Spyware, Viruses, & Security

General discussion

Why are my search results being redirected?

by ThatConfusedMo / December 27, 2008 8:32 AM PST

I posted this in the Browser section, but now I'm thinking I have a virus and it is not an issue with my browser. You can read that here: http://forums.cnet.com/5208-6620_102-0.html?forumID=14&threadID=322133&messageID=2936992&tag=forums06;forum-threads

Anyways, my searches are getting redirected no matter which web browser I use (I've tried IE7, Firefox and Google Chrome). Here is a picture to show what I am talking about (click to make bigger): http://img257.imageshack.us/img257/8297/95950473ov2.jpg

Like I said in the other forum, I've run a virus scan, spyware scan, Ad-Aware scan, an online scan on Ediwo.net and a SpyBot S&D scan. Still, the problem still occurs. I installed that Hijack This program, but I didn't know what the hell to do. Can someone please help me?

One more thing
by ThatConfusedMo / December 27, 2008 8:39 AM PST

I forgot to mention I also installed CCleaner, did a scan and a registry fix, but that didn't do anything. Also, I just uninstalled Google Chrome and it still does not work.

Try the following.....
by Marianna Schmudlach / December 27, 2008 9:17 AM PST
In reply to: One more thing

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
    o Update Malwarebytes' Anti-Malware
    o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

Did it help?

Here is the log
by ThatConfusedMo / December 27, 2008 10:04 AM PST
In reply to: Try the following.....

Malwarebytes' Anti-Malware 1.31
Database version: 1557
Windows 5.1.2600 Service Pack 3

12/27/2008 9:00:21 PM
mbam-log-2008-12-27 (21-00-21).txt

Scan type: Quick Scan
Objects scanned: 57720
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00289da (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\__c005FCB6.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysaudio.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

I'm going to click 'yes' now to restart my computer.
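
Added example, not part of the original thread: a small triage of an MBAM 1.31 log like the one above. It groups detections by family, checks the summary counts against the listed items, and picks out the entries that load code early. The function names are hypothetical and `SAMPLE_LOG` is a shortened copy of the posted log with its counts adjusted.

```python
import re
from collections import Counter

# Shortened copy of the log posted above; the two summary counts are adjusted to match.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Scan type: Quick Scan

Registry Keys Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00289da (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\__c005FCB6.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysaudio.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

COUNT = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<target>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

def needs_followup(target):
    """Winlogon\\Notify subkeys name DLLs that winlogon.exe loads on XP;
    .sys files are kernel drivers. Both run code early, so recheck them."""
    low = target.lower()
    return "\\winlogon\\notify\\" in low or low.endswith(".sys")

def triage(text):
    declared, items, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := COUNT.match(line):
            declared[m["section"]] = int(m["n"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ITEM.match(line)):
            items.append({"section": section, **m.groupdict()})
    listed = Counter(i["section"] for i in items)
    return {
        "families": Counter(i["family"] for i in items),
        "followup": [i["target"] for i in items if needs_followup(i["target"])],
        # A summary count that disagrees with the listed items means a truncated or edited log.
        "count_mismatch": sorted(s for s, n in declared.items() if listed[s] != n),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A clean rescan only says the scanner no longer sees these items; the follow-up entries are the ones worth checking by hand after the reboot.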

Yes - restart your computer.
by Marianna Schmudlach / December 27, 2008 10:06 AM PST
In reply to: Here is the log

Seems to me, MBAM did its job :)

MBAM didn't do it
by ThatConfusedMo / December 27, 2008 10:37 AM PST

The problem still happens, I'll give SUPERAntiSpyware a go and tell you how it goes.

Sorry if this takes a while, with 256 MB of RAM in my computer these things take a while.

No problem ...
by Marianna Schmudlach / December 27, 2008 11:09 AM PST
In reply to: MBAM didn't do it

Didn't MBAM remove all the nasties ..... or are there "more" ?

Take your time ;)

SUPERAntiSpyware...not so SUPER for me
by ThatConfusedMo / December 27, 2008 2:33 PM PST
In reply to: No problem ...

After a 3 hour scan, it found 5 registry errors but my searches still do not work.

Any other recommendations?

Question: do you have......
by Marianna Schmudlach / December 27, 2008 3:14 PM PST

Spybot's TeaTimer enabled?

If YES, pls. DISABLE it and run MBAM once again.

Yes it was
by ThatConfusedMo / December 28, 2008 1:13 AM PST

I just uninstalled Spybot because it was just so unstable and it slowed my computer down a lot. Anyways I ran another scan in MBAM and it did not find anything. Here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1557
Windows 5.1.2600 Service Pack 3

12/28/2008 12:10:22 PM
mbam-log-2008-12-28 (12-10-22).txt

Scan type: Quick Scan
Objects scanned: 56578
Time elapsed: 25 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Are you still being redirected?
by Marianna Schmudlach / December 28, 2008 1:29 AM PST
In reply to: Yes it was

Does the following help (IE)?

Tools, Internet Options, Programs, Reset WEB Settings.

IF that doesn't work.......

maybe you only need to flush your DNS cache.

You need to do this from the command prompt:

-- Click Start > Run > type: ipconfig /flushdns

After it is flushed, you need to reregister it again.
-- Click Start > Run > type: ipconfig /registerdns

That should clear out the cache.

It wouldn't hurt to keep a copy of WinsockFix on hand. :) http://downloads.subratam.org/WinsockFix.zip

What origram do I choose?
by ThatConfusedMo / December 28, 2008 2:32 AM PST

When I type in 'ipconfig /flushdns' (without quotes) it tells me to choose a program from a list to open it with, which one do I choose?

I spelled program wrong
by ThatConfusedMo / December 28, 2008 2:39 AM PST

In post above, I spelled it really, really oddly. I meant to write 'program' not 'origram'

What happens IF you try it this way.....
by Marianna Schmudlach / December 28, 2008 2:50 AM PST

With the computer still connected to the internet:

Please go to Start > Control Panel > Network and Internet Connections > Network Connections. Then right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using dial-up, and left-click on the Properties option. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.

Go to Start > Run.... In the Open: field type cmd and press the OK button. This will open a Command Prompt.
Type or copy & paste the entire contents inside the QUOTE box below into the command window:

QUOTE
ipconfig /flushdns

Hit Enter and exit the Command Prompt.

Followup on Win32.Zafi.b
by FinGif / January 6, 2009 9:26 PM PST
In reply to: Try the following.....

After running malwarebytes to remove Win32.Zafi.b and booting, I also discovered that it helps to run stinger, and an anti-malware product. I ran AVG, spybot, and then lavasoft. Each one picked out another piece of the junk left over. I was at least smart and aware enough not to trigger the pop-up.

I also ran a couple of repair utilities to recover some of the overwritten files and double check the registry etc.

Thanks for the lead on malwarebytes, the other more mainstream tools didn't work that well.

just curious
by jonah jones / December 28, 2008 2:49 AM PST

if you type www.google.com in the address bar -->enter

do you get the 'yahoo answers' as well?

jonah

.,

No
by ThatConfusedMo / December 28, 2008 2:53 AM PST
In reply to: just curious

If I type in a web page directly, it works.

a quick guess would be
by jonah jones / December 28, 2008 3:12 AM PST

that google toolbar...

it's a known problem


a quick glance through some results indicates that Safe mode eliminates the problem...

jonah "hates toolbars" jones

.,

Another picture
by ThatConfusedMo / December 28, 2008 3:28 AM PST
In reply to: a quick guess would be

I'm in Firefox's safe mode right now and it still is not working for me, all those search results get redirected.
Oddly, Google Chrome works while IE7 and Firefox don't.
Picture Proof
What I'm talking about is, see how it says "CNET Download.com" in blue(IE), then there is a description and under that there is a link in green, that is the site that I get sent to, not download.com

That is the problem that is getting pretty annoying now.

Also, I forgot to mention
by ThatConfusedMo / December 28, 2008 3:32 AM PST
In reply to: Another picture

That the dns flush/register did not work.

WOW BIG WTF
by ThatConfusedMo / December 28, 2008 3:37 AM PST

I clicked on the download.com link (in picture above, in Firefox Safe Mode) and I got sent to another google search that was "50 Cnet Window Shopper" and none of the links work there either.

Just Maybe A Fix... See This Link..
by Grif Thomas Forum moderator / December 30, 2008 1:08 AM PST
In reply to: WOW BIG WTF
I don't know about that...
by ThatConfusedMo / December 31, 2008 7:31 AM PST

That guy is experiencing the same problem as I am. That file is where it said it would be.

However, on my computer it says it is an audio related file and it was created long before I was getting the issue.

[url= Picture

Should I still remove it or not? What's the worst that could happen?

Broken Picture Link
by ThatConfusedMo / December 31, 2008 7:42 AM PST
Same problem here
by robotewa / December 31, 2008 11:20 AM PST

astidkalis instructions fixed the problem for me too.

Find C:/Windows/system32/wdmaud.sys

Delete it (or move/rename) and Reboot.

Note what Grif Thomas said: wdmaud.sys should be in "C:\Windows\System32\drivers", so it's ok to delete the file in "C:\Windows\System32\".
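
Added example, not part of the original thread: the location check described in this post (wdmaud.sys belongs in System32\drivers, so a copy directly in System32 is the suspect one), generalised to any driver name. The function names and the constructed directory tree are assumptions; the check only reports and deletes nothing.

```python
import hashlib
import os
import tempfile

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_shadowed_drivers(system32):
    """List .sys files directly in `system32` that share a name with a file
    in `system32/drivers`. Read-only: nothing is moved or deleted."""
    drivers_dir = os.path.join(system32, "drivers")
    # Windows file names are case-insensitive, so compare in lower case.
    drivers = {n.lower(): os.path.join(drivers_dir, n)
               for n in os.listdir(drivers_dir) if n.lower().endswith(".sys")}
    findings = []
    for name in sorted(os.listdir(system32)):
        path = os.path.join(system32, name)
        twin = drivers.get(name.lower())
        if twin is None or not os.path.isfile(path):
            continue
        findings.append({
            "name": name,
            "suspect": path,
            "expected": twin,
            # Different bytes under the same name is a stronger signal than a stray copy.
            "same_content": _sha256(path) == _sha256(twin),
        })
    return findings

def demo():
    """Run the check on a constructed tree (not real system files)."""
    with tempfile.TemporaryDirectory() as root:
        system32 = os.path.join(root, "system32")
        os.makedirs(os.path.join(system32, "drivers"))
        files = {
            "drivers/wdmaud.sys": b"constructed: driver in its usual place",
            "drivers/kbdclass.sys": b"constructed: second driver",
            "wdmaud.sys": b"constructed: look-alike in the parent folder",
            "country.sys": b"constructed: no twin under drivers",
        }
        for rel, data in files.items():
            with open(os.path.join(system32, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return [(f["name"], f["same_content"]) for f in find_shadowed_drivers(system32)]

if __name__ == "__main__":
    print(demo())
```

Moving or renaming a reported file before deleting it, as the post suggests, keeps the step reversible if the file turns out to be needed.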

Problem Solved!
by ThatConfusedMo / January 1, 2009 2:13 AM PST
In reply to: Same problem here

It worked! Now my searches are back to normal, thanks everyone for helping me out.

(NT) Good Job & Thanks For Posting Back!
by Grif Thomas Forum moderator / January 1, 2009 4:59 AM PST
In reply to: Problem Solved!