Top-Search-101

Before I followed the procedures in the do this first thread, a combination of detectors (StopZilla for one) told me I had the following:

search hijacker.h
fsa.tmp
vundo.bib
trojan.win32.generic (drivers\rkhit.sys)
tr/agent.339968.0.trojan (restore\imagex.exe)

After following your procedures I believe the rkhit.sys has been removed, but nothing else.

Mostly what I noticed was a significant reduction in speed and an overall lag that was not present before. This is a relatively new machine with a fast processor, 4 gig ram etc. Firefox can be a memory hog, but it was off the charts. I needed to reboot all the time, typing was delayed, scrolling lagged etc.

At first I was wearing blinders and just thought Firefox got really greedy. Then I noticed that when I clicked on certain sites, like Amazon, it would open new windows when it shouldnt. Eventually I watched and it did a sneaky redirect in there, first hitting top-search, then going to Amazon. I had always closed those windows anyway, but now I know what is up.

I also have a text file on my desktop called debug that I cant close because it says it is open in internet explorer.

I have tried to follow all of the directions in the do this first thread. If anything is omitted, its due to error, not me intentionally skipping anything. The only things I didnt do were for 32 bit windows, this is a 64 bit machine. Because of that, I can post all three logs here in a single post.

Thank you for your help in advance.

 

I did run CCleaner and clean out my cache. I uninstalled StopZilla and the others when I started the procedure. I will reinstall it and run to see what it finds and then post the log. This should take a half hour or so.

There is still an undeleteable text file on my desktop. My browser seems better so far, but I havent tested everything because I didnt want to cause any new problems. I will work on seeing if anything else happens, but Im just skittish about screwing things up a second before they are fixed.

Thank you for your quick response.

 

The file is debug.log, a text file. It is blank, but cannot be deleted.

As for StopZilla, its still processing, but now it says I have at least 11 infections including the ones from before. Once its done I will post the log.

Thanks

 

Here is the log.

 

It wants me to pay to remove stuff. I do not have the full version. Are you saying the vundo.bib, search hijacker.h etc are false positives to get me to buy?

 

Confusion is a commodity in which I am a certified purveyor. I am doing the eset scan now, and so far it has found a few things. Log to follow when done.

What I meant was, you said that it looked like StopZilla didnt do much, but I was commenting on the supposed 15 items it found. I wondered if maybe it showed me false positives to get me to buy their product.

 

Here is my eset log. Let me know what you need me to do next.

Thanks

 

It will not allow me to delete it. Every time I change the folder to unset read only, it immediately changes back.

 

I have deleted the contents of that folder, which then allowed the folders deletion. What is my next step?

 

The turbo-search-101 hijack is still occurring. I know I wrote the wrong thing in the title, I must have confused myself. I have my malware scan running again to see if there are more issues remaining.

Thanks

 

It does not reset my home page. Its a lot stealthier than that. What it does is when I am on certain pages, if I click a link or sometimes even hover over a link with certain key words, it opens a new tab which goes to a relevant link via a redirect through turbo-search-101.com. So if I am in my Amazon seller account, when I click something related to Amazon it opens a new page, likely using this routing so I have clicked their affiliate link.

When I ran StopZilla the second time it allowed me to delete the infections without registering for some reason, but I am still showing as having a trojan in my windows restore/imagex.exe file. This is in my startup in msconfig, but it does have a name and identifying text, and I believe this is a component of Windows 7 (though it could still be infected).

Other than that, everything is cleaned out. I am going to restart and see if the hijacking continues now that StopZilla thinks its clean. Other than the listed trojan (imagex), I am clean.

Should I do anything with imagex?

Thanks

 

So far after restart I cannot get the turbo-search-101 behavior to recur. I believe we may be out of the woods.

Do I have any further steps you would like me to do?

Thanks

 

Looks like I spoke too soon. I didnt download or install anything new, but last night around midnight turbo-search-101 again. When I ran Stopzilla again it found 3 infections, one of them being imagex.

 

Sorry for the delay. Here is the log.

 

Here is my log from Bit Defender. It looks like it agrees that imagex is infected, but I dont think it was able to fix it. I also couldnt upload an html file, so I converted it to txt. Let me know the next step.

Thanks