Search links are being redirected. Please help!!!

Status
Not open for further replies.

thakkar2000

When I search in Google with Internet Explorer 7, I get the right results, but when I click on the links I get redirected to another page (like couponmountain.com). Every time I am redirected to a different site. This happens in Google, Yahoo, MSN, Ask.com and all the other searches. Please help!! I do not want to restore; I hope to clean it. I have a log file attached. View attachment 15392 Thank you.
 
Hello and welcome to TechSpot.

Your system has several nasties.

Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

If, after reading the above thread, you decide to clean your system, do the following.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Now go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly, then post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread. Also post here the results of the AVG Antirootkit scan.

Regards :)

This thread is for the use of thakkar2000 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Hello and welcome to TechSpot.

Your AVG Antispyware log says all entries have been ignored. That's because you haven't followed the instructions properly for using AVG Antispyware.

It also appears you're running more than one antivirus programme: Symantec/Norton and Nod32. This is not recommended and can cause serious conflicts. Uninstall one of your antivirus programmes.

Post fresh HJT and AVG Antispyware logs. Also post the Fixwareout log.

Regards Howard :wave: :wave:

 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

Go to Add/Remove Programs in your control panel and uninstall anything to do with the following (if there):

AWS
WeatherBug
PartyGaming
PartyPoker
winupdates

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there):

winupdates.exe
ALCMTR.EXE
RunApp.exe
Weather.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.sandesh.com/wfplayer/tdserver.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\Program Files\AWS (delete the entire folder)
C:\Program Files\PartyGaming (delete the entire folder)
C:\Program Files\winupdates (delete the entire folder)
C:\WINDOWS\ALCMTR.EXE

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

 
I couldn't find any of the following in add remove programmes:

WeatherBug
PartyGaming
PartyPoker
winupdates

None of the processes you mentioned were in the tab.

And I couldn't find these in the HJT:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm


I could only locate and delete this one. The other ones were not there:
C:\Program Files\AWS (delete the entire folder)

For the rest I followed your instructions.

Here is the new log file.

View attachment 15462

The system seems to be running fine. The redirecting seems to have stopped; I tried many searches and it worked fine. Are there other nasties I need to take care of now? Thank you for your help.
 
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0

O17 - HKLM\System\CCS\Services\Tcpip\..\{7354575A-C9DA-4AD4-B77A-9757D7DE6497}: NameServer = 85.255.115.62,85.255.112.107

O17 - HKLM\System\CCS\Services\Tcpip\..\{C04D8709-B9A0-4475-ACF3-532B5B257E07}: NameServer = 85.255.115.62,85.255.112.107

O17 - HKLM\System\CCS\Services\Tcpip\..\{CADAA2E5-43B8-48FE-9572-A9CAAED9B70C}: NameServer = 85.255.115.62,85.255.112.107

O17 - HKLM\System\CCS\Services\Tcpip\..\{E727310E-3154-4314-88E5-ADA2279B907C}: NameServer = 85.255.115.62,85.255.112.107

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.62 85.255.112.107

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.62 85.255.112.107

Click on the fix checked button.

Close HJT and reboot your system.

Post a fresh HJT log as well as the C:\fixwareout\report.txt.

Regards Howard :)

This thread is for the use of thakkar2000 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
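Added example, not part of the original posts and not HijackThis or TechSpot code: the Python below reads HijackThis-format lines like those quoted in the two fix lists above and reports O17 NameServer values that are not in a resolver list you supply, along with entries marked (no file) or (file missing). `EXPECTED_RESOLVERS`, the function name `review_log` and the 192.0.2.53 sample line are assumptions made for the example.

```python
import re

# Constructed sample: log lines copied from the posts in this thread, plus one
# constructed line (192.0.2.53, a documentation address) standing in for a
# resolver the machine is expected to use.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7354575A-C9DA-4AD4-B77A-9757D7DE6497}: NameServer = 85.255.115.62,85.255.112.107
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.62 85.255.112.107
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.0.2.53
"""

# Assumption: the resolvers your DHCP server or ISP actually hands out.
EXPECTED_RESOLVERS = {"192.0.2.53"}

ENTRY = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)")


def review_log(text, expected_resolvers):
    """Return (kind, where, detail) tuples for lines worth a second look."""
    findings = []
    for raw in text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # headers, running-process list, blank lines
        section, body = entry.groups()
        ns = NAMESERVER.match(body) if section == "O17" else None
        if ns:
            # The thread shows both comma- and space-separated server lists.
            servers = [s for s in re.split(r"[,\s]+", ns["servers"]) if s]
            unknown = [s for s in servers if s not in expected_resolvers]
            if unknown:
                findings.append(("unexpected-dns", ns["key"], unknown))
        elif ORPHAN.search(body):
            # The entry is still registered but its target file is gone.
            findings.append(("orphaned-entry", section, body))
    return findings


if __name__ == "__main__":
    for kind, where, detail in review_log(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{kind:15} {where}: {detail}")
```

Every adapter GUID under Tcpip is checked separately, so a NameServer value written to several interfaces and to more than one control set, as in the list above, shows up once per key.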
 
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there):

ALCMTR.EXE

Close task manager.

Locate and delete the following bold files and/or directories (if there):

C:\WINDOWS\ALCMTR.EXE

Reboot your system.

Other than the above, your system is clean.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
I followed your instructions. Thank you very much for your help. I have another problem though (this was there before we did all of the scanning etc.)

When I open my Add or Remove Programs in control panel it has a list of a lot of programs. Some of these programs I've never heard of or seen on my computer (for example "1600", "bufferchm", "cuetour", "internet worm protection", "cp_dwsharktalAlbums1"). When I click on the programs they say used rarely but they don't have the add/remove tab underneath. I don't know if these are legitimate programs or not. Also, some of the regular programs that I know are legitimate don't show the add/remove tab.
 
I followed the instructions but the software folder only had a handful of programs. For a majority of my programs, all of which weren't in the software folder list, they still show no add/remove button. I have attached a screenshot of what it looks like...

View attachment 15488
 
I must confess, I'm not too sure what's causing that problem.

I suggest you open a new thread in our Windows OS forum.

Regards Howard :)
