TechSpot

Search Engine Redirect - Logs Attached

By vetters
Dec 12, 2009
  1. Hi,

    I followed the 8 step procedure to remove any malware that may be on my computer. At first it seemed to work, but my problem keeps happening. Here is the issue:

    Whenever I search on google or yahoo, I was getting redirected to the wrong sites. After doing the 8 steps, it kind of stopped happening. What I mean is if I type in google.com and then search, I don't get redirected anymore. However, if I use the search box at the top of either explorer or firefox, I'm still getting redirected to the wrong sites. Attached are the logs. Please help!

    Thank you!!
    View attachment 54542

    View attachment 54543

    View attachment 54544
     
  2. vetters

    vetters TS Rookie Topic Starter

    Hi,

    I was just wondering if anyone can help me. I posted about a week ago and I do understand that everyone is very busy, but I need to get my problem fixed. If no one can help, then I'm going to have to find help on another board soon.

    Thank you!
     
  3. vetters

    vetters TS Rookie Topic Starter

    It's been over two weeks since I first posted my problem on the board. I am just very disappointed by the lack of response from anyone. I know the holidays are upon us and everyone is busy, but I saw posts that came much later than mine being answered. And posts that didn't even try to solve the problem being answered. I followed the 8 steps to remove malware before I posted...trying to make things easier, but no one wants to help me. AND there were posts from people who were pushy being answered before mine. It doesn't really pay to be patient and understanding...you just get ignored.

    I know no one cares, but I guess at this point I'm just going to try to find help somewhere else. I'm sorry I waited this long. :( Good luck to everyone else. Thanks.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    vetters, occasionally a thread will fall between the cracks. My apology for the delay. It must have gotten pushed back to the second page.

    Do you still need help? I did look at the logs and see that SAS has found and removed some MyWebSearch FunWeb adware, but the system is still infected with it. There are also some entries in the HijackThis logs that should be removed.

    You should update the Adobe Reader to v9.xx. You have v7:
    Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

    Please let me know if the problem persists. If it does, it would be helpful if you rescanned with HijackThis and left a new log.
     
  5. vetters

    vetters TS Rookie Topic Starter

    Thank you so much for responding to me! I haven't had a chance to get help elsewhere because I was out of town for most of the weekend. I updated my Acrobat Reader but I'm having the same issue. Here is the HijackThis log that you asked me to attach.

    Please let me know if you could help me. :)

    Thanks!
     


  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, there are some entries in the HijackThis log that need to be removed:

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present. Optional removals are in green.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (See Optional 1)
    R3 - URLSearchHook: (no name) - - (no file)
    O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    (See Optional 1)
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}


    Optional 1: ICQ Toolbar DOS Vulnerability:
    Please read this and decide if you can do without this Toolbar: http://www.juniper.net/security/auto/vulnerabilities/vuln35150.html

    Close all Windows except HijackThis and click on "Fix Checked."

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup to Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with online AV scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please attach the Combofix report and Eset online scan log to next reply.
    Rescan with Hijackthis and attach new log.
     
  7. vetters

    vetters TS Rookie Topic Starter

    Hi!

    I ran everything and the logs are attached. It looks like I can search now without being redirected. However, the ESET online scanner did find a threat but since you had said to uncheck the "remove found threats" box...I guess it's still there? Well anyway, let me know what you think. :)
     


  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The file the Eset log shows is in the folder that Combofix uses for the quarantined items, Qoobox. When I have you uninstall Combofix, it will be removed. It is not active in your system.

    System is looking better- a few more files to remove in HijackThis:
    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)


    Close all Windows except HijackThis and click on "Fix Checked."

    If the problem has been resolved, you can remove all of the tools we used and the files and folders they created.

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.


    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin

    Stay safe! Let me know if you need any more help.
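
Added example, not part of the thread and not HijackThis's own logic: a small triage pass over the HijackThis entries quoted in posts 6 and 8, flagging the kinds of lines the helper asked to have checked (a missing target file, an unnamed URLSearchHook, a ProxyServer value with no host, a DPF entry that is only a CLSID). The heuristics and the function names `triage_entry` and `triage_log` are assumptions made for this example.

```python
import re

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

# Entries quoted in the thread, plus one constructed non-entry line at the top.
SAMPLE_LOG = r"""Running processes:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
"""


def triage_entry(line):
    """Return (section, clsid, reasons) for a log entry, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    section, body = m["section"], m["body"]
    found = CLSID_RE.search(body)
    clsid = found.group(0) if found else None
    reasons = []
    # Assumed heuristics for this example; a flagged line still needs human review.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned: target file is absent")
    if section == "R3" and "(no name)" in body:
        reasons.append("unnamed URLSearchHook")
    if section == "R1" and ",ProxyServer = " in body:
        host = body.split(" = ", 1)[1].partition(":")[0].strip()
        if not host:
            reasons.append("proxy configured without a host")
    if section == "O16" and not CLSID_RE.sub("", body).replace("DPF:", "").strip():
        reasons.append("ActiveX (DPF) entry with no name or source")
    return section, clsid, reasons


def triage_log(text):
    """Return only the entries that matched at least one heuristic."""
    results = (triage_entry(line) for line in text.splitlines())
    return [r for r in results if r and r[2]]


if __name__ == "__main__":
    for section, clsid, reasons in triage_log(SAMPLE_LOG):
        print(f"{section:4} {clsid or '-':38} {'; '.join(reasons)}")
```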
     
  9. vetters

    vetters TS Rookie Topic Starter

    Everything seems to be working fine now. Thank you so much for all your help!!!!
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Here are some tips to help the system stay clean.

    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide


    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently.
      You should get All updates marked Critical and the current SP updates: Windows 2000 > SP4, Windows XP > SP2, SP3, Vista > SP2
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3. Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4. Remove Temporary Internet Files regularly: Use
    5. Use an AntiVirus Software (only one)
    6. Use a good, bi-directional firewall (one software firewall)
    See Understanding and Using Firewalls including links to download a firewall.

    7. Consider these programs for Extra Security
    • Spywareblaster:
    • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad
    • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.
     
Topic Status:
Not open for further replies.
