Search Page Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by caraamon, Nov 19, 2006.

  1. caraamon

    caraamon Private E-2

    It seems I have this problem where if I click on a search result at any of the major search pages, I get redirected to some commercial searches (such as bitcar, whatever that is).

    I've run all the preliminary steps, with no effect. Logs will be appended.

    Additional notes that may or may not be related: I recently had a problem requiring me to do a repair reinstallation of XP because something broke badly when I was uninstalling Quicktime and iTunes. Broke as in a one second blue screen during bootup and automatic restart of the computer.

    In addition, once I started noticing the problems with the browser, I tried to manually delete all internet temporary files, but whenever I'd get near to that using Windows Explorer, Explorer itself would crash. Ended up running any number of cleaning programs, such as CCleaner, as well as running a system scan of the drive. Problem seems to be fixed, but I don't know what it was that did it.
     

    Attached Files:

  2. caraamon

    caraamon Private E-2

    Additional logs.

    And thanks.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please install HijackThis correctly as requested in step 7 of the READ & RUN ME. You installed it here:

    C:\Documents and Settings\Me\Desktop\analyse.exe

    That is exactly where we specify not to install it.

    You also need to run this procedure: WareOut Removal and attach the requested log afterwards.

    After running WareOut Removal run HJT and have it fix the below lines if they still exist:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7B743BB9-5774-47AE-91C0-2BC204B2D25C}: NameServer = 85.255.113.122,85.255.112.62
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.122 85.255.112.62
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.122 85.255.112.62
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.122 85.255.112.62

    Then reboot your PC and attach a new HJT log and the log from FixWareOut. Also tell me how things are working.
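    The four O17 lines above all come from the same place: the NameServer value under Tcpip\Parameters in each control set, plus the per-interface {GUID} subkeys. The following PowerShell script is an added example (not from this thread and not part of HijackThis) that reads those values from every control set and flags any resolver that is not on an allow-list; the allow-list addresses are an assumption and should be replaced with the resolvers you actually expect.

```powershell
# Added example (not from the thread or from HijackThis): audit the TCP/IP
# NameServer values that HJT reports as O17 entries. Every control set's
# Tcpip\Parameters key and each per-interface {GUID} subkey is read, and every
# resolver address is compared with an allow-list of DNS servers you expect.
# The allow-list below is an assumption; put your own resolvers there.
$ExpectedDns = @('192.168.1.1', '192.168.1.2')

function Get-NameServerEntries {
    $results = @()
    # CurrentControlSet plus the ControlSet00N backups (HJT's CCS, CS1, CS2).
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' }
    foreach ($cs in $controlSets) {
        $tcpip = "$($cs.PSPath)\Services\Tcpip\Parameters"
        if (-not (Test-Path $tcpip)) { continue }
        # Global NameServer value first, then one key per network interface.
        $keys = @(Get-Item $tcpip)
        if (Test-Path "$tcpip\Interfaces") { $keys += Get-ChildItem "$tcpip\Interfaces" }
        foreach ($key in $keys) {
            $value = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).NameServer
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            # NameServer is a single string; servers are comma- or space-separated,
            # as in the log lines quoted above.
            foreach ($ip in ($value -split '[ ,]+' | Where-Object { $_ })) {
                $results += [pscustomobject]@{
                    Key        = ($key.PSPath -replace '^.*?::', '')
                    NameServer = $ip
                    Expected   = ($ExpectedDns -contains $ip)
                }
            }
        }
    }
    return $results
}

$entries = @(Get-NameServerEntries)
$entries | Format-Table -AutoSize
$unexpected = @($entries | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) NameServer value(s) point at resolvers not in the allow-list."
} else {
    Write-Host 'All NameServer values match the allow-list.'
}
```

    NameServer holds statically configured resolvers only; addresses handed out by DHCP live in DhcpNameServer and are not checked here. A resolver you did not configure yourself, especially one outside your own network, is the finding to investigate, and the value should be cleared or corrected in every control set, not just the current one, since the backups are what a Last Known Good boot restores.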
     
  4. caraamon

    caraamon Private E-2

    Okay, well last night a strange thing happened. I was showing my friend the bizarre behavior, I clicked on one link and it redirected me, then hit the back button and clicked another link and got no redirect. Since then I've had no redirects at all. I literally did nothing in between those clicks, and didn't do anything before them either.

    However, since I don't trust mysterious things that fix themselves, I followed your instructions. Logs are attached.

    If it matters, I was forced to drop my firewall to let FixWareOut download a file, and right after my computer massively slowed down. It returned to normal and I haven't had any problems. I do not know if it's related or not.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not fix those O17 lines using HJT. Did you forget? Did you forget to select them and click Fix checked? Try again! Are they still showing in a new HJT log?
     
  6. caraamon

    caraamon Private E-2

    Whoops, sorry. I fixed them, I just attached the log from before I did it. Not having a good week.

    Here's the new log.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you add the below two items to your Trusted Zone?
    O15 - Trusted Zone: http://www.play.net
    O15 - Trusted Zone: http://www.scmasquerade.com

    We don't recommend putting anything in the TZ unless you cannot live without it.

    If you don't need them, fix them with HJT. Also fix the below line:
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} -

    Other than that you are clean. How are things working?
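    The O15 lines above are the contents of Internet Explorer's Trusted sites zone, stored under ZoneMap\Domains in the user's registry hive. The script below is an added example (not from this thread and not part of HijackThis) that lists every host the current user has placed in that zone, so the list can be reviewed against the "only if you cannot live without it" rule; the registry layout it walks is the standard one and not specific to this thread.

```powershell
# Added example (not from the thread or from HijackThis): enumerate the hosts the
# current user has placed in Internet Explorer's Trusted sites zone, which HJT
# reports as O15 entries. Under ZoneMap\Domains each domain key (and optional
# host sub-key, e.g. Domains\play.net\www) holds scheme-named DWORD values
# (http, https, *) whose data is the zone number; 2 means Trusted sites.
function Get-TrustedZoneHosts {
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $found = @()
    if (-not (Test-Path $root)) { return $found }
    foreach ($domainKey in Get-ChildItem $root) {
        # Check the domain key itself and each host-name sub-key beneath it.
        $candidates = @(
            @{ Key = $domainKey; HostName = $domainKey.PSChildName }
        )
        foreach ($sub in Get-ChildItem $domainKey.PSPath) {
            $candidates += @{ Key = $sub; HostName = "$($sub.PSChildName).$($domainKey.PSChildName)" }
        }
        foreach ($c in $candidates) {
            $props = Get-ItemProperty -Path $c.Key.PSPath
            # Skip the PS* note properties PowerShell adds to every registry item.
            foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                if ($prop.Value -eq 2) {
                    $found += [pscustomobject]@{ Scheme = $prop.Name; Host = $c.HostName }
                }
            }
        }
    }
    return $found
}

$trusted = @(Get-TrustedZoneHosts)
if ($trusted.Count -eq 0) { Write-Host 'No Trusted sites entries for this user.' }
else { $trusted | Format-Table -AutoSize }
```

    Only the current user's hive is read; machine-wide entries (applied when the Security_HKLM_only policy is set) live under the same path beneath HKLM and would need a second pass with that root. Anything listed gets the Trusted zone's relaxed security settings for every page it serves, which is why an entry you did not add yourself deserves the same attention as the O17 lines.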
     
  8. caraamon

    caraamon Private E-2

    Yes I put them in there. I like to keep my security settings pretty high, and those two sites are either run by people I know and trust or are commercial sites I trust.

    Things seem to be working fine.

    Thanks for your help.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
