TechSpot

Search links are being redirected. Please help!!!

By thakkar2000
Mar 30, 2007
  1. When I search in google with internet explorer 7, I get the right results but when I click on the links I get redirected to another page (like couponmountain.com). Every time I am redirected to a different site. This happens in google, yahoo, msn, ask.com and all the other searches. Please help!! I do not want to restore, I hope to clean it. I have a log file attached. View attachment 15392 Thank you.
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello and welcome to TechSpot.

    Your system has several nasties.

    Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

    If, after reading the above thread, you decide to clean your system, do the following.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Now go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly, then post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread. Also post here the results of the AVG Antirootkit scan.

    Regards :)

    This thread is for the use of thakkar2000 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. thakkar2000

    thakkar2000 TS Rookie Topic Starter

  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your AVG Antispyware log says all entries have been ignored. That's because you haven't followed the instructions properly for using AVG Antispyware.

    It also appears you're running more than one antivirus programme: Symantec/Norton and Nod32. This is not recommended and can cause serious conflicts. Uninstall one of your antivirus programmes.

    Post fresh HJT and AVG Antispyware logs. Also post the Fixwareout log.

    Regards Howard :wave: :wave:

     
  5. thakkar2000

    thakkar2000 TS Rookie Topic Starter

  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    AWS
    WeatherBug
    PartyGaming
    PartyPoker
    winupdates

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    winupdates.exe
    ALCMTR.EXE
    RunApp.exe
    Weather.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

    O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)

    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.sandesh.com/wfplayer/tdserver.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\AWS < Delete the entire folder.
    C:\Program Files\PartyGaming < Delete the entire folder.
    C:\Program Files\winupdates < Delete the entire folder.
    C:\WINDOWS\ALCMTR.EXE

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

     
  7. thakkar2000

    thakkar2000 TS Rookie Topic Starter

    I couldn't find any of the following in add remove programmes:

    WeatherBug
    PartyGaming
    PartyPoker
    winupdates

    None of the processes you mentioned were in the tab.

    And I couldn't find these in the HJT:

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm


    I could only locate and delete this one. The other ones were not there:
    C:\Program Files\AWS < Delete the entire folder.

    For the rest I followed your instructions.

    Here is the new log file.

    View attachment 15462

    The system seems to be running fine. The redirecting seems to have stopped, I tried many searches and it worked fine. Are there other nasties I need to take care of now? Thank you for your help.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0

    O17 - HKLM\System\CCS\Services\Tcpip\..\{7354575A-C9DA-4AD4-B77A-9757D7DE6497}: NameServer = 85.255.115.62,85.255.112.107

    O17 - HKLM\System\CCS\Services\Tcpip\..\{C04D8709-B9A0-4475-ACF3-532B5B257E07}: NameServer = 85.255.115.62,85.255.112.107

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CADAA2E5-43B8-48FE-9572-A9CAAED9B70C}: NameServer = 85.255.115.62,85.255.112.107

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E727310E-3154-4314-88E5-ADA2279B907C}: NameServer = 85.255.115.62,85.255.112.107

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.62 85.255.112.107

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.62 85.255.112.107

    Click on the fix checked button.

    Close HJT and reboot your system.

    Post a fresh HJT log as well as the C:\fixwareout\report.txt.

    Regards Howard :)

    This thread is for the use of thakkar2000 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
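
A way to triage the O17 entries listed in the post above, as an added example that is not part of the original thread: it parses HijackThis O17 `NameServer` lines and reports every resolver that is not on an expected list. The expected resolver `192.168.1.1` and the all-zero interface GUID line are constructed assumptions; the other log lines are copied from the post.

```python
import ipaddress
import re

# Lines copied from the post above, plus one constructed benign O17 line (last).
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O17 - HKLM\System\CCS\Services\Tcpip\..\{7354575A-C9DA-4AD4-B77A-9757D7DE6497}: NameServer = 85.255.115.62,85.255.112.107
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.62 85.255.112.107
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Assumption: the resolvers this machine is supposed to use (constructed value).
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# Matches per-interface keys (..\{GUID}) and the global Tcpip\Parameters key.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\\w+\\Services\\Tcpip\\.+?): "
    r"NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return [(registry_key, [server_token, ...])] for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # The value appears comma- or space-separated in the log.
            tokens = [t for t in re.split(r"[,\s]+", m.group("servers")) if t]
            entries.append((m.group("key"), tokens))
    return entries


def unexpected_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """Return [(registry_key, [resolver, ...])] for resolvers not in `expected`."""
    findings = []
    for key, tokens in parse_o17(log_text):
        bad = []
        for tok in tokens:
            try:
                if ipaddress.ip_address(tok) not in expected:
                    bad.append(tok)
            except ValueError:
                bad.append(tok)  # not an IP address at all: keep for review
        if bad:
            findings.append((key, bad))
    return findings


if __name__ == "__main__":
    for key, bad in unexpected_resolvers(SAMPLE_LOG):
        print(f"{key}: unexpected NameServer {', '.join(bad)}")
```
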
     
  9. thakkar2000

    thakkar2000 TS Rookie Topic Starter

  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    ALCMTR.EXE

    Close task manager.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\ALCMTR.EXE

    Reboot your system.

    Other than the above, your system is clean.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  11. thakkar2000

    thakkar2000 TS Rookie Topic Starter

    I followed your instructions. Thank you very much for your help. I have another problem though (this was there before we did all of the scanning etc.)

    When I open my add or remove programs in control panel it has a list of a lot of programs. Some of these programs, I've never heard of or seen on my computer (for example "1600", "bufferchm", "cuetour", "internet worm protection", "cp_dwsharktalAlbums1"). When I click on the programs they say used rarely but they don't have the add/remove tab underneath. I don't know if these are legitimate programs or not. Also, some of the regular programs that I know are legitimate don't show the add/remove tab.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Take a look HERE for your add remove programmes issue and see if it helps.

    Regards Howard :)

     
  13. thakkar2000

    thakkar2000 TS Rookie Topic Starter

    I followed the instructions but the software folder only had a handful of programs. For a majority of my programs, all of which weren't in the software folder list, they still show no add/remove button. I have attached a screen shot of what it looks like...

    View attachment 15488
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I must confess, I'm not too sure what's causing that problem.

    I suggest you open a new thread in our Windows OS forum.

    Regards Howard :)

     
  15. thakkar2000

    thakkar2000 TS Rookie Topic Starter

    That's ok. I'll try posting there. Thank you for all your help. You are the best!
     
Topic Status:
Not open for further replies.
