Solved

Clicking on Google Links redirects me to spyware sites

Posted on 2007-11-20
11
8,366 Views
Last Modified: 2013-12-09
When I click on links in a Google search it redirects me to sites like "daytotal.com, btcar.com, etc."

Clicking the same link 2 or 3 times after clicking on the back button eventually lets me go to the correct page, but never the first time.

I know I have some spyware or adware. I cleaned with Ad-Aware once, checked my hosts file, and cleared my cookies and internet cache, but I'm still having the same problem.

Please help.
Question by:mehul_kar
11 Comments
 
LVL 4

Expert Comment

by:DavidTMoore
ID: 20322506
Definitely sounds like spyware to me. What software did you use to clean your computer?

I use Spybot and have had great luck with it; you can get it here:
http://www.safer-networking.org/en/download/
0
 
LVL 1

Author Comment

by:mehul_kar
ID: 20322583
Thanks for the quick reply. I used Ad-Aware and it found some things, but they should be all cleaned out now.
I'll try Spybot too.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20323129
It would help if we could see what was going on with your computer. I suggest that you download, run, and post a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

You can either upload the log at EE-Stuff.com or to any hosting sites,
go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to this site:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it back here.
0
 
LVL 1

Author Comment

by:mehul_kar
ID: 20324072
http://rafb.net/p/zik3NH42.html

Here's the link, IndiGenus. FYI, I already ran HijackThis and checked the log on hijackthis.de and looked over it myself. Nothing looks out of the ordinary, but I hope you find something I didn't.
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 250 total points
ID: 20324480
You have a Wareout infection.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{364FEFF9-0325-4528-8049-343CCF1EACD9}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DDDBF9A-F4B4-43B3-82C2-B278D3738EA4}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEC2511E-8F91-4C3D-B44B-B92B0590C68B}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{364FEFF9-0325-4528-8049-343CCF1EACD9}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220
 
Then close all windows except this one and press Fix checked.
 
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.

0
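One way to triage O17 entries like the ones flagged in the accepted solution above (an added example, not part of the original thread or of HijackThis): parse each O17 NameServer line and report resolvers outside an expected allowlist, merging the mirrored CCS/CS1 control sets. The allowlist ALLOWED_RESOLVERS and the last sample line are assumptions constructed for illustration.

```python
import ipaddress
import re

# Four O17 lines copied from the accepted solution, plus one constructed
# benign line (last) for contrast.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{364FEFF9-0325-4528-8049-343CCF1EACD9}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{364FEFF9-0325-4528-8049-343CCF1EACD9}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<scope>[^:]+): "
    r"(?P<value>\w+) = (?P<data>.+)$"
)

# Assumption: resolvers this machine is expected to use (e.g. the home router).
ALLOWED_RESOLVERS = ["192.168.1.0/24"]

def parse_o17(log_text):
    """Yield (control_set, scope, value_name, [addresses]) per O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m or "NameServer" not in m["value"]:
            continue
        # HijackThis shows the list comma- or space-separated, as in the log above.
        addrs = [a for a in re.split(r"[,\s]+", m["data"].strip()) if a]
        yield m["cs"], m["scope"].replace("..\\", ""), m["value"], addrs

def unexpected_resolvers(log_text, allowed):
    """Map each resolver outside `allowed` to the scopes (GUID or Parameters) setting it."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    findings = {}
    for _cs, scope, _value, addrs in parse_o17(log_text):
        for raw in addrs:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.setdefault(raw, set()).add(scope)  # unparsable entry: report it
                continue
            if not any(ip in net for net in nets):
                findings.setdefault(str(ip), set()).add(scope)
    return findings

if __name__ == "__main__":
    for ip, scopes in sorted(unexpected_resolvers(SAMPLE_LOG, ALLOWED_RESOLVERS).items()):
        print(f"unexpected resolver {ip} set on: {', '.join(sorted(scopes))}")
```

The same interface GUID appears under both CCS and CS1 in the log, so findings are keyed by resolver and scope rather than by full registry path.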
 
LVL 1

Author Comment

by:mehul_kar
ID: 20341662
Here's my fixit report:

Username "Mehul Kar" - 11/23/2007 21:31:35 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdcjz.exe"

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.
 
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdcjz.ren 72765 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SkyTel"="SkyTel.EXE"
"AzMixerSel"="C:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"ePower_DMC"="C:\\Acer\\Empowering Technology\\ePower\\ePower_DMC.exe"
"Boot"="C:\\Acer\\Empowering Technology\\ePower\\Boot.exe"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\QtZgAcer.EXE"
"LXCRCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCRtime.dll,_RunDLLEntry@16"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\\Program Files\\XemiComputers\\Active Desktop Calendar\\ADC.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

And here is my new HijackThis log:

http://rafb.net/p/X1Gqvx91.html
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20341673
Looks better...running better now? Any more redirects?
0
 
LVL 1

Author Comment

by:mehul_kar
ID: 20342959
Nope, all good now. Thanks a lot, IndiGenus.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20343764
You're welcome, take care.
Dave
0
 

Expert Comment

by:wayne_from_wales
ID: 20969844
This solution won't work on Vista :(
0
 
LVL 2

Expert Comment

by:esa_esa_2000
ID: 24708205
I got the same problem; when I tried Spybot Search & Destroy it got it.
0
