Google results re-direct to random websites (and computer is slow)

[ken545]

There in the System32/drivers folder

[spikyspud]

Hi,

Sorry when I referred to the system32 folder in my previous post i meant the system32/drivers folder. I still can't find the files. Sorry if I missing something obvious??

[ken545]

Sometimes programs like Combofix may have removed them but not shown it.

Lets do this.



Please download Malwarebytes from Here or Here

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report please

[spikyspud]

Ok, I ran malwarebytes, the log file is below.

Thanks again for your assitance.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8291

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

02/12/2011 17:36:03
mbam-log-2011-12-02 (17-36-03).txt

Scan type: Quick scan
Objects scanned: 166455
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[ken545]

Great,


ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
2. Click the button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. Click on to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Make sure that the option "Remove found threats" is Unchecked
9. Push the Start button.
10. ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
11. When the scan completes, push
12. Push , and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
13. Push the button.
14. Push

Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

[spikyspud]

Hi,

ESET scan run, log below...

C:\Windows\csauie1.ocx probably a variant of Win32/Agent.EBBYIBO trojan


Thanks

[ken545]

Good so far, lets run this fix, also tell me how you think your computer is behaving right now ???


Open OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  
  Code:

  :processes
  killallprocesses
  
  :OTL
  
  
  
  :Services
  
  :Reg
  
  :Files
  C:\Windows\csauie1.ocx	
  
  
  
  
  
  :Commands
  [purity]
  [CLEARALLRESTOREPOINTS] 
  [emptytemp]
  [start explorer]
  [Reboot]

• Then click the Run Fix button at the top. <--Not run Scan
• Let the program run unhindered, reboot when it is done
• Then post the results of the log it produces

[spikyspud]

Hi,

I ran OTL (log at the end), on reboot I tested google search results and the random re-direct appears to have stopped!



Please let me know if there is anything else that I should so do as a final check/clean up?

Thanks again.

All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\csauie1.ocx moved successfully.
========== COMMANDS ==========


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Sandra
->Temp folder emptied: 138328 bytes
->Temporary Internet Files folder emptied: 313589576 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 11858 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6965 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 299.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12032011_000537

Files\Folders moved on Reboot...
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ILR48TUS\1122708[1].htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ILR48TUS\if[1].htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ILR48TUS\like[1].htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ILR48TUS\trade_gothic_condensed_18-webfont[1].eot moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D5AULC02\login_status[1].htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BUMUAWJA\sh69[1].html moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9107NN5X\dis[1].htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9107NN5X\showthread[1].php moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YUVGIVK\hub[1].html moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6KZDKEIZ\online-scanner[1].htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21TTYSMC\1122708[1].htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21TTYSMC\1122708[2].htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21TTYSMC\afrCAN1SII2.htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21TTYSMC\audience-science[1].htm moved successfully.
C:\Users\Sandra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21TTYSMC\tradegothicltstd-bdcn20-webfont[1].eot moved successfully.
File move failed. C:\Windows\temp\CLDigitalHome\CLMS_AGENT_LOG1.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\CLDigitalHome\PCMMediaServer.log scheduled to be moved on reboot.

Registry entries deleted on Reboot...

[ken545]

No other problems ??

[spikyspud]

Hi,

Not that I can tell everything seems to be working as normal.

Thanks again for all of your help.