Search Engine Results Redirected to Ads


Re: Search Engine Results Redirected to Ads

by Jack&Jill » August 11th, 2011, 6:06 pm

Hello rulin8 :),

I noticed that you have both Windows Defender and Trend Titanium as antispyware. I suggest you disable Windows Defender to prevent conflicts.

Upload files
  • Open Notepad. Copy and paste the following text into it:
    @echo off
    rem Add each file listed below to Files_for_submission.zip in the current folder.
    for %%g in (
    c:\windows\System32\AudioEng32.dll
    c:\programdata\fwcfg32.dll
    c:\programdata\AudioEng32.dll
    ) do zip Files_for_submission %%g
    rem Delete this batch file once it has run.
    del %0
  • Save it as grab.bat on the desktop. Make sure the Save as type: is All Files (*.*).
  • Double click on grab.bat to run it. Allow if prompted by any security software.
  • A file Files_for_submission.zip will appear on your desktop.
  • Please upload the zip file to this upload channel and follow the steps accordingly.

--------------------

I want you to update MBAM and run a scan.
  • Open MBAM and click on the Update tab, then Check for Updates.
  • When completed, go back to the Scanner tab and select Perform full scan. Click Scan.
  • Leave the default options as they are and click on Start Scan.
  • If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  • After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

--------------------

Please post back:
1. how did the upload go?
2. MBAM report
3. how is the computer behaving now?
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: Search Engine Results Redirected to Ads

by rulin8 » August 11th, 2011, 9:37 pm

Jack&Jill,

The upload was successful and the MBAM report is below (no infected files found). In the few trial Google searches I've tried, I didn't get redirected to spam sites. Thus it appears all malware has been removed.

Thanks,
rulin8


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7438

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

8/11/2011 9:21:38 PM
mbam-log-2011-08-11 (21-21-38).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 393311
Time elapsed: 2 hour(s), 23 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
rulin8
Active Member
 
Posts: 13
Joined: July 31st, 2011, 1:39 pm

Re: Search Engine Results Redirected to Ads

by Jack&Jill » August 11th, 2011, 10:27 pm

Hello rulin8 :),

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Run ComboFix script
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Open Notepad. Copy and paste the following text into it:
    File::
    c:\windows\System32\AudioEng32.dll
    c:\programdata\fwcfg32.dll
    c:\programdata\AudioEng32.dll

  • Save it as CFScript.txt on the desktop. Make sure the Save as type: is All Files (*.*).
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update, please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.

--------------------

Your Adobe Reader is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Adobe Reader to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Adobe Reader 8.1.3

  • Go to the Adobe download page. Click here.
  • If your OS is not the same as stated, click on Do you have a different language or operating system? link.
    • Under the Select an operating system title, choose the OS that you have.
    • Change the language at the Select a language title.
    • Next, select the version of the reader at the Select a Version title.
    • Uncheck (untick) to opt out of Google Chrome installation.
    • Click the Download now button to proceed. Allow if prompted and save the file to a convenient location.
    • Run the downloaded file to continue with the installation.
  • If your OS is the same, uncheck (untick) to opt out of McAfee Security Scan Plus installation.
  • Click Download to proceed. Allow if prompted and save the file to a convenient location.
  • Run the downloaded file to continue with the installation.

Alternatively, you can try Foxit Reader Portable or Nuance PDF Reader.

--------------------

Your Java Runtime Environment is outdated. Older versions have security vulnerabilities that can be exploited.

Please update JRE to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Java(TM) 6 Update 15
Java(TM) SE Runtime Environment 6 Update 1


  • Go to the Java SE download page. Click here.
  • Look for Java SE 6 Update 26. Click the Download button to the right below JRE.
  • Click on Accept License Agreement after reading Oracle Binary Code License Agreement for the Java SE Platform Products.
  • From a list of files for download, click on the link which says jre-6u26-windows-i586.exe beside Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running, especially your web browser.
  • Then, from your desktop, double click on the download to install the newest version. Reboot your computer.

--------------------

Your Firefox browser is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Firefox browser to the latest. You may need to use Internet Explorer temporarily for this, or download the program first before continuing the uninstall step.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Mozilla Firefox (3.6.18)

  • Go to the Mozilla Firefox download page. Click here.
  • Click on the Free Download button and save the setup file to a convenient location.
  • Double click on the setup file and follow the steps accordingly.

--------------------

Please post back:
1. ComboFix log
2. any more problems?
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: Search Engine Results Redirected to Ads

by rulin8 » August 12th, 2011, 9:36 pm

Adobe Reader, JRE, and Firefox have been updated. The ComboFix log is below. Before running ComboFix, my anti-virus software detected a threat with c:\windows\System32\AudioEng32.dll, however I still have not had the search results redirected to spam sites nor has the anti-virus software detected any threats.

Thanks,
rulin8

ComboFix 11-08-12.01 - Amber 08/12/2011 20:08:16.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.957 [GMT -4:00]
Running from: c:\users\Amber\Desktop\ComboFix.exe
Command switches used :: c:\users\Amber\Desktop\CFScript.txt
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-13 to 2011-08-13 )))))))))))))))))))))))))))))))
.
.
2011-08-13 00:31 . 2011-08-13 00:31 -------- d-----w- c:\users\Amber\AppData\Local\temp
2011-08-13 00:31 . 2011-08-13 00:31 -------- d-----w- c:\users\Thea\AppData\Local\temp
2011-08-13 00:31 . 2011-08-13 00:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-10 21:34 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-10 21:34 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-10 21:34 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-08-10 21:34 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-10 21:34 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-10 21:34 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-09 16:25 . 2011-07-20 13:44 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{72B0F37E-C3F9-481F-9B11-B1D20E2ED310}\mpengine.dll
2011-08-09 16:25 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-09 00:24 . 2011-08-09 00:24 -------- d-----w- c:\program files\ESET
2011-08-07 13:25 . 2011-08-07 13:25 -------- d-----w- c:\program files\VirusTotalUploader2
2011-08-07 12:53 . 2011-08-07 12:53 -------- d-----w- c:\users\Amber\AppData\Local\AOL
2011-08-05 01:32 . 2011-08-05 01:32 -------- d-----w- c:\users\Amber\AppData\Local\WinZip
2011-07-31 03:09 . 2008-01-02 21:33 172032 ----a-w- c:\windows\system32\igfxres.dll
2011-07-30 22:23 . 2011-07-30 22:23 388096 ----a-r- c:\users\Amber\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-30 22:18 . 2011-07-30 22:18 -------- d-----w- c:\users\Amber\AppData\Roaming\Malwarebytes
2011-07-30 22:18 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-30 22:18 . 2011-07-30 22:18 -------- d-----w- c:\programdata\Malwarebytes
2011-07-30 22:18 . 2011-07-30 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-30 22:18 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-30 21:58 . 2011-07-30 21:58 8899 --sha-w- c:\programdata\fwcfg32.dll
2011-07-30 20:57 . 2011-07-30 20:57 8899 --sha-w- c:\programdata\AudioEng32.dll
2011-07-30 01:59 . 2011-07-30 01:59 343040 ----a-w- c:\windows\system32\AudioEng32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-04 18:02 . 2011-07-05 01:40 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-07-04 18:02 . 2011-07-05 01:38 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-07-04 18:02 . 2011-07-05 01:38 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-04 18:02 . 2011-07-05 01:38 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-06-02 13:34 . 2011-07-13 14:17 2043392 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026E7739-861E-44EE-9AF7-63E922DDCC94}]
2011-07-30 01:59 343040 ----a-w- c:\windows\System32\AudioEng32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2006-12-15 503296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Spare Backup"="c:\program files\Spare Backup\SpareBackup.exe" [2007-09-14 5252936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-16 149280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-02-28 74408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2007-11-17 2342912]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Philips GoGear VIBE Device Manager.lnk - c:\philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe [2010-7-19 1701224]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-11-30 608584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [x]
R3 mr7911;Photo Viewer ;c:\windows\system32\DRIVERS\mr7911.sys [2008-05-24 39552]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [2008-02-19 537256]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2011-07-04 64080]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-07-18 281088]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html ... B&M=MT6728
mStart Page = hxxp://broadband.zoomtown.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Amber\AppData\Roaming\Mozilla\Firefox\Profiles\yegvf0ig.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Internet Video Downloader: {B728AB94-9BC7-49b7-B76A-422BB31B2FD0} - c:\program files\ArcSoft\Media Converter for Philips\Internet Video Downloader\Plugin_FireFox
FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\firefoxextension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-12 20:31
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-08-12 20:36:51
ComboFix-quarantined-files.txt 2011-08-13 00:36
ComboFix2.txt 2011-08-11 01:23
ComboFix3.txt 2011-08-05 01:24
ComboFix4.txt 2011-07-31 03:01
.
Pre-Run: 47,376,461,824 bytes free
Post-Run: 47,374,970,880 bytes free
.
- - End Of File - - 66C83871C90E5EC13E085E01D2042ABE
rulin8
Active Member
 
Posts: 13
Joined: July 31st, 2011, 1:39 pm
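
The following Python triage of the "Files Created" section of a ComboFix log is an added example, not something posted in the thread or shipped with ComboFix. The column layout, the attribute letters (d, s, h, a, r, w), the c:\windows prefix and both heuristics are assumptions read off the log above; the sample lines are copied from that log.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules on any OS

# Assumed layout: "<created> . <modified> <size|--------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>\S.*)$"
)

# Lines copied from the "Files Created" section of the log in the post above.
SAMPLE_LOG = r"""
2011-08-13 00:31 . 2011-08-13 00:31 -------- d-----w- c:\users\Amber\AppData\Local\temp
2011-08-13 00:31 . 2011-08-13 00:31 -------- d-----w- c:\users\Thea\AppData\Local\temp
2011-08-10 21:34 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-09 16:25 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-30 22:23 . 2011-07-30 22:23 388096 ----a-r- c:\users\Amber\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-30 22:18 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-30 21:58 . 2011-07-30 21:58 8899 --sha-w- c:\programdata\fwcfg32.dll
2011-07-30 20:57 . 2011-07-30 20:57 8899 --sha-w- c:\programdata\AudioEng32.dll
2011-07-30 01:59 . 2011-07-30 01:59 343040 ----a-w- c:\windows\system32\AudioEng32.dll
"""


def parse_entries(log_text):
    """Return one dict per file/directory line; other log lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners, "." separators, registry sections, etc.
        attrs = m["attrs"]
        entries.append({
            "path": m["path"],
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": attrs[0] == "d",
            "hidden": "h" in attrs,
            "system": "s" in attrs,
        })
    return entries


def triage(log_text):
    """Map each file worth a second look to the reasons it was flagged.

    Heuristics (assumptions for this example, not rules stated in the thread):
      1. hidden + system attributes on a file outside c:\\windows
      2. the same file name present in more than one directory
    """
    files = [e for e in parse_entries(log_text) if not e["is_dir"]]

    dirs_by_name = defaultdict(set)
    for e in files:
        dirs_by_name[basename(e["path"]).lower()].add(dirname(e["path"]).lower())

    findings = {}
    for e in files:
        reasons = []
        in_windows = e["path"].lower().startswith("c:\\windows\\")
        if e["hidden"] and e["system"] and not in_windows:
            reasons.append("hidden+system outside c:\\windows")
        if len(dirs_by_name[basename(e["path"]).lower()]) > 1:
            reasons.append("same file name in more than one directory")
        if reasons:
            findings[e["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path}: {'; '.join(reasons)}")
```

On these lines the two heuristics flag the same three files that the CFScript in this thread lists; a flag is a prompt to inspect or submit the file, not a verdict on it.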

Re: Search Engine Results Redirected to Ads

by Jack&Jill » August 13th, 2011, 2:42 am

Hello rulin8 :),

Have your real time protection disabled while you are performing the below step.

Please download OTM© by Old Timer from one of the links below and save it to your desktop.

Link 1
Link 2

  • Double click OTM.exe to run it.
  • Copy and paste the following text into the white box under Paste Instructions for Items to be Moved:
    :files
    c:\windows\System32\AudioEng32.dll
    c:\programdata\fwcfg32.dll
    c:\programdata\AudioEng32.dll
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    
    :commands
    [CREATERESTOREPOINT]
    [emptytemp]
    
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) and paste it in your next reply.
  • The results can also be found in C:\_OTM\MovedFiles folder, the log file being named MMDDYYYY_HHMMSS.log, where MMDDYYYY_HHMMSS represent the date and time the fix was performed.

--------------------

Please post back:
1. the OTM log
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: Search Engine Results Redirected to Ads

by Jack&Jill » August 15th, 2011, 7:28 pm

Hello rulin8 :),

I usually close the topic after 3 days without any reply, and it has already been 3 days since my last post. Do you still need help? Any problems following my instructions? Need more time?

There are a few more files to remove and I have some security recommendations for you later.

If I do not get any response within the next 24 hours, this topic will be closed.
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: Search Engine Results Redirected to Ads

by rulin8 » August 15th, 2011, 8:20 pm

Jack&Jill,

I tried to run the OTM.exe twice, however it crashed my OS both times. It appears the AudioEng32.dll and fwcfg32.dll files were moved but there is no log file.

Thanks,
Thea
rulin8
Active Member
 
Posts: 13
Joined: July 31st, 2011, 1:39 pm

Re: Search Engine Results Redirected to Ads

by Jack&Jill » August 15th, 2011, 11:02 pm

Hello rulin8 :),

If those files are still around, please try to delete them.

Are there any error messages during the crash?

Post a new DDS.txt, please.
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: Search Engine Results Redirected to Ads

by rulin8 » August 16th, 2011, 8:54 pm

Jack&Jill,

The DDS.txt is below and I've manually deleted the moved files. There were no error messages when OTM.exe crashed. Perhaps it would help if I provided more details on the crash. When I say the OS crashed, I mean the program closed and the desktop went blank (no icons/shortcuts, no mouse pointer, and no taskbar). I opened task manager via ctrl-alt-del and there were no processes or applications running so I restarted the computer. The first time I ran OTM.exe it only moved the "c:\windows\System32\AudioEng32.dll" file, before it crashed. The second time I ran OTM.exe, the program was in the middle of the 2nd "[emptytemp]" command before crashing. This time I left the computer with the blank desktop overnight (in case OTM.exe was still running). However, the next day there was no change, so I restarted. In C:\_OTM\MovedFiles there were 2 folders (1 for each time I tried to run it) however there were no log files in either.

Also, I've been successfully using search engines without being redirected to spam sites.

Hope this helps,
rulin8



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Amber at 20:35:48 on 2011-08-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.809 [GMT -4:00]
.
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\lxbkcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.gateway.com/g/startpage.html ... B&M=MT6728
mStart Page = hxxp://broadband.zoomtown.com
BHO: {026e7739-861e-44ee-9af7-63e922ddcc94} - c:\windows\system32\AudioEng32.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVD.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [lxbkbmgr.exe] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\philip~1.lnk - c:\philips\gogear vibe device manager\GoGear_Vibe_DeviceManager.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vralimuscingh13.connectge.com/d ... tupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://alpharetta.connectge.com/dana-c ... Client.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{118D78FA-05C4-46CF-B9A5-5D7899A35D07} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FBB7E9FA-7484-40C0-8B5E-68D2516D0850} : DhcpNameServer = 192.168.200.1 192.168.200.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\amber\appdata\roaming\mozilla\firefox\profiles\yegvf0ig.default\
FF - component: c:\program files\arcsoft\media converter for philips\internet video downloader\plugin_firefox\components\nsURLRecordEx.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1079\firefoxextension\components\TmFFExt.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-7-4 188272]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-18 21504]
R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-30 366640]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-7-4 64080]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-30 22712]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2007-11-17 281088]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe --> c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [?]
S3 mr7911;Photo Viewer ;c:\windows\system32\drivers\mr7911.sys [2008-5-23 39552]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-14 15:23:34 -------- d-----w- C:\_OTM
2011-08-13 01:27:30 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-08-13 01:27:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-13 00:37:04 -------- d-----w- c:\users\amber\appdata\local\temp
2011-08-13 00:37:03 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-13 00:04:43 -------- d-----w- C:\ComboFix
2011-08-10 21:34:52 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-10 21:34:51 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-10 21:34:49 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-08-10 21:34:35 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-10 21:34:35 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-10 21:34:32 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-09 16:25:55 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{72b0f37e-c3f9-481f-9b11-b1d20e2ed310}\mpengine.dll
2011-08-09 16:25:53 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-09 00:24:18 -------- d-----w- c:\program files\ESET
2011-08-07 13:25:37 -------- d-----w- c:\program files\VirusTotalUploader2
2011-08-07 12:53:42 -------- d-----w- c:\users\amber\appdata\local\AOL
2011-08-05 01:32:01 -------- d-----w- c:\users\amber\appdata\local\WinZip
2011-07-31 03:09:35 172032 ----a-w- c:\windows\system32\igfxres.dll
2011-07-31 02:34:42 98816 ----a-w- c:\windows\sed.exe
2011-07-31 02:34:42 518144 ----a-w- c:\windows\SWREG.exe
2011-07-31 02:34:42 256000 ----a-w- c:\windows\PEV.exe
2011-07-31 02:34:42 208896 ----a-w- c:\windows\MBR.exe
2011-07-30 22:23:36 388096 ----a-r- c:\users\amber\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-30 22:18:20 -------- d-----w- c:\users\amber\appdata\roaming\Malwarebytes
2011-07-30 22:18:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-30 22:18:10 -------- d-----w- c:\programdata\Malwarebytes
2011-07-30 22:18:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-30 22:18:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-04 18:02:33 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-07-04 18:02:33 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-07-04 18:02:33 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-07-04 18:02:33 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-06-02 13:34:49 2043392 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 20:36:32.98 ===============
rulin8
Active Member
 
Posts: 13
Joined: July 31st, 2011, 1:39 pm

Re: Search Engine Results Redirected to Ads

Unread postby Jack&Jill » August 17th, 2011, 1:21 am

Hello rulin8 :),

The DDS.txt is below and I've manually deleted the moved files.
Misinterpretation here. My bad for not making it clearer. You should delete the files only if they are at their original paths, not after being moved by OTM. Since you have already deleted them, nothing to be done here.

the program closed and the desktop went blank (no icons/shortcuts, no mouse pointer, and no taskbar).
This is normal, but not supposed to last over one night.

You might want to uninstall this, as some people find it categorized as an unwanted application:
Browser Address Error Redirector

Since you are no longer having any more problems, I would say you are good to go. Please complete the following steps and I will provide some recommendations after that.

--------------------

Please download ERUNT© by Lars Hederer from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

Back up your registry with ERUNT
  • Double click on erunt-setup.exe and run the installation setup.
  • Follow the setup instructions until you reach Select Additional Tasks, uncheck (untick) Create NTREGOPT desktop icon.
  • Continue until you get prompted to run ERUNT at startup. Choose No.
  • Next, make sure Launch ERUNT is checked (ticked) and click Finish.
  • Click OK when ERUNT is launched, and accept all default settings. ERUNT will then back up the registry.

--------------------

Remove orphaned reg entries
  • Open Notepad. Copy and paste the following text into it:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{026e7739-861e-44ee-9af7-63e922ddcc94}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=-
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=-
    "{A057A204-BACC-4D26-9990-79A187E2698E}"=-
    
    
    Note: Copy exactly everything in the code box. Make sure there are no empty lines at the beginning, and have one empty line at the end of the code.
  • Save it as Fix.reg on the desktop. Make sure the Save as type: is All Files (*.*).
  • Double click on Fix.reg. When it asks you to merge the information to the registry, click Yes.

--------------------

Congratulations, you are All Clear to go. Glad to hear everything is good and running :). If you have any more problems, please let me know.

Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.
  • Go to Start > Run.... Copy and paste the following text into the white box:
    ComboFix /uninstall
    Click OK.
  • Run OTM by double clicking on OTM.exe. Click on CleanUp, proceed to reboot if prompted.
  • Delete the CKScanner, TDSSKiller, aswMBR, SystemLook and GooredFix files on your desktop.
  • Delete any logs on the desktop.

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows Vista to always update the latest security patches from Microsoft, or you can download from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

2. Update your Antivirus program regularly; it is a must for constant protection against viruses. Please keep only one AV installed.

3. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool, totally free but for real-time protection you will have to pay a small one-time fee.

4. Install WinPatrol, a great protection program that helps you monitor for unwanted files or applications.

5. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts for this purpose.

6. Install Web of Trust (WOT). WOT keeps you from dangerous websites with warnings and blockings.

7. Protect your computer from removable or USB drive infections with Panda USB Vaccine, an effective method to prevent malware from spreading.

8. Keep all your software updated. Visit Secunia Software Inspector to find out if any updates are required.

9. Also look up:
Computer Security - a short guide to staying safer online
PC Safety and Security - What Do I Need? By Glaswegian
How to prevent malware: By miekiemoes
So how did I get infected in the first place? By Tony Klein
Microsoft Online Safety

Stay safe.

If you have been helped and wish to donate to support this volunteer site, go to Donations For Malware Removal.
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia
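
A check in the spirit of the Fix.reg step in the post above, as an added example that is not part of the original thread: it lists what a REGEDIT4 file will delete or set before it is merged, and applies the post's note about empty lines. The sample file, its placeholder GUIDs and the `review_reg` name are assumptions; multi-line hex values are not handled.

```python
import re

# Constructed sample in the same REGEDIT4 shape as the Fix.reg in the post;
# the GUIDs are placeholders, not the ones from the thread.
BHO = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects"
TOOLBAR = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar"
SAMPLE_REG = "\n".join([
    "REGEDIT4",
    "",
    "[-" + BHO + r"\{00000000-0000-0000-0000-000000000001}]",
    "",
    "[" + TOOLBAR + "]",
    '"{00000000-0000-0000-0000-000000000002}"=-',
    '"Kept"="value"',
    "",
    "",
])

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                 # [-KEY] deletes a whole key
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=- deletes one value

def review_reg(text):
    """Return (operations, problems) for the text of a .reg file."""
    lines = text.replace("\r\n", "\n").split("\n")
    ops, problems = [], []
    if lines[0].strip() not in HEADERS:
        problems.append("first line is not a .reg header")
    if len(lines) < 2 or lines[-1] != "" or lines[-2].strip() != "":
        problems.append("no empty line at the end")
    key = None  # key currently open for value lines
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)
            ops.append(("delete-key" if m.group(1) else "open-key", m.group(2)))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            action = "delete-value" if m.group(2) == "-" else "set-value"
            ops.append((action, key + "\\" + name))
        else:
            problems.append("line %d: not understood: %r" % (n, line))
    return ops, problems
```

Reading the returned operations against the backup taken with ERUNT shows exactly which keys and values the merge will remove.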

Re: Search Engine Results Redirected to Ads

Unread postby rulin8 » August 17th, 2011, 9:01 pm

Jack&Jill,

Thank you very much for all of your help and quick responses. It is appreciated.

Thanks again,
rulin8
rulin8
Active Member
 
Posts: 13
Joined: July 31st, 2011, 1:39 pm

Re: Search Engine Results Redirected to Ads

Unread postby Jack&Jill » August 18th, 2011, 3:08 am

Hello rulin8 :),

You are most welcome. Glad to be of assistance.
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: Search Engine Results Redirected to Ads

Unread postby Wingman » August 22nd, 2011, 10:42 am

As your problems appear to have been resolved, this topic is now closed.
We are pleased we could help you resolve your computer's malware issues.

If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Donations For Malware Removal
Wingman
Admin/Teacher
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA