Clicking on search results get redirected (8 steps done)

By arliebyrd · 15 replies
Jan 24, 2010
  1. For almost a week, every time I click on a Google search result, instead of going to the result website I get redirected to random websites. As per your instructions at "8-step Viruses/Spyware/Malware Preliminary Removal Instructions" I have attached the 3 logs that you requested.

    For some weird reason I didn't see that I don't have to check the Old Prefetch Data option for CCleaner. Is my computer going to have any problem since I had it checked the first time I ran it?


  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Delete these:
    R3 - URLSearchHook: (no name) - - (no file)
    O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"

    and run the Eset On-line scanner:
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You are having the member remove the legitimate entry
    O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"

    why is that?

    And you aren't mentioning that both McAfee and Symantec are running.

    why is that??

    And you are having her run Eset now?

    why is that?
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You do not have the right to tell the member this is not necessary. If you want to point it out as an optional removal at some point and include all the other "not necessary" programs that don't need to start on boot and run in the background, then list all of the other 21 processes.

    I would guess that you don't even realize that LeapFrog is a touch reading program for children. This member could easily have a child that uses this program regularly.

    Yes, but pointing it out is important. Many users don't know they have multiple AV programs running-or they might never have used a program the manufacturer preloaded. They aren't aware that it's on startup anyway and it has to be properly removed. Telling them why they shouldn't have multiple antiviruses or firewalls is important. They can 'choose' which they want, but only if they are aware.

    Tmagic, I'm going to say this once and I don't plan to come back on any of the threads you've picked up:
    When someone asks for help, it is the responsibility of the helper to give them the best help possible. And this is based on many things: checking program versions that were run, checking update status, checking for security programs, understanding the significance of the log entries.

    Then if the helper tells someone to run a program, the helper will be responsible for handling the results. You don't tell someone to run Combofix and/or Eset and then ignore the results. You don't ask if everything is running okay then walk away. If you read a log with entries you don't understand, search for information-or-ask someone who is more knowledgeable. (that is not an offer) Many times the initial problem such as a redirect can be resolved, but that doesn't mean that all of the malware has been found and removed.

    And you don't desert a thread, leaving someone with all the extra programs and reports and logs they've created.

    You may have 10,000 posts to your credit, but that in no way is a resume of your ability to clean a system correctly and fully.
  6. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    It's a hard pill to swallow that you are using some automated program to find entries! If you can't determine these by searching and identifying, then you shouldn't be posting in this forum. Why should the user even bother with you if they can use an automated program like you do!

    You search the internet and find out WHY multiple AV programs are not desirable. You explain that to the user. Then you give them the tools to remove them. You take the time to search and write up this information.

    Not all computer users/builders/technicians, etc. are aware of cleaning programs or techniques. Those people can better apply the knowledge they DO have to the area where that knowledge is needed.

    I am not 'training' you Tmagic. It just bothers me a lot that you're replying in this forum at all.

    My discussion about this ends here.
  8. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    "My discussion about this ends here"...

    Let's hope so...
  9. arliebyrd

    arliebyrd TS Rookie Topic Starter

    I just got back from a business trip and saw the posts just now. I'm sorry but now I don't know what my next step is. Maybe this info would help
    - I am using McAfee, the free version from Comcast (not sure if there's any difference from the one that you buy)
    - I thought I got all the Norton/Symantec software out. I didn't think I needed it after installing McAfee
    - I have two kids that use the Leapster program on the computer. I would prefer that it doesn't get messed up while I'm trying to fix the computer

    Thanks for the help guys
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    arliebyrd, I have kids and have made good use of the Leap Frog products. There is no need for you to stop any processes related to this program.

    About Symantec/Norton: I think half the people in the world who have a computer still have an entry left for the program! This is mainly because so many computer manufacturers preload it on the system before shipping. And as I pointed out, many never use Norton so it's always a good idea to advise people of multiple antivirus programs.

    Please download the Norton Removal Tool and save it to your desktop.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Then double click on the Norton file you saved and run it. You do not need the license key number to uninstall it. Follow any onscreen prompts. Boot back into Normal Mode when finished.

    When that has been done, please reopen HijackThis to 'do system scan only.' Check each of the following if present: Optional removals are in green.

    R3 - URLSearchHook: (no name) - - (no file)
    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE >> See Option 1
    O16 - DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} (pmjpegcam Class) - >> See Option 2
    O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing) >> See Option 3
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O24 - Desktop Component 0: (no name) - >> See removal instructions at end.
    O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Owner\Desktop\baby_desktop.html

    Option 1: Install Pending Files.LNK
    Uninstall program for Lanovation's Prism Deploy and Prism Pack administrators software deployment tools. The site information is HERE.
    If this is something that you or other family members use, leave it. If not, check for HJT to remove.

    Option 2: PMJPEG is a shareware image viewer with quick JPEG . It has 'PixWizard' which can take over opening .jpg files. IF you are aware of this and have it installed intentionally, no problem. As far as I can see it's a legitimate program. 'Sharing' is always a word that concerns me.

    Option 3: TPSvc is related to the Vmware Workstation 6.0 virtualization software. This program uses the Winlogon Notify key to automatically start. Again, this might be a program that you or your family uses. Read about it HERE. If you aren't using it, HJT should remove the entry and it should be uninstalled.

    Close all Windows except HijackThis and click on "Fix Checked."

    Removing the O24 entries in HijackThis:
    Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> uncheck and delete everything you find in there (except for "My current home page")> Also remove the check mark from the Lock Desktop Items box if it is checked> Apply> OK> Close.

    The next step depends on the Optional Removals. When you have made the decisions and finished the HijackThis removals, please run a new scan and attach new log to next reply.
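
The sorting done in the post above (entries whose target file is gone versus entries that need identifying first, plus a check for more than one antivirus product), sketched as an added example that is not part of the thread or of HijackThis. The function name `triage`, the vendor keyword list and the last sample line are assumptions made for illustration.

```python
import re

# Section codes seen in this thread, with their usual HijackThis meaning.
SECTIONS = {"R3": "URLSearchHook", "O4": "autostart", "O16": "ActiveX object",
            "O20": "Winlogon Notify", "O23": "service", "O24": "desktop component"}
# Markers HijackThis prints when an entry's target is gone.
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
# Assumed vendor keywords; Norton and Symantec count as one product family.
AV_FAMILIES = {"symantec": "Symantec/Norton", "norton": "Symantec/Norton",
               "mcafee": "McAfee"}
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Constructed sample: the first four entries are quoted in the thread,
# the last is a made-up McAfee service line for illustration.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed excerpt)
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Example AV Service (example) - McAfee, Inc. - C:\Program Files\McAfee\example.exe
"""

def triage(log_text):
    """Sort entries into orphaned (target missing) and review (identify first)."""
    result = {"orphaned": [], "review": [], "av_families": set()}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header or free text, not a log entry
        code, body = m.groups()
        for keyword, family in AV_FAMILIES.items():
            if keyword in body.lower():
                result["av_families"].add(family)
        bucket = "orphaned" if ORPHAN.search(body) else "review"
        result[bucket].append((code, SECTIONS.get(code, "unknown"), body))
    result["multiple_av"] = len(result["av_families"]) > 1
    return result

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for bucket in ("orphaned", "review"):
        for code, kind, body in report[bucket]:
            print(f"{bucket:8} {code:3} {kind:18} {body[:60]}")
    print("more than one antivirus family present:", report["multiple_av"])
```

Entries in the `review` bucket, such as the LeapFrog autostart line, are the ones to look up before touching.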
  11. arliebyrd

    arliebyrd TS Rookie Topic Starter

    For some reason my computer won't start on safe mode. After selecting the OS to start some lines started to come up. All lines start with "multi(o)disk(0)". Then it would say that it "can not start successfully. A recent hardware or software change might have caused this." So to cut it short I had to run the Norton Removal Tool on Normal Mode. After that it asked to restart so I did then ran HijackThis and checked all the ones you mentioned except O16, and O23 is not there anymore, and had HJT fix it. I went to the customize desktop but the only thing there was "My current home page".

    The HJT log after checking the display/desktop is attached.

    Just an update. Redirecting doesn't happen that much anymore but there are still pop ups (not often but never happens before the redirecting problem) even if the pop up blocker is on. Not sure if it's related. Again thanks


  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    We need to find out what's causing this. Try to go to Safe Mode and when you get the error message, check the computer clock. Then do the following:

    Start> Run> type in eventvwr

    Do this on each of the System and the Applications logs:
    [1]. Click to open the log>
    [2]. Look for the Error>
    [3]. Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow >
    [5]. Paste here (Ctrl V)
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.
    Errors are time coded.

    The HijackThis log looks okay so whatever you did worked. Can you tell me what kind of pop-ups or ads you're getting and what pop-up blocker you use? Is it possible the kids could have clicked on a pop-up?

    As for the 'redirecting', sometimes people are using that term when they don't get a site displayed. Malware-caused redirects are going to be specific and constant, not once in a while.
    And when you have a problem getting a site, where do you go?
  13. arliebyrd

    arliebyrd TS Rookie Topic Starter

    Below are the error logs that I got after unsuccessfully booting on safe mode:
    Application log (only one)
    Event Type: Error
    Event Source: Application Error
    Event Category: (100)
    Event ID: 1000
    Date: 2/5/2010
    Time: 6:37:03 AM
    User: N/A
    Computer: BYRDS
    Faulting application , version, faulting module unknown, version, fault address 0x00000000.

    For more information, see Help and Support Center at

    Here's for the System log (three errors)
    Event Type: Error
    Event Source: Ftdisk
    Event Category: None
    Event ID: 45
    Date: 2/5/2010
    Time: 6:41:20 AM
    User: N/A
    Computer: BYRDS
    The system could not sucessfully load the crash dump driver.

    For more information, see Help and Support Center at

    Event Type: Error
    Event Source: Ftdisk
    Event Category: None
    Event ID: 49
    Date: 2/5/2010
    Time: 6:41:20 AM
    User: N/A
    Computer: BYRDS
    Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

    For more information, see Help and Support Center at

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7026
    Date: 2/5/2010
    Time: 6:41:56 AM
    User: N/A
    Computer: BYRDS
    The following boot-start or system-start driver(s) failed to load:

    For more information, see Help and Support Center at

    I also attached new log files for HijackThis and SUPERAntiSpyware because results are starting to get redirected again plus IE is acting different. After a few minutes of using IE the tabs will be missing and if you right click a link and choose "open in new tab" it will say that option is not available. Also the taskbar that is usually blue will turn gray and it looks like how it used to in the older versions of Windows.
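
The posting rules from the Event Viewer instructions earlier in the thread (errors only, one copy per recurring ID, Source and Description, no hex box), applied to pasted event text as an added example that is not part of the thread. The function names, the ten-minute window around the clock time noted at the failed boot, and the repeated error and warning in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

FIELD = re.compile(r"^\s*(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*\S)")
NOISE = re.compile(r"^\s*(?:[0-9a-f]{4}:\s|For more information|$)")
# Constructed sample in the copied-event layout from the thread (fields trimmed);
# the repeated error and the warning are made up to exercise the rules.
SAMPLE = """Event Type: Error
Event Source: Ftdisk
Event ID: 45
Date: 2/5/2010
Time: 6:41:20 AM
The system could not sucessfully load the crash dump driver.
0000: 00 00 00 00 01 00 56 00 ......V.
Event Type: Error
Event Source: Ftdisk
Event ID: 45
Date: 2/5/2010
Time: 6:41:21 AM
The system could not sucessfully load the crash dump driver.
Event Type: Warning
Event Source: ExampleSource
Event ID: 1
Date: 2/5/2010
Time: 6:41:30 AM
"""

def parse_events(text):
    """Turn pasted Event Viewer text into dicts, dropping hex dumps and help links."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":
            events.append({"Description": ""})  # a new record starts here
        if not events or NOISE.match(line):
            continue
        if m:
            events[-1][m.group(1)] = m.group(2)
        else:
            events[-1]["Description"] += line.strip() + " "
    for ev in events:  # assumes every record carries Date and Time
        ev["When"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return events

def errors_to_post(text, around, minutes=10):
    """Errors near `around`, one per (Source, ID, Description); warnings skipped."""
    seen, keep = set(), []
    for ev in parse_events(text):
        key = (ev["Event Source"], ev["Event ID"], ev["Description"])
        near = abs(ev["When"] - around) <= timedelta(minutes=minutes)
        if ev["Event Type"] == "Error" and near and key not in seen:
            seen.add(key)
            keep.append(ev)
    return keep
```

Calling `errors_to_post(SAMPLE, datetime(2010, 2, 5, 6, 41))` keeps a single Ftdisk 45 record out of the three pasted events.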


  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Error #7026, Source: Service Control Manager:
    Take it off of start up- anything Roxio or Easy Media Creator:
    Start> Run> type in msconfig> enter> Selective Startup> Start menu> Uncheck the processes> Apply> OK.

    Note: the first time you reboot after using msconfig, you will get a nag message. You can ignore it and close after checking 'don't show this message again.' Stay in Selective Startup.

    Error #49, Source: ftdisk:
    We're getting off track here. I know the thread has been a mess. Work on the events. Run the following:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Attach Combofix report to next reply.

    Rescan with HJT and include new log.
  15. arliebyrd

    arliebyrd TS Rookie Topic Starter

    I was doing the msconfig that you mentioned then I got a little lost after choosing "Selective Startup". You said start menu then uncheck the processes. Did you mean the startup tab? If that's the case there is no Roxio or Easy Media Creator on the list. I already downloaded the combofix on the desktop (I had to disable McAfee for it to save) so for now the hurdle is the msconfig. Thanks for the patience
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Sorry- didn't get feedback you had replied.

    Using the msconfig utility is scary- the first 3 times. Then it's a piece of cake!

    Yes, the tab is for Startup. When you click on that, the Startup menu opens and you can see what is starting when you start the computer. Everything that is checked will start. Most people have way too much here and it slows the system down. Everything that starts here will continue to run in the background the entire time you're on the system.

    The one thing to remember is that the first time you restart the computer after changing the Startup, a message comes up 'suggesting' you go back to Normal Startup instead of Selective Startup, but if you do that, anything you unchecked will recheck itself- so we call that a nag message and tell you to check not to show it again and close it.
Topic Status:
Not open for further replies.
