Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Search Results redirecting to the wrong websites

Re: Search Results redirecting to the wrong websites

by Carolyn » June 28th, 2009, 3:23 pm

Hi Sandy,

My name is Carolyn. Chuck asked me to work with you because he has been called away unexpectedly.

The two items identified by the Kaspersky scan are not currently a threat. One is a file that was quarantined by ComboFix, the other is an infected System Restore Point. After your computer is clean we will uninstall ComboFix. That process will take care of both of those items.

Please run another custom CFScript

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it (click on SELECT ALL and use ctrl-c to copy the contents of that box please) :

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


Please go online and see if your searches are still getting redirected. You also reported that some exe's were being blocked. Please test those and let me know if that is still the case. If they are being blocked, please let me know what programs are affected.

Please post in your next reply your ComboFix log and the information that I requested.
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Search Results redirecting to the wrong websites

by Sandy_S » June 30th, 2009, 4:15 pm

Hi Carolyn,

Combofix Report.

ComboFix 09-06-29.07 - Connor 30/06/2009 19:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2039.1577 [GMT 1:00]
Running from: c:\documents and settings\Connor\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Connor\Desktop\CFScript.txt
AV: The Shield Deluxe 2009 Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
* Resident AV is active


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))

2009-06-28 13:44 . 2009-06-28 13:44 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-06-28 13:44 . 2009-06-28 13:44 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-06-28 13:44 . 2009-06-28 13:44 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-28 13:44 . 2009-06-28 13:44 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-06-28 13:44 . 2009-06-28 13:44 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-28 13:44 . 2009-06-28 13:44 296800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-28 13:44 . 2009-06-28 13:44 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-28 13:44 . 2009-06-28 13:44 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-06-28 13:43 . 2009-06-28 13:43 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-28 13:43 . 2009-06-28 13:43 72704 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-28 13:43 . 2009-06-28 13:43 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-28 13:43 . 2009-06-28 13:43 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-06-28 13:43 . 2009-06-28 13:43 561016 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-28 13:43 . 2009-06-28 13:43 565096 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-28 13:43 . 2009-06-28 13:43 2349384 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-06-28 13:43 . 2009-06-28 13:43 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-28 13:43 . 2009-06-28 13:43 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-28 13:43 . 2009-06-28 13:43 1003344 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-20 16:40 . 2009-06-20 16:40 -------- d-----w- C:\rsit
2009-06-20 16:38 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 16:38 . 2009-06-23 07:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 16:38 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 14:30 . 2009-06-16 14:30 -------- d-----w- c:\program files\Trend Micro
2009-06-16 14:28 . 2009-06-16 14:52 -------- d-----w- c:\program files\Spybot - Search & Destroy

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-06-30 18:34 . 2009-05-09 07:57 81984 ----a-w- c:\windows\system32\bdod.bin
2009-06-28 13:44 . 2009-01-24 16:07 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-26 06:12 . 2009-04-13 17:31 -------- d-----w- c:\program files\Galaxy Online
2009-06-19 16:16 . 2006-12-08 13:47 -------- d-----w- c:\documents and settings\Connor\Application Data\Skype
2009-06-16 12:25 . 2006-05-20 11:14 -------- d-----w- c:\documents and settings\Connor\Application Data\AdobeUM
2009-06-16 10:16 . 2005-05-25 21:08 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-12 15:29 . 2008-07-01 14:33 34 ----a-w- c:\documents and settings\Connor\jagex_runescape_preferences.dat
2009-05-08 16:57 . 2008-09-18 10:12 242184 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2009-05-08 14:56 . 2009-05-08 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-05-08 14:54 . 2009-05-08 14:54 -------- d-----w- c:\documents and settings\Connor\Application Data\BitDefender
2009-05-08 14:54 . 2009-05-08 14:52 -------- d-----w- c:\program files\Common Files\BitDefender
2009-05-08 14:54 . 2009-05-08 14:54 -------- d-----w- c:\program files\PCSecurityShield
2009-05-08 14:48 . 2008-08-07 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-07 15:32 . 2002-08-29 12:00 345600 ------w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-02-18 15:19 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-04-24 19:17 . 2009-04-24 19:17 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-24 19:17 . 2009-01-24 13:45 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-17 12:26 . 2002-08-29 12:00 1847168 ------w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-03 12:00 . 2009-04-03 12:00 266400 ----a-w- c:\documents and settings\Connor\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

((((((((((((((((((((((((((((( SnapShot_2009-06-27_14.57.08 )))))))))))))))))))))))))))))))))))))))))
+ 2005-05-25 01:29 . 2009-06-28 19:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-05-25 01:29 . 2009-05-08 13:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-05-25 01:29 . 2009-06-28 19:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-05-25 01:29 . 2009-05-08 13:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"BDAgent"="c:\program files\PCSecurityShield\BitDefender 2009\bdagent.exe" [2009-05-08 778240]
"BitDefender Antiphishing Helper"="c:\program files\PCSecurityShield\BitDefender 2009\IEShow.exe" [2009-05-08 73728]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]


"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [24/01/2009 14:45 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22:34 1003344]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [18/09/2008 11:09 111112]
S3 Arrakis3;PCSecurityShield Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [17/07/2008 12:06 118784]
S3 hdlSrv;hdlSrv;c:\program files\M-Systems Utility\hdlSrv.exe [19/11/2002 14:26 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:43]

2009-06-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
------- Supplementary Scan -------
uStart Page = hxxp://uk.yahoo.com/
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn ... taller.exe
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 19:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5604)
------------------------ Other Running Processes ------------------------
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\PCSecurityShield\BitDefender 2009\vsserv.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\PCSecurityShield\BitDefender 2009\seccenter.exe
Completion time: 2009-06-30 19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 18:49
ComboFix2.txt 2009-06-27 15:05
ComboFix3.txt 2009-06-23 08:59

Pre-Run: 19,985,526,784 bytes free
Post-Run: 20,089,802,752 bytes free

165 --- E O F --- 2009-06-30 17:58

I have had a play on the internet and everything appears to be working fine, my searches are going to the correct websites. The exe's are good and my updates are happening again, so we would appear to have won, still a little worried that Kaspersky believes that we have a virus.

Look forward to hearing from you on how to wrap things up here.


Active Member
Posts: 12
Joined: June 16th, 2009, 10:36 am

Re: Search Results redirecting to the wrong websites

by Carolyn » July 1st, 2009, 11:44 am

still a little worried that Kaspersky believes that we have a virus.

This next step will remove both of the items that were flagged by Kaspersky...

    Delete ComboFix and Clean Up
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)


    Update Java
    Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    • Download the latest version of Java.
    • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 14.
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
      Java(TM) 6 Update 2
    • Click the Remove or Change/Remove button.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
    • Note: If you don't want the Google toolbar, make sure you uncheck the option included in the installer!


    Update Adobe Acrobat Reader

    There is a newer version of Adobe Acrobat Reader available.
    • Please go to this link Adobe Acrobat Reader Download Link
    • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts

    When the installation is complete go to Add/Remove Programs and uninstall all previous versions.


    Now, feel free to scan again with Kaspersky to confirm that those items flagged earlier have been dealt with.


    This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

    Your log now appears to be clean. Congratulations!

    Please delete RSIT.exe from your computer. You can also delete the folder it created, C:\rsit

    Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

      Delete ComboFix and Clean Up
      Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
      Please advise if this step is missed for any reason as it performs some important actions.

      Protection Programs
      Don't forget to re-enable any protection programs we disabled during your fix.

      General Security and Computer Health
      Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

      • Set correct settings for files
        • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
        • Under Hidden files and folders if necessary select Do not show hidden files and folders.
        • If unchecked please check Hide protected operating system files (Recommended)
        • If necessary check Display content of system folders
        • If necessary Uncheck Hide file extensions for known file types.
        • Click OK

      • Make sure that you keep your antivirus updated
        New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
        Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

      • Security Updates for Windows, Internet Explorer & Microsoft Office
        Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
        Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.

      • Update Non-Microsoft Programs
        Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

      • Make Internet Explorer More Secure
        You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE

      Recommended Programs

      I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

      • WinPatrol
        As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

      • SpywareBlaster
        SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

      • Malwarebytes' Anti-Malware or SuperAntiSpyware
        These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
        You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
        You can download SuperAntiSpyware from HERE.

      • Hosts File
        For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

        Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
        If this isn't done first, the next reboot may take a VERY LONG TIME.
        This is how to do it. First be sure you are signed in as a user with administrative privileges:
        Stop and Disable the DNS Client Service
        Go to Start, Run and type Services.msc and click OK.
        Under the Extended Tab, Scroll down and find this service.
        DNS Client
        Right-Click on the DNS Client Service. Choose Properties
        Select the General tab. Click on the Stop button.
        Click the Arrow-down tab on the right-hand side at the Start-up Type box.
        From the drop-down menu, click on Manual
        Click the Apply tab, then click OK

      • Use an alternative Internet Browser
        Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
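
The killbit mechanism behind the SpywareBlaster recommendation in the post above, as an added example that is not part of the original thread: Internet Explorer refuses to load an ActiveX control when the `Compatibility Flags` DWORD under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` has the 0x400 bit set. The script reads a regedit export and reports that bit for a list of CLSIDs; the CLSIDs are ones that appear in this thread, while the export text and its flag values are constructed for the demonstration.

```python
import re

KILLBIT = 0x00000400  # kill bit within the "Compatibility Flags" DWORD
COMPAT_KEY = (r"hkey_local_machine\software\microsoft"
              r"\internet explorer\activex compatibility")
KEY_RE = re.compile(r"\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]")
FLAGS_RE = re.compile(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})', re.I)

# Constructed sample in regedit export format. The CLSIDs are the two from
# the thread's CFScript; the flag values are made up for the demonstration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15589FA1-C456-11CE-BF01-000000000000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
"Compatibility Flags"=dword:00800000
'''


def parse_compat_flags(reg_text):
    """Return {CLSID (upper case): Compatibility Flags value} from a .reg export."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # New key header: track it only if it sits under ActiveX Compatibility.
            m = KEY_RE.fullmatch(line)
            current = None
            if m and m.group(1).lower() == COMPAT_KEY:
                current = m.group(2).upper()
                flags.setdefault(current, 0)  # key exists, value may be absent
            continue
        v = FLAGS_RE.fullmatch(line)
        if current and v:
            flags[current] = int(v.group(1), 16)
    return flags


def killbit_status(reg_text, clsids):
    """Classify each CLSID as killbitted, present without killbit, or absent."""
    flags = parse_compat_flags(reg_text)
    status = {}
    for clsid in clsids:
        value = flags.get(clsid.upper())
        if value is None:
            status[clsid] = "no entry"
        elif value & KILLBIT:
            status[clsid] = "killbit set"
        else:
            status[clsid] = "entry present, killbit not set"
    return status


if __name__ == "__main__":
    wanted = [
        "{15589FA1-C456-11CE-BF01-000000000000}",
        "{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}",
        "{193C772A-87BE-4B19-A7BB-445B226FE9A1}",  # from the log; absent in sample
    ]
    for clsid, state in killbit_status(SAMPLE_REG, wanted).items():
        print(clsid, "->", state)
```
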

Re: Search Results redirecting to the wrong websites

by Sandy_S » July 2nd, 2009, 7:33 am


OK, I have done everything that you requested; the Kaspersky came up clean and I have made some changes to my protection as recommended in your standard protection.

So I am pleased to be able to thank you and your colleagues for their help and support, because without it I would have been in some serious trouble.

Best Regards

Active Member
Posts: 12
Joined: June 16th, 2009, 10:36 am

Re: Search Results redirecting to the wrong websites

by Carolyn » July 3rd, 2009, 11:40 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine