TechSpot

Links from Google search are hijacked to 3rd party sites

By stidesforty
Nov 9, 2009
Topic Status:
Not open for further replies.
  1. Hi and thanks in advance for your help. Over the weekend I started getting a number of the fake virus protection pop-ups and thought I was careful to avoid clicking on them. I run Vista on a Dell with McAfee security. I generally use IE, although I also have Firefox and Chrome installed. Even after scanning with McAfee and running AdAware, when using IE or Firefox (not sure with Chrome), links after a Google search were sending me to random sites, yellow pages, etc., and not to the linked page.

    I have since followed the 8-step removal process, but links are still getting hijacked. Attached are the three logs requested. Thanks again!
     


  2. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    Anyone have thoughts on my malware/virus situation? Thanks in advance.
     
  3. kritius (TS Guru, Posts: 2,087)

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  4. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    Kritius-

    Thanks for jumping on my virus grenade. Ran ComboFix. Had to run it twice as the first time it rebooted the computer after completing stage 3 (not sure if that is normal or not.) 2nd time got through all 50 stages and produced the attached log.

    thanks
     


  5. kritius (TS Guru, Posts: 2,087)

    What is your AV status?

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  6. kritius (TS Guru, Posts: 2,087)

    Also,

    I see that you use IObit Security 360. They used a stolen database from Malwarebytes Anti-Malware to enhance their definitions; I would now consider this rogue software. If they stole another security vendor's database, what else would they stoop to?

    If I were you I would consider if I wanted this on my system.
     
  7. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    Thanks. I have McAfee installed for AV.

    I didn't know about IObit. I uninstalled.

    Ran the script with ComboFix. Log is attached.
     
  8. kritius (TS Guru, Posts: 2,087)

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  9. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    OK. Couple of things after running the last script.

    1. Got a notice that PEV.cfxxe had stopped working.
    2. Auto reboot after Stage 50 and after completing log.
    3. I think the attached log is the newest one; it was actually in a ComboFix folder on C:

    thanks.
     
  10. kritius (TS Guru, Posts: 2,087)

    Go to Start, then Run, and type cmd. At the command prompt, enter:

    COPY /Y/B/V %WINDIR%\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys C:\atapi.sys

    Please verify that C:\atapi.sys exists.
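The post above copies the DriverStore copy of atapi.sys to the root of C: and asks only whether the copy exists. As an added example (not part of the thread and not a ComboFix or TechSpot script), the PowerShell below does the same copy and then compares the DriverStore copy with the driver actually present in System32\drivers by size and SHA-256 hash, which is the check a responder would want before deciding whether the live driver has been tampered with. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), an elevated prompt, and that the DriverStore subfolder name is the one quoted in the thread; that name differs between machines, so pass your own path as -Source if it does not exist.

```powershell
# Added example, not from the thread. Copies the DriverStore copy of atapi.sys
# to C:\atapi.sys (same intent as the thread's COPY /Y/B/V) and compares it
# with the live driver in System32\drivers.
# Assumptions: Windows PowerShell 4.0+ (Get-FileHash), elevated prompt, and the
# DriverStore folder name from the thread (mshdc.inf_b12d8e84), which varies
# per machine; override -Source if needed.

function Copy-AndCompareAtapi {
    param(
        [string]$Source = "$env:WINDIR\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys",
        [string]$Live   = "$env:WINDIR\System32\drivers\atapi.sys",
        [string]$Dest   = 'C:\atapi.sys'
    )

    if (-not (Test-Path -LiteralPath $Source)) {
        throw "DriverStore copy not found: $Source (folder name varies; pass -Source)"
    }

    # Overwrite any existing C:\atapi.sys, as COPY /Y does.
    Copy-Item -LiteralPath $Source -Destination $Dest -Force

    # The thread's own check: did the copy land?
    if (-not (Test-Path -LiteralPath $Dest)) {
        throw "Copy failed: $Dest does not exist"
    }

    # Extra check: size and SHA-256 of the DriverStore copy versus the live driver.
    $copyInfo = Get-Item -LiteralPath $Dest
    $liveInfo = Get-Item -LiteralPath $Live
    $copyHash = (Get-FileHash -LiteralPath $Dest -Algorithm SHA256).Hash
    $liveHash = (Get-FileHash -LiteralPath $Live -Algorithm SHA256).Hash

    [pscustomobject]@{
        DriverStoreCopy = $Dest
        LiveDriver      = $Live
        CopySize        = $copyInfo.Length
        LiveSize        = $liveInfo.Length
        CopySHA256      = $copyHash
        LiveSHA256      = $liveHash
        Match           = ($copyHash -eq $liveHash)
    }
}

$result = Copy-AndCompareAtapi
$result | Format-List
if (-not $result.Match) {
    Write-Warning 'Live atapi.sys differs from the DriverStore copy; report both hashes in your reply.'
}
```

A mismatch is a lead, not a verdict: a legitimate update can leave the two files different, and a rootkit that hides or filters reads of the live driver can make them look identical from inside the running system, which is why the thread goes on to use offline-style tools rather than trusting this comparison alone.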
     
  11. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    I copied the "COPY...atapi.sys" into a command prompt and it said "1 file copied"

    And it appears on the C: drive.

    CF log attached
     
     
  12. kritius (TS Guru, Posts: 2,087)

    Good

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  13. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    Ran the script.
    CF rebooted after stage50.
    Log attached.
     
  14. kritius (TS Guru, Posts: 2,087)

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
    -- If you encounter any problems, try running GMER in Safe Mode.
     
  15. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    OK. GMER crashed twice in Normal Mode, and finally went all the way through on 3rd try in Safe Mode. Log is attached. Thanks again!
     
  16. kritius (TS Guru, Posts: 2,087)

    We need to check for rootkits with RootRepeal.
    1. Download RootRepeal from the following location and save it to your desktop.
    2. Extract RootRepeal.exe from the archive.
    3. Open RootRepeal.exe on your desktop.
    4. Click the Report tab.
    5. Click the Scan button.
    6. Check all seven boxes.
    7. Push Ok.
    8. Check the box for your main system drive (usually C:), and press Ok.
    9. Allow RootRepeal to run a scan of your system. This may take some time.
    10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
     
  17. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    How long does RootRepeal take to run the scan? I started one, and RR crashed. I tried running again and it wouldn't. So I uninstalled, restarted and downloaded a new copy. It's been stuck for 25 mins with nothing seemingly happening. Should I run it in safe mode?
     
  18. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows Vista SP2
    Exception Code: 0xc0000005
    Exception Address: 0x0040ab12
    Attempt to write to address: 0x00000004
     
  19. kritius (TS Guru, Posts: 2,087)

    That's not great.

    Delete the copy of ComboFix that you have on your desktop and redownload it.

    Run it again and post the log.
     
  20. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    I figured that wasn't a good sign. New version of CF and log is attached.
     
  21. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    Tried to run RootRepeal today and it froze again in the same spot...when it is scanning C:/Windows/winsxs/Manifests. Not sure if that helps, but thought I'd pass it along.
     
  22. kritius (TS Guru, Posts: 2,087)

    Sorry for the delay, Internet died.

    Delete current copy of ComboFix, redownload, scan and post the log.

    Also, do you have Daemon Tools, Alcohol 120% etc. installed?
     
  23. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    Sorry for my delay. I was out of town the last 5 days.

    I am now unable to download combofix from either of the sites. Can't save the file to my computer? Any thoughts?

    I don't think I have either of the programs you mentioned - never heard of them.

    Thanks
     
  24. kritius (TS Guru, Posts: 2,087)

    What happens when you try to download it?
     
  25. stidesforty (TS Rookie, Topic Starter, Posts: 28)

    In Google Chrome, a new tab opens up and it says: "This webpage is not available. The webpage at http://download.bleepingcomputer.com/sUBs/ComboFix.exe might be temporarily down or it may have moved permanently to a new web address."

    In IE, I get the security warning, click on save, it appears to download, but then I get a Vista pop-up "Destination Folder Access Denied...you need permission to perform this action."

    I am logged on as same user with admin rights as before.
     