search redirections


  • This topic is locked
28 replies to this topic

#1 mdina
    New Member
  • Authentic Member
  • 15 posts

Posted 11 March 2006 - 05:24 PM

Something happened to my computer: when I use any standard search engine (Google, Yahoo, MSN), the first two times I click on any link I am redirected to some bizarre page. The third and all subsequent clicks work fine. AltaVista works fine. This happens only in IE; Firefox does not show this problem. Windows Defender, Spybot, Ad-Aware don't find anything.
HijackThis log looks normal. I recognize all programs and processes. I am quite confused! Can anybody help?

Logfile of HijackThis v1.99.1
Scan saved at 6:19:02 PM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\EZBackitup\EZBkuptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HighjackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\PhotoEd\PHOTOED.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [EZBack-it-up Tray Scheduler] C:\Program Files\EZBackitup\EZBkuptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Expand that LJ thread - file:/c:/LJ/threader.js
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



#2 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 12 March 2006 - 03:31 PM

Hello mdina,

I don't see anything bad in your log. Let's see if this helps.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to donate (PayPal link) for the help you received.

Proud graduate of TC/WTT Classroom


#3 mdina
    New Member
  • Authentic Member
  • 15 posts

Posted 12 March 2006 - 05:01 PM

Thanks LDTate, I just figured out the answer myself (indeed, just 5 min. ago). I checked the add-ons installed in IE, that is Tools->Internet Options->Programs->Manage Add-ons, and found an add-on called SearchAssistantOC, listed as published by Microsoft. After I had disabled it, everything became normal. I am researching now what the heck this "SearchAssistant" is. I also found another add-on that I do not recognize, "Shell Name Space", also listed under "Microsoft". I have not disabled it yet, but wonder what this beast is there for. Thanks again for your time.

#4 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 12 March 2006 - 05:07 PM

http://msdn.microsof...s/namespace.asp

Are you sure you ran Ad-Aware and Spybot? They should have found SearchAssistant.



#5 mdina
    New Member
  • Authentic Member
  • 15 posts

Posted 12 March 2006 - 05:52 PM

Sorry - I rejoiced too early. The odd behavior is still there. I ran ATF Cleaner all right, cleaned all, still the same story. SearchAssistantOC is still disabled. Besides, I researched it and found that it is indeed a legit program from Microsoft, as opposed to some other search assistants. Apparently this is why Ad-Aware and Spybot did not report it. Another interesting piece of information is that it happens only in one user account, not in any other. :angry: :(

#6 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 12 March 2006 - 06:01 PM

Can you do a file search and see if MIDADD-E.exe is found?



#7 mdina
    New Member
  • Authentic Member
  • 15 posts

Posted 13 March 2006 - 07:36 PM

No, it was not there. I downloaded a new version; it found two CoolWebSearch registry entries. I ran CWShredder, but it did not find anything. I removed these entries, restarted IE, the same problem! Weird.

#8 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 13 March 2006 - 07:56 PM

Please download hoster from the link below.

http://www.funkytoad...load/hoster.zip

Unzip Hoster.zip
Open Hoster.exe.

Then click on "Restore Original Hosts"

Close program when complete.

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.



#9 mdina
    New Member
  • Authentic Member
  • 15 posts

Posted 18 March 2006 - 10:17 AM

Thanks again, LDTate! I had to leave town for a week, just came back and am trying your advice. My hosts file was unaltered compared to the original MS file, except for added comments, but I have restored it anyway (and changed it to read-only afterwards). Interestingly, in the Windows\system32\drivers\etc directory I found a file called hosts-backup{some numbers}, which had the same content as the hosts file, but with an added host for autosearch. I removed this file, cleaned the recycle bin, and rebooted.
I post the new HT log. Interestingly, it now shows "R3 - Default URLSearchHook is missing". Otherwise, it looks entirely clean to me. I am not sure why "InstallDriver Table Manager (IDriverT) - Macrovision Corporation" is coming up, despite being set to "manual", but I doubt it has any relevance to my case.

My computer behaves in exactly the same way as before. The first two (and only two!) hits returned by any search engine are redirected to sites like ebay, zapmeta, amazon, ezanga, upspiral, oldhetaira, www-search, cosavista, pctools, sunshinesearch and variety of other known and unknown sites.

I am going to fix the URLSearchHook through HT and reboot and I will post the result.

Logfile of HijackThis v1.99.1
Scan saved at 10:43:19 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\EZBackitup\EZBkuptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
c:\HighjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [EZBack-it-up Tray Scheduler] C:\Program Files\EZBackitup\EZBkuptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Expand that LJ thread - file:/c:/LJ/threader.js
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
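The two posts above (restoring the hosts file with Hoster, then finding a stray hosts-backup copy in drivers\etc with an extra search entry) amount to a manual audit of the hosts file. Here is that audit in a repeatable form, as an added Python example; it is not code from the thread, from Hoster or from HijackThis. The sample hosts text and directory listing are constructed, every hostname, address and file name in them is hypothetical, and the list of search-engine labels it looks for is an assumption.

```python
"""Audit a Windows hosts file (and its directory) for search-redirect tampering.

Added example for this thread, not code from the thread, Hoster, or HijackThis.
SAMPLE_HOSTS and SAMPLE_ETC_LISTING are constructed; every hostname, address
and file name in them is hypothetical.
"""
import re
from typing import Dict, List, Optional

# A stock Windows XP/2000 hosts file carries exactly one mapping.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# A stock file never names a search engine, so any such entry is a finding
# (assumed list of labels; extend it for the engines you care about).
SEARCH_NAME = re.compile(r"(^|\.)(google|yahoo|msn|altavista|search)(\.|$)", re.I)

# What %SystemRoot%\system32\drivers\etc holds on a clean XP install.
EXPECTED_ETC_FILES = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}


def parse_hosts(text: str) -> List[Dict]:
    """Turn hosts text into {line, ip, name} records.

    Comments and blank lines are dropped; a line that lists several names
    for one address yields one record per name.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        for name in names:
            records.append({"line": lineno, "ip": ip, "name": name.lower()})
    return records


def classify(rec: Dict) -> Optional[str]:
    """Label one record, or return None for the stock localhost entry."""
    if (rec["ip"], rec["name"]) in DEFAULT_ENTRIES:
        return None
    if SEARCH_NAME.search(rec["name"]):
        # hosts is consulted before DNS, so pinning a search engine's name
        # (to loopback or to a foreign address) is enough to divert queries.
        return "search_name_pinned"
    if rec["ip"].startswith("127."):
        # Loopback entries block a name: ad-block lists do this legitimately,
        # malware does it to cut off AV and OS update servers.
        return "blocked_name"
    return "redirected_name"


def audit_hosts(text: str) -> List[Dict]:
    """Every non-default record, with its finding label attached."""
    findings = []
    for rec in parse_hosts(text):
        label = classify(rec)
        if label is not None:
            findings.append({**rec, "finding": label})
    return findings


def stray_etc_files(filenames: List[str]) -> List[str]:
    """Files in drivers\\etc that a clean install does not have, such as a
    hosts-backup* copy left behind by a hijacker or a cleanup tool."""
    return sorted(f for f in filenames if f.lower() not in EXPECTED_ETC_FILES)


SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# --- constructed entries; names and addresses below are hypothetical ---
127.0.0.1       liveupdate.example-av.test
10.20.30.40     auto.search.example.net
10.20.30.40     www.google.com  www.yahoo.com
10.20.30.40     www.example-shop.test
"""

SAMPLE_ETC_LISTING = ["hosts", "hosts-backup20060311", "lmhosts.sam",
                      "networks", "protocol", "services"]

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}: {f['ip']:<15} {f['name']:<28} {f['finding']}")
    print("unexpected files in drivers\\etc:", stray_etc_files(SAMPLE_ETC_LISTING))
```

Run it as-is to see the sample findings; on a real box, feed it the text of %SystemRoot%\system32\drivers\etc\hosts and a listing of that directory instead of the samples. Marking the file read-only, as the poster did, stops casual edits but not a process running as Administrator, which can clear the attribute and rewrite the file.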

#10 mdina
    New Member
  • Authentic Member
  • 15 posts

Posted 18 March 2006 - 10:29 AM

I fixed the URLSearchHook, rebooted, now HT log does not show this problem any more. Yet, the search redirection still occurs.



#11 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 18 March 2006 - 10:33 AM

That is weird :scratch:

Lets try this then:
If you download and double-click this small app, it will restore all the default search functions for IE.

http://www.spywarein...tools/IEFIX.reg

Save it to your desktop.

Right click on the file IEFIX.reg and select Merge.



#12 mdina
    New Member
  • Authentic Member
  • 15 posts

Posted 18 March 2006 - 02:05 PM

The problem persists.

Interestingly, this bug behaves as if it is indeed a search assistant, not as if it is trying to divert me to totally irrelevant sites. For instance, I google for "spyware". The first hit that pops up is lawasoftusa.com. If I click on it I am redirected to "http://www.stopzilla...dre=&cid=1004". If I click it again, I end up on the same page but with URL "http://www.stopzilla...&dre=&cid=1005" (note the last number). If I click the third time, I come to the lavasoft site.
I repeat the search, and click again the lavasoft hit. Now I find myself at "http://www.cyber-def...fl=mygeek_001". Second time, I end up at "http://www.spywareva...ch/index.html". Third time, no redirection.

I search for another term - "cruise". The first hit is "www.carnival.com/". Click there, go to "http://www.cruisedealership.com/" instead. Click again, "http://cheapicruise.com/".

Search for Canon. Here comes www.canon.com/. Click - "http://www.cameras2c...rce=looksmart". Click again - http://www.mlkstudios.com/ (a photography school website). Third time - I am at Canon's home!

It looks like some dumbass is intercepting my Google clicks and sends me instead to some other innocent site that this virtual idiot believes is more helpful to me! This whole story is the most bizarre thing I've ever seen, and I've seen a lot!
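The pattern the post above describes (a click on one result lands on an unrelated site, with a different landing URL and a changing affiliate parameter each time, and only the first two clicks per result affected) is something a proxy log or browser-history export lets you check mechanically. The following Python is an added example, not the thread's tooling: it takes navigation records of the form referer/clicked/landed, keeps only clicks made from a search results page, and reports those that end on a different registrable domain together with the query parameters on the landing URL, then lays out the per-site sequence of diverted and clean clicks. All URLs in the sample records are constructed, and the set of search-engine hosts is an assumption.

```python
"""Spot search-result clicks that land on a different site than the one clicked.

Added example for this thread, not the thread's own tooling. The navigation
records below are constructed to mimic what the poster describes (the first
two clicks on a result diverted, the third passing through); every URL in
them is hypothetical, and the list of search engines is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Hosts whose /search pages we treat as result pages (assumed list).
SEARCH_ENGINES = {"www.google.com", "search.yahoo.com", "search.msn.com"}


def registrable_domain(host: str) -> str:
    """Collapse www.canon.test and canon.test to canon.test.

    Assumption: the last two labels name the site. That is wrong for
    co.uk-style suffixes; real tooling should use the public suffix list.
    """
    return ".".join(host.lower().split(".")[-2:])


def is_results_page(url: str) -> bool:
    parts = urlsplit(url)
    return (parts.hostname or "") in SEARCH_ENGINES and parts.path.startswith("/search")


def search_term(url: str) -> str:
    """Google and MSN carry the term in q=, Yahoo in p=."""
    query = parse_qs(urlsplit(url).query)
    return (query.get("q") or query.get("p") or [""])[0]


def _sites(rec: Dict) -> Tuple[str, str]:
    clicked = registrable_domain(urlsplit(rec["clicked"]).hostname or "")
    landed = registrable_domain(urlsplit(rec["landed"]).hostname or "")
    return clicked, landed


def find_hijacked(records: List[Dict]) -> List[Dict]:
    """Clicks made from a results page whose final URL is on another site.

    The landing page's query string is kept: affiliate tags such as cid= or
    source= are what a redirect racket is paid on, and they identify it.
    """
    findings = []
    for rec in records:
        if not is_results_page(rec["referer"]):
            continue
        clicked, landed = _sites(rec)
        if clicked == landed:
            continue  # on-site redirect, e.g. canon.test -> www.canon.test
        tags = {k: v[0] for k, v in parse_qs(urlsplit(rec["landed"]).query).items()}
        findings.append({"term": search_term(rec["referer"]),
                         "clicked": clicked, "landed": landed, "tags": tags})
    return findings


def click_pattern(records: List[Dict]) -> Dict[str, List[bool]]:
    """Per clicked site, in order: was each results-page click diverted?

    Exposes the 'two diverted, then one clean' cadence the poster describes,
    which a plain count of diverted clicks would hide.
    """
    pattern = defaultdict(list)
    for rec in records:
        if not is_results_page(rec["referer"]):
            continue
        clicked, landed = _sites(rec)
        pattern[clicked].append(clicked != landed)
    return dict(pattern)


# Constructed records: referer = results page, clicked = link the user chose,
# landed = where the browser ended up after all redirects.
SAMPLE_NAVIGATION = [
    {"referer": "http://www.google.com/search?q=spyware",
     "clicked": "http://www.lavasoft-example.test/",
     "landed": "http://www.antispy-example.test/land.php?src=affil&cid=1004"},
    {"referer": "http://www.google.com/search?q=spyware",
     "clicked": "http://www.lavasoft-example.test/",
     "landed": "http://www.antispy-example.test/land.php?src=affil&cid=1005"},
    {"referer": "http://www.google.com/search?q=spyware",
     "clicked": "http://www.lavasoft-example.test/",
     "landed": "http://www.lavasoft-example.test/"},
    {"referer": "http://search.yahoo.com/search?p=cruise",
     "clicked": "http://www.cruise-line.test/",
     "landed": "http://www.cruise-deals.test/?source=looksmart-example"},
    {"referer": "http://www.cruise-line.test/",          # not from a results page
     "clicked": "http://www.cruise-line.test/deals",
     "landed": "http://www.cruise-line.test/deals"},
    {"referer": "http://www.google.com/search?q=canon",   # same site, canonicalised
     "clicked": "http://canon.test/",
     "landed": "http://www.canon.test/home"},
]

if __name__ == "__main__":
    for f in find_hijacked(SAMPLE_NAVIGATION):
        print(f"'{f['term']}': {f['clicked']} -> {f['landed']}  tags={f['tags']}")
    print(click_pattern(SAMPLE_NAVIGATION))
```

Because it keys on the referer, the check only sees clicks that really came from a results page, which is why the direct visit to the cruise site in the sample is ignored and why a same-site canonicalisation redirect is not reported. The incrementing cid values in the first two findings are the kind of detail worth recording: they tie the redirects to one affiliate account even when the landing sites differ.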

#13 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 18 March 2006 - 03:06 PM

Just for the heck of it, try using Yahoo search and see if the same thing happens.



#14 mdina
    New Member
  • Authentic Member
  • 15 posts

Posted 18 March 2006 - 03:56 PM

It does happen in yahoo and msn searches, but does not happen in altavista. Neither does it happen if I use http://images.google.com to search images.

#15 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 18 March 2006 - 04:27 PM

Sorry I don't know what is causing that. I'll let you know if I find a fix for it.

