Solved

Clicking on Google Links redirects me to spyware sites

Posted on 2007-11-20
11
8,367 Views
Last Modified: 2013-12-09
When i click on links in a Google search it redirects me to sites like "daytotal.com, btcar.com, etc.."

clickng the same link 2 or 3 times after clicking on the back button, eventually lets me go to the correct page, but never the first time.

I know i have some spyware or adware. i cleaned with adaware once, checked my hosts file, and cleared my cookies and internet cache, but i'm still having the same problem.

Please help.
0
Comment
Question by:mehul_kar
11 Comments
 
LVL 4

Expert Comment

by:DavidTMoore
ID: 20322506
definately sounds like spyware to me.  What software did you use to clean your computer?  

I use spybot and have had great luck with it, you can get it here:
http://www.safer-networking.org/en/download/
0
 
LVL 1

Author Comment

by:mehul_kar
ID: 20322583
thanks for the quick reply. i used ad-aware and it found somethings, but they should be all cleaned out now.
i'll try spybot too.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20323129
It would help if we could see what was going on with your computer. I suggest that you download, run, and post a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

You can either upload the log at EE-Stuff.com or to any hosting sites,
go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to this site::
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it back here.
0
How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

 
LVL 1

Author Comment

by:mehul_kar
ID: 20324072
http://rafb.net/p/zik3NH42.html

here's the link indigenus. fyi, i already ran hijackthis and checked the log on hijeckthis.de and looked over it myself. nothing looks out of the ordinary. but i hope you find something i didn't.

.
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 250 total points
ID: 20324480
You have a Wareout infection.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{364FEFF9-0325-4528-8049-343CCF1EACD9}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DDDBF9A-F4B4-43B3-82C2-B278D3738EA4}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEC2511E-8F91-4C3D-B44B-B92B0590C68B}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{364FEFF9-0325-4528-8049-343CCF1EACD9}: NameServer = 85.255.115.18,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.220
 
Then close all windows except this one and press Fix checked.
 
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.

0
 
LVL 1

Author Comment

by:mehul_kar
ID: 20341662
here's my fixit report:

Username "Mehul Kar" - 11/23/2007 21:31:35 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdcjz.exe"

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.
 
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdcjz.ren 72765 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SkyTel"="SkyTel.EXE"
"AzMixerSel"="C:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"ePower_DMC"="C:\\Acer\\Empowering Technology\\ePower\\ePower_DMC.exe"
"Boot"="C:\\Acer\\Empowering Technology\\ePower\\Boot.exe"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\QtZgAcer.EXE"
"LXCRCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCRtime.dll,_RunDLLEntry@16"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\\Program Files\\XemiComputers\\Active Desktop Calendar\\ADC.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

And here is my new hijackthis log:

http://rafb.net/p/X1Gqvx91.html
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20341673
Looks better...running better now? Any more redirects?
0
 
LVL 1

Author Comment

by:mehul_kar
ID: 20342959
nope all good now. thanks a lot indigenus.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20343764
Your welcome, take care.
Dave
0
 

Expert Comment

by:wayne_from_wales
ID: 20969844
This solution wont work on Vista :(
0
 
LVL 2

Expert Comment

by:esa_esa_2000
ID: 24708205
i got same problem when i tried spybot search & distroy it got it
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
An enjoyable and seamless user experience can go a long way on an eCommerce site. While a cohesive layout and engaging copy play roles in creating a positive user experience, some sites neglect aspects that seem marginal but in actuality prove very …
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question