life-saver.
    Does this mean my computer is 100% clean?

    Oh, Steam seems to be working fine now and people suffering the same error from Adobe didn't really help much.
    Anyway, for the BitComet problem it says:
    If it's not then recheck the %appdata% permissions -- often you need to check all the permissions for the entire tree and every node in it. The account you usually run BitComet under - normally your own - should own the directory and files, and have full control of both.

    Any idea how to do this?
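The advice quoted in the post above (the account that runs the program should own the %appdata% tree and hold Full Control over every node in it) can be checked rather than eyeballed. The following is an added example and is not part of this thread or of BitComet; the folder path is the one from the error message earlier in the thread, and the function names are my own. It walks the tree, reports any file or folder whose owner is not the current user or which lacks an explicit Full Control entry for that user, and offers a helper that adds an inheritable Full Control entry on the top-level folder.

```powershell
# Added example: audit ownership and Full Control on %APPDATA%\BitComet and
# everything beneath it. Runs on PowerShell 2.0 and later.

function Test-AppDataPermissions {
    param(
        [string]$Path = (Join-Path $env:APPDATA 'BitComet'),   # folder from the thread's error
        [string]$User = "$env:USERDOMAIN\$env:USERNAME"         # account to check for
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }

    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll  = 0x10000000   # inherit-only entries may carry GENERIC_ALL instead of FullControl

    # The directory itself plus every file and folder under it ("the entire tree")
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    $problems = @()
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        # An Allow entry naming this user directly with full rights. Access granted only
        # through a group (e.g. Administrators) is deliberately not counted here.
        $allow = $acl.Access | Where-Object {
            $rights = [int]$_.FileSystemRights
            $_.IdentityReference.Value -eq $User -and
            $_.AccessControlType -eq 'Allow' -and
            ((($rights -band $fullControl) -eq $fullControl) -or (($rights -band $genericAll) -ne 0))
        }
        if ($acl.Owner -ne $User -or -not $allow) {
            $problems += New-Object PSObject -Property @{
                Path           = $item.FullName
                Owner          = $acl.Owner
                HasFullControl = [bool]$allow
            }
        }
    }
    return $problems
}

function Grant-FullControl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$User = "$env:USERDOMAIN\$env:USERNAME"
    )
    # Add an inheritable Full Control entry on the folder; files and subfolders that
    # still inherit from it pick the entry up without being touched individually.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $User, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: run as the account that normally runs BitComet
$findings = Test-AppDataPermissions
if ($findings.Count -eq 0) {
    'Owner and Full Control look correct for every node in the tree.'
} else {
    $findings | Format-Table Path, Owner, HasFullControl -AutoSize
    # Uncomment to repair the top-level folder after reviewing the findings:
    # Grant-FullControl -Path (Join-Path $env:APPDATA 'BitComet')
}
```

Run the audit before changing anything: a finding on the owner column means a different account created the file (common after a cleanup tool ran from another account), while a finding on HasFullControl with the correct owner usually means inheritance was broken somewhere below the top folder. Grant-FullControl only adds an entry on the folder it is given; taking ownership of files created by another account needs an administrator and is a separate step.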
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome.

    Please understand when I say the only help I give with file sharing programs is to suggest you remove them. Since the malware problem has been resolved, I'll close this thread. If you need help for system problems, you can post in the Windows OS forum.
     
Topic Status:
Not open for further replies.
