TechSpot

My Google search results links are hijacked when I click them-please help

By pyager66
Jun 4, 2010
  1. I followed the 8 step path, see attached logs...

    Thank you so much in advance for even considering helping me.

    Pyager66
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Not much showing here. I would like more of a description of the 'redirect' though. We will have to dig deeper:

    Consider disabling Stopzilla while we're working:


    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename ComboFix unless instructed.
    [2]. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe and follow the prompts to run.
    NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If ComboFix asks you to install the Recovery Console, please allow it.
    [6]. If ComboFix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    [7]. A report will be generated after the scan. Please post C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Leave the 2 logs in your next reply.
     
  3. pyager66


    Thanks so much for your fast reply

    ComboFix Log File is attached




    Eset Log File:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=843f2a25c9f5fc4e9e736b7d0574a051
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-06-05 02:12:52
    # local_time=2010-06-04 10:12:52 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 0 33848182 14278 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=32970
    # found=2
    # cleaned=0
    # scan_time=5685
    C:\WINDOWS\system32\ws2_32.dll Win32/Patched.ED trojan 00000000000000000000000000000000 I
    ${Memory} Win32/Patched.ED trojan 00000000000000000000000000000000 I
     


  4. Bobbye


    I'm going to move a file that was found in Eset, which you ran first. The file is also mentioned in Combofix as infected. There is a chance that this will not remove it, but try first and if it does not, I'll have you submit it for further identification:

    Please download OTMoveIt by OldTimer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click OTMoveIt3.exe and select "Run as Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      c:\windows\system32\ws2_32.dll
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please include that log in your next reply.

    It would also be best if you disabled the following programs while I'm helping you:
    Trend Micro
    Stopzilla
    Spybot
    I need to be sure that malware is found and handled properly and not whisked off by a program that might not remove it totally.
     
  5. pyager66


    Uh Oh

    I ran the file as you described. The computer asked me to restart to continue removing the files. I clicked okay and when it restarted it said Dell Bios info and then Windows Recovery Mode option and then Windows Startup Screen and then a Blue screen with the following error..
    STOP: c000021a {Fatal System Error}
    The Windows Logon Process system process terminated unexpectedly with the status of 0xc0000135 (0x00000000 0x00000000).
    The system has been shut down.

    I tried to restart several times but always the same result. I also tried to restart in safe mode with networking but I got the same error message.

    Please let me know what's next...

    Thanks,
    pyager66
     
  6. Bobbye


    Okay, I'm a bit short on information here- all you typed was:
    1. Are you able to get into the system at all?
    Most STOP 0xC000021A errors occur because Winlogon.exe fails. This typically occurs because of a faulty third-party Graphical Identification and Authentication (GINA) DLL.

    2.Were you having any other system problems? If yes, what?

    3. Your logs are dated 6/5. Did you do anything with the system maybe on 6/4 that could have involved the following:
    • Mismatched system files have been installed.
    • A Service Pack installation has failed.
    • A backup program that is used to restore a hard disk did not correctly restore files that may have been in use.
    • An incompatible third-party program has been installed.

    4.A reboot brought up the Dell BIOS. Did you choose the Recovery Module? How did it get from Recovery to the Windows Startup? And did the BSOD come up itself or after you did something?
     
  7. pyager66


    Last week the only problem I had was the problem with redirected links on my search results. My computer has not had any problems before that. Since I posted my first message on this message board I have not done anything on my computer except what you told me to do.

    Since I ran OTMoveIt I am not able to get past the blue error screen that I posted in my last post. I am using my wife's computer to reply now.

    I have not tried anything other than safe mode with networking to get past the blue screen because I didn't want to try anything without your input. I am hoping that you can tell me how to get Windows running again. At the very least, I could transfer some of my personal files onto a flash drive before I have to reformat the harddrive.

    Any help you can give will be immensely appreciated.

    1. Are you able to get into the system at all? NO
    Most STOP 0xC000021A errors occur because Winlogon.exe fails. This typically occurs because of a faulty third-party Graphical Identification and Authentication (GINA) DLL.

    2.Were you having any other system problems? If yes, what? NO

    3. Your logs are dated 6/5. Did you do anything with the system maybe on 6/4 that could have involved the following: NO, I only did what you told me. Nothing else.
    Mismatched system files have been installed.
    A Service Pack installation has failed.
    A backup program that is used to restore a hard disk did not correctly restore files that may have been in use.
    An incompatible third-party program has been installed.

    4. A reboot brought up the Dell BIOS. Did you choose the Recovery Module? NO, I am waiting for your input before doing anything.
    How did it get from Recovery to the Windows Startup? Automatically.
    And did the BSOD come up itself or after you did something? By itself, automatically.

    Thanks,
    pyager66
     
  8. Bobbye


    When I asked if you had done any system work in any of the categories I mentioned, I meant before I started helping you.

    As for getting Windows started again, it sounds like you don't have any choice but to boot into the Recovery Module.

    The ws2_32.dll that was removed is, in itself, a valid system file. But it was infected with this:
    C:\WINDOWS\system32\ws2_32.dll Win32/Patched.ED trojan
    and was also in memory
    ${Memory} Win32/Patched.ED trojan

    What most likely happened is that the malware corrupted the winlogon. This can present a problem of saving files and putting them back on after you do a recovery. Since the system is booting into the Recovery, you are going to need to run it.

    The following is from BitDefender and might help you understand the 'patched' term:
     
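The step that took this machine down was moving a system DLL (post 4) without first checking who depended on it or whether a clean copy was on hand; 0xC0000135 is STATUS_DLL_NOT_FOUND, so the STOP 0xC000021A in post 5 is what you get when the logon process can no longer load a DLL that was just moved. The script below is an added example, not part of the thread and not code from ComboFix, OTMoveIt or ESET. It shows the pre-flight checks a helper would want before moving a file that a scanner flags as Win32/Patched: whether the file still carries a valid Microsoft signature, whether a pristine copy exists in dllcache, and which running processes have it loaded. It assumes PowerShell 2.0 or later on the affected machine, the file names from the thread, and the XP-era dllcache location; the paths are parameters so they can be changed.

```powershell
# Added example (not from the thread): pre-flight checks before moving a Windows
# system DLL that a scanner reports as "Patched". Run from an elevated PowerShell.
# Assumptions: XP/2003-era layout (%SystemRoot%\system32\dllcache) and the file
# names from the thread. Both paths are parameters and can be overridden.
param(
    [string]$Target = "$env:SystemRoot\system32\ws2_32.dll",
    [string]$Cache  = "$env:SystemRoot\system32\dllcache\ws2_32.dll"
)

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash only exists from PowerShell 4, so hash with .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# 1. Is the file still what Microsoft shipped? A DLL whose code was patched in place
#    no longer verifies. Caveat: on XP/Vista/7 era PowerShell, files that are only
#    catalog-signed (most of system32) report "NotSigned" even when clean, so treat
#    a valid signature as proof of cleanliness but not the reverse; the dllcache
#    comparison in step 2 is the stronger check there.
$sig = Get-AuthenticodeSignature -FilePath $Target
"{0}: signature status = {1}" -f $Target, $sig.Status

# 2. Is a clean replacement available BEFORE anything is moved?
if (Test-Path $Cache) {
    $liveHash  = Get-Sha256Hex $Target
    $cacheHash = Get-Sha256Hex $Cache
    "dllcache copy present; identical to live file: " + ($liveHash -eq $cacheHash)
    if ($liveHash -ne $cacheHash) {
        "  -> live file differs from dllcache copy; restore from dllcache rather than just moving it"
    }
} else {
    "no dllcache copy: stage a clean ws2_32.dll from install media (or a Recovery Console session) first"
}

# 3. Which running processes have it loaded? If winlogon.exe is on the list, moving the
#    file with nothing to replace it means the next boot fails in winlogon with
#    0xC0000135 (STATUS_DLL_NOT_FOUND), which is exactly the STOP 0xC000021A seen in post 5.
$name   = [System.IO.Path]::GetFileName($Target)
$loaded = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq $name }) { $p.ProcessName }
    } catch { }   # access denied on protected processes is normal without elevation
}
"processes with $name loaded: " + (($loaded | Sort-Object -Unique) -join ', ')
```

The safe sequence this check supports is replace, not remove: copy the verified dllcache (or install-media) file over the patched one from the Recovery Console or a boot CD, then reboot, which is effectively what the Dell repair install in post 9 did for the whole system.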
  9. pyager66


    Hey Bobbye,

    I used my Dell Reinstallation CD to boot and ran a repair of my operating system per the Windows web support instructions.

    Guess what!? I recovered my operating system and the virus was gone. You fixed it!!! IE8 was acting buggy so I reinstalled it. And everything is working fine now. Thanks so much for all your help to date! You rock in my book. I couldn't have gotten off of first base without your help.

    I am thinking maybe I should put my personal files on a harddrive and reformat and reinstall windows just to be safe. Or maybe I should rescan to make sure my system is clean. What do you recommend?

    Thanks,
    Paul
     
  10. Bobbye


    Paul, you didn't have much choice here! I can't take any credit, but I am glad the repair went well. How about running ComboFix and an online AV scan to make sure no malware remains?

    I have your original ComboFix report to refer back to if needed. So you can delete the file on the desktop (not the program, just the first log) and then rerun ComboFix.

    When finished:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Leave both logs in next reply.
     
  11. pyager66


    ESET found a virus...

    and the ComboFix file was too big to attach so I cut it into 4 files.

    See attached.

    Thanks,
    Pyager66
     


  12. pyager66


    Hi Bobbye,

    Any advice for the final cleanup?? I haven't heard from you for a few days.

    Thanks,
    Paul
     
  13. Bobbye


    Paul, I thought I answered this. The one file in the ESET log is the one moved in OTM, and there are no new entries. You told me you did a repair and that the problem was resolved. I wrote that I couldn't get anything useful out of the 7 years of entries in the ComboFix log(s).

    You've been very short on giving me information. Are you having a problem now? What is it? If resolved, I'll have to remove the cleaning tools.

    I don't know where the reply went, but I did send it. Sorry.
     
  14. pyager66


    Thanks for the new reply. For whatever reason, your previous reply did not post, so I was not aware of it. I am not having any new trouble, I just wanted to be sure that the system was clean. I'm so glad to hear that it is. Thanks so much for all your help. I am indebted to you.

    Paul
     
  15. Bobbye


    You're welcome- glad I could help. Sometimes things get swallowed up in cyberspace!

    Since the redirect has been resolved, you can remove all of the tools we used and the files and folders they created:
    • Uninstall ComboFix and all backups of the files it deleted
    • Click START > then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if I can be of more help in the future.
     
Topic Status:
Not open for further replies.
