Possible browser hijacking

Status
Not open for further replies.

fulham7

Posts: 9   +0
I followed the removal guide. I have only one problem I am aware of. When I search for something on Google all the results come up; 8/10 times I can click on a result and it goes to the page, the rest of the time it redirects me to weird websites.

Would really appreciate some help!!

Thanks again

Rich
 

Attachments

  • hijackthis.log
    9.6 KB · Views: 6
Hello fulham7

Download LSP-Fix and save it into its own directory. You can download LSP-Fix from the following location:
http://www.bleepingcomputer.com/files/lspfix.php
Once the file is downloaded, navigate to where you saved the file and double-click on it to start the application.
Click on "I know what I'm doing", then the "Finish" button.

Reboot.

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
C:\WINDOWS\system32\cru629.dat

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report as an attached file.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
 
Log

Did everything right I think :)

Hopefully you can shed light on things with this then.

Rich
 

Attachments

  • log.txt
    19.2 KB · Views: 6
It looks right ;)

Unfortunately you have a large number of infections, so will you please check the files below for me:

Show hidden files and folders
Click Start button, then go to Programs, Accessories and click on Windows Explorer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading please check Show hidden files and folders.
Uncheck the Hide protected operating system files (Recommended) option.
Click Yes to confirm.
Click OK.


Upload and have these files scanned:
c:\windows\SYSTEM32\ws2_32.dll
c:\windows\SYSTEM32\DRIVERS\tcpip.sys

Here

http://virusscan.jotti.org/ or here http://www.virustotal.com/en/indexf.html


Post back the results
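
A local pre-check for the two files named in the post above, as an added example that is not part of the original thread: it records each file's SHA-256, version information and Authenticode signature status so the values can be compared with the scanner's report. It assumes PowerShell 4.0 or later (for Get-FileHash); Test-SystemFile is a hypothetical helper name.

```powershell
# Added example; Test-SystemFile is a hypothetical helper name,
# not part of any tool mentioned in this thread.
function Test-SystemFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $result = [ordered]@{
        Path = $Path; Exists = $false; SHA256 = $null; Company = $null
        FileVersion = $null; SignatureStatus = $null; Signer = $null; NeedsReview = $true
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        # -Force so hidden or system-attributed files are still returned.
        $item = Get-Item -LiteralPath $Path -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path

        $result.Exists          = $true
        $result.SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $result.Company         = $item.VersionInfo.CompanyName
        $result.FileVersion     = $item.VersionInfo.FileVersion
        $result.SignatureStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

        # Flag anything that is missing or not validly signed by Microsoft.
        $result.NeedsReview = -not (($sig.Status -eq 'Valid') -and
                                    ($result.Signer -match 'O=Microsoft Corporation'))
    }
    [pscustomobject]$result
}

# The two networking components the helper asked to have scanned.
$targets = @(
    (Join-Path $env:SystemRoot 'System32\ws2_32.dll'),
    (Join-Path $env:SystemRoot 'System32\drivers\tcpip.sys')
)
$targets | ForEach-Object { Test-SystemFile -Path $_ } | Format-List
```

A file reported with NeedsReview = True (missing, unsigned, or signed by someone other than Microsoft) is the one to prioritise for the online scan; a valid signature only shows the file itself is unmodified since signing.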
 
Results

tcpip.sys = virustotal.com/analisis/cd67cbdfea62a9b1efd6424c8504394a

and can't find w22_32.dll at the moment

report back when found!! :)

Rich
 
I've found w2s_32.dll doh!!

Taking forever to scan so I'll upload when I can.

Thanks for all the help!
 
OK. Most important is that tcpip.sys is clean.

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::

Snapshot::

File::
c:\windows\system32\6.tmp
c:\windows\system32\5.tmp
c:\windows\system32\4.tmp
c:\windows\system32\3.tmp
c:\windows\system32\2.tmp
c:\windows\system32\6to4svcx.exe
c:\windows\system32\aamd532if.exe
c:\windows\system32\2775855628.dat
c:\program files\Common Files\ihuzip._dll
c:\documents and settings\Dad\Local Settings\Application Data\ezinikyca.com
c:\documents and settings\Dad\Application Data\oxapit.bat
c:\documents and settings\All Users\Application Data\memyf.pif
c:\documents and settings\Dad\Application Data\dicysi.exe
c:\program files\Common Files\ocofuvecox._sy
c:\documents and settings\Dad\Application Data\opygikikyb.pif
c:\documents and settings\All Users\Application Data\inyv.exe
c:\program files\Common Files\betujez.exe

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report as an attached file.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
 
ws2_32.dll

Just scanned -

virustotal.com/analisis/9bb8b5e6b3de7ca104212a15b38bdf31

Thanks again will upload the other bit in sec

Rich
 
log

On my way to returning the hijack this log to you it did this again -

The browser redirects me to this page a lot:

web-mediaplayer.net/installation/update/

Thanks again

Rich
 
That's odd :confused:

Download http://eric.71.mespages.googlepages.com/LopSD.exe
by Eric_71 and save it to your desktop.
Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
Double-click LopSD.exe
Choose the language by typing the corresponding letter and press Enter.
Click OK at the informative window.
Type 2 to choose Option 2 (Fix + Hosts), then press Enter.

Wait until the scan has finished.

A report will be generated, attach the contents of it in your next reply.
 
Which link/s are you redirected to?

LopScript
Highlight the contents of the quote Box below, then right-click and choose Copy

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
C:\Program Files\Morpheus
C:\Program Files\MorpheusBar
C:\Program Files\Trymedia

Double click LopSD.exe to start the program.
Choose the language by typing the corresponding letter and press Enter.
Click OK at the informative window.
Type 4 to choose Option 4 (LopScript), then press Enter.
A blank page will be opened, right-click it and choose Paste
Close the page, you'll be asked to save it, click Save
Don't close the window during suppression!
Wait until the end of the scan.

A report will be generated, attach the contents of it in your next reply.

(Copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt)
 