tonight, whenever i click on a site from google, or bing, it takes me to an ad first. i have to click back, then click on the link again to get the actual page. anyone else experiencing this problem, or know what is going on with it? it started tonight when i got home from work, earlier today everything was fine with the search engines
search engine ad problem
- Thread starter elmer91
- Start date
linkin
VIP Member
sounds like you are infected with adware. please download and run Malwarebytes, install and update it. keep clicking update until it tells you that you've got the latest version, then run a full scan. post the log here so we can diagnose, and try to brosw some search engines again.
i am running that program right now. i noticed something with the searching and ads today, the ads are never anything bad, they are legit sites that pop up, like yellowpages, yahoo hotjobs, and such. also, if i right click and tell it to open in a new tab, the ad does not appear.
EDIT: i did find this in an side ad, dont know if it means anything. "c13.adv.net/ad" there looked like there was more, i just couldnt see it.
Last edited:
i did tell it to remove them. i got the list first. it restarted my computer, and i search on google, the first two sites had no problems, but after that, the ads started to appear again.
Post a hijackthis log.
Hello, please download and post a log with HiJackThis.
Click here to download HJTsetup.exe
Hello, please download and post a log with HiJackThis.
Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
- Click Save to save the log file and then the log will open in notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Please uninstall these entries.
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Viewpoint Media Player
Then download the latest version of java here.
http://www.java.com/en/download/index.jsp
You might want to scan your system with Superantispyware as well.
http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html
Make sure you update it before running it.
Let me know if that catches anything. There is one more program we can run, but i'll wait until I hear back from you.
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Viewpoint Media Player
Then download the latest version of java here.
http://www.java.com/en/download/index.jsp
You might want to scan your system with Superantispyware as well.
http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html
Make sure you update it before running it.
Let me know if that catches anything. There is one more program we can run, but i'll wait until I hear back from you.
removed those items and ran superantispyware. it only came up with one result, application.powerreg scheduler
Have you ever heard of a program called Hitman Pro 3.5? i googled my problem, despite the ads, and found a site that pointed me towards this, and the guy who posted it said every single program you have mentioned, plus some, have not worked, but this one did.
Have you ever heard of a program called Hitman Pro 3.5? i googled my problem, despite the ads, and found a site that pointed me towards this, and the guy who posted it said every single program you have mentioned, plus some, have not worked, but this one did.
Last edited:
i downloaded and ran hitman pro 3.5. it found two
http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en
atapi.sys seems the be the problem, and it is a rootkit(whatever that is, never heard of it). the site that told me to use hitman pro said this was a nasty one to properly remove, and i didnt quite understand the way they guy put it. here is a link
http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en
i havent deleted it yet, from as far down as i read on that post, the people were saying this file needed to be fixed or replaced and not deleted. i dont know where i could get another copy to replace it, since my computer is the only one in my house running XP.
OK, do this.. this will tell us if there is a problem with atapi.sys.
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
In your next reply please post:
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
- Download this file here :
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Then double click combofix.exe & follow the prompts.
- When finished, it shall produce a log for you. Post that log in your next reply
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
In your next reply please post:
- The ComboFix log
- A fresh HiJackThis log
- An update on how your computer is running
That file, atapi.sys, seems to have been the problem. i went to google and bing and searched for random stuff, and everything was ad free. thanks a lot for you help!
here is the combofix log
and here is the hijackthis log
here is the combofix log
ComboFix 10-02-01.02 - Administrator 02/01/2010 15:41:07.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.136 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100201-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-583907252-1993962763-682003330-1003
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
.
2010-02-01 01:45 . 2010-02-01 01:45 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-02-01 01:45 . 2010-02-01 01:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hitman Pro
2010-02-01 01:45 . 2010-02-01 01:45 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-01-31 22:55 . 2010-01-31 22:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-01-31 22:55 . 2010-01-31 22:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-31 22:55 . 2010-01-31 22:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-31 22:54 . 2010-01-31 22:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-31 22:52 . 2010-01-31 22:52 -------- d-----w- c:\program files\Common Files\Java
2010-01-31 22:51 . 2010-01-31 22:51 -------- d-----w- c:\program files\Java
2010-01-25 22:55 . 2010-01-25 22:55 -------- d-----w- c:\program files\Trend Micro
2010-01-24 22:46 . 2010-01-24 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-24 22:46 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-24 22:46 . 2010-01-24 22:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-01-24 22:46 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-24 22:46 . 2010-01-25 00:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-24 21:55 . 2010-01-24 21:55 -------- d-----w- c:\windows\system32\XPSViewer
2010-01-24 21:55 . 2010-01-24 21:55 -------- d-----w- c:\program files\MSBuild
2010-01-24 21:53 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-24 21:52 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-24 21:52 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-24 21:52 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-24 21:52 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-24 21:52 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-24 21:52 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-24 21:52 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-24 21:52 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-24 21:52 . 2010-01-24 21:54 -------- d-----w- C:\fa9f6f5edc49215f45bca0
2010-01-24 21:44 . 2010-01-24 22:10 -------- d-----w- C:\a8814a0ae3a1f314d8
2010-01-22 21:41 . 2010-01-22 21:41 -------- d-----w- c:\program files\Paint.NET
2010-01-22 21:41 . 2010-01-26 01:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Paint.NET
2010-01-22 21:39 . 2010-01-22 21:39 -------- d-----w- c:\program files\Reference Assemblies
2010-01-22 21:35 . 2010-01-22 21:35 -------- d-----r- C:\AHCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 22:51 . 2009-10-13 00:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-31 22:48 . 2007-08-13 20:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2010-01-28 02:18 . 2007-08-21 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-01-26 00:05 . 2007-07-15 13:48 69856 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-21 02:05 . 2009-12-21 02:05 -------- d-----w- c:\program files\Simnet
2009-11-24 23:54 . 2009-04-29 19:41 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-04-29 19:41 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-04-29 19:41 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-04-29 19:41 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-04-29 19:41 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-04-29 19:41 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-04-29 19:41 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-04-29 19:41 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-04-29 19:41 97480 ----a-w- c:\windows\system32\AvastSS.scr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2007-07-25 53248]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-27 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-02-01 4955456]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-4 1503232]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NETGEAR\\WPN311\\wlancfg5.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabled
xpsp2res.dll,-22009
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/29/2009 2:41 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/29/2009 2:41 PM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/12/2004 7:38 PM 396480]
S3 V90drv;v90drv;c:\windows\system32\DRIVERS\v90drv.sys --> c:\windows\system32\DRIVERS\v90drv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-06-21 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]
2009-06-21 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 19:13]
2010-02-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-21 02:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1lwy8zxl.default\
FF - prefs.js: browser.startup.homepage - hxxp://broadband.zoomtown.com/
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKCU-Run-Simple Sticky Notes - c:\program files\Simnet\Simple Sticky Notes\ssn.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-01 15:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3424)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\VTTimer.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\windows\system32\acs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2010-02-01 16:03:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-01 21:03
Pre-Run: 26,361,675,776 bytes free
Post-Run: 26,642,259,968 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 3D24AE373CFA131F692046A638F59177
and here is the hijackthis log