• Status: Solved

Bogus internet search results=virus?

Whenever i enter a search into the top part of my home page (Yahoo), it returns bogus results...for instance if i search for "pumpkin pie recipes", instead of giving me cooking sites like emerils or paula deen, it'll give me shopping.com and/or about.com...sometimes it'll say "Libby's famous Pumpkin Pie" in the headline, but then the accompanying url directs you to "lowpriceshopper.com" or some bogus site......
I have run HiJackThis and have copied those results below...Can someone please tell me what to do next?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:05 PM, on 11/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.lnk
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206869334890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6063 bytes
Asked by: catcooper

matthewrhoades Commented:
http://hjt.networktechs.com/parse.php

That will parse the results for you. The behavior you are talking about is consistent with a browser hijacking. It is possible that your HOST file is compromised. Use the link above and follow HJT's recommendations. If you are still experiencing issues try visiting http://www.trendmicro.com and using their virus scanner.

Spybot R & D is a fantastic free virus scanner you can download.

catcooper (Author) Commented:
i went to the site and could not figure out how to enter my HiJackThis values...????

matthewrhoades Commented:
Sorry, that link was a parsed log.

http://hjt.networktechs.com/

catcooper (Author) Commented:
thanks--i went there, pasted my HiJackThis log, followed their recommendations, restarted my computer and still have the same problem...
then did the same thing (ran HJT, parsed log, followed recs, restarted...same problem)
can you give me the link to Spybot R&D so i can scan for viruses? (if i search for it, i get bogus urls! )  :)
or what do you recommend i do now?

matthewrhoades Commented:
http://www.fpweb.net/support/webhosting/hostfile.editing.support.asp

Check out the above.  When you get a hijacking frequently they will rewrite your host file so that when you look for legitimate sites it redirects you to another URL.

As far as Spybot goes:

http://www.spybot.com/en/download/

 

catcooper (Author) Commented:
what values should i put into the (yourdomainname)????
123.123.123.123 yourdomainname.com
123.123.123.123 www.yourdomainname.com 

The site talks about publishing a website.....????

matthewrhoades Commented:
Bad example.

Tell me if you can access this site:  http://personal-computer-tutor.com/abc4/v36/mike36.htm


catcooper (Author) Commented:
yes i can...again, not sure what to do here....but am hoping you'll direct me! :)

matthewrhoades Commented:
Copy the contents of your host file and post it here.

C:\Windows\System32\drivers\etc\ is where your hosts file is located.

catcooper (Author) Commented:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

matthewrhoades Commented:
Your next step is to run Spybot, that file looks ok.


http://www.spybot.com/en/download/

Can you download this file?
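
An added example, not part of the thread: a small Python audit that applies the by-eye hosts file check above and reports any entry other than the stock localhost line. Apart from the localhost line and header comments taken from the posted file, the sample entries and the classification names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the active line from the hosts file posted above plus
# made-up entries. 198.51.100.7 is a reserved documentation address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
198.51.100.7    search.yahoo.com www.google.com   # constructed redirect
0.0.0.0         updates.example.net               # constructed block entry
not-an-ip       broken.example
"""

LOCAL_NAMES = {"localhost"}


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for every non-comment entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop trailing comments
        if entry:
            address, *names = entry.split()
            yield line_no, address, [n.lower() for n in names]


def audit_hosts(text):
    """Return (line_no, kind, address, hostnames) for entries worth a look.

    kind is 'redirect' (name pinned to a routable address), 'blocked'
    (a non-local name pinned to loopback or 0.0.0.0) or 'malformed'.
    """
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "malformed", address, names))
            continue
        if not names:
            findings.append((line_no, "malformed", address, names))
        elif ip.is_loopback or ip.is_unspecified:
            # Loopback/0.0.0.0 is normal for localhost; any other name
            # pinned there has been made unreachable and needs review.
            other = [n for n in names if n not in LOCAL_NAMES]
            if other:
                findings.append((line_no, "blocked", address, other))
        else:
            findings.append((line_no, "redirect", address, names))
    return findings


if __name__ == "__main__":
    for line_no, kind, address, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {address:15} {' '.join(names)}")
```

A file like the one posted in this thread produces no findings, which is why the search redirects here had to come from somewhere else.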

catcooper (Author) Commented:
yep--downloading now

matthewrhoades Commented:
That should get you closer to home, when it runs through it will indicate to you what viral funk it finds, after that it can be an arduous task to find individual removal tools. Last time I dealt with a browser hijack it took me about four or five hours to get all of the tools I needed and remove everything. I ran Spybot and then went and got the individual removal tools.

I believe I ended up using Trend Micro cwshredder, spybot and HijackThis to get it all taken care of, those three things did it though.

catcooper (Author) Commented:
ok, well, please hang with me in case i have more ???
THANKS!

matthewrhoades Commented:
I will be here a couple of hours yet :)

catcooper (Author) Commented:
ok,
i ran Spybot and fixed the few misc things it found...then, for the heck of it, i ran cwshredder and it found nothing...i had already run HJT, so i thought i was good to go...
went to browser, tried looking for my pumpkin pie recipe and still the same thing happens....
what now?

here's the URL i get when i type in "pumpkin pie recipe" in the search field...
http://search.yahoo.com/search?p=pumpkin+pie+recipe&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8
if you type in the same thing, i imagine you get dirrent URLs to choose from?

catcooper (Author) Commented:
dirrent=different!

matthewrhoades Commented:
I see a variety of different pie recipes, yes.  How about I post the recipe here, you print it out and then take your computer outside and put it down like a horse with a broken leg?

No, just kidding. Run Spybot again, there is a nasty recurring registry entry with most of these viruses that just causes it to recreate itself on start up. When you finish running Spybot just jot down what viruses it finds (Did you get the latest updates for Spybot?) and post them here.

Also, are you able to get to http://www.trendmicro.com ?  If you can get there you can run HouseCall, the online virus scanner and that is probably the best scanner.

originalbiffmalibu Commented:
Without going through the hassle of hijack this, merely run the programs below and all hijacks will be fixed.  If you cannot access any of these to download them, let us know.

You may want to download:

Combofix (bleepingcomputer.com)
Smitfraudfix (search google)
superantispyware (superantispyware.com)
spybot search and destroy (safer-networking.org)
antivir  (free-av.com)

Please install/run Combofix first.  When that has completed and while still in safe mode, install spybot S&D and update it.  Also run Smitfraudfix while in safe mode.  Smitfraud also offers a DNS hijack fix on its menu, run that as well.  Install anti-vir and superantispyware.  Update and run these as well.  After that, you will definitely be clean.

catcooper (Author) Commented:
i like your first solution although i'd rather just pitch this laptop from the top floor! :)
ok, am running SpyBot again now.--and, yes, i did update it first..i actually did a print screen last time and this is what it found.

i did not restart my computer before i tested out the search function again....maybe that was my problem?


screenshot.xls

matthewrhoades Commented:
The links Biff posted are good resources.  Run HJT this again and post the log.  Lord knows what the issue might be at this point.  Most of the time HJT and CWShredder fix it.  Last time I had this issue Smitfraudfix did solve the issue, but then again it also showed up in Spybot.

pshane Commented:
I am having same problems.  I search for simple things and get crazy results.  Results like monstermarklace.com, ansearch.com, info.com.  It shows these links under the actual google results and also uses those links when I click on the results.  In other words, results text appear fine... but when I mouse over it shows these bogus sites and others.  I have run smitfraud, superanti, and spybot so far.  no success

catcooper (Author) Commented:
here's the HJT log
i have to run out for a bit but will try and check back in a few hrs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:21 PM, on 11/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.lnk
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206869334890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5628 bytes

originalbiffmalibu Commented:
I see nothing in your log that would cause that.  I will say again, Combofix is the most powerful utility out there to clean your system of the nastiest malware.  Do it both in safe mode and in regular mode.  Then run SAS and spybot to clean the traces.  It WILL work.
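
An added example, not part of the thread: a Python parser for HijackThis entry lines that diffs two scans by section code, so a second log can be read as "what changed" instead of line by line. The two inputs are short excerpts of the logs posted above, and the section descriptions are the editor's summary of the standard HijackThis codes.

```python
import re
from collections import defaultdict

# Meaning of the section codes that occur in the logs posted in this thread.
SECTIONS = {
    "R0": "IE start/search page registry value",
    "R1": "IE default page/search URL registry value",
    "O2": "Browser Helper Object",
    "O4": "Autostart entry (Run key or Startup folder)",
    "O8": "IE context-menu item",
    "O9": "IE toolbar button / Tools menu item",
    "O16": "Downloaded ActiveX control (DPF)",
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O23": "Windows service",
}

# An entry line is "<code> - <detail>"; header and process lines never match.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpts of the 3:26:05 PM and 8:01:21 PM logs above (most lines omitted).
FIRST_SCAN = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""
SECOND_SCAN = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""


def parse_entries(log_text):
    """Return the set of (section_code, detail) entries in one log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def diff_scans(before, after):
    """Group entries that appeared or disappeared between two scans."""
    old, new = parse_entries(before), parse_entries(after)
    result = {"added": defaultdict(list), "removed": defaultdict(list)}
    for code, detail in sorted(new - old):
        result["added"][code].append(detail)
    for code, detail in sorted(old - new):
        result["removed"][code].append(detail)
    return {change: dict(groups) for change, groups in result.items()}


if __name__ == "__main__":
    for change, groups in diff_scans(FIRST_SCAN, SECOND_SCAN).items():
        for code, details in groups.items():
            for detail in details:
                print(f"{change:8} {code:4} {SECTIONS.get(code, '?')}: {detail}")
```

On these excerpts the only additions are Spybot's own helper and TeaTimer entries, consistent with the assessment above that nothing in the log explains the redirects.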

catcooper (Author) Commented:
originalbiffmalibu: i went to bleepingcomputer.com but can't seem to find the combofix download.....

catcooper (Author) Commented:
shoot--well, it's late and i have to be up at 4am to head back home tomorrow...will be travellin most of the day but will get back to this tomorrow afternoon/evening as soon as i can

catcooper (Author) Commented:
oh, one more thing B4 i go for originalbiffmalibu....if you're still there and if you post any suggestions for me, pls send me a link to where you want me to go...the 2nd item on your list was Smitfraudfix and you had said to search Google...well, i did and found my recipe for pumpkin pie...HA! ok, seriously...that's my problem--i CAN'T search as it brings me back bogus stuff--hence this thread...
ok, that's it for now--thanks

readydave Commented:
These kinds of issues can be so annoying and frustrating. http://www.bleepingcomputer.com/combofix/how-to-use-combofix is the link where I found some tutorials for the combofix software as well as links to download it from.

Something else you may want to try first is to run Internet Explorer without any addons. The quickest way to do this is to click Start, then click Run and then type in "iexplore.exe -extoff" (without the quotes). This starts IE up without any addons running. The main window should tell you it is running without addons enabled, etc.

Now try to do your searches without any addons running and see if you get the results you are looking for. If so, then one of your add ons is causing the issue.

Over the years I have cleaned many machines using the tools and methods mentioned in the above posts. I find that while the cleaning gets rid of most items, it doesn't always get rid of everything. The safest way to be 100% sure is to back your files up, format the hard drive, and reinstall your OS and then immediately patch it and put current A/V software on. After that, restore your data. A lot of people do not have time for that, but there it is.

Let us know how you fare...

rpggamergirl Commented:
Try MalwareBytes, if it doesn't clean the infection then this could be the Zlob.DNS.changer in which you would need to reset your router, but first run MalwareBytes.
Download MalwareBytes from either of these locations if you can't access the MBAM site.
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
http://projects.securitywonks.net/projects/details.php?file=158

catcooper (Author) Commented:
ok, guys...at the airport now and saw your posts...getting ready to board my flight but will try your respective fixes when i get home (long travel day ahead of me--west to east coast with 2 stops in between)...thanks all...be back in touch later

catcooper (Author) Commented:
ok, so my flight was late, blah, blah, blah....but i finally got to do some of your suggestions.
readydave: "run Internet Explorer without any addons"...tried that and the same thing showed...bogus stuff, so I guess it's not the add-ons.
originalbiffmalibu: Didn't get to run Combofix due to below
rpggamergirl: "Download Malware"...did that and after a LONG time (2 1/2 hours), it showed 2 infections...Trojan.Agent and Rootkit.Agent. I "removed selected" ... restarted my computer, did my pumpkin pie recipe search and YAY! I was successful. :)

Thanks to all for your help!

pshane Commented:
I had the same problem on a computer over the weekend and the program that finally fixed it for me was malwarebytes. Check it out at http://www.malwarebytes.org/

It saved the day!!!

catcooper (Author) Commented:
Thanks for everyone who helped...matthewrhoades for sticking with me in the beginning and originalbiff/readydave/rpggamergirl for hanging in there with me until the issue was resolved...

rpggamergirl Commented:
Glad to know it's been resolved.
Thanks for the points and the grade!
Happy computing and pumpkin pie cooking!
Now I feel hungry, :)