Browser Redirect problem in IE and Firefox

  #1  
Old 12-18-2009
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
Browser Redirect problem in IE and Firefox

The browser is redirected to an ad site when I click on one of the search results. It does this no matter if it's IE or Firefox. I ran all of the procedures in the 8 step process. One problem, though... After the CCleaner ran, the reboot turned McAfee back on. I did not catch this. I hope I did not complicate things.

Thank You,
The Astronerd

Attached Files
File Type: log hijackthis.log (12.7 KB, 5 views)
File Type: txt mbam-log-2009-12-18 (10-59-56).txt (1.5 KB, 4 views)
File Type: log SUPERAntiSpyware Scan Log - 12-18-2009 - 14-07-37.log (465 Bytes, 2 views)
  #2  
Old 12-19-2009
Tmagic650's Avatar
TechSpot Ambassador
 
Location: "Big Sky" USA
Member since: Aug 2006, 11,555 posts
Run the ESET Scanner:
ESET SCANNER

See if it picks up anything additional...
  #3  
Old 12-19-2009
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
Tmagic650,
OK... I ran the ESET scanner and it found nothing. I couldn't find a log file for it, though. I haven't tried to run a browser yet. What do you think?
  #4  
Old 12-22-2009
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
I went back and downloaded all updates for the 8 step process and then unhooked my LAN cable. I turned off McAfee. I ran the 8 step process. I have included the log files plus an added log from AdAware. CCleaner, Malwarebytes, SUPERAntiSpyware found nothing. I'm not familiar with the guts of HijackThis to know if it shows unless I take the log to www.hijackthis.de to have it analyzed. AdAware seems to have found a bunch of stuff.
More symptoms:
The redirect is going to newserversearch.com, errrawscevehseen.com and sasrceewrrehven.com among other sites. My right mouse button no longer works on the browser window so I can't "copy and paste".
Attached Files
File Type: log hijackthis 12-22-2009.log (12.7 KB, 1 views)
File Type: txt AdAware Log 12-22-2009.txt (45.9 KB, 2 views)
File Type: txt mbam-log-2009-12-21 (21-24-56).txt (892 Bytes, 1 views)
  #5  
Old 12-22-2009
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
The SUPERAntiSpyware log... I had trouble attaching...
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 12-21-2009 - 23-07-11.log (465 Bytes, 3 views)
  #6  
Old 12-23-2009
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
New Information:
I do not know if this matters or not but when the machine is booted up in safe mode with networking, the redirect does not happen.
  #7  
Old 12-23-2009
Tmagic650's Avatar
TechSpot Ambassador
 
Location: "Big Sky" USA
Member since: Aug 2006, 11,555 posts
Turn off System Restore, rerun the scans and turn System Restore back on...
  #8  
Old 12-23-2009
Bobbye's Avatar
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 8,872 posts
This information might help you assess the cause of the problem:

Quote:
Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run. Helpful if needed but should be used with caution as the security programs don't load in this mode.
  #9  
Old 12-24-2009
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
OK...
I downloaded all of the updates for the 8 step and followed ALL of the instructions. Disconnected LAN cable. Disabled McAfee per instructions. Disabled McAfee firewall per instructions. Ran the 8 step processes. I turned McAfee back on. Reconnected the LAN cable.
I used a Google search to try to get back to this forum. Got redirected.
Right mouse button still disabled for cut-n-paste.
Here are the log files.
What do I do now?
The problem still exists.
Attached Files
File Type: txt hijackthis12-24-2009-2.log.txt (12.9 KB, 5 views)
File Type: txt mbam-log-2009-12-24 (15-11-30).txt (870 Bytes, 5 views)
File Type: log SUPERAntiSpyware Scan Log - 12-24-2009 - 16-46-24.log (465 Bytes, 4 views)

Last edited by Astronerd; 12-29-2009 at 10:38 AM.. Reason: Forgot to put in, "The problem still exists."
  #10  
Old 01-02-2010
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
I guess this machine is going to be a "boat anchor" until I reformat the hard drives. I would like to preserve all .doc, .xls, .jpg, and .raw files. But as you guys have said, .doc files and others must be suspect. Can these files be scanned somehow so as to NOT transfer the infection to the reformatted drives? Is there a specific set of instructions as to how to rebuild this machine and prevent reinfection during the rebuild? My machine specs are in my profile. I have a three machine subscription to McAfee. The other machines are clean.
Oh, as an afterthought, about a month before the infection showed up, I deleted Windows Defender to try and relieve the "head banging" 100% CPU utilization that lasted about 10 minutes after a cold boot.
  #11  
Old 01-03-2010
Bobbye's Avatar
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 8,872 posts
Astronerd, since the other member who gave you instructions doesn't come back to a thread, I'll be glad to help you. The advice to turn off System Restore should not have been given.

You did not need to disable all of your security to run these programs. Please be sure it has been enabled again. Also, please turn System Restore back on.

Can you please tell me just what's happening? Why do you think you need to reinstall and what malware do you think has gotten into your files?

I don't see anything in the logs that you left that would account for the redirect. The mouse problem is a separate matter. It appears that you have several processes on the system to help with the online schooling. If you don't mind, I'd like to run them by you to make sure you know they're running: I'm leaving short descriptions for you:

Ipswitch Transfer Service>> Move files from your computer to any server in the world.
MathXL online homework, tutorial, and assessment system.
Install From The Web Client
Microsoft Virtual Server
System Requirements Lab>> analyses your computer to see if it can run a specific product
Pearson Installation Assistant>> for MathXL
Pearson Education Inc. Online>> Learning tools.
Sibelius Scorch free web browser plug-in that lets you play, transport, change instruments, save and print your Sibelius scores on the Internet.


And these which point to Central Piedmont Community College > open Spring, 2010

C:\Program Files\CPCC E-Locker Webdrive\wdservice.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\CPCC E-Locker Webdrive\wdservice.exe


These are all legitimate processes. If you are using them now actively, there is no problem. If you are not, we should set up a removal.

One I wasn't sure of:

C:\Program Files\Common Files\Winferno\WSS\WSS.exe???
O23 - Service: Winferno Subscription Service - Capital Intellect Inc - C:\Program Files\Common Files\Winferno\WSS\WSS.exe


I couldn't determine what you were subscribed to.

It's all in the name of security. Many times, people have processes running they aren't aware of or that they no longer use.
  #12  
Old 01-03-2010
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
Thanks Bobbye!
Naturally, I'm writing from a different machine.
Since becoming infected, the machine in question has been disconnected from the internet. The only time it is reconnected is to update the tools suggested for cleaning. After the updates, the LAN cable is removed again. By being offline, the disabling of the security programs is moot as long as I turn them back on after the scans, isn't it? I did turn System Restore back on after the last scan.
Now for the symptoms:
Connect to the internet. Pull up Google. Enter a search for "blue moon". The list comes up. Select the entry for the "Blue moon - Wikipedia, the free encyclopedia". It actually goes to the correct site. Now enter a search for "astronomy". The list comes up. Select the entry for "Astronomy Picture of the Day". The result page has:

Server not found
Firefox can't find the server at nressaceerhrewv.com.

Return to Google. Enter the search for "blue moon" again. The list comes up. Select the entry for the "Blue moon - Wikipedia, the free encyclopedia". The result page has:

Server not found
Firefox can't find the server at nressaceerhrewv.com.

I have no clue as to why, after all of the scans have completed, the search selection seems to work only once.

Now, as to the programs you referenced:
Ipswitch Transfer Service is connected to WS_FTP pro, which is an FTP file transfer program I use for updating web sites that I maintain. I use it regularly.
Sibelius is a music sheet transfer program. It is now deleted.
CPCC E-Locker is a way to connect my school drive to my machine as though it is local. It is now deleted.
Winferno is a registry cleaner that was recommended by McAfee. I have had it for about 8 months.
MathXL is an online homework program that my sons had used several years ago. I thought I deleted it. It does not show on Add/Delete. I would have assumed that Winferno would have cleaned up any unattached files.
Microsoft Virtual Server does not show on Add/Delete. How do I get rid of it?
Install From The Web Client - cannot find this either. Don't know what it is.

Any help you can give is greatly appreciated. Maybe I will not have to spend two weeks reloading this machine?
  #13  
Old 01-03-2010
Bobbye's Avatar
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 8,872 posts
Thank you for filling me in. I have started asking people to describe the 'redirect' because I found that whenever someone uses Google and has a problem accessing a site, they are using the catch-all phrase "Google Redirect."

"Firefox can't find the DNS server at newserversearch.com." One Firefox user left this message for other users with the same problem in the Mozilla support:
Quote:
The virus would redirect to various anagrams of newserversearch.com. I was able to trace that domain back to the host and contacted them to alert them to this illegal activity. A day later newserversearch.com was offline. So now you just get an error instead of the redirect.
The consensus was the use of the Trojan Remover program. It appears to find this file that the other programs do not.

Download Trojan Remover:
This security utility is available as a fully-working evaluation copy that will work for 30 days before you must either register or uninstall it. NOTE: You do NOT have to Register to run this 'evaluation copy.'

You will find the download site here: http://www.simplysup.com/tremover/download.html
  • [1] Download the program and SAVE to your desktop.
  • [2] Double click on the trjsetup to run the program.
  • [3] Follow the onscreen instructions.
  • [4] Save the log and print to Notepad. Include in your next reply.
    (Trojan Remover writes a detailed logfile every time it performs a scan. This logfile contains information on which programs load at boot-time, and what (if any) actions Trojan Remover carried out. The logfile can be viewed and printed using Notepad.)
  • [5] Once you have installed Trojan Remover you can delete the downloaded trjsetup file.

Reboot the computer. See if that handles the server redirect.

Rescan with HijackThis and leave new log and the report from the Trojan Remover in your next reply.
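
The redirect targets reported in this thread (nressaceerhrewv.com, sasrceewrrehven.com, errrawscevehseen.com) are letter rearrangements of newserversearch.com, which makes them easy to flag in DNS or proxy logs. The following Python is an added example, not part of the original posts; the log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

SEED = "newserversearch"  # domain label named in the thread

# Constructed sample DNS query log (the format is an assumption for this example).
SAMPLE_LOG = """\
2009-12-24 15:02:11 client=10.0.0.5 query=www.google.com
2009-12-24 15:02:19 client=10.0.0.5 query=nressaceerhrewv.com
2009-12-24 15:03:02 client=10.0.0.5 query=en.wikipedia.org
2009-12-24 15:03:40 client=10.0.0.5 query=sasrceewrrehven.com
2009-12-24 15:04:15 client=10.0.0.5 query=errrawscevehseen.com
""".splitlines()

def label(host):
    """Label left of the TLD (naive: ignores multi-part suffixes like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def letter_distance(a, b):
    """Letters that must be added or removed to turn a's letters into b's."""
    ca, cb = Counter(a), Counter(b)
    return sum(((ca - cb) + (cb - ca)).values())

def classify(host, seed=SEED, tolerance=1):
    """'anagram' on an exact letter match, 'near-anagram' within tolerance."""
    d = letter_distance(label(host), seed)
    if d == 0:
        return "anagram"
    return "near-anagram" if d <= tolerance else "clean"

def scan(lines):
    """Return (host, verdict) for every queried name that is not clean."""
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if m and classify(m.group(1)) != "clean":
            hits.append((m.group(1), classify(m.group(1))))
    return hits

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:13} {host}")
```

The tolerance of one letter is there because errrawscevehseen.com, as typed in the thread, carries one more "e" than the seed; an exact-anagram test alone would miss it.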
  #14  
Old 01-03-2010
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
Where does Trojan Remover write the log? And is it a .log file? I can't seem to find it.
  #15  
Old 01-03-2010
Bobbye's Avatar
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 8,872 posts
This logfile can be viewed in Trojan Remover by selecting 'Help > View Update Log'.

This may just be the log for updates; I'm not sure. Check it and let me know. When you did the download, then the scan, were there any instructions to name the file?
  #16  
Old 01-03-2010
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
Found it! It's called TRLOG.TXT. The update of the virus signatures is called UPDLOG.TXT.
It is in:

C:\Documents and Settings\ "User ID" \My Documents\Simply Super Software\Trojan Remover Logfiles

Here it is...
Attached Files
File Type: txt TRLOG.TXT (55.9 KB, 5 views)
  #17  
Old 01-03-2010
Tmagic650's Avatar
TechSpot Ambassador
 
Location: "Big Sky" USA
Member since: Aug 2006, 11,555 posts
Still redirecting?
  #18  
Old 01-04-2010
TechSpot Member
 
Location: Charlotte, NC
Member since: Dec 2009, 36 posts
Click on any item in the selection list and this comes up:

Server not found
Firefox can't find the server at nressaceerhrewv.com.
  #19  
Old 01-04-2010
kritius's Avatar
TechSpot Evangelist
 
Member since: Feb 2008, 2,087 posts
Download LockSearch to your desktop
  • A window will pop up, Press 2 and then Enter.
  • A scan will start, let it run uninterrupted. It should only take a few minutes.
  • A log will appear when it is finished, it will also be saved in the same location as LockSearch, which should be on your desktop.
  • Copy and paste the contents of the log in your reply
  #20  
Old 01-04-2010
Bobbye's Avatar
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 8,872 posts
Thank you for the assistance kritius.

Tmagic, stay out of this thread. Your 'help' is neither wanted nor needed. You deserted this member a week ago after giving him bad advice.