hoffandcol

Search engine is hijacked?

28 posts in this topic

When I go to a search engine and do a search, the regular page pops up. When I click on a link, sometimes it takes me to the correct website, but more often than not it takes me to an unrelated site.

So far today it has taken me to travel web sites, something classed My Local Hero (local yellow page looking thing)

I don't know how to get rid of it.

Can anyone point me in the right direction? I read some other posts but they all seem very specific so I wanted to start from scratch. I am a little new to this - so I apologize ahead of time if I have questions.

Thanks for your help.
Colleen

Hi,

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.com) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds file to run the tool.
- When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
- Save both reports to your desktop. Post them back to your topic.

Thank you for your info. I tried to run the dds, but in the middle of it my screen went blue and I got a pretty intimidating message.

"A problem has been detected and windows has been shut down to prevent damage to your computer [RQL_NOT_LESS_OR_EQUAL]"

There were more lines but there was also a technical code:

STOP: 0x0000000A (0x00461000, 0x0000001C, 0x00000000, 0x0806163CF)

I had disabled my "noscript" as mentioned but am not sure if maybe there is something else I need to disable.

Do you know if the blue screen is a result of something interfering with the DDS or if there is something really wrong? My husband thinks I might be safer letting a computer tech do this instead of doing this myself...should I be afraid?

Thanks
Colleen

Hi,

Are you able to use system in safe mode? If yes, please try to run DDS there.

I believe the files you want are the ones I am attaching. One says something about zipping/unzipping - I am sorry if this is posted incorrectly - not sure what to do with it and I couldn't find specific instructions for it.

Please let me know if you need me to do something else to it in order for you to be able to use it.

Thanks for your help.
colleen

Hi,

Logs posted like expected :D

Next AVG has to be uninstalled so that it won't interfere with cleaning process. That can be done with Appremover (http://www.appremover.com/). AVG can be reinstalled after we've finished the case (I'll let you know when).


When done, please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix (link: http://www.bleepingcomputer.com/forums/topic114351.html). Remember to re-enable them afterwards.
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Thanks for your help. Before I do this - should any or all of this be done in safe mode?

Thank you.
Colleen

If possible take the steps in normal mode, please.

Thank you - I am leaving for vacation in a few hours. I will run this and post when I return so it will be most recent for when I can follow up instead of beginning this and leaving it unresolved. Thanks for your help so far - post back in 5 days.

Ok, thanks for the heads up :D

Thank you for your help. Here are the files I believe you are looking for.

If you need something else, let me know.
(there is another file called combofix quarantined files)

In the meantime - should ALL my blockers/firewalls be down?

Colleen

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

[code]DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>;*.local
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File[/code]


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Image: http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6 Update 26 (http://java.sun.com/javase/downloads/index.jsp).
- Click the Download button to the right.
- Select Windows on platform combobox and check the box that says: Accept License Agreement. Click continue.
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
- Note: You will need to use Internet explorer for this scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the activex control to install
- Click Start
- Make sure that the option Remove found threats is UNchecked.
- Click Scan
- Wait for the scan to finish.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Are there still symptoms left?
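
The CFScript in the post above lists a per-user proxy setting pointing at 127.0.0.1:6092 and two toolbar entries marked "No File". As an added example (not part of the original post, and not code from DDS or ComboFix), this Python script flags those same two kinds of lines in a DDS-style log; the function names and the sample lines other than those quoted from the post are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: lines 2-4 are quoted from the CFScript in the post,
# lines 1 and 5 are made up to show entries that should not be flagged.
SAMPLE_LOG = """\
uStart Page = hxxp://www.example.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>;*.local
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Example Toolbar: {00000000-0000-0000-0000-000000000001} - c:\\example\\tb.dll
"""

PROXY_RE = re.compile(r"^\w?Internet Settings,ProxyServer\s*=\s*(.+)$")
ORPHAN_RE = re.compile(r"^(\w+):\s.*?(\{[0-9A-Fa-f-]{36}\})\s*-\s*No File\s*$")

def proxy_hosts(value):
    """Split a ProxyServer value ('http=h:p;https=h:p' or 'h:p') into tuples."""
    out = []
    for entry in value.split(";"):
        entry = entry.strip()
        if entry:
            scheme, _, addr = entry.rpartition("=")
            host, _, port = addr.split("://")[-1].partition(":")
            out.append((scheme or "all", host, port))
    return out

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an IP literal
        return False

def scan(log_text):
    """Return (line_no, kind, detail) for loopback proxies and 'No File' entries."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in proxy_hosts(m.group(1)):
                if is_loopback(host):
                    findings.append((n, "loopback-proxy", f"{scheme} -> {host}:{port}"))
        elif (m := ORPHAN_RE.match(line)):
            findings.append((n, "orphaned-entry", f"{m.group(1)} {m.group(2)}"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A loopback proxy is not malicious by itself, since some local filtering tools set one; the finding is a prompt to identify which program is listening on that port.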

Thanks again - here is the morning log. As it was running it said there was a newer version of Combofix. I did NOT stop the analysis because I wasn't sure if I should.

If you need me to go back and do that over again with the updated version, let me know.


Off to do the other items on your list - and will post the next dds when that has been completed.

Colleen

I think I did something wrong. The ESET ran but I can't find any file log to upload. It said there were 10 threats detected. Do you have any idea where it may have saved the log or if I did something wrong?

Here is the other log in the meantime. The combofix is in the above post.

Sorry...

Hi,

Did ESET window have any details about found items visible?

It did have info - it said 10 items and from what I recall mostly trojan related.

Do you want me to rerun and write them down if I can't find a way to generate a log?

Colleen

Hi,

Please see if C:\Program Files\EsetOnlineScanner\log.txt file exists. If not then run the scanner again.

EDIT: Check also c:\program files\ESET contents for log file.

I started to run it again before - just in case. It just ended and here is the exported text file.

Thanks
Colleen

Hi,

Delete these files:
C:\Documents and Settings\Joe\My Documents\My Music\Incomplete\Preview-T-3209657-loving pi.mp3
C:\Documents and Settings\Joe\My Documents\My Music\Incomplete\Preview-T-4224012-loving pi HIT TOP50.mp3
C:\Documents and Settings\Joe\My Documents\My Music\LIMEWIRE downloads\loving pi.mp3

How's the system running now?

The system seems to be ok - I tried to sign in as my husband and google some things. I haven't been redirected. Last week it seemed like my sign in would be fine until he logged in and started searching but so far so good.

I added them to the recycle bin and emptied it.

Thank you again for all your help...will await your next instructions.

Thanks!
Colleen

Good. It's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis


Now let's uninstall ComboFix:
- Click START then RUN
- Now copy-paste Combofix /uninstall in the runbox and click OK

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :)

Thank you - I am off to start these processes now.

I will shore up the IE, but since I usually use FireFox, is there anything I need to do to that browser?

You have been so helpful. I am so lucky you clicked through on my question.
Colleen

I ran the Secunia - and there are some patches I can't find. The Microsoft 2000 is out of date - it says I should upgrade. (End of life - to be determined financially if I can upgrade) and (insecure but not end of life) Facebook photo uploader - which I can't figure out how to manually patch. There is another program (Team speak) which my husband uses for online gaming and I can't figure out that patch. When I load it it says something is missing for the file.

Should I try to figure them out, uninstall and start from scratch?

Sorry to keep asking...
Colleen

Hi,

If you can't afford fresh Office I recommend to take a look at free alternatives. Open Office (http://www.openoffice.org/) and Libre Office (http://www.libreoffice.org/) are good options.

Have you checked if PSI offers solution for those vulnerable items? There should be a solution link for every found problem offered by PSI.

I will check out those office options. I usually upload items to google so the formatting changes anyway since my work computer software is formatted differently anyway.

There was a link for the Team Speak program, but the patch wouldn't load. It kept getting some error. When my husband gets home I will ask him how often he uses it - maybe I can uninstall that version and just download a new, updated version.

There was no link for the facebook uploader. I can't find a place to update it. I would prefer to wait until all the security is reactivated before messing around with that site.

From here, can I reactivate firewalls and antivirus?

Do you have any suggestions on better programs to use?

THANK YOU so much for all your time and assistance.
Colleen
