A friends machine: He said it had a redirect problem but..

By Astronerd
Feb 4, 2010
  1. This machine belongs to a friend. I told him that I would try to run the issues on it for him.
    He said that it was redirecting on Google searches but it hasn't done it for me. I have cleaned up the Java, installed the latest Java, run the 8 step process and included the logs. It had a mess of stuff that Malware and SUPER-Antispy detected and deleted. By the way, i did this work on 01-28-2010 and the machine has not been connected to the internet since.

    I had to do a recovery reload of the operating system to even get the machine to boot. IE doesn't work. I downloaded Firefox.

    What next?

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You may have to end up doing a reformat and reinstall for your friend- that's a lot of infection! But most of it is the 'junk' kind of malware- mostly adware searches on alot.com:

    The main source of redirection is the following Toolbar:
    O3 - Toolbar: EFOToolbar - {AB26BF6C-BB04-4F00-8F98-BDE786CDE97D} - C:\Program Files\EarthFromOrbit\EFOToolbar.dll
    O8 - Extra context menu item: S&earchSave Web Search - res://C:\Program Files\EarthFromOrbit\EFOToolbar.dll/GoWebSearch.dll.htm

    (This is bundled with Earth From Orbit - a browser hijacker redirecting to searchsave.com)

    Additionally, many.most of the malware found was adware from searches with alot.com. This may be where the redirect takes him:

    The Privacy Policy for alot.com should turn everyone off!

    This may be incorporated in the AOL Toolbar. which would also be a source of adware:
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

    It appears he is using AOL 9. I don't know how this relates to the AOL 5 Toolbar.

    I also recommend checking the 2 following entries for removal:
    c:\program files\common files\aol\1204589197\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe>> AOL's spyware protection program
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S

    It would be best if you reopen HijackThis to 'do system scan only' and checked ALL of the HijackThis entries above in BOLD Black type. I've grouped then for you instead of listing in order to give the descriptions and because you need to see the groupings.

    When you have finished checking all, close all Windows except HJT and click on "Fix Checked."
    I'll have you uninstall and remove the program folders for all he removes.

    Please downloComboFixFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.

      Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
      • Double click on the setup file on the desktop to run
      • Follow the prompts to allComboFixFix to download and install the Microsoft Windows Recovery Console.
      • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
        (Please note: If the Microsoft Windows Recovery Console is already installeComboFixFix will continue it's malware removal procedures.)
      • Query- Recovery Console image
      • Once the Microsoft Windows Recovery Console is installed usiComboFixFix, you should see the following message:
      • Click on Yes, to continue scanning for malware.
      • When finished, it will produce a log.Please include the ComboFix.txt in your next reply.

      • 1.Do not mouse-cliCombofix'sx's window while it is running. That may cause it to stall.
        ComboFixFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
        Combofixfix prevenautorunrun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
        4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

      Follow with Eset NOD32 Online AntiVirus Scanner

      Note: You will need to use Internet Explorer for this scan.
      • Tick the box next to YES, I accept the Terms of Use.
      • Click Start
      • When asked, allow the Active X control to install
      • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
      • Click Start
      • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
      • Click Scan
      • Wait for the scan to finish
      • Re-enable your Antivirus software.
      • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

      The rescan with HJT. Attach Combofixfix report, Esetset scan log and the new HJT log.

      NOTE: something on the board is corrupting some of the entries. This has happened before. I think I caught them all but if you're unsure of any entry, please ask me.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...