TechSpot

Search results hijacked, pop-ups

By freakasis
Nov 29, 2009
  1. malware bytes found adware.mywebsearch and removed it, log is atatched.
    spybot found something else but i forgot to save it
    and the hijakthis log is attatched.
    also at the same time this happened CLI.EXE started using 99% of the cpu. this seems to be a common problem with ATI software, tried uninstalling all ATI stuff and reinstalling it, CLI was using 99% again. so i removed it from startup.

    anyone know what i got? thanks
     
  2. freakasis

    freakasis TS Rookie Topic Starter

    ran spybot again, it found DoubleClick, MediaPlex, and Zedo. all of which are tracking cookies. Im thinking that they came from whatever original infection i have.
     
  3. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    Please Download SUPERAntiSpyware, install it, scan your computer, and post the logs when done.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
    is not something we here at Techspot like to see. Please Take action and delete that.

    According to the HijackThis log, you have no infections. Please Download ESET and scan your computer with it, then post if you still have hijacked search results.
     
  4. freakasis

    freakasis TS Rookie Topic Starter

    sorry, i saved the logfile before i removed it. it was in fact removed. Trying your suggestions now...
     
  5. freakasis

    freakasis TS Rookie Topic Starter

    superantispyware found 27 infected cookies and removed them all. eset is running now.
     
  6. freakasis

    freakasis TS Rookie Topic Starter

    everything finished, the search engine was clean for about 2 minutes. i tried a few searches and they worked fine, now theyre being jacked again.
     
  7. freakasis

    freakasis TS Rookie Topic Starter

    heres an update
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I like to pull you together into some kind of organization please.

    For our purposes to begin, wer ask that you run Malwarebytes, Superantispyware and HijackThis. Then we ask that you attach the logs to your next reply.

    If you want help here, please stop running the other programs such as Spybot. It is also too soon to have you run an online scan.

    Please disable TeaTimer as it can affect the scans:
    Spybot Search & Destroy TeaTimer
    • Right click the TeaTimer icon in the system Tray [​IMG]
    • Then click Exit Spybot-S&D Resident
    • (One you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe

    Please follow the steps
    HERE
    .

    When you run Malwarebytes, be sure this line is checked:
    [*]Make sure that everything is checked, and click Remove Selected.

    When you run Superantispyware, be sure this line is checked:
    [*] Make sure everything found has a checkmark next to it,then press 'Next'.

    Question: do you have Internet Explorer set to open with a blank page?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    Attach the first 2 logs.

    Rescan with HijackThis and paste the log in your next reply.

    Anon- you got a bit ahead of things here.
     
  9. freakasis

    freakasis TS Rookie Topic Starter

    RootkitDetectiveReport
     
  10. freakasis

    freakasis TS Rookie Topic Starter

    spybot was uninstalled before the scan. and im not sure what you mean it is too soon to have run an online scan. it took almost an hour. yes i do have IE set to a blank page.

    i will repeat them if necessary.
     
  11. freakasis

    freakasis TS Rookie Topic Starter

    malware bytes got to 3 min 56 sec and froze. it said scanning something and heuristics when it froze....tried uninstalling and reinstalling it, froze at the same spot.
     
  12. freakasis

    freakasis TS Rookie Topic Starter

    ran it in safemode and it worked, found 1 thing, and was removed. tried it again in normal mode. froze..same spot.
     
  13. freakasis

    freakasis TS Rookie Topic Starter

    see below.......
     
  14. freakasis

    freakasis TS Rookie Topic Starter

    search results are still getting jacked
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    freakasis, please refrain from making new replies for one line comments. This is what the Edit feature is for> click on Edit to reopen the post> add, delete or change what you want, then click on Save. I have asked the moderator to merge posts 9-13.

    I also ask that you use some patience. Your first post was only 18 hours ago, now the total is up tp 14, 11 of whicch are from you and clearly appear to be 'bumps'.

    IF you would like me to help with the malware cleaning, I ask that you only run the programs I instruct you to. Why did you run RootDetective? It is possible that by running additional programs that were not recommended that you have skewed the reults of the entries in the logs.

    The antivirus scan show malware TR/Dldr.WMA.Wimad.X Trojan on a music download. The source of this Trojan is Multimedia files. Trojan.Wimad is a Trojan that downloads remote files from remote Web sites by exploiting the Digital Rights Management (DRM) technology available in Windows. The Trojan arrives on the compromised computer as a license-protected multimedia file. It appears to have been removed by the AV program.

    I would guess that you downloaded the music from a trorrent- file sharing-site. IF so, that is a sure way to get malware.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Attach the Combofix report and Eset log to next repky.

    Do NOT run any other security or cleaning program.


    I suggest that you disable both the BitDefender and Eset online scans running in the background. They could affect what is showing in the logs:

    Open IE> Tools> Manage add-on find the following> highlight> disable
    BDSCANONLINE ( might be listed as either scan8 or oscan8)
    OnlineScanner Control (might be listed as eos)
     
  16. freakasis

    freakasis TS Rookie Topic Starter

    the first time i ran combofix i didnt have the revocery environment installed and my internet connection wouldnt re-enable so i ran it once without it (1) and then rebooted and ran it again with the recovery environment (2). then ran the ESET and the ESET found nothing.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    P2P Warning:

    I notice that you are actively participating in 3 file sharing programs:

    uTorrent
    Frostwire
    Limewire


    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent, Frostwire and Limewire for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
    • Malware writers use these program to include malicious content.
    • Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    I'm going to ask for assistance for the Combofix entries. Please be patient.

    Please do not run any other security programs in the meantime.
     
  18. freakasis

    freakasis TS Rookie Topic Starter

    limewire was uninstalled already, frostwire is rarely used, and not for illegal purposes. didnt realize utorrent was even on this computer. it was not my intention to "bump" the thread, i was just trying to keep everyone up to date. did not realize that posting a few times in a row was not allowed, sorry. (i did try to delete the one post that said "see below" but could not find a delete option.)

    i have a good idea about how to avoid spryware and the like, havent had an infection in years. however i did let a few of my friends and my sister use the computer a few times (never again) and who knows what they did. i was trying to save myself the time of reinstalling everything but i needed a secure computer to check my bank statements and wanted to watch some netflix movies on it without popups in front of it, so i chose not to wait and reinstalled windows xp this morning, after i found a way to add the SATA drivers to the install cd (dont have a floppy drive).

    i do appriciate your help, thanx
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks for update.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...