all of my google searched get hijacked

[Elise]

Yes, that is normal. This scan creates no log. Please proceed with the ESET scan when ready.

[wilkelldad]

Yes, that is normal. This scan creates no log. Please proceed with the ESET scan when ready.

There are some scanning options here...

Remove threats I assume? How about scan archives?

[Elise]

Yes and Yes

[wilkelldad]

Finished the ESET scan. Nothing found.

OK....REALLY dumb question here (actually, dumb guy asking question) I have a log file from when all of this began, before I contacted you where MBAM found something. MBAM quarantined and deleted it. I didn't even think of mentioning it, since everything had been cleaned, until I was watching the ESET scan window with 0 infections found. Would this log help? I'll paste it below.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4191

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/12/2010 12:57:56 PM

mbam-log-2010-06-12 (12-57-56).txt

Scan type: Quick scan

Objects scanned: 133504

Time elapsed: 19 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\V71IQL7HI7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Elise]

You mentioned earlier you were using a public network. Do you see any difference when using a public network or your home connection? So far, everything points to an infected router/DNS poisoning.

[wilkelldad]

The redirects yesterday were while I was in the hotel, on the public network.

I never thought about the router. While there have been unexplained delays, almost like an overworked computer, on all of the other computers on my home network. None of the other computers are being redirected.

Should I replace the router, then just plan on restoring the computer to factory condition?

[Elise]

The redirects yesterday were while I was in the hotel, on the public network.

If you did not experience any redirects at home, this means that the router they use to send their wireless signal, is infected. This does mean that your computer in fact is clean. A router is often targetted these days. The remedy is simple, push the reset button, and when done, change the default password so it will be harder for malware to alter the settings again.

Do you experience any redirects on this computer at home?

[wilkelldad]

If you did not experience any redirects at home, this means that the router they use to send their wireless signal, is infected. This does mean that your computer in fact is clean. A router is often targetted these days. The remedy is simple, push the reset button, and when done, change the default password so it will be harder for malware to alter the settings again.

Do you experience any redirects on this computer at home?

With the exception of yesterday's (Thursday) redirect, they all occurred at home. Even so, I reset my router and changed the network key and password to the dashboard.

redirect.

The un-nerving things is, I guess, there is something stealth in here and I suppose I can only hope it's just a pest.

I appreciate your help to this point, but I've got to decide whether it's not just time to cry uncle.

[Elise]

Please try the following:

Please Download Flash Cookie Killer by Bobbie Flekman and save it to your Desktop

1. Double click from your desktop
   
2. Check "Everything but Adobe Site Settings"
   
3. Mouse click "Make it so!"
   
   
4. Now go to the Adobe Flash Player Settings Manager
   
5. In the "Website Storage Settings" choose the "Delete All Sites" tab then "Confirm"
   
   
6. Next in the "Global Storage Settings" uncheck "Allow third-party Flash content to store on your computer"
   
   
7. Finally in the "Global Privacy Settings" choose "Always Deny" then "Confirm"
   
   
8. You have now successfully deleted cookies stored and changed the Flash Players default settings to prevent access in the future.
   

[wilkelldad]

Just finished this and rebooted.

Searched and was redirected. I was able to capture the redirects in screen shots, I don't know if these would help.

Thanks for sticking with me.

[Elise]

Lets see if we may somehow have some hostsfile hijacking which may be overlooked due to Spybot.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.

1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
   
2. If prompted with a legal dialog, accept the warning.
   
3. Click and then on "Advanced Mode"
   
   
4. You may be presented with a warning dialog. If so, press
   
5. Click on
   
6. Click on
   
7. Uncheck this checkbox:
   
   
8. Close/Exit Spybot Search and Destroy
   

OTL FIX

------------

We need to run an OTL Fix

1. Please reopen on your desktop.
   
2. Copy and Paste the following code into the textbox. Do not include the word "Code"
   

   :commands
   [emptytemp]
   [resethosts]

   
   

3. Push
   
4. OTL may ask to reboot the machine. Please do so if asked.
   
5. Click .
   
6. A report will open. Copy and Paste that report in your next reply.
   

[wilkelldad]

as an FYI...the sdhelper and teatimer boxes were already unchecked when I went there. If this is hiding things I can uninstall the whole program if it helps. Let me know.

The result of the OTL scan

All processes killed

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: David

->Temp folder emptied: 5462289 bytes

->Temporary Internet Files folder emptied: 30828605 bytes

->Java cache emptied: 52521834 bytes

->FireFox cache emptied: 36816511 bytes

->Google Chrome cache emptied: 12512444 bytes

->Flash cache emptied: 42114 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 41620 bytes

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 41044 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 65787 bytes

->Flash cache emptied: 567 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 1510 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 2554944 bytes

Total Files Cleaned = 134.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.9.0 log created on 07172010_133059

Files\Folders moved on Reboot...

File\Folder C:\Documents and Settings\David\Local Settings\Temp\~DF1E79.tmp not found!

File\Folder C:\Documents and Settings\David\Local Settings\Temp\~DF1FCE.tmp not found!

File\Folder C:\Documents and Settings\David\Local Settings\Temp\~DF2687.tmp not found!

File\Folder C:\Documents and Settings\David\Local Settings\Temp\~DF29F0.tmp not found!

File\Folder C:\Documents and Settings\David\Local Settings\Temp\~DF364E.tmp not found!

File\Folder C:\Documents and Settings\David\Local Settings\Temp\~DF3EBE.tmp not found!

C:\Documents and Settings\David\Local Settings\Temp\~DF3F2B.tmp moved successfully.

C:\Documents and Settings\David\Local Settings\Temp\~DF83CA.tmp moved successfully.

Registry entries deleted on Reboot...

AGAIN, THANKS FOR YOUR HELP

[Elise]

Please have a look how things are now.

[wilkelldad]

Please have a look how things are now.

I am cautiously optimistic

At least 50 search in each, IE and FF, with NO REDIRECTS. I'll kick it around over the next day or so before rejoicing. I may have just hit the "on" switch.

You're a trooper to keep working with me.

I'll let you know.

Thanks

David

[Elise]

Lets hope that did it David.

Please keep me posted.

[wilkelldad]

Good morning Elise,

It's back. After a night of un-redirected searchs, when clicking on the result of the first search I did this morning, in FF, the page half loaded then hung-up. I hit f5 for a reload and the redirects started. Nothing, yet, in IE. The initial redirect was going to a site that McAfee warned was malicious, thereafter to other search engines.

Thoughts?

[Elise]

Can you try to run the same OTL fix and then see if that takes care of the issue?

[wilkelldad]

Can you try to run the same OTL fix and then see if that takes care of the issue?

Ran it and didn't paste log, reran. Here are the logs:

All processes killed

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: David

->Temp folder emptied: 4886 bytes

->Temporary Internet Files folder emptied: 47861 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 4079026 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 0 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 4.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.9.0 log created on 07182010_120744

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

I'll let you know how it performs.

Thanks Elise!

David

[wilkelldad]

:)

First search out of the box in FF and IE. Chrome remains unaffected (seemingly).

[wilkelldad]

This time I did the same search in all three browsers, clicked the same three links in each.

[Elise]

Please click Start > Programs > Accessories and right click on Command prompt. Select Run as Administrator.

Type sfc /scannow and press enter.

Exit the command window when you see the System File Checker pop up in the taskbar and let it run unhindered. Note, you might be prompted for your Windows DVD.

When done, let me know if you experience any more redirects (take your time ).

[wilkelldad]

Right click menu on only has RUN (not "as administrator") I am running it now.

[Elise]

Okay, as long as it is running, it is okay.

[wilkelldad]

Happy Saturday Elise,

I am still being redirected. I thought I'd ask, since at one point we turned off the Spybot teatimer and rescanned...do you think that there is anything else we did along the way may have been hindered by that program?

If you don't think that anything dangerous is going on, and really it's just an inconvenience, I may just wait until I have the time to sit down and reformat the hard drive to factory condition.

I do appreciate the time you've spent helping me.

[wilkelldad]

Hi Elise,

You thought I was gone.

I think we've got it. I reset the router, changed the passwords, reran some of the scans and fixes we did earlier, and have been searching all afternoon. Not one re-direct.

Thanks you for your help gaining control of my cyberworld!

Sincerely,

David

Watch for donation, on my way (Would have gone anyway).