TechSpot

Hijacker? Google image search turns up random pages

By ambushedbaby
Nov 19, 2007
  1. Hello, oh great tech gurus. Been a long while since I've been here due to the excellent advice I received quite a while ago.

    However, children have been using my machine (no longer) and I have a bug. Rather than the image I'm searching for, google images returns random, unrelated pages. I can get around it by using just google, locating pages with the images I want and accessing them that way, but it's a pain and I hate knowing I have a bug. It has to go.

    Ran a HJT log yesterday and my machine was BLOATED. Five pages!

    Ran CCleaner last night. Got rid of a ton of junk and the machine is back up to speed.

    I read the 'Prelim removal instructions'. Yes, I think it will be adequate to 'fix' on this machine. I disabled Cybersitter, SS&D, AdAware, AVG and AVG anti-spyware and SpywareBlaster.

    I completed the Trend Micro scan and it found the following:
    1 ADWARE_GHOT_E-VENTURES
    1 ADWARE_BHOT_IMYONBAR
    4 HTTP cookies

    When I hit 'clean' a message came up stating they were selected for deletion and a warning:
    "For some infections, "Delete" was selected to remove the infection. This will delete the infected file from the system. Important data may be lost."

    Should I do it? The page is loaded and ready to go in IE and I am posting here via Firefox.

    Please advise, oh masters of all things techie.
     
  2. ambushedbaby

    ambushedbaby TS Rookie Topic Starter Posts: 26

    Assistance please?

    Reached step 12 and downloaded Combofix.exe, but it tells me that copy (from the link in the instructions) is expired, then it uninstalls. How do I get the most recent version?

    Progress so far:
    Got all the updated versions of software up to step 9.
    Ran CCleaner until there were 0 problems. Took 3 tries.
    Could run tool 2 and 3 in step 9, but got a command prompt for tool 1 and don't know what to do with it.
    Step 11 - no rootkits found.

    But I'm stuck at step 12. Any advice appreciated.

    Shari
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Combofix is presently having problems.

    Please skip it and continue with the rest of the instructions.

    In place of Combofix, please do the following.

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

    Close all other windows before proceeding.

    This means TURN OFF ALL other security programmes.
    Norton Anti-virus, AVG Anti-spyware or any other security programmes you're running.

    Double-click on dss.exe and follow the prompts.
    When it has finished, dss will open two Notepads, main.txt and extra.txt -- please attach the main.txt and extra.txt in your next reply.

    Re-enable your security programmes and reconnect to the net.

    That now means I require four log files.

    HJT/AVG Antispyware/The two Deckard System Scanner logs, as well as the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of ambushedbaby only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. ambushedbaby

    ambushedbaby TS Rookie Topic Starter Posts: 26

    Thanks Howard. Reports attached.
    Panda said no rootkits found.

    Oddly enough no virus was found in AVG scan, not even cookies in SS&D, only a few in AVG spyware...

    What is up with that?

    aaaaaaaaaccccckkk!

    OK. Now I can't use Google either! Even when I click on a searched page it redirects me to random sites.

    WAY over my head, here, :blackeye:
    The report from the kids is that their computer is now doing it, too. We have 5 networked machines in the house. Haven't checked the others yet.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Did you deliberately install the CyberSitter software? If you didn`t, uninstall it.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click on the processes tab and end process for (if there).

    PowerReg Scheduler V3.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll

    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll

    O4 - Startup: PowerReg Scheduler V3.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders(if there).

    C:\PROGRA~1\COMMON~1\Real
    C:\WINDOWS\d3dx.dat
    C:\WINDOWS\mozver.dat
    C:\Program Files\Viewpoint
    PowerReg Scheduler V3.exe - Search your system for this file and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh Main.txt and let me know how your system is running.

    Regards Howard :)

     
  6. ambushedbaby

    ambushedbaby TS Rookie Topic Starter Posts: 26

    Thanks Howard,
    My normal user account is an administrator account. Should I use a non-admin account?
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No, use your normal account name as instructed. The fact it already has admin status is even better.

    Regards Howard :)

     
  8. ambushedbaby

    ambushedbaby TS Rookie Topic Starter Posts: 26

    'Fixed' these:
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll

    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll

    This didn't show up on the HJT:
    O4 - Startup: PowerReg Scheduler V3.exe

    Found and removed these:
    C:\PROGRA~1\COMMON~1\Real
    C:\WINDOWS\d3dx.dat
    C:\WINDOWS\mozver.dat
    C:\Program Files\Viewpoint

    This - PowerReg Scheduler V3.exe didn't show up in the HJT even though I'd set the do not hide folders option in My Computer. When I ran the search in Explorer it found it and I deleted it.

    Main2.txt is attached.

    System is now functioning normally for general Google Searching. Clicking on listed sites takes me to that site.

    Searching through Google Images (either directly, through the google search option, or by clicking on a page and selecting the image search option) sends me into the ether in random directions.

    For instance, clicking Image Search with no parameters brings me to:
    Club Tuki
    Smithsonian - www.si.edu
    PC Magazine -www.pcmag.com
    America's Most Wanted - www.amw.com

    Image search for 'thanksgiving' gave me:
    www.missingkids.com
    www.sossites.com/zombiespy.htm - which has a lovely (urg) black box saying, "This ain't hype, this is a real threat."

    Now what? I'm at a loss. I use the image search function frequently (or, I used to...).

    This is some kind of hijacker, isn't it?
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I'll ask you again since you didn't answer: Did you deliberately install the CyberSitter software?

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techspot.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.loaches.com

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)

    O4 - Startup: OpenOffice.org 2.3.lnk.disabled

    O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://74.0.208.149/program/SonySncRz25View.cab

    Click on the fix checked button.

    Close HJT and reboot your system.

    Regards Howard :)

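    The entries Howard asks to have fixed above (and the REALBAR pair in post 5) share a few recognisable traits: a BHO with no name or no file, a per-user SearchURL override, an executable sitting directly in the Startup folder, and an ActiveX download from a bare IP address. As an added example that is not from this thread or from HijackThis itself, this Python script parses constructed HJT-style lines modelled on the quoted ones and flags those traits, plus any CLSID that appears in more than one entry.

    ```python
    import re
    from urllib.parse import urlparse

    # Constructed sample modelled on the entries quoted in this thread (not a real log file).
    SAMPLE_LOG = """\
    R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.techspot.com/
    R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\SearchURL,(Default) = http://www.loaches.com
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\\PROGRA~1\\COMMON~1\\Real\\Toolbar\\RealBar.dll
    O4 - Startup: OpenOffice.org 2.3.lnk.disabled
    O4 - Startup: PowerReg Scheduler V3.exe
    O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://74.0.208.149/program/SonySncRz25View.cab
    """

    ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")   # R*/O* entry lines only
    CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
    IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


    def parse_log(text):
        """Split an HJT-style log into (kind, body) tuples, skipping non-entry lines."""
        entries = []
        for line in text.splitlines():
            m = ENTRY_RE.match(line.strip())
            if m:
                entries.append((m.group("kind"), m.group("body")))
        return entries


    def triage(text):
        """Return {entry_body: reason} for entries a reviewer would want to look at."""
        entries = parse_log(text)
        seen = {}  # CLSID -> bodies it appears in (same component as BHO and toolbar)
        for _, body in entries:
            for clsid in CLSID_RE.findall(body):
                seen.setdefault(clsid.upper(), []).append(body)
        flagged = {}
        for kind, body in entries:
            if kind in ("O2", "O3") and ("(no file)" in body or "(no name)" in body):
                flagged[body] = "BHO/toolbar with no name or no file: orphaned or hiding its module"
            elif kind == "R1" and "SearchURL" in body:
                flagged[body] = "per-user search URL override: classic search-redirect setting"
            elif kind == "O4" and body.lower().endswith(".exe"):
                flagged[body] = "executable placed directly in Startup rather than a shortcut"
            elif kind == "O16" and IPV4_RE.match(urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""):
                flagged[body] = "ActiveX control downloaded from a bare IP address"
            for clsid in CLSID_RE.findall(body):
                if len(seen[clsid.upper()]) > 1 and body not in flagged:
                    flagged[body] = "CLSID %s also appears in another entry" % clsid
        return flagged
    ```

    Run `triage(SAMPLE_LOG)` to see which of the seven sample entries are flagged; the techspot.com start page and the disabled OpenOffice shortcut are left alone.
    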
     
  10. ambushedbaby

    ambushedbaby TS Rookie Topic Starter Posts: 26

    Thanks, Howard,
    Yes we installed Cybersitter about 5 years ago. We have teenagers. ;-)
    Been running it without incident since then and it's proven useful on several occasions. Can it be part of the problem? We can remove it, if necessary.

    Will Del015 create a new home page?

    How about if I simply uninstall Open Office? It was interesting, but I'm not really using it currently.

    I'll follow your instructions this evening.
    Have a nice Thanksgiving (if that applies). :wave:

    Thanks again,

    Shari
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem with Cybersitter if you installed it yourself.

    No need to uninstall open office.

    All the DelO15Domains.inf does is reset your trusted zone, that's all. It won't create a new home page.

    Are you still having a problem with image searches?

    Regards Howard :)

     
  12. ambushedbaby

    ambushedbaby TS Rookie Topic Starter Posts: 26

    Unfortunately, yes. Just tried it after running the Del015 thing. New HJT after reboot is attached.

    Apparently, the
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    Came back.

    Should I disable Spybot when running the Del? (oops, I didn't...) I approved all the changes that spybot popped up after the reboot.

    I'm completely mystified, Howard.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're running an outdated version of HJT, see HERE.

    Post a fresh HJT log.

    Regards Howard :)

     
  14. ambushedbaby

    ambushedbaby TS Rookie Topic Starter Posts: 26

    Sorry, Howard. How embarrassing. My apologies.

    New version scan attached.
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    Uninstall AVG Antispyware.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)

    O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} -

    Click on the fix checked button.

    Close HJT and reboot your system.

    Post a fresh HJT log and let me know if you're still having problems.

    Regards Howard :)

     
  16. ambushedbaby

    ambushedbaby TS Rookie Topic Starter Posts: 26

    Howard, I must be an *****. :monkey:

    I disabled Spybot using the two step process.
    Uninstalled AVG antispy
    Ran the HJT.
    Removed the two items you listed.
    Fixed them with HJT.
    Rebooted system.

    Ran HJT again - AFTER I renamed it to Crusty.exe because I had failed to do so when I got the newer version.

    Rebooted and Spybot popped up a bunch of registry change boxes. Approved them all.
    .................
    And it seems the 'fix' didn't take. Yes, Google image still is bringing up other sites. Seems to be the same or similar series, most child-related or spam.
    .................
    Here's the latest HJT :

    Thank you so much Howard, and my deepest apologies for the fact that I can't seem to follow instructions.

    Tried one more time to see if i could get it right.

    Closed out of here. Rebooted.
    Set Cybersitter to inactive.
    Checked to make sure TeaTimer was disabled and exited the Resident.
    Ran HJT.
    Fixed the two boxes you'd previously mentioned.
    Exited HJT and rebooted.
    Tried an image search on roses and got...Roses!
    Yippee!

    If you have time, could you tell me what it was that was hijacking the image function of google, and why it was so specific an issue that didn't affect anything else, if you know?

    Ran a fresh HJT which is attached. (Though I guess you don't really need it as whatever it was I deleted seems to have solved the problem.)

    Many thanks, Howard. I appreciate your time. If you were around here, I'd bake a pie just for you. ;-)

    Shari
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    I assume it was the two entries that didn't want to go from your HJT log that were causing your image search problem.

    I suggest you now re-enable SS&D.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
