8 Step search result hijack help

Status
Not open for further replies.
looking at the other threads i downloaded and ran combofix and here is that log and the malware log too.
 
i did read the sticky about combofix. Now the search results seem to be working, but i would still greatly appreciate someone looking into the logs. Thank you.
 
Describe what's not working, and if you read the combofix topic, you would know NOT to have run it with out having someone advise you. Let me analyze your HijackThis logs, please be patient.
 
Here are the nasty files you should delete using HijackThis:
  • O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
  • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
  • O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
  • O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
  • O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
 
Just curious as to how you came to the conclusion that O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe was a nasty file.

According to my research:
"Please note that C:\Windows\System32\ctfmon.exe is legitimate and should not be deleted."
 
Describe what's not working, and if you read the combofix topic, you would know NOT to have run it with out having someone advise you. Let me analyze your HijackThis logs, please be patient.

Sorry. I deleted those files using HijackThis. Is there something else I need to do now? Run all of them again? Thank you so much, I really appreciate it.

new hijack this log:
 
Disable (or uninstall) Spybot S&D
Open HJT Scan Only and place a tick in the following entry box
Close all Internet browsers and select FIX
O1 - Hosts: ::1 localhost



Un-install Combofix
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK
  • Any popup errors about Antivirus just ok or close
Note: 1 space after ComboFix in that uninstall command



Uninstall SUPERAntispyware
Start > Control Panel > Add/Remove Programs > SUPERAntispyware > Uninstall



Update Java and remove older Java versions
Run JavaRa
This will remove all your old Java stuff (that is not required)
It will also help you check for new Java Runtime updates
Or just go here and auto check: http://java.com/en/download/installed.jsp?detect=jre&try=1



Download and run TFC http://oldtimer.geekstogo.com/TFC.exe
Your computer may need to Restart



Clear & Reset System Restore's Cache
Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK


Restart, and let me know how its performing
 
You may want to update to a more secure Hosts file
There's lots of important info on that here: http://www.mvps.org/winhelp2002/hosts.htm
As it's difficult to see the actual download, here it is: http://www.mvps.org/winhelp2002/hosts.zip
Important! Windows Vista requires special instructions: http://www.mvps.org/winhelp2002/hostsvista.htm

Simply download the hosts.zip file, extract, then run mvps.bat, then restart

[Important Notice - 2K/XP/Vista Users]
In most cases a large HOSTS file (over 135 kb) tends to slow down the machine. This only occurs in W2000 and XP. Windows 98 and Windows ME are not affected.

To resolve this issue (manually) open the "Services Editor"

Start | Run (type) "services.msc" (no quotes)
Scroll down to "DNS Client", Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual, click Apply/Ok and restart.

Then restart, and test browsing the Internet again :)
 
Now when I click on a link it goes to the same page...

http://kc.mv.bidsystem.com/bin/findwhat.dll?clickthrough&y=52593&x=rkWBmPxg29RROV:Z0mjf66fFBAMGWfjOgUWuXSgJCVXB5UfoRSg3mByvnfDOkmsR4P0zIkMxQ8WxnSjU4ffQ8QkV990jFG7mLSXCWuibNBMhhGDItGJF3an3xk7KEc35KYXOMfsoImRTpVyjjtxl36QS2Axa15;ZK6xwdGl8HPMCE3kHpPZDxmfX4MWX7wZ:awWWg5u$n
 
Try this ;)


Download Combofix again

Combofix:
  • Download Combofix to your desktop.
  • Disable your Antivirus (as Combofix will remove any found malwares)
  • Double click ComboFix & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here
Also restart and provide a fresh HJT Scan log
 
HJT log still not working.... man, I'd love to get my hands on whoever comes up with this stuff. This is before combofix...
 
There are no issues in your HJT log

You could remove all these, note: they are authentic entries, but do not need to be starting with Windows:
Run HJT Scan Only, Close all Internet Browsers
Select all of the following and then select FIX, then Restart
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
O16 - DPF: {0C34F1FD-B5EE-41F6-9D1D-BB19BBE402E7} (FBViewerCtrl.FBViewer) - https://hss.filebound.com/includes/FBViewerCtrl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223085673359
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ingenix.webex.com/client/T26L10NSP49EP12/training/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
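The triage rule the helper applies above (and the ctfmon.exe dispute earlier in the thread) can be written down as code: "(no file)" entries are orphans that are safe to fix, an O4 entry for a Windows component is only legitimate when it runs from system32, third-party O4 items are authentic but optional, and an O1 Hosts line is benign when it just maps localhost to a loopback address. The script below is an added example, not part of the thread or of HijackThis; the sample lines are constructed from entries quoted in this thread, and the allowlist of system autoruns is an assumed, deliberately tiny one.

```python
import re

# Constructed sample, modelled on HijackThis lines quoted in this thread (not a full log).
SAMPLE_LOG = r"""O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O1 - Hosts: ::1 localhost"""

# Windows binaries that legitimately autostart from system32 (ctfmon.exe is the one
# disputed in the thread). Assumption: a tiny allowlist, not a complete one.
SYSTEM32_AUTORUNS = {"ctfmon.exe"}
LOOPBACKS = {"127.0.0.1", "::1"}

def o4_target(body):
    """Pull the executable path out of an O4 body like 'HKLM\\..\\Run: [name] "C:\\x.exe" /flag'."""
    rest = body.split("]", 1)[1].strip().lstrip('"')
    m = re.match(r"(.*?\.exe)", rest, re.IGNORECASE)
    return m.group(1) if m else rest

def triage_line(line):
    """Classify one HJT line; returns (section, verdict)."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return (None, "unparsed")
    section, body = m.groups()
    if body.endswith("(no file)"):
        # Registry still references a BHO/handler whose DLL is gone: a harmless orphan.
        return (section, "orphan")
    if section == "O1":
        ip, _, name = body.split(":", 1)[1].strip().partition(" ")
        return (section, "benign-loopback" if name == "localhost" and ip in LOOPBACKS else "review")
    if section == "O4":
        folder, _, exe = o4_target(body).rpartition("\\")
        if exe.lower() in SYSTEM32_AUTORUNS:
            if folder.lower().endswith(r"\windows\system32"):
                return (section, "legitimate-system")
            return (section, "suspicious-masquerade")  # system file name, wrong folder
        return (section, "review")  # third-party startup item: authentic but optional
    return (section, "review")

def triage_log(text):
    return [triage_line(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for section, verdict in triage_log(SAMPLE_LOG):
        print(f"{section}: {verdict}")
```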
 
The HJT log is not complete, something went wrong? Note you are following what I ask, to restart, so forth?

Also, were all these disabled before running all of the above?
  • SpywareGuard
  • Spybot Search & Destroy
  • Windows Defender
As per the 8 Step Guide (Disable real time protection of other programs)
Personally I'd say uninstall those 3, as they haven't helped you anyway!
Actually you may as well uninstall SUPERAntispyware, whilst you are at it

I think after restart, you should startup Malwarebytes; update it again and run a quick scan
If anything is found, please remove it at the end of the scan (and also provide the log)
Then Restart (I know, but Windows requires a Restart all the time!)
Then run a fresh HJT Scan log, and provide the attachment again
 
Why can't there be one program that scans and finds everything... why are there a dozen things you have to scan with?

So far the eset found 3: win32/bagle.gen.zip.worm
 
lol :)

Good point

If I made a Malware scanner, I'd be making one that does everything
It might take 4 hours to scan, but who cares !!!
 