
Search engine is hijacked?


  • This topic is locked
27 replies to this topic

#1 hoffandcol

hoffandcol

    Member

  • Members
  • PipPip
  • 15 posts

Posted 19 June 2011 - 02:32 PM

When I go to a search engine and do a search, the regular page pops up. When I click on a link, sometimes it takes me to the correct website, but more often than not it takes me to an unrelated site.

So far today it has taken me to travel web sites, something classed My Local Hero (local yellow page looking thing)

I don't know how to get rid of it.

Can anyone point me in the right direction? I read some other posts but they all seem very specific so I wanted to start from scratch. I am a little new to this - so I apologize ahead of time if I have questions.

Thanks for your help.
Colleen

#2 Blade81

Blade81

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 6582 posts

Posted 19 June 2011 - 08:54 PM

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds file to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013

UNITE member since 2006

I don't help with logs thru PM so don't bother to post me one. If you have problems create a thread in the forum, please.
Don't post your log into other user's topic, create a new one.

Provided removal instructions are meant to be used in the correspondent user's case only.

Please use "Reply to this topic" -button while replying.

#3 hoffandcol

Posted 20 June 2011 - 03:36 AM

Thank you for your info. I tried to run the dds, but in the middle of it my screen went blue and I got a pretty intimidating message.

"A problem has been detected and windows has been shut down to prevent damage to your computer [RQL_NOT_LESS_OR_EQUAL]"

There were more lines but there was also a technical code:

STOP: 0x0000000A (0x00461000, 0x0000001C, 0x00000000, 0x0806163CF)

I had disabled my "noscript" as mentioned but am not sure if maybe there is something else I need to disable.

Do you know if the blue screen is a result of something interfering with the DDS or if there is something really wrong? My husband thinks I might be safer letting a computer tech do this instead of doing this myself...should I be afraid?

Thanks
Colleen

#4 Blade81

Posted 20 June 2011 - 05:55 AM

Hi,

Are you able to use system in safe mode? If yes, please try to run DDS there.

#5 hoffandcol

Posted 20 June 2011 - 07:01 PM

I believe the files you want are the ones I am attaching. One says something about zipping/unzipping - I am sorry if this is posted incorrectly - not sure what to do with it and I couldn't find specific instructions for it.

Please let me know if you need me to do something else to it in order for you to be able to use it.

Thanks for your help.
colleen


#6 Blade81

Posted 20 June 2011 - 07:09 PM

Hi,

Logs posted like expected :D

Next AVG has to be uninstalled so that it won't interfere with cleaning process. That can be done with Appremover. AVG can be reinstalled after we've finished the case (I'll let you know when).


When done, please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

#7 hoffandcol

Posted 20 June 2011 - 07:16 PM

Thanks for your help. Before I do this - should any or all of this be done in safe mode?

Thank you.
Colleen

#8 Blade81

Posted 20 June 2011 - 07:18 PM

If possible take the steps in normal mode, please.

#9 hoffandcol

Posted 21 June 2011 - 04:34 AM

Thank you - I am leaving for vacation in a few hours. I will run this and post when I return so it will be most recent for when I can follow up instead of beginning this and leaving it unresolved. Thanks for your help so far - post back in 5 days.

#10 Blade81

Posted 21 June 2011 - 05:49 AM

Ok, thanks for the heads up :D

#11 hoffandcol

Posted 25 June 2011 - 03:19 AM

Thank you for your help. Here are the files I believe you are looking for.

If you need something else, let me know.
(there is another file called combofix quarantined files)

In the meantime - should ALL my blockers/firewalls be down?

Colleen


#12 Blade81

Posted 25 June 2011 - 12:02 PM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>;*.local
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1) here or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check free readers introduced here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 26.
  • Click the Download button to the right.
  • Select Windows on platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish.
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Are there still symptoms left?
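Added example, not part of the thread or of DDS/ComboFix: a small Python triage pass over DDS-style log lines that flags the two kinds of entry quoted in post #12, a ProxyServer value pointing at a loopback address (which sends browser traffic through a process on the same machine) and entries whose file is missing ("No File"). The function names and the sample text are constructed for illustration, and the parser assumes DDS lines keep the shape shown in the post.

```python
import ipaddress
import re

# Constructed sample in DDS log format. Lines 1-3 mirror entries quoted in
# post #12; the last two are made up for contrast.
SAMPLE_DDS = """\
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>;*.local
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {00000000-0000-0000-0000-000000000001} - c:\\example\\toolbar.dll
mInternet Settings,ProxyServer = proxy.example.internal:8080
"""

PROXY_RE = re.compile(r"^\w?Internet Settings,ProxyServer\s*=\s*(.+)$")
ORPHAN_RE = re.compile(r"^\w+:\s*(\{[0-9A-Fa-f-]{36}\})\s*-\s*No File$")

def proxy_endpoints(value):
    """Split 'http=h:p;https=h:p' or a bare 'h:p' into (scheme, host, port)."""
    out = []
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, _, addr = part.rpartition("=")
        host, sep, port = addr.rpartition(":")
        if not sep:                      # no port given
            host, port = addr, ""
        out.append((scheme or "all", host, port))
    return out

def is_loopback(host):
    """True for 'localhost' and for any IPv4/IPv6 loopback literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:                   # a hostname, not an IP literal
        return False

def review(log_text):
    """Return (kind, detail) findings for loopback proxies and orphaned entries."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = PROXY_RE.match(line)
        if m:
            findings += [("loopback-proxy", f"{s} -> {h}:{p}")
                         for s, h, p in proxy_endpoints(m.group(1)) if is_loopback(h)]
        elif (m := ORPHAN_RE.match(line)):
            findings.append(("orphaned-entry", m.group(1)))
    return findings

if __name__ == "__main__":
    for kind, detail in review(SAMPLE_DDS):
        print(f"{kind}: {detail}")
```

A loopback proxy is not malicious by itself (local filtering and debugging tools set one too), so a hit is a prompt to identify which process is listening on that port.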

#13 hoffandcol

Posted 25 June 2011 - 01:47 PM

Thanks again - here is the morning log. As it was running it said there was a newer version of Combofix. I did NOT stop the analysis because I wasn't sure if I should.

If you need me to go back and do that over again with the updated version, let me know.


Off to do the other items on your list - and will post the next dds when that has been completed.

Colleen


#14 hoffandcol

Posted 25 June 2011 - 03:41 PM

I think I did something wrong. The ESET ran but I can't find any file log to upload. It said there were 10 threats detected. Do you have any idea where it may have saved the log or if I did something wrong?

Here is the other log in the meantime. The combofix is in the above post.

Sorry...

Attached Files

  • Attached File  dds.txt   10.01KB   163 downloads


#15 Blade81

Posted 25 June 2011 - 05:43 PM

Hi,

Did ESET window have any details about found items visible?

#16 hoffandcol

Posted 25 June 2011 - 08:35 PM

It did have info - it said 10 items and from what I recall mostly trojan related.

Do you want me to rerun and write them down if I can't find a way to generate a log?

Colleen

#17 Blade81

Posted 25 June 2011 - 09:31 PM

Hi,

Please see if C:\Program Files\EsetOnlineScanner\log.txt file exists. If not then run the scanner again.

EDIT: Check also c:\program files\ESET contents for log file.

#18 hoffandcol

Posted 25 June 2011 - 09:56 PM

I started to run it again before - just in case. It just ended and here is the exported text file.

Thanks
Colleen

Attached Files

  • Attached File  eset.txt   1.56KB   79 downloads


#19 Blade81

Posted 26 June 2011 - 09:37 AM

Hi,

Delete these files:
C:\Documents and Settings\Joe\My Documents\My Music\Incomplete\Preview-T-3209657-loving pi.mp3
C:\Documents and Settings\Joe\My Documents\My Music\Incomplete\Preview-T-4224012-loving pi HIT TOP50.mp3
C:\Documents and Settings\Joe\My Documents\My Music\LIMEWIRE downloads\loving pi.mp3

How's the system running now?

#20 hoffandcol

Posted 26 June 2011 - 12:43 PM

The system seems to be ok - I tried to sign in as my husband and google some things. I haven't been redirected. Last week it seemed like my sign in would be fine until he logged in and started searching but so far so good.

I added them to the recycle bin and emptied it.

Thank you again for all your help...will await your next instructions.

Thanks!
Colleen



