
Search Result Redirection - HELP!



I recently had some malware that got installed on my Windows 7 PC and MBAM successfully quarantined and removed them:

mbam-log-2011-11-26 (15-39-13).txt

Files Infected:

c:\Users\<me>\AppData\Local\Temp\msimg32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\<me>\local settings\temporary internet files\tmp_6507.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\<me>\local settings\temporary internet files\tmp_6838.exe (Trojan.Agent) -> Quarantined and deleted successfully.

3 days later I had more malware and MBAM detected the following:

mbam-log-2011-11-29 (09-41-02).txt

Files Infected:

c:\Users\<me>\AppData\Local\Temp\msimg32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\<me>\local settings\temporary internet files\tmp_6119.exe (Trojan.Agent) -> Quarantined and deleted successfully.

However, I kept having issues and noticed a process nywvsxu.exe without a Description that seemed suspicious and would be present after I killed it and rebooted. MBAM detected additional malware but did not detect any issue with this file:

mbam-log-2011-12-02 (20-59-50).txt

Files Infected:

c:\Users\<other>\AppData\Local\Temp\0.581232132723523fdrgs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Users\<other>\AppData\Local\Temp\0.9828270885075594koreas.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Finally, I decided to run an OTL.exe scan and noticed the file's creation date was right before I started having issues:

[2011/11/26 09:49:26 | 000,090,112 | RHS- | C] () -- C:\Users\<me>\AppData\Roaming\nywvsxu.exe

I renamed the file (see attachment) and the process no longer loads, and MBAM has not detected any more malware since. However, when I click on any results from Google or Yahoo searches, I get sent to incorrect, yet often legitimate sites. There is no issue with accessing www.google.com, only when I click on a link from the search itself. (The hosts file didn't have any extra entries - I did have a virus that modified it at one time.) Typing the search result URL directly in the address bar works fine. I've tried for a week playing around with IE9 settings and searching the web for a clue as to how to get rid of this, to no avail. BTW, I uploaded the exe file to virustotals.com today and it tested positive in more than a dozen virus scanners.

I should add that I've run TDSSKiller and it has not found any issues.

DDS.txt
