Redirects when doing searches problem. 8 steps done and attached

What I've been suspecting is that this malware is taking me to sites so they get clicks on them and thus increases those sites' click revenue. It's clever because it then lets me afterwards go to the correct site, obviously hoping I will tolerate the temporary misdirect and not try to remove it from my system.

I'm not sure this assessment is correct. You've given life to something that may not be in the system.

Please give me a couple of the URLs from the sites you are being directed to. When you put the URL in, change the http to hxxp so the link won't be 'clickable' to others. IF you are doing a search, don't make it vague> for instance, searching for 'computer help' is much too broad.

FYI: the Mandalay site you clicked on has a specific video that your system could be blocking. Tell me what this is> "I get a totally different URL and site." And I noticed something interesting> look at the word at the end of the URL you got when searching for 'poker'> it's Spoker. Ya think that might be 'search for poker'? Clever! This is for Poker Video Tips - Spoker.com

'Poker' is also way too vague. I got this many hits for it using Firefox/Google> 119,000,000 for poker
For me, the pokerstars site is the 14th site, over on second page of search. So it appears you might have some adware from accessing these sites.

I don't know what the 'bulk upload' is on photobucket, so I looked. It's a bulk image uploader. On the photobucket site, it appears to be legitimate. http://tutorials.photobucket.com/tutorial_160.html

But it is available on other sites also. And there is an add-on for Firefox HERE.

Are you by chance in the UK? I am noticing a pattern for some search by members in the UK.
 
I'm located in the USA, not the UK.

Alright I just did a search using firefox and yahoo on "Danica Patrick".

I clicked on this search result:
The Official Site of Danica Patrick
Official site of Danica Patrick, Indy race car driver. Includes biography, news, photos, and more.
www.danicaracing.com - Cached

Instead of taking me to the above URL, it took me to this one:

hxxp://www.searchfindsite.com/6961/search.php?keyword=danica%20patrick&sid=b7e900e67d1fe44163856f1bc599a71b&cid=BPO

Did a yahoo search for "meatloaf recipe"

Clicked on this, which should have taken me to the Food network site:

Search Results

Meatloaf Recipe: Best Meatloaf Recipe, Turkey Meatloaf
Discover the best meatloaf recipes around including recipes for turkey meatloaf from the experts in the Food Network kitchen.
www.foodnetwork.com/topics/meatloaf/index.html - 127k - Cached

But went here instead:

hxxp://news6health.com/index5.php?kw=meatloaf%20recipes

Did a search on the Saints football team and clicked on this:

New Orleans Saints - Home
Saints Junior Training Camp. USA Football. USA Football Lessons ... Team Mascot: GUMBO. Gatorade Junior Training Camp. NFLHS.com. Shop Saints. Advertising ...
www.neworleanssaints.com/Home.aspx - 91k - Cached

Went here instead of to the Saints home page:

hxxp://shopcompareus.com/ac/search.php?phrase=football+teams&uid=b84e1be6f545c8425709844cb8d70c4a&kuid=80b231998a9227b2408f211cce6ae422&src=7s

While doing the above I did some other searches like on Sarah Palin and Bill Clinton but with those searches when I clicked on the url for their official site I actually went there, so that's what I mean about intermittent. Sometimes I go to the site I'm clicking on via a search and other times it directs me to something like the above sites.
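The three redirected clicks above share a pattern: the search result names one site, the page that actually loads is on a different host, and that host's query string carries the search term back in a parameter (keyword=, kw=, phrase=). The following script is an added example, not code from the thread; it takes those clicked/landed pairs (plus one constructed pair for a click that reached the intended site) and flags the ones that fit the hijack pattern. The function names and the keyword-parameter list are this example's own assumptions.

```python
"""Added example, not from the thread: decide whether a click on a search
result that ended on a different page looks like the search hijack
described above. The clicked/landed pairs are constructed from the URLs
in the post; the function names and the keyword-parameter list are this
example's own assumptions."""
from urllib.parse import urlsplit, parse_qs

# Query parameters the feeder pages in the thread use to carry the search
# term (keyword=, kw=, phrase=); "q" is added as a common generic name.
KEYWORD_PARAMS = ("keyword", "kw", "phrase", "q")


def normalize(url: str) -> str:
    """Refang a defanged hxxp:// link and add a scheme if one is missing,
    so that urlsplit() parses the host rather than treating it as a path."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    if "://" not in url:
        url = "http://" + url
    return url


def host_of(url: str) -> str:
    """Host name of the URL, lower-cased, with any leading 'www.' removed."""
    host = (urlsplit(normalize(url)).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_landing(clicked: str, landed: str) -> dict:
    """Compare the result the user clicked with the page that loaded.

    A landing is flagged as a hijack when the host differs from the one
    shown in the search result AND the landing query string echoes the
    search term under a known keyword parameter, which is the pattern in
    all three redirects reported in the post.
    """
    expected = host_of(clicked)
    actual = host_of(landed)
    params = parse_qs(urlsplit(normalize(landed)).query)
    term = next((params[p][0] for p in KEYWORD_PARAMS if p in params), None)
    return {
        "expected_host": expected,
        "landing_host": actual,
        "search_term": term,
        "hijacked": expected != actual and term is not None,
    }


def hijacked_hosts(pairs) -> list:
    """Distinct landing hosts, in order of first appearance, for every pair
    that classify_landing() flags."""
    seen = []
    for clicked, landed in pairs:
        result = classify_landing(clicked, landed)
        if result["hijacked"] and result["landing_host"] not in seen:
            seen.append(result["landing_host"])
    return seen


# Constructed from the post: the three redirected clicks, plus one
# made-up pair (example.org) for a click that reached the intended site.
SAMPLE_PAIRS = [
    ("www.danicaracing.com",
     "hxxp://www.searchfindsite.com/6961/search.php?keyword=danica%20patrick"
     "&sid=b7e900e67d1fe44163856f1bc599a71b&cid=BPO"),
    ("www.foodnetwork.com/topics/meatloaf/index.html",
     "hxxp://news6health.com/index5.php?kw=meatloaf%20recipes"),
    ("www.neworleanssaints.com/Home.aspx",
     "hxxp://shopcompareus.com/ac/search.php?phrase=football+teams"
     "&uid=b84e1be6f545c8425709844cb8d70c4a"
     "&kuid=80b231998a9227b2408f211cce6ae422&src=7s"),
    ("www.example.org/official", "http://www.example.org/official"),
]

if __name__ == "__main__":
    for clicked, landed in SAMPLE_PAIRS:
        print(classify_landing(clicked, landed))
    print("feeder hosts:", hijacked_hosts(SAMPLE_PAIRS))
```

The host comparison alone is not enough (legitimate sites redirect to CDNs and regional mirrors all the time); requiring the echoed search term as well is what makes the three cases in the thread stand out from an ordinary redirect.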
 
Okay, let's see if this works:

Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 
I'm leaving on a 2 night trip in an hour, so I'll have to try that when I return on Thursday evening. I'll post my results by Friday afternoon. Thanks!
 
Back from trip and did what you said with SDFix. Report.txt file is attached as you requested.

Thanks.
 

Attachments: report.txt (8 KB)
There are some hidden tmp files that need to be removed. We can try this:

Click on the Control Panel> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide protected operating system files-Recommended'> Apply> OK

Then run this TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

When finished, go back and hide the files and folders. Empty the Recycle Bin

Run SDFix again. Attach new log.
Rescan with HijackThis. Include new log.
 
Here's the latest. I have checked show hidden files and folders and then unchecked hide protected operating system files and clicked ok. I have then gone back into control panel and the settings are what I just did.

I run TFC, it says it will reboot and then my system just hangs at the blue Windows window for 15 minutes or so. I then reset the computer.

I go back to control panel and I can't go back and hide the files and folders because they are back to their original settings even though they weren't before the reset. I go to recycle bin and there's nothing there.

I have done the above 3 times with the same results.

Due to that I haven't RUN SDFIX again or Hijack this, but will if you still want me to. It appears something is stopping those hidden files from actually getting deleted even though I see before TFC attempts the reboot that it is trying to delete something.
 
Hi Bobbye, I never had a reply to my last message, does that mean you don't have anything else to suggest I try? I just returned from another trip out of town and I'm still having the same problem.
 
No, it just means I didn't get the email feedback about your reply.

my system just hangs at the blue windows window for 15 minutes or so.
IF you get a hang or any error message check the time of the message or BSOD on the computer clock. Then you can look for any Error that corresponds to that time: Errors in the Event Viewer are time-coded

Start> Run> type in eventvwr

Do this on each of the System and Application logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3]. Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow >
[5]. Paste here (Ctrl V)
[6]. NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.
If you can proceed with the following without Errors or BSOD, please do it:

This began 3 weeks ago, so I need to get some of the basic info again. The main thing I want you to try again is Combofix. Download Combofix as instructed. Then disable McAfee completely, go offline and then run Combofix:

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls before you run this program.
  • Double click on the setup file on the desktop to run
  • Ignore any prompt for Recovery Console for now.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
If this still doesn't work, I will have you run a Rootkit program.
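The Event Viewer step above boils down to three filters: keep Errors only, keep those whose time matches the hang or BSOD, and post one copy of any Error that repeats with the same ID, Source and Description. The script below is an added example, not from the thread, that applies exactly those rules to a handful of constructed log entries so the triage can be checked before anyone pastes a whole log. Event sources, IDs, descriptions and times are made up for the example.

```python
"""Added example, not from the thread: the Event Viewer triage the post
describes, applied to a handful of constructed log entries. Pick out
Error-level records close to the time of the hang, skip Warnings and
Information, and keep one copy of any Error that repeats with the same
ID, Source and Description. Event sources, IDs and times below are made
up for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    when: datetime
    level: str          # "Error", "Warning" or "Information"
    source: str
    event_id: int
    description: str


def errors_near(events, hang_time, window_minutes=15):
    """Errors within +/- window_minutes of hang_time, oldest first, with
    repeats (same ID, Source, Description) collapsed to one entry."""
    window = timedelta(minutes=window_minutes)
    seen = set()
    hits = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.level != "Error":                # ignore Warnings / Information
            continue
        if abs(ev.when - hang_time) > window:  # not near the hang
            continue
        key = (ev.event_id, ev.source, ev.description)
        if key in seen:                        # recurring Error, one copy only
            continue
        seen.add(key)
        hits.append(ev)
    return hits


def render_for_post(events):
    """Plain-text lines in the Source / ID / Description shape the post asks
    for, without the data bytes Event Viewer prints below the description."""
    return [f"{ev.when:%Y-%m-%d %H:%M:%S}  {ev.source}  ID {ev.event_id}: {ev.description}"
            for ev in events]


# Constructed sample log (not the poster's). The hang is pinned at
# 14:12 on 2010-03-06 purely for the example.
HANG_AT = datetime(2010, 3, 6, 14, 12)
SAMPLE_LOG = [
    Event(datetime(2010, 3, 6, 9, 3), "Error", "SampleSvc", 7000,
          "The SampleSvc service failed to start."),          # hours earlier
    Event(datetime(2010, 3, 6, 14, 10), "Error", "SampleSvc", 7000,
          "The SampleSvc service failed to start."),          # near the hang
    Event(datetime(2010, 3, 6, 14, 11), "Error", "SampleSvc", 7000,
          "The SampleSvc service failed to start."),          # same Error again
    Event(datetime(2010, 3, 6, 14, 11), "Warning", "SampleDisk", 51,
          "An error was detected on a device during a paging operation."),
    Event(datetime(2010, 3, 6, 14, 13), "Error", "SampleShutdown", 6008,
          "The previous system shutdown was unexpected."),
    Event(datetime(2010, 3, 6, 14, 14), "Information", "SampleLog", 6005,
          "The Event log service was started."),
]

if __name__ == "__main__":
    for line in render_for_post(errors_near(SAMPLE_LOG, HANG_AT)):
        print(line)
```

Run against the sample, the 09:03 Error drops out as too early, the 14:11 duplicate collapses into the 14:10 entry, and the Warning and Information records are skipped, leaving two lines to post.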
 
I ran TFC again and when it rebooted it still hung at Windows where it has the blue screen that states Windows is shutting down, so the temp files that TFC was trying to remove didn't happen.

I also followed your instructions for "eventvwr" afterwards but didn't find any errors from today's date, though there were errors from earlier this year and last year.

I was finally able to download combofix when I first disabled McAfee from virus protection mode instead of afterwards as the instructions advise. I ran it and have a log but when I try to attach it to this message it says the file length, which is 248, exceeds the forum limits of 200. So now what do I do?

Thanks!
 
I've never heard of a Combofix report that was too big to attach! Are you sure it's just a single report?

I think you have some serious system problems Evoni. I'm not sure virus and malware removal is where you should be. You pretty much haven't been able to run programs, you're getting frequent errors and BSODs. And it is curious that with all of this, there aren't any corresponding errors.
 
Bobby, if you go back and read the past posts by me, I've been able to run every program, not sure where you thought I couldn't. However, when I ran TFC it's true that when it tries to reboot my computer it hangs at the "Windows is closing" blue screen.

This is the message I get when I try to attach the combofix file.

ComboFix.txt:
Your file of 248.0 KB bytes exceeds the forum's limit of 200.0 KB for this filetype.

When I ran Combofix, I had McAfee on-access scanning disabled as you will see below but neglected to turn off the McAfee personal firewall. Would this result in a text file that is too large?

ComboFix 10-03-06.03 - Diana 03/06/2010 14:12:31.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1572 [GMT -8:00]
Running from: c:\documents and settings\Diana\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
 
Hi Bobby, read my previous reply too please.

I ran Combofix again, this time trying to make sure that the McAfee firewall was turned off, though I'm not sure I succeeded with that, and I had a much smaller ComboFix log file of 16.5 KB. Unfortunately when I try to attach it to this message and click on the attachment option I'm getting an error on the page and it's not allowing me to try to attach anything. I'm getting this on 2 computers and with both Windows Internet Explorer and Mozilla Firefox.

Is the above problem something going on with the forum, or is it on my end of things?
 
Is the above problem something going on with the forum, or is it on my end of things?

As far as I know, it is on your end. I have not seen any other problems with this feature mentioned. It would be consistent with the other problems you are having pointing to some kind of system problems. I don't know if it's your security, settings or other cause.
 
Bobby, all of a sudden it's working on both my computers so perhaps it was a temporary problem with the forum message base that was cleared up. The combofix file is attached to this message.
 

Attachments: ComboFix.txt (16.5 KB)

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\Oxuyu.dat
c:\windows\Bqapuja.bin
c:\windows\system32\drivers\mjsoa.sys 
c:\windows\system32\drivers\srlximpu.sys 
c:\program files\Viewpoint\Common\ViewpointService.exe

Folder::

Registry::

Driver::
odlv
yvmxnjkl
Viewpoint Manager
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Let me know what problems remain.
__________________
 
I haven't had any redirects in the last couple days so it's possible that this problem was fixed by Combofix, <crossing fingers>.

Thanks for your help!
 
Will you please attach the CF log made after the changes. And one more check with Eset online scanner. If they are clean, I'll have you remove the cleaning tools and old restore points.
 
Bobby, attached is the latest combofix file and the log of the Eset scan I did today.
 

Attachments: ComboFix.txt (18.4 KB), log.txt (1.7 KB)
I missed a couple of entries:


[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\windows\system32\drivers\mjsoa.sys
c:\windows\system32\drivers\srlximpu.sys
 
Folder::
c:\documents and settings\Diana\Application Data\Real\Update\setup3.10

Registry::

Driver::
odlv
yvmxnjk
Viewpoint Manager Service
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

You also need to empty the Java cache:
Control Panel> Java> General tab> Temporary internet files> Settings> Delete.
Then click on Update tab> Uncheck 'check automatically for updates'> answer Yes when asked to confirm> Apply> OK.

I'll check this report when done. If all has been handled, I'll have you remove the cleaning tools and old restore points.

You might want to consider removing Real Player and getting Real Alternative 2.0.2 instead. This will allow you to do the same thing as Real Player but won't bloat the system while doing it.
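Both CFScript.txt files in this thread (the first one listing Oxuyu.dat, Bqapuja.bin and the two drivers, and the follow-up one adding the Real Update folder) use the same layout: a section header ending in `::` followed by one entry per line. A typo in a header or a relative path under File:: means the entry is silently skipped or the wrong thing is touched, so it is worth checking the file before dragging it onto ComboFix. The parser below is an added example, not ComboFix's own code and not from the thread; it recognises the four headers used here, collects the entries under each, and reports entries that sit outside any section, are not absolute Windows paths where a path is expected, or are listed twice. The first sample is copied from the thread's first script; the second is a deliberately malformed script constructed to show the checks firing.

```python
"""Added example, not from the thread and not ComboFix's own code: a small
checker for the CFScript.txt layout used in the two scripts above.
Section headers and the sample script are taken from the thread; the
malformed second sample and the check logic are this example's own."""
import re

SECTION_HEADERS = ("File::", "Folder::", "Registry::", "Driver::")
PATH_SECTIONS = ("File", "Folder")          # entries here must be absolute paths
ABS_WIN_PATH = re.compile(r"^[A-Za-z]:\\[^\x00]+$")


def parse_cfscript(text):
    """Return (sections, problems).

    sections maps 'File', 'Folder', 'Registry', 'Driver' to the entries
    listed under each header, in order; problems is a list of readable
    findings, and an empty list means the script passed these checks.
    """
    sections = {h.rstrip(":"): [] for h in SECTION_HEADERS}
    problems = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                  # the thread's lines carry trailing spaces
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = line.rstrip(":")
            continue
        if current is None:
            problems.append(f"line {lineno}: entry before any section header: {line!r}")
            continue
        if current in PATH_SECTIONS and not ABS_WIN_PATH.match(line):
            problems.append(f"line {lineno}: {current}:: entry is not an absolute path: {line!r}")
            continue
        if line in sections[current]:
            problems.append(f"line {lineno}: duplicate {current}:: entry: {line!r}")
            continue
        sections[current].append(line)
    return sections, problems


# Copied from the first CFScript in the thread.
THREAD_SCRIPT = r"""File::
c:\windows\Oxuyu.dat
c:\windows\Bqapuja.bin
c:\windows\system32\drivers\mjsoa.sys
c:\windows\system32\drivers\srlximpu.sys
c:\program files\Viewpoint\Common\ViewpointService.exe

Folder::

Registry::

Driver::
odlv
yvmxnjkl
Viewpoint Manager
"""

# Constructed malformed script: an entry before any header, a relative
# path under File::, and a duplicated entry.
BAD_SCRIPT = r"""somefile.dat
File::
windows\notabsolute.sys
c:\windows\ok.dat
c:\windows\ok.dat
"""

if __name__ == "__main__":
    for name, script in (("thread script", THREAD_SCRIPT), ("bad script", BAD_SCRIPT)):
        sections, problems = parse_cfscript(script)
        print(name, {k: len(v) for k, v in sections.items()}, problems)
```

Registry:: entries are accepted verbatim because the thread's scripts leave that section empty and give no format to check against; the path rule is applied only to File:: and Folder::.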
 
The system should be a lot lighter now with all those Real Player entries gone!

Evoni, there is a file and a driver that is refusing to leave. I can't identify it, so I'm going to ask you to submit it for identification:

Please go to http://www.virscan.org/

Suspicious file(s) to scan:
c:\windows\system32\drivers\srlximpu.sys
and
yvmxnjkl

1. You can UPLOAD any files, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3. VirSCAN can scan compressed files with password 'infected' or 'virus'.

Please paste or attach the report that it gives you.
Also, are you having any of the original problems now? Are there any new or related problems?
 
Please let me know if you require additional help. If you do not, I'll close the thread.
 