Why are my search results being redirected?

Dec 27, 2008 8:32AM PST

I posted this in the Browser section, but now I'm thinking I have a virus and it is not an issue with my browser. You can read that here: http://forums.cnet.com/5208-6620_102-0.html?forumID=14&threadID=322133&messageID=2936992&tag=forums06;forum-threads

Anyways, my searches are getting redirected no matter which web browser I use (I've tried IE7, Firefox and Google Chrome). Here is a picture to show what I am talking about (click to make bigger): http://img257.imageshack.us/img257/8297/95950473ov2.jpg

Like I said in the other forum, I've run a virus scan, spyware scan, Ad-Aware scan, an online scan on Ediwo.net and a SpyBot S&D scan. Still, the problem still occurs. I installed that Hijack This program, but I didn't know what the hell to do. Can someone please help me?

One more thing
Dec 27, 2008 8:39AM PST

I forgot to mention I also installed CCleaner, did a scan and a registry fix, but that didn't do anything either. I just uninstalled Google Chrome and it still does not work.

Try the following.....
Dec 27, 2008 9:17AM PST

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top.
It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully.
Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Note:-- If MBAM encounters a file that is difficult to remove,
you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless if prompted to restart the computer or not, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

Did it help?

Here is the log
Dec 27, 2008 10:04AM PST

Malwarebytes' Anti-Malware 1.31
Database version: 1557
Windows 5.1.2600 Service Pack 3

12/27/2008 9:00:21 PM
mbam-log-2008-12-27 (21-00-21).txt

Scan type: Quick Scan
Objects scanned: 57720
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00289da (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\__c005FCB6.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysaudio.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

I'm going to click 'yes' now to restart my computer.

Yes - restart your computer.
Dec 27, 2008 10:06AM PST

Seems to me, MBAM did its job :)

MBAM didn't do it
Dec 27, 2008 10:37AM PST

The problem still happens, I'll give SUPERAntiSpyware a go and tell you how it goes.

Sorry if this takes a while, with 256 MB of RAM in my computer these things take a while.

No problem ...
Dec 27, 2008 11:09AM PST

Didn't MBAM remove all the nasties ..... or are there "more" ?

Take your time ;)

SUPERAntiSpyware...not so SUPER for me
Dec 27, 2008 2:33PM PST

After a 3 hour scan, it found 5 registry errors but my searches still do not work.

Any other recommendations?

Question: do you have......
Dec 27, 2008 3:14PM PST

Spybot's TeaTimer enabled?

If YES, pls. DISABLE it and run MBAM once again.

Yes it was
Dec 28, 2008 1:13AM PST

I just uninstalled Spybot because it was just so unstable and it slowed my computer down a lot. Anyways I ran another scan in MBAM and it did not find anything. Here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1557
Windows 5.1.2600 Service Pack 3

12/28/2008 12:10:22 PM
mbam-log-2008-12-28 (12-10-22).txt

Scan type: Quick Scan
Objects scanned: 56578
Time elapsed: 25 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Are you still being redirected?
Dec 28, 2008 1:29AM PST

Does the following help (IE)?

Tools, Internet Options, Programs, Reset WEB Settings.

IF that doesn't work.......

maybe you only need to flush your DNS cache.

You need to do this from the command prompt:

-- Click Start > Run > type: ipconfig /flushdns

After it is flushed, you need to reregister it again.
-- Click Start > Run > type: ipconfig /registerdns

That should clear out the cache.

It wouldn't hurt to keep a copy of WinsockFix on hand. :) http://downloads.subratam.org/WinsockFix.zip

What origram do I choose?
Dec 28, 2008 2:32AM PST

When I type in 'ipconfig /flushdns' (without quotes) it tells me to choose a program from a list to open it with, which one do I choose?

I spelled program wrong
Dec 28, 2008 2:39AM PST

In post above, I spelled it really, really oddly. I meant to write 'program' not 'origram'

What happens IF you try it this way.....
Dec 28, 2008 2:50AM PST

With the computer still connected to the internet:

Please go to Start > Control Panel > Network and Internet Connections > Network Connections. Then right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using dial-up, and left-click on the Properties option. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.

Go to Start > Run.... In the Open: field type cmd and press the OK button. This will open a Command Prompt.
Type or copy & paste the entire contents inside the QUOTE box below into the command window:

QUOTE
ipconfig /flushdns

Hit Enter and exit the Command Prompt.

Followup on Win32.Zafi.b
Jan 6, 2009 9:26PM PST

After running malwarebytes to remove Win32.Zafi.b and booting;
I also discovered that it helps to run stinger, and an anti-malware product. I ran AVG, spybot, and then lavasoft. Each one picked out another piece of the junk left over. I was at least smart and aware enough not to trigger the pop-up.

I also ran a couple of repair utilities to recover some of the overwritten files and double check the registry etc.

Thanks for the lead on malwarebytes, the other more mainstream tools didn't work that well.

just curious
Dec 28, 2008 2:49AM PST

if you type www.google.com in the address bar -->enter

do you get the 'yahoo answers' as well?

jonah

.,

No
Dec 28, 2008 2:53AM PST

If I type in a web page directly, it works.

a quick guess would be
Dec 28, 2008 3:12AM PST

that google toolbar...

it's a known problem


a quick glance through some results indicates that Safe mode eliminates the problem...

jonah "hates toolbars" jones

.,

Another picture
Dec 28, 2008 3:28AM PST

I'm in Firefox's safe mode right now and it still is not working for me, all those search results get redirected.
Oddly, Google Chrome works while IE7 and Firefox don't.
Picture Proof
What I'm talking about is, see how it says "CNET Download.com" in blue(IE), then there is a description and under that there is a link in green, that is the site that I get sent to, not download.com

That is the problem that is getting pretty annoying now.

Also, I forgot to mention
Dec 28, 2008 3:32AM PST

That the dns flush/register did not work.

WOW BIG ***
Dec 28, 2008 3:37AM PST

I clicked on the download.com link (in picture above, in Firefox Safe Mode) and I got sent to another google search that was "50 Cnet Window Shopper" and none of the links work there either.

Just Maybe A Fix... See This Link..
Dec 30, 2008 1:08AM PST

I don't know about that...
Dec 31, 2008 7:31AM PST

That guy is experiencing the same problem as I am. That file is where it said it would be.

However, on my computer it says it is an audio related file and it was created long before I was getting the issue.

[url= Picture

Should I still remove it or not? What's the worst that could happen?

Broken Picture Link
Dec 31, 2008 7:42AM PST

Same problem here
Dec 31, 2008 11:20AM PST

astidkalis instructions fixed the problem for me too.

Find C:/Windows/system32/wdmaud.sys

Delete it (or move/rename) and Reboot.

Note what Grif Thomas said: wdmaud.sys should be in "C:\Windows\System32\drivers", so it's OK to delete the file in "C:\Windows\System32\".
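
The fix in this thread hinges on a driver-named file sitting in C:\Windows\System32 instead of C:\Windows\System32\drivers, the same folder where the first MBAM log flagged sysaudio.sys. The following is an added example, not part of the original posts: a Python heuristic that lists .sys files in System32 whose name duplicates a file in the drivers folder and hashes them before anything is deleted. The function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowing_drivers(system32: Path) -> list[dict]:
    """Report *.sys files directly in system32 whose name also exists in
    system32/drivers (names compared case-insensitively, as Windows does)."""
    drivers = {p.name.lower(): p
               for p in (system32 / "drivers").iterdir() if p.is_file()}
    findings = []
    for candidate in sorted(system32.iterdir()):
        if not candidate.is_file() or candidate.suffix.lower() != ".sys":
            continue
        genuine = drivers.get(candidate.name.lower())
        if genuine is None:
            continue  # no same-named driver: outside this heuristic
        digest = sha256_of(candidate)
        findings.append({
            "suspect": str(candidate),
            "expected": str(genuine),
            "suspect_sha256": digest,  # record before moving or deleting
            "same_content": digest == sha256_of(genuine),
        })
    return findings


def build_constructed_tree(root: Path) -> Path:
    """Constructed sample layout; contents are placeholders, not real drivers."""
    system32 = root / "WINDOWS" / "system32"
    (system32 / "drivers").mkdir(parents=True)
    (system32 / "drivers" / "wdmaud.sys").write_bytes(b"placeholder: driver copy")
    (system32 / "drivers" / "sysaudio.sys").write_bytes(b"placeholder: other driver")
    (system32 / "WDMAUD.SYS").write_bytes(b"placeholder: stray copy")  # wrong folder
    (system32 / "ansi.sys").write_bytes(b"placeholder")  # no twin in drivers
    (system32 / "kernel32.dll").write_bytes(b"placeholder")  # not a .sys file
    return system32


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in find_shadowing_drivers(build_constructed_tree(Path(tmp))):
            print(finding)
```

A name match is only a lead: moving or renaming the flagged file, as the post allows, keeps it available for hashing and scanning afterwards.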

Problem Solved!
Jan 1, 2009 2:13AM PST

It worked! Now my searches are back to normal, thanks everyone for helping me out.

(NT) Good Job & Thanks For Posting Back!
Jan 1, 2009 4:59AM PST