Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Clicking on Google Links redirects me to spyware sites

Posted on 2007-11-20
11
Medium Priority
?
8,371 Views
Last Modified: 2013-12-09
When i click on links in a Google search it redirects me to sites like "daytotal.com, btcar.com, etc.."

clickng the same link 2 or 3 times after clicking on the back button, eventually lets me go to the correct page, but never the first time.

I know i have some spyware or adware. i cleaned with adaware once, checked my hosts file, and cleared my cookies and internet cache, but i'm still having the same problem.

Please help.
0
Comment
Question by:mehul_kar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 4

Expert Comment

by:DavidTMoore
ID: 20322506
definately sounds like spyware to me.  What software did you use to clean your computer?  

I use spybot and have had great luck with it, you can get it here:
http://www.safer-networking.org/en/download/
0
 
LVL 1

Author Comment

by:mehul_kar
ID: 20322583
thanks for the quick reply. i used ad-aware and it found somethings, but they should be all cleaned out now.
i'll try spybot too.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20323129
It would help if we could see what was going on with your computer. I suggest that you download, run, and post a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

You can either upload the log at EE-Stuff.com or to any hosting sites,
go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to this site::
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it back here.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:mehul_kar
ID: 20324072
http://rafb.net/p/zik3NH42.html

here's the link indigenus. fyi, i already ran hijackthis and checked the log on hijeckthis.de and looked over it myself. nothing looks out of the ordinary. but i hope you find something i didn't.

.
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 1000 total points
ID: 20324480
You have a Wareout infection.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{364FEFF9-0325-4528-8049-343CCF1EACD9}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DDDBF9A-F4B4-43B3-82C2-B278D3738EA4}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEC2511E-8F91-4C3D-B44B-B92B0590C68B}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{364FEFF9-0325-4528-8049-343CCF1EACD9}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220
 
Then close all windows except this one and press Fix checked.
 
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.

0
 
LVL 1

Author Comment

by:mehul_kar
ID: 20341662
here's my fixit report:

Username "Mehul Kar" - 11/23/2007 21:31:35 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdcjz.exe"

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.
 
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdcjz.ren 72765 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SkyTel"="SkyTel.EXE"
"AzMixerSel"="C:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"ePower_DMC"="C:\\Acer\\Empowering Technology\\ePower\\ePower_DMC.exe"
"Boot"="C:\\Acer\\Empowering Technology\\ePower\\Boot.exe"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\QtZgAcer.EXE"
"LXCRCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCRtime.dll,_RunDLLEntry@16"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\\Program Files\\XemiComputers\\Active Desktop Calendar\\ADC.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

And here is my new hijackthis log:

http://rafb.net/p/X1Gqvx91.html
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20341673
Looks better...running better now? Any more redirects?
0
 
LVL 1

Author Comment

by:mehul_kar
ID: 20342959
nope all good now. thanks a lot indigenus.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20343764
Your welcome, take care.
Dave
0
 

Expert Comment

by:wayne_from_wales
ID: 20969844
This solution wont work on Vista :(
0
 
LVL 2

Expert Comment

by:esa_esa_2000
ID: 24708205
i got same problem when i tried spybot search & distroy it got it
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
When the s#!t hits the fan, you don’t have time to look up who’s on call, draft emails, call collaborators, or send text messages. An instant chat window is definitely the way to go, especially one like HipChat. HipChat is a true business app. An…
The viewer will learn how to dynamically set the form action using jQuery.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question