Symesko

Livesearchnow redirect virus

63 posts in this topic

dds.txtattach.txt

Good Day!

For the past few weeks, every once in a while when using my google search, I get redirected to a random search engine or website(quite often a celebrity gossip site). livesearchnow.com is the most common redirect destination. It is getting quite frustrating, so any help getting rid of this issue will be great appreciated. I have run Malware on both a quick scan and full scan and it has come back clean.

I hope I have attached the DDS files properly, and thanks in advance for your assistance!

Share this post


Link to post
Share on other sites

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)

Share this post


Link to post
Share on other sites

Please read the directions carefully so you don't end up deleting something that is good!!

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    2012081514h0118.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    clip.jpg
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

MrC

Share this post


Link to post
Share on other sites

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Share this post


Link to post
Share on other sites

ComboFix.txt

I have run ComboFix now. I did have a warning pop up about my Anti-Virus and Spyware not being disabled despite me turning everything to off. I went through the procedure again, but it still warned me that McAfee was running. Hopefully that didn't cause any issues, if it has, i'll try again(and remove McAfee if need be). And yes, I did remember to turn my stuff back on again now :)

Share this post


Link to post
Share on other sites

What browser is being redirected?

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

MrC

Share this post


Link to post
Share on other sites

Good Day,

I'm using Chrome for my web browser. Here is the log:

# AdwCleaner v2.011 - Logfile created 12/05/2012 at 07:00:24

# Updated 02/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Symesko - SYMESKO-LT

# Boot Mode : Normal

# Running from : C:\Users\Symesko\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

Folder Found : C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\extensions\staged

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\AskToolbar

Key Found : HKCU\Software\Ask.com

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}

Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn

Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v8.0 (en-US)

Profile name : default

File : C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\prefs.js

Found : user_pref("browser.search.selectedEngine", "SweetIM Search");

Found : user_pref("keyword.URL", "hxxp://search.sweetim.com/search.asp?src=2&barid={1A1B0253-2259-11E2-8CCC-[...]

Found : user_pref("browser.startup.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-[...]

Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");

Found : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B[...]

Found : user_pref("browser.search.defaultenginename", "SweetIM Search");

Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");

Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "Secure Search");

Found : user_pref("sweetim.toolbar.previous.keyword.URL", "hxxp://ca.search.yahoo.com/search?fr=mcafee&p=");

-\\ Google Chrome v23.0.1271.95

File : C:\Users\Symesko\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.13] : homepage = "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA31E3D}",

Found [l.17] : urls_to_restore_on_startup = [ "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA31E3D}", "hxxp://www.google.com/" ]

Found [l.1734] : homepage = "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA31E3D}",

Found [l.2316] : urls_to_restore_on_startup = [ "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA31E3D}", "hxxp://www.google.com/" ]

*************************

AdwCleaner[R1].txt - [3281 octets] - [05/12/2012 07:00:24]

########## EOF - C:\AdwCleaner[R1].txt - [3341 octets] ##########

Share this post


Link to post
Share on other sites

Some adware found....lets clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

~~~~~~~~~~~~~~~~~~~~~~~

Next.............

thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

MrC

Share this post


Link to post
Share on other sites

Here are the logs for both the programs.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 3.8.9 (12.05.2012:5)

OS: Windows 7 Home Premium x64

Ran by Symesko on 05/12/2012 at 23:28:58.21

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on 05/12/2012 at 23:35:20.00

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v2.011 - Logfile created 12/05/2012 at 23:11:52

# Updated 02/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Symesko - SYMESKO-LT

# Boot Mode : Normal

# Running from : C:\Users\Symesko\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

Folder Deleted : C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\extensions\staged

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar

Key Deleted : HKCU\Software\Ask.com

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v8.0 (en-US)

Profile name : default

File : C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\prefs.js

C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\user.js ... Deleted !

Deleted : user_pref("browser.search.selectedEngine", "SweetIM Search");

Deleted : user_pref("keyword.URL", "hxxp://search.sweetim.com/search.asp?src=2&barid={1A1B0253-2259-11E2-8CCC-[...]

Deleted : user_pref("browser.startup.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-[...]

Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");

Deleted : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B[...]

Deleted : user_pref("browser.search.defaultenginename", "SweetIM Search");

Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");

Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "Secure Search");

Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "hxxp://ca.search.yahoo.com/search?fr=mcafee&p=");

-\\ Google Chrome v23.0.1271.95

File : C:\Users\Symesko\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.13] : homepage = "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9[...]

Deleted [l.17] : urls_to_restore_on_startup = [ "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B02[...]

Deleted [l.1734] : homepage = "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA3[...]

Deleted [l.2316] : urls_to_restore_on_startup = [ "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-[...]

*************************

AdwCleaner[R1].txt - [3408 octets] - [05/12/2012 07:00:24]

AdwCleaner[R2].txt - [3468 octets] - [05/12/2012 23:11:32]

AdwCleaner[s1].txt - [3435 octets] - [05/12/2012 23:11:52]

########## EOF - C:\AdwCleaner[s1].txt - [3495 octets] ##########

On that note, I haven't had the search re-direct happen to me in the last day or two, so it's possible we have made some headway. Once again, thank you greatly for all your help!

Share this post


Link to post
Share on other sites

Good Day,

So today, either this or another virus has decided to show back up. It's redirecting me to a different search engine now.... tlbsearch.com which in turn searches for "free e cards". I don't remember seeing this before so I'm not sure if it's a new issue or one that was being over ridden before.

Share this post


Link to post
Share on other sites

Do you get redirects with Internet Explorer also?

Lets do some checking in Chrome:

First please make sure you have the latest version of Chrome:

Click the wrench in the upper right hand corner

Click on "About Google Chrome"

If an update is available it will be downloaded and installed

Next:

Carefully check for any odd extensions or plugins: (it's a good idea to disable them all and see if you're still redirected and then add each one back until you find the culprit)

Type the following into the address box and hit Enter:

chrome:plugins

Do the same for:

chrome:extensions

Next:

Go to Settings > Show advanced settings........ (at the bottom)

Put a check next to all of these:

  1. Clear browsing history
  2. Clear download history
  3. Empty the cache

Click "Clear Browsing Data"

Next:

Look through the rest of Tools, Settings and View Backround Pages and make sure there's nothing suspicious.

---------------------------

Then look at this link (it's for a different infection but the way to change Chromes settings is the same)

http://deletemalware...tall-guide.html

---------------------------

If you don't see anything, disable all extensions and plug-ins and see how it is.

Let me know, MrC

Share this post


Link to post
Share on other sites

Internet Explorer doesn't seem to be infected. I tried 10 searches with IE and didn't get a single redirect when I clicked on a result link. Sadly, I absolutely refuse to use IE.

Chrome is up to date. I'm not seeing anything strange in the extensions/plugins. I removed all the search engines except for Google. After disabling all of them, I'm still be redirected when I click the result. It's a sporadic thing... it will happen for a few searches, then it goes away for a few. Sometimes I can go back and click the link and it takes me to the page, sometimes it takes me 7 or 8 or 20 tries.

One thing I did notice that may be of use - if I'm going to be redirected, the web address bar goes blank for a second, and then the address for the site i'm being directed to appears. If I don't get re-directed, then the address of the site I'm intending to visit is displayed instantly.

Share this post


Link to post
Share on other sites

thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

MrC

Share this post


Link to post
Share on other sites

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 3.8.9 (12.05.2012:5)

OS: Windows 7 Home Premium x64

Ran by Symesko on 08/12/2012 at 16:42:30.70

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on 08/12/2012 at 16:49:06.13

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Share this post


Link to post
Share on other sites

Created a new browers profile, that did not fix anything.

Reinstalled Chrome, that also did not fix it.

I have noticed that now (today at least), it is redirecting me to "Ihavenet.com" search engine. It seems to change the search engine it redirects to daily.

Share this post


Link to post
Share on other sites

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC

Share this post


Link to post
Share on other sites

Here is the ESET scan results

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=8

# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)

# OnlineScanner.ocx=1.0.0.6844

# api_version=3.0.2

# EOSSerial=

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-12-09 10:12:43

# local_time=2012-12-09 03:12:43 (-0700, Mountain Standard Time)

# country="Canada"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5122 16777213 100 90 2501705 116947341 0 0

# compatibility_mode=5893 16776574 100 94 40883080 106634613 0 0

# scanned=303138

# found=0

# cleaned=0

# scan_time=11021

Share this post


Link to post
Share on other sites

Alright, I have Reset IE to defaults. I just tried about 10 searches (using Chrome) and didn't get a single re-direct. Hopefully this is some headway....

Share this post


Link to post
Share on other sites

Good.........

Lets check your computers security:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC

Share this post


Link to post
Share on other sites

I ran it twice, because I was thinking this was an error, but this was the result both times.

UNSUPPORTED OPERATING SYSTEM! ABORTED!

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.