SearchWebway8 trojan help

  • 08-03-2010 4:32pm
    #1
    Moderators, Technology & Internet Moderators Posts: 18,377 Mod ✭✭✭✭


    I'm trying to help a neighbour whose browsers have been hit with a weird virus that seems a bit more complex than a regular DNS/redirector virus. It seems to block certain websites from searches (especially Google-based services except Google itself) and redirects or 404s if you try to go to them directly. If a page has been flagged as a help or email site the browsers will either 404 or block the site on the basis of known embedded malware or SSL certificate mismatches (even known-safe websites!).

    So far IE8, Firefox and Chrome are ALL affected, with only slight variation of symptoms. Avast is also acting a bit weird and isn't turning anything up, so I'm guessing it's most likely compromised too :eek:

    One interesting symptom is that when you try to back-button away from a failed attempt to access something back to Google's search page, a website called M-Search pops up then magically transforms back into Google. Not suspicious in the least :rolleyes: It seems to hail from a site called SearchWebway8.com which I'm not going to look at on my comp as I fancy my current OS install thank you kindly :o There have been a few posts on the Web with people screaming they're under attack from either SearchWebway7 or 8, but I've never seen a solution in any of the few links I've dug up.

    Seeing as there are multiple users on this comp and only one of them is around I can't just format+reinstall the offending rig at the moment, but I don't like the odds that this malware could do something unpleasant to their email account details while it's on there, so I'm now begging for info or better yet a non-lethal way to stomp on this mysterious and unpleasant bug for good! :o


Comments

  • Moderators, Technology & Internet Moderators Posts: 18,377 Mod ✭✭✭✭Solitaire


    No-one?

    Update: With a program update Avast sprang back to life and chopped out a whole load of junk. I'm pretty sure whatever was screwing with Google is gone because with all the (many! :eek: ) trojans laid to rest Google itself has vanished. Not surprised - the results I was getting in "Google" previously were so dodgy I was sure it was a fakesite.

    Now that the trojan responsible is gone there's no more fake Google, but the problem is that Google itself, as well as all the stuff cordoned off previously, still seems to be on some kind of OS/Registry-based (not browser!) DNS blacklist and is inaccessible :eek: Any clue on how to fix Windows' wounds without formatting it?? :o


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    hi

    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txts will open.
    • Save both reports to your desktop.


    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


  • Closed Accounts Posts: 4 BigOwl55


    Solitaire wrote: »
    No-one?

    Update: With a program update Avast sprang back to life and chopped out a whole load of junk. I'm pretty sure whatever was screwing with Google is gone because with all the (many! :eek: ) trojans laid to rest Google itself has vanished. Not surprised - the results I was getting in "Google" previously were so dodgy I was sure it was a fakesite.

    Now that the trojan responsible is gone there's no more fake Google, but the problem is that Google itself, as well as all the stuff cordoned off previously, still seems to be on some kind of OS/Registry-based (not browser!) DNS blacklist and is inaccessible :eek: Any clue on how to fix Windows' wounds without formatting it?? :o
    I had the same problem - searchwebway8 inserted itself into search results and would not go away. I used Malwarebytes, Superantispyware, Symantec, and others. I think once the infection was cleared I was still seeing aftereffects.

    You might want to flush dns (ipconfig /flushdns) and check the hosts file (/windows/system32/drivers/etc/hosts) for spurious entries redirecting legit URLs to wacky IPs.

    For those of you looking for an easier route, I found good info at bleepingcomputer.com on removing the TDSS, TDL3, or Alureon rootkit using TDSSKiller. That was easy and quick but by the time I found it I was clean. All is good now.


  • Closed Accounts Posts: 1 hzhardy


    ASJ112 wrote: »
    hi

    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txts will open.
    • Save both reports to your desktop.


    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.

    I am having the same issue, so here are the files.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    no need to attach the logs

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any
    "<--- ROOKIT" entries unless advised by a trained Security Analyst

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.


  • Closed Accounts Posts: 3 The Music Man


    Recently acquired a computer for my mother from a friend. She got rid of it because of this searchwebway8. I thought in my head, "easy fix." Wrong. I have tried AVG, Adaware, Malwarebytes' Anti-Malware and ComboFix to no avail. Now I am trying GMER per ASJ112's advice. Here is the log. Thanks in advance!

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-02 08:18:13
    Windows 5.1.2600 Service Pack 3
    Running: lwqxo5om.exe; Driver: C:\DOCUME~1\ANNIEL~1\LOCALS~1\Temp\kwdoapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF763687E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7636BFE]

    Code \??\C:\DOCUME~1\ANNIEL~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

    ---- Kernel code sections - GMER 1.0.15 ----

    ? jjubhmh.sys The system cannot find the file specified. !
    init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7939760]
    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF7005F80]
    ? C:\DOCUME~1\ANNIEL~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
    ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

    Device \FileSystem\Fastfat \Fat ED6D4D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- EOF - GMER 1.0.15 ----


  • Moderators, Technology & Internet Moderators Posts: 18,377 Mod ✭✭✭✭Solitaire


    Avast scan followed by a CCleaner run might remove it, but you're still at some risk of reinfection and will be showing symptoms in your web browser unless you flush the DNS and reset the defiled Hosts file.


  • Closed Accounts Posts: 3 The Music Man


    Okay, so I ran ComboFix one more time just for fun. Finally managed to completely disable AVG so it wouldn't interrupt. It worked and deleted the file! So I downloaded CCleaner, ran it, and then flushed the DNS. The only thing I don't know how to do is "reset the defiled Hosts file." What do you mean exactly? And thanks for all the help, really excited to see most of this taken care of.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    can you post the combofix log, it should be in C:\


  • Closed Accounts Posts: 3 The Music Man


    Here it is, ASJ112:

    ComboFix 10-04-01.02 - annie lockhart 04/02/2010 10:10:42.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.592 [GMT -4:00]
    Running from: c:\documents and settings\annie lockhart\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\AppPatch\AcAdProc.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
    .

    2010-04-02 12:38 . 2010-04-02 12:38 d-----w- c:\documents and settings\annie lockhart\Application Data\MSNInstaller
    2010-04-02 01:06 . 2010-04-02 01:06 d-----w- c:\documents and settings\annie lockhart\Application Data\Malwarebytes
    2010-04-02 01:06 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-02 01:06 . 2010-04-02 01:06 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-02 01:06 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-02 01:06 . 2010-04-02 01:06 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-02 00:52 . 2010-04-01 22:30 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-04-01 22:30 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-04-01 22:30 . 2010-04-01 22:30 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-01 22:28 . 2010-04-01 22:28 dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-04-01 22:27 . 2010-04-01 22:30 d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-04-01 22:27 . 2010-04-01 22:28 d-----w- c:\program files\Lavasoft
    2010-04-01 21:58 . 2010-04-01 21:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-11 06:11 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-04 13:56 . 2010-03-04 13:56 d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-01 22:32 . 2010-03-13 14:56 439816 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\setup.exe
    2010-04-01 21:59 . 2010-04-01 21:59 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-04-01 21:59 . 2010-04-01 21:59 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-04-01 21:59 . 2010-04-01 21:59 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
    2010-04-01 21:58 . 2008-05-02 17:02 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-01 21:58 . 2008-05-02 17:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-04-01 21:58 . 2008-05-02 17:02 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-04-01 21:56 . 2005-11-27 18:09 d-----w- c:\program files\Common Files\Sonic Shared
    2010-04-01 21:52 . 2008-06-03 02:48 d-----w- c:\documents and settings\annie lockhart\Application Data\Move Networks
    2010-04-01 20:47 . 2008-05-02 16:28 d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-04-01 20:35 . 2008-06-07 23:49 d-----w- c:\program files\Google
    2010-04-01 20:31 . 2005-11-27 18:07 d-----w- c:\documents and settings\All Users\Application Data\AOL
    2010-03-13 23:01 . 2010-03-13 22:59 20841968 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
    2010-03-13 22:59 . 2010-03-13 22:59 8405312 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
    2010-03-13 22:58 . 2010-03-13 22:58 149000 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
    2010-03-13 22:58 . 2010-03-13 22:58 10309448 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
    2010-03-13 22:57 . 2010-03-13 22:57 283280 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
    2010-03-13 22:57 . 2010-03-13 22:57 181768 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
    2010-03-13 22:57 . 2010-03-13 22:57 79368 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\RUP\vista.exe
    2010-03-13 22:57 . 2010-03-13 22:57 64000 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
    2010-03-13 22:57 . 2010-03-13 22:57 52288 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
    2010-03-13 22:57 . 2010-03-13 22:57 50688 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
    2010-03-13 22:57 . 2010-03-13 22:57 49152 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
    2010-03-13 22:57 . 2010-03-13 22:57 118784 ----a-w- c:\documents and settings\annie lockhart\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
    2010-03-11 12:38 . 2004-08-10 18:51 832512 ------w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-08-10 18:50 17408 ------w- c:\windows\system32\corpol.dll
    2010-02-04 15:53 . 2010-04-01 22:28 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
    2009-12-23 23:46 . 2008-08-13 15:14 56 --sh--r- c:\windows\system32\540F334CEC.sys
    2009-12-23 23:46 . 2008-08-13 15:14 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-08 185896]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-04-01 21:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "GoToAssist"=3 (0x3)
    "tmproxy"=2 (0x2)
    "TmPfw"=2 (0x2)
    "Tmntsrv"=2 (0x2)
    "PcCtlCom"=2 (0x2)
    "NetSvc"=3 (0x3)
    "AOL ACS"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/1/2010 6:30 PM 64288]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2008 1:02 PM 216200]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2008 1:02 PM 242696]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/1/2010 5:58 PM 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/1/2010 5:58 PM 308064]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 22:30]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://my.yahoo.com/
    uInternet Settings,ProxyOverride = <local>
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\annie lockhart\Application Data\Mozilla\Firefox\Profiles\9ej063cp.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - prefs.js: network.proxy.type - 2

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-02 10:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(680)
    c:\windows\system32\COMRes.dll

    - - - - - - - > 'explorer.exe'(2392)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\dla\tfswshx.dll
    c:\windows\system32\tfswapi.dll
    c:\windows\system32\dla\tfswcres.dll
    .
    Other Running Processes
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-02 10:23:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-02 14:23
    ComboFix2.txt 2010-04-02 02:13

    Pre-Run: 63,536,173,056 bytes free
    Post-Run: 63,505,690,624 bytes free

    - - End Of File - - 69960657270B0EE491ADD43CB623EA7F


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    one final scan

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


  • Closed Accounts Posts: 2 ShamanEFOH


      The problem, if it persists after using numerous products to scan for malware and viruses, resides in the HOSTS file. Your HOSTS file should be in the windows\system32\drivers\etc folder. Open it with Notepad, and DELETE all the entries pertaining to Google, Yahoo, etc. Save changes and exit. Voila. If you have used a product such as Spybot Search and Destroy, be careful not to remove any of the entries NOT pertaining to your favorite search engines. S&D puts a ton of entries into the HOSTS file to block access to malicious websites.


  • Registered Users, Registered Users 2 Posts: 7,544 ✭✭✭Hogzy


      I think I also have this virus. Affects nearly all search engines on Firefox/IE and Chrome.
      Very annoying, gonna try out the above soon.


  • Closed Accounts Posts: 2 ShamanEFOH


      Good luck. Make sure the computer is free from viruses before you clear out the HOSTS file... or it will just write them back in. Whatever caused it was cleaned by me with Malwarebytes and Symantec antivirus, so you shouldn't have too much trouble removing it. I like to run them in safe mode, just to be "safe" lol.
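The hosts-file check that BigOwl55, ShamanEFOH and didier9 describe above, written out as an added example; this is not code from anyone in this thread. It assumes a Windows-format hosts file, a constructed sample in which addresses from the 203.0.113.0/24 documentation range stand in for the redirect server, and a watch list of domains (the suffixes in WATCHED_SUFFIXES are my choice, not something the thread specifies). It only flags a watched domain pointed somewhere other than the local machine, so the sinkhole entries ShamanEFOH warns about keeping (Spybot S&D's 127.0.0.1 / 0.0.0.0 lines) pass through untouched.

```python
"""Audit a Windows-style hosts file for search-engine hijack entries.

Added example, not code from the thread. Lines that send a watched domain to
a non-local address are flagged; everything else (comments, localhost,
sinkhole-style blocklist entries) is kept in the cleaned copy.
"""
import ipaddress
import sys
from typing import List, Tuple

# Domains the thread reports being hijacked. The list is an assumption;
# extend it for the machine you are checking.
WATCHED_SUFFIXES = ("google.com", "googleapis.com", "yahoo.com", "bing.com",
                    "microsoft.com", "malwarebytes.org")

# Constructed sample. 203.0.113.0/24 is a documentation range standing in
# for the malware's redirect server; the sinkhole lines mimic Spybot S&D.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
# Sinkhole entries of the kind Spybot S&D adds: these must survive
127.0.0.1 www.bad-ads.example
0.0.0.0 tracker.example
# Hijack entries of the kind the thread describes (constructed addresses)
203.0.113.10 www.google.com
203.0.113.10 mail.google.com google.com
203.0.113.11 search.yahoo.com
"""


def is_local_sink(ip: str) -> bool:
    """True for loopback or unspecified targets (blocklist-style entries)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an address at all; treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def is_watched(host: str) -> bool:
    """True when host is a watched domain or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> Tuple[List[str], List[str]]:
    """Split hosts text into (flagged_lines, cleaned_lines).

    A line is flagged when any hostname on it is watched and the target
    address is not a local sink. Comments and blank lines pass through.
    """
    flagged: List[str] = []
    cleaned: List[str] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip trailing comment
        hijack = (len(parts) >= 2
                  and any(is_watched(n) for n in parts[1:])
                  and not is_local_sink(parts[0]))
        (flagged if hijack else cleaned).append(raw)
    return flagged, cleaned


def main(argv: List[str]) -> int:
    """Audit the file named on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    flagged, cleaned = audit_hosts(text)
    for line in flagged:
        print("FLAGGED:", line)
    print(f"{len(flagged)} hijack line(s) found; cleaned copy follows")
    print("\n".join(cleaned))
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see it work on the sample, or with the path to the real file (C:\Windows\System32\drivers\etc\hosts) to audit a machine; it prints the offending lines and a cleaned copy rather than writing anything, so you can review before replacing the file (which needs an administrator prompt). As ShamanEFOH says, only do this after the malware itself has been removed, or it simply rewrites the entries, and follow up with BigOwl55's `ipconfig /flushdns` so the resolver cache stops serving the old answers.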


  • Registered Users, Registered Users 2 Posts: 7,544 ✭✭✭Hogzy


      Got rid of it, ran malwarebytes, spybot and Hijackthis, then checked my startups in msconfig and there were strange files starting. Stopped them from startup, ran ccleaner and all is well :)


  • Closed Accounts Posts: 1 didier9


      I had the same problem. I ran Spybot, Lavasoft and Malwarebytes and the Google searches were still being redirected. I eventually found the hosts file was corrupted. I removed all the entries pointing the various Google sites to the malware server, rebooted and all was good.


  • Closed Accounts Posts: 1 Cfarmer


      Here are my files Please help this is driving me nuts.

