Everything posted by Symesko
-
Internet Explorer doesn't seem to be infected. I tried 10 searches with IE and didn't get a single redirect when I clicked on a result link. Sadly, I absolutely refuse to use IE. Chrome is up to date. I'm not seeing anything strange in the extensions/plugins. I removed all the search engines except for Google. After disabling all of them, I'm still being redirected when I click the result. It's a sporadic thing... it will happen for a few searches, then it goes away for a few. Sometimes I can go back and click the link and it takes me to the page, sometimes it takes me 7 or 8 or 20 tries. One thing I did notice that may be of use - if I'm going to be redirected, the web address bar goes blank for a second, and then the address for the site I'm being directed to appears. If I don't get re-directed, then the address of the site I'm intending to visit is displayed instantly.
-
Good Day, So today, either this or another virus has decided to show back up. It's redirecting me to a different search engine now.... tlbsearch.com which in turn searches for "free e cards". I don't remember seeing this before so I'm not sure if it's a new issue or one that was being overridden before.
-
Here are the logs for both the programs.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.8.9 (12.05.2012:5)
OS: Windows 7 Home Premium x64
Ran by Symesko on 05/12/2012 at 23:28:58.21
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05/12/2012 at 23:35:20.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v2.011 - Logfile created 12/05/2012 at 23:11:52
# Updated 02/12/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Symesko - SYMESKO-LT
# Boot Mode : Normal
# Running from : C:\Users\Symesko\Desktop\adwcleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Folder Deleted : C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\extensions\staged

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v8.0 (en-US)

Profile name : default
File : C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\prefs.js

C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\user.js ... Deleted !

Deleted : user_pref("browser.search.selectedEngine", "SweetIM Search");
Deleted : user_pref("keyword.URL", "hxxp://search.sweetim.com/search.asp?src=2&barid={1A1B0253-2259-11E2-8CCC-[...]
Deleted : user_pref("browser.startup.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-[...]
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B[...]
Deleted : user_pref("browser.search.defaultenginename", "SweetIM Search");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "Secure Search");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "hxxp://ca.search.yahoo.com/search?fr=mcafee&p=");

-\\ Google Chrome v23.0.1271.95

File : C:\Users\Symesko\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.13] : homepage = "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9[...]
Deleted [l.17] : urls_to_restore_on_startup = [ "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B02[...]
Deleted [l.1734] : homepage = "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA3[...]
Deleted [l.2316] : urls_to_restore_on_startup = [ "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-[...]

*************************

AdwCleaner[R1].txt - [3408 octets] - [05/12/2012 07:00:24]
AdwCleaner[R2].txt - [3468 octets] - [05/12/2012 23:11:32]
AdwCleaner[s1].txt - [3435 octets] - [05/12/2012 23:11:52]

########## EOF - C:\AdwCleaner[s1].txt - [3495 octets] ##########

On that note, I haven't had the search re-direct happen to me in the last day or two, so it's possible we have made some headway. Once again, thank you greatly for all your help!
-
Good Day, I'm using Chrome for my web browser. Here is the log:

# AdwCleaner v2.011 - Logfile created 12/05/2012 at 07:00:24
# Updated 02/12/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Symesko - SYMESKO-LT
# Boot Mode : Normal
# Running from : C:\Users\Symesko\Desktop\adwcleaner.exe
# Option [search]

***** [services] *****

***** [Files / Folders] *****

File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Folder Found : C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\extensions\staged

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v8.0 (en-US)

Profile name : default
File : C:\Users\Symesko\AppData\Roaming\Mozilla\Firefox\Profiles\5hv8056j.default\prefs.js

Found : user_pref("browser.search.selectedEngine", "SweetIM Search");
Found : user_pref("keyword.URL", "hxxp://search.sweetim.com/search.asp?src=2&barid={1A1B0253-2259-11E2-8CCC-[...]
Found : user_pref("browser.startup.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-[...]
Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Found : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B[...]
Found : user_pref("browser.search.defaultenginename", "SweetIM Search");
Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "Secure Search");
Found : user_pref("sweetim.toolbar.previous.keyword.URL", "hxxp://ca.search.yahoo.com/search?fr=mcafee&p=");

-\\ Google Chrome v23.0.1271.95

File : C:\Users\Symesko\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.13] : homepage = "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA31E3D}",
Found [l.17] : urls_to_restore_on_startup = [ "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA31E3D}", "hxxp://www.google.com/" ]
Found [l.1734] : homepage = "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA31E3D}",
Found [l.2316] : urls_to_restore_on_startup = [ "hxxp://home.sweetim.com/?crg=3.1010000.10007&barid={1A1B0253-2259-11E2-8CCC-94CD9BA31E3D}", "hxxp://www.google.com/" ]

*************************

AdwCleaner[R1].txt - [3281 octets] - [05/12/2012 07:00:24]

########## EOF - C:\AdwCleaner[R1].txt - [3341 octets] ##########
-
ComboFix.txt

I have run ComboFix now. I did have a warning pop up about my Anti-Virus and Spyware not being disabled despite me turning everything to off. I went through the procedure again, but it still warned me that McAfee was running. Hopefully that didn't cause any issues; if it has, I'll try again (and remove McAfee if need be). And yes, I did remember to turn my stuff back on again now.
-
TDSSKiller.2.8.15.0_03.12.2012_21.18.47_log.txt
TDSSKiller.2.8.15.0_03.12.2012_21.14.03_log.txt

Here are the TDSS logs. Scan results showed 4 suspicious.
-
RKreport1_S_12032012_02d2007.txt

Here is the report from RogueKiller. Thanks
-
dds.txt
attach.txt

Good Day! For the past few weeks, every once in a while when using my Google search, I get redirected to a random search engine or website (quite often a celebrity gossip site). livesearchnow.com is the most common redirect destination. It is getting quite frustrating, so any help getting rid of this issue will be greatly appreciated. I have run Malware on both a quick scan and full scan and it has come back clean. I hope I have attached the DDS files properly, and thanks in advance for your assistance!