Solved Yahoo redirecting search results, logs included from 8 steps

amalteaser

Hi,

I'm having some problems with Yahoo redirecting on IE, Firefox and Opera. Also I get the odd pop-up window with a Google search which I don't ask for. I've tried various malware and virus checkers and at first they came up with about 2 which I removed, but now they all say the system's clean but I'm still getting redirected.

I've followed the 8 steps the best I can, though I only realised I didn't need to run GMER after I'd done it, as I have 64-bit Vista.

Anyway, here are the logs. I hope someone can help me :)
 

Attachments

  • mbam-log.txt (893 bytes)
  • DDS.txt (24.1 KB)
  • Attach.txt (4.3 KB)
  • gmer.log (4.6 KB)
Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Just thought I'd mention that I started having this problem when a computer on the same network as me, connected by a router, had a similar problem. After a virus check the problem on the other computer seemed to disappear, and a few days later my computer suddenly started with the problem. I'm not sure if a virus can have done a leapfrog from the other computer onto mine or something, but I've now turned all file sharing/media sharing etc. off on both computers, which I'm hoping means they can't transfer anything else between them if that's what's been happening.
 
Thank you for extra info :)

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Does your ISP require you to use proxies, or don't you know what I'm talking about?
Do other search engines (Google, Bing) get redirected as well?
 
I don't think we use proxies; we have one of those dynamic IP address things and there's nothing in the proxy box in my internet settings or router.

I just tried on Google and Bing and not a redirect in sight, which is strange, but to be honest I only use Yahoo search on the Yahoo home page normally. I guess I just assumed it was happening on all searches as it was redirecting from Yahoo on all browsers. I do still get the odd Google home page pop-up all of a sudden though, even if I've not been near Yahoo.

Can we still fix it or am I just to avoid yahoo like the plague?
 
Update your Java version here: http://www.java.com/en/download/installed.jsp
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

=====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 89.206.170.66:8080
    FF - prefs.js..browser.search.defaultenginename: "Winamp Search"
    FF - prefs.js..browser.search.defaulturl: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query="
    FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query="
    O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O33 - MountPoints2\{7697cc1f-4ecc-11dd-bfc3-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{7697cc1f-4ecc-11dd-bfc3-806e6f6e6963}\Shell\AutoRun\command - "" = D:\install.EXE id= ver=1.0.0.0 -- File not found
    O33 - MountPoints2\{b5bfd4b0-38e9-11df-ad92-001e8c87812a}\Shell - "" = AutoRun
    O33 - MountPoints2\{b5bfd4b0-38e9-11df-ad92-001e8c87812a}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{c9caa03b-68b5-11de-b0b9-001e8c87812a}\Shell\AutoRun\command - "" = G:\WFILE.EXE -- File not found
    O33 - MountPoints2\{d1f2c47c-d561-11dd-9ba0-001e8c87812a}\Shell - "" = AutoRun
    O33 - MountPoints2\{d1f2c47c-d561-11dd-9ba0-001e8c87812a}\Shell\AutoRun\command - "" = F:\autorun2.exe -- File not found
    @Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:ECF54A0E
    @Alternate Data Stream - 191 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 151 bytes -> C:\ProgramData\TEMP:B310C233
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
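The first lines of the OTL fix above are the ones that matter for the redirects: a per-user proxy server set in IE's Internet Settings (which WinINet applies to IE and to any program that follows the system proxy) and Firefox search preferences pointing at a third-party redirector. The following PowerShell is an added example, not from this thread, from OTL or from the helper; it only reads the same two places and lists what it finds, so it can be run before and after a fix to confirm the values are gone. It assumes Windows PowerShell 2.0 or later on Vista/7, run as the affected user, and Firefox profiles in the default %APPDATA% location; the function name Get-ProxyAndSearchFindings is mine.

```powershell
# Added example (not part of the thread or of OTL): read-only audit of the
# current user's IE/WinINet proxy values and Firefox search preferences.
# Assumes Windows PowerShell 2.0+ on Vista/7 and the default Firefox profile path.

function Get-ProxyAndSearchFindings {
    $findings = @()

    # 1. IE proxy settings for the current user. A home PC whose ISP needs no
    #    proxy should have ProxyEnable = 0, no ProxyServer and no AutoConfigURL
    #    (a PAC script is another way to steer specific sites elsewhere).
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    foreach ($name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
        $value = $ie.$name
        if ($null -ne $value -and "$value" -ne '' -and "$value" -ne '0') {
            $findings += New-Object PSObject -Property @{
                Source  = 'IE (HKCU Internet Settings)'
                Setting = $name
                Value   = "$value"
            }
        }
    }

    # 2. Firefox prefs.js: the defaultenginename / defaulturl / keyword.URL
    #    preferences the OTL fix reset. Any value naming a host you never chose
    #    (a redirector rather than the search engine itself) warrants a look.
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $profileRoot) {
        $profiles = Get-ChildItem $profileRoot | Where-Object { $_.PSIsContainer }
        foreach ($profile in $profiles) {
            $prefs = Join-Path $profile.FullName 'prefs.js'
            if (-not (Test-Path $prefs)) { continue }
            foreach ($line in (Get-Content $prefs)) {
                if ($line -match 'user_pref\("(browser\.search\.(defaultenginename|defaulturl)|keyword\.URL)",\s*"(.*)"\);') {
                    $findings += New-Object PSObject -Property @{
                        Source  = "Firefox ($($profile.Name))"
                        Setting = $matches[1]
                        Value   = $matches[3]
                    }
                }
            }
        }
    }
    return $findings
}

# @() keeps the result an array even when the function returns nothing or one item.
$findings = @(Get-ProxyAndSearchFindings)
if ($findings.Count -eq 0) {
    Write-Host 'No proxy or Firefox search overrides found for this user.'
} else {
    $findings | Format-Table Source, Setting, Value -AutoSize
}
```

The script changes nothing; it is the check a helper would want posted alongside the OTL log, since a proxy entry that reappears after a fix points at something still running on the machine rather than at a leftover setting.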
 
I deleted my Java update 6 and 18 and installed the new Java update 21, then ran the OTL. Here are the logs. (Just checked if any redirecting changed, but it's still the same.)
 

Attachments

  • 07162010_171653 - after reboot.txt (10.4 KB)
  • OTL.Txt (73.6 KB)
Turn your computer off.
On your router, you'll find a small hole, marked "Reset".
Keep pushing that hole with a pencil, or a paperclip until all lights briefly flash off and on.
Restart computer.
Check for redirection.
 
Hi

I reset the router and restarted the PC, but I'm still getting redirection from Yahoo search, mostly to other search engines like Ask Jeeves, or sometimes it just brings me back to the Yahoo home page. It also sometimes just shows a blank page for ages while it says it's waiting for Google Analytics.
 
Download HostsXpert ( http://www.majorgeeks.com/Hoster_d4626.html ) and then follow the steps below:

* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* click Restore MS Hosts File and then click OK.
* Click the X to exit the program

Restart computer.
Check for redirection.

========================================================================

Go Start>Run ("Start search" in Vista).
Type in:
cmd
Click OK (press Enter in Vista)

At command prompt, type in:
ipconfig /all (<-----watch for "space" after "ipconfig")
Press Enter.

Click the icon on the menubar on the left and then Edit>Select all
Click the icon in the menubar again then Edit>Copy



This copies all the text to the clipboard.

Paste the output into your next reply.

======================================================================

Please download SystemScan and save it to your desktop.

  • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disable it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
  • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click OK.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named Suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.
 
Tried to do the Restore MS Hosts File, received an error box saying

"ERROR: cannot create file C:\\Windows\system32\Drivers\ETC\hosts"

ipconfig produced this:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Gem>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Cougar
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Belkin

Ethernet adapter Local Area Connection 5:

Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : Atheros L1 Gigabit Ethernet 10/100/1000Ba
se-T Controller #5
Physical Address. . . . . . . . . : 00-1E-8C-87-81-2A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7831:b3a6:fe4a:26cd%15(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 16 July 2010 18:12:03
Lease Expires . . . . . . . . . . : 23 August 2146 02:33:28
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 301997708
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-08-46-27-00-1E-8C-87-81-2A

DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2007:31dd:3f57:fdfc(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::2007:31dd:3f57:fdfc%14(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : isatap.Belkin
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

C:\Users\Gem>

Attached the systemscan report
 
Please, retry, but this time...
Run HostsXpert.exe by right clicking on it and clicking on "Run As Administrator".
 
I have retried HostsXpert a couple of times with and without admin but it still gives the same error box.

I pasted the other data (ipconfig etc.) into the above message.
 
ipconfig looks normal.
Never post new material by editing your older posts, because I'm not getting email notifications for it.

We'll reset the hosts file in a different way.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
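Two things in the exchange above are worth checking by hand rather than by tool: why HostsXpert could not write the hosts file (usually read-only or system attributes, or an ACL that the user cannot override) and whether the resolvers the machine actually uses are the router, which is what "ipconfig looks normal" means here. The PowerShell below is an added example, not from this thread, from HostsXpert or from OTL; it only reads. It reports the hosts file's attributes, owner and any entries beyond the localhost defaults, and parses the live ipconfig /all output for DNS servers that are not private (RFC 1918) addresses. It assumes Windows PowerShell 2.0 or later on Vista/7, run from an elevated prompt; the function names are mine.

```powershell
# Added example (not part of the thread, HostsXpert or OTL): inspect the hosts
# file and the configured DNS resolvers without modifying either.
# Assumes Windows PowerShell 2.0+ on Vista/7, run elevated.

function Get-HostsFileReport {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $item = Get-Item -Path $hostsPath -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @{ Exists = $false } }

    # Non-comment, non-blank entries. A stock Vista hosts file carries only the
    # two localhost lines, so anything else (search engines, AV vendor sites
    # pointed at the wrong address) is suspect.
    $entries = @(Get-Content $hostsPath | Where-Object {
        $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*$'
    })
    $unexpected = @($entries | Where-Object {
        $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    })

    # Read-only/system/hidden attributes or an ACL the user cannot change are
    # the usual reasons a repair tool reports "cannot create file" on hosts.
    $acl = Get-Acl -Path $hostsPath -ErrorAction SilentlyContinue
    $owner = 'unreadable'
    if ($null -ne $acl) { $owner = $acl.Owner }

    return @{
        Exists     = $true
        Attributes = $item.Attributes.ToString()
        Owner      = $owner
        Entries    = $entries
        Unexpected = $unexpected
    }
}

function Get-ResolverSummary {
    param([string[]]$IpconfigLines)
    # Collect every DNS server from "ipconfig /all" text: the first sits on the
    # "DNS Servers" line, additional ones follow on deeply indented lines.
    $servers = @()
    $inDnsBlock = $false
    foreach ($line in $IpconfigLines) {
        if ($line -match '^\s*DNS Servers[ .]*:\s*(\S+)') {
            $servers += $matches[1]; $inDnsBlock = $true; continue
        }
        if ($inDnsBlock -and $line -match '^\s{20,}(\S+)\s*$') {
            $servers += $matches[1]; continue
        }
        $inDnsBlock = $false
    }
    # A home router hands out its own private address as resolver (192.168.2.1
    # in the output posted above). A public IPv4 resolver nobody configured is
    # the thing to explain before blaming the browser.
    $private = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
    $public = @($servers | Where-Object {
        $_ -match '^\d+\.\d+\.\d+\.\d+$' -and $_ -notmatch $private
    })
    return @{ Servers = @($servers); PublicIPv4 = $public }
}

$report = Get-HostsFileReport
if (-not $report.Exists) {
    Write-Host 'hosts file is missing'
} else {
    Write-Host "hosts attributes: $($report.Attributes)   owner: $($report.Owner)"
    if ($report.Unexpected.Count -gt 0) {
        Write-Host 'Entries beyond the localhost defaults:'
        $report.Unexpected | ForEach-Object { Write-Host "  $_" }
    } else {
        Write-Host 'hosts file contains only the localhost defaults'
    }
}

$resolvers = Get-ResolverSummary -IpconfigLines (ipconfig /all)
Write-Host "DNS servers in use: $($resolvers.Servers -join ', ')"
if ($resolvers.PublicIPv4.Count -gt 0) {
    Write-Host "Public IPv4 resolvers not handed out by a private router: $($resolvers.PublicIPv4 -join ', ')"
}
```

If the attributes line shows ReadOnly or System, that alone explains the HostsXpert error; the OTL [resethosts] command above runs with the rights needed to clear that. A hosts file with only the localhost lines plus a router resolver rules out the two cheapest ways of redirecting a search, which is why the helper moves on to full scans next.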
 
I think this was the system scan report. No improvement on redirection, I'm afraid. Sometimes it has started redirecting me when I'm not on a search engine now though; it tried to send me to another page when I clicked reply on this forum before. It's also started bringing up a new page when I click on things like my history or something, and then comes up with an error saying "The Url is not valid and cannot be loaded", but if I refresh a few times I eventually get the page.
 

Attachments

  • report.txt (1.4 KB)
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.
 
Hi

I used the program and did the quick scan OK, but I had trouble with the complete scan. About 30% in it popped a message up saying
"A virus has been detected during scanning (RC=3221226356)"

The scan box disappears when this message pops up and the txt file you asked for is therefore not generated. I've tried in normal and admin mode to run a complete scan but with the same results. It seems to have put 2 files in its quarantine folder and produced a CureIt txt file.

I couldn't include the whole txt file without zipping it, as it's 2 MB. I instead took the last section and put it in a txt file. The rest of the document basically consists of a giant long list saying:

C:\Documents and Settings\All Users\Application Data\NVIDIA\Resource.old - OK

But with every program or thing on my computer. I've looked down the list and they all seem to have an "OK" next to them. Tell me if you want the full file.


I noticed at the bottom of the CureIt txt file it mentions something about the scan being interrupted by the user. I'm not sure if the virus alert box or this is why it shut down, but I didn't even touch the computer till the alert box popped up, so I didn't terminate the scan myself.

Redirection still ongoing as well after restart.
 

Attachments

  • part1.txt (10.6 KB)
1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
I ran the Temp File Cleaner and restarted the PC, then downloaded the Kaspersky stuff and ran a scan.

It gave me the following txt report file
 

Attachments

  • scan.txt (864 bytes)