I've exercised a number of cleaners, concentrating mostly on Trend-Micro
tools. But no matter what I do, I cannot seem to detect or correct this
behavior.

Here's what is happening:
I perform a search using a well-known search engine. The results page is
returned. I click the hyper-link of the result I'm interested in, and ...
the address bar goes through a few quick changes (barely visible they occur
so quickly), and I end up on a web page that is an ad of some sort; but
definitely not the URL that was associated with my original search result.

There is other 'suspicious' behavior on my PC as well; but for sake of
simplicity I thought I'd try to confine my question to this one item.

Any help with regard to this specific type of behavior is appreciated.

From: "./dz" <./dz@discussions.microsoft.com>

| I've exercised a number of cleaners, concentrating mostly on Trend-Micro
| tools. But no matter what I do, I cannot seem to detect or correct this
| behavior.
|
| Here's what is happening:
| I perform a search using a well-known search engine. The results page is
| returned. I click the hyper-link of the result I'm interested in, and ...
| the address bar goes through a few quick changes (barely visible they occur
| so quickly), and I end up on a web page that is an ad of some sort; but
| definitely not the URL that was associated with my original search result.
|
| There is other 'suspicious' behavior on my PC as well; but for sake of
| simplicity I thought I'd try to confine my question to this one item.
|
| Any help with regard to this specific type of behavior is appreciated.

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

BHODemon
http://www.definitivesolutions.com/bhodemon.htm


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Thank you David. I think I've received advice from you before on some
entirely different threads, in an entirely different community, and they've
always been very useful. I wasn't able to 'discover' within the limits of my
patience how to 'rate' your reply, but when I find out how to, I shall do so.
In the meantime, this comment will have to suffice. Thanks again.
../dz

"David H. Lipman" wrote:

> From: "./dz" <./dz@discussions.microsoft.com>
>
> | I've exercised a number of cleaners, concentrating mostly on Trend-Micro
> | tools. But no matter what I do, I cannot seem to detect or correct this
> | behavior.
> |
> | Here's what is happening:
> | I perform a search using a well-known search engine. The results page is
> | returned. I click the hyper-link of the result I'm interested in, and ...
> | the address bar goes through a few quick changes (barely visible they occur
> | so quickly), and I end up on a web page that is an ad of some sort; but
> | definitely not the URL that was associated with my original search result.
> |
> | There is other 'suspicious' behavior on my PC as well; but for sake of
> | simplicity I thought I'd try to confine my question to this one item.
> |
> | Any help with regard to this specific type of behavior is appreciated.
>
> Please download, install and update the following software...
>
> Ad-aware SE v1.06
> http://www.lavasoft.de/
> http://www.lavasoftusa.com/
>
> SpyBot Search and Destroy v1.4
> http://security.kolla.de/
>
> After the software is updated, I suggest scanning the system in Safe Mode.
>
> I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
> that may be on the PC.
>
> BHODemon
> http://www.definitivesolutions.com/bhodemon.htm
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

From: "./dz" <dz@discussions.microsoft.com>

| Thank you David. I think I've received advice from you before on some
| entirely different threads, in an entirely different community, and they've
| always been very useful. I wasn't able to 'discover' within the limits of my
| patience how to 'rate' your reply, but when I find out how to, I shall do so.
| In the meantime, this comment will have to suffice. Thanks again.
| ./dz


I don't ask that you "rate" my advice.
Just PLEASE follow it !

The combination of the three free applications I provided you are very effective, together,
in removing *many* forms of adware/spyware types of malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Dave:
I downloaded all (3) of the utilities. I ran the lavasoft utility many,
many times. The first time it showed evidence of some 'CoolWeb' variants and
some other stuff -- all of which were removed. Subsequent runs have turned
up no more of that stuff.

I then ran SpyBot S&D 1.4 and it found absolutely nothing (I did get the
most recent updates before running it).

I then ran the BHODemon and it found only (4) things; all of which are
marked as benign (e.g., AcroIEHelper.dll, SDHelper.dll, and a couple of
SpywareDoctor references that it is tagged as 'file is missing' - I'm
assuming this is a leftover from some uninstall I did of that 'tool').

So effectively, these utilities determine nothing is wrong. YET !! and this
is the annoying thing -- the Web redirection persists. I've even tried a
different search engine (I used MSN.com instead of GOOGLE) -- but when I
click the hyperlink for the result of the search, off it goes to some ad
site.

Any other ideas??? Is it possible to uninstall/re-install IE, and if so,
would that help?
(By the way, I do not have any distribution disk with IE on it, so either
it's lying around on my PC somewhere in a .cab and I don't know what I'm
looking at, or I got it off the web directly from MS at some point).

In any case, if you can help -- I'm still very interested. The really nasty
thing about this is that my kids use the computer and it has on occassion
brought up some really crude porn sites. Not only that, but even the
non-porn sites sometimes, if you're not careful, you don't realize that you
were redirected and can accidentally ask for things (which of course makes
the problem worse).
../dz

"David H. Lipman" wrote:

> From: "./dz" <dz@discussions.microsoft.com>
>
> | Thank you David. I think I've received advice from you before on some
> | entirely different threads, in an entirely different community, and they've
> | always been very useful. I wasn't able to 'discover' within the limits of my
> | patience how to 'rate' your reply, but when I find out how to, I shall do so.
> | In the meantime, this comment will have to suffice. Thanks again.
> | ./dz
>
>
> I don't ask that you "rate" my advice.
> Just PLEASE follow it !
>
> The combination of the three free applications I provided you are very effective, together,
> in removing *many* forms of adware/spyware types of malware.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

From: "./dz" <dz@discussions.microsoft.com>

| Dave:
| I downloaded all (3) of the utilities. I ran the lavasoft utility many,
| many times. The first time it showed evidence of some 'CoolWeb' variants and
| some other stuff -- all of which were removed. Subsequent runs have turned
| up no more of that stuff.
|
| I then ran SpyBot S&D 1.4 and it found absolutely nothing (I did get the
| most recent updates before running it).
|
| I then ran the BHODemon and it found only (4) things; all of which are
| marked as benign (e.g., AcroIEHelper.dll, SDHelper.dll, and a couple of
| SpywareDoctor references that it is tagged as 'file is missing' - I'm
| assuming this is a leftover from some uninstall I did of that 'tool').
|
| So effectively, these utilities determine nothing is wrong. YET !! and this
| is the annoying thing -- the Web redirection persists. I've even tried a
| different search engine (I used MSN.com instead of GOOGLE) -- but when I
| click the hyperlink for the result of the search, off it goes to some ad
| site.
|
| Any other ideas??? Is it possible to uninstall/re-install IE, and if so,
| would that help?
| (By the way, I do not have any distribution disk with IE on it, so either
| it's lying around on my PC somewhere in a .cab and I don't know what I'm
| looking at, or I got it off the web directly from MS at some point).
|
| In any case, if you can help -- I'm still very interested. The really nasty
| thing about this is that my kids use the computer and it has on occassion
| brought up some really crude porn sites. Not only that, but even the
| non-porn sites sometimes, if you're not careful, you don't realize that you
| were redirected and can accidentally ask for things (which of course makes
| the problem worse).
| ./dz
|
| "David H. Lipman" wrote:
|
>> From: "./dz" <dz@discussions.microsoft.com>
>>
|>> Thank you David. I think I've received advice from you before on some
|>> entirely different threads, in an entirely different community, and they've
|>> always been very useful. I wasn't able to 'discover' within the limits of my
|>> patience how to 'rate' your reply, but when I find out how to, I shall do so.
|>> In the meantime, this comment will have to suffice. Thanks again.
|>> ./dz


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.


C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Dave:
I know it's been a while, but I've been looking at it.

It's nearly impossible to give a complete blow-by-blow account of everything
I did, but here's an attempt ...........

I did do the things you suggested in your last response. In fact, several
times. I don't recall that any specific bad things other than tracking
cookies were found. And the behavior I described with respect to redirection
persisted anyway.

A couple of days ago, I downloaded the Microsoft Spyware thing; and it found
a couple of items (I do not know whether or not they were directly related to
the IE redirection problem or not - but the problem appeared to go away .....
for a while). But it's back.

The behavior is a little more visible however. Here's what's happening in
case you recognize this as a well-known malware hack of some sort. When I
open IE, using the icon in the quick tray, using the desktop icon, or even
from the program menu directly; it takes a while for it to appear. While it
is 'initializing', the 'wavy flag' appears in the middle of what will
eventually become the menu bar. But when don 'initializing', the menu bar is
completely blank (except for the little flag icon off to the right in its
usual spot).

The 'bar' that normally shows up immediately beneath the menu bar (and
immediately above the address bar), [the bar with the 'back', 'forward'
group; the 'search', 'favorites' group; and one other group of miscellaneous
icons] is missing entirely.

Only the address bar appears (and a blank menu bar).

But .... If I go directly to my Favorites folder in Explorer and click on
one of the shortcuts, IE comes up looking normal.

Does this behavior tell you anything that would help?

../dz

"David H. Lipman" wrote:

> From: "./dz" <dz@discussions.microsoft.com>
>
> | Dave:
> | I downloaded all (3) of the utilities. I ran the lavasoft utility many,
> | many times. The first time it showed evidence of some 'CoolWeb' variants and
> | some other stuff -- all of which were removed. Subsequent runs have turned
> | up no more of that stuff.
> |
> | I then ran SpyBot S&D 1.4 and it found absolutely nothing (I did get the
> | most recent updates before running it).
> |
> | I then ran the BHODemon and it found only (4) things; all of which are
> | marked as benign (e.g., AcroIEHelper.dll, SDHelper.dll, and a couple of
> | SpywareDoctor references that it is tagged as 'file is missing' - I'm
> | assuming this is a leftover from some uninstall I did of that 'tool').
> |
> | So effectively, these utilities determine nothing is wrong. YET !! and this
> | is the annoying thing -- the Web redirection persists. I've even tried a
> | different search engine (I used MSN.com instead of GOOGLE) -- but when I
> | click the hyperlink for the result of the search, off it goes to some ad
> | site.
> |
> | Any other ideas??? Is it possible to uninstall/re-install IE, and if so,
> | would that help?
> | (By the way, I do not have any distribution disk with IE on it, so either
> | it's lying around on my PC somewhere in a .cab and I don't know what I'm
> | looking at, or I got it off the web directly from MS at some point).
> |
> | In any case, if you can help -- I'm still very interested. The really nasty
> | thing about this is that my kids use the computer and it has on occassion
> | brought up some really crude porn sites. Not only that, but even the
> | non-porn sites sometimes, if you're not careful, you don't realize that you
> | were redirected and can accidentally ask for things (which of course makes
> | the problem worse).
> | ./dz
> |
> | "David H. Lipman" wrote:
> |
> >> From: "./dz" <dz@discussions.microsoft.com>
> >>
> |>> Thank you David. I think I've received advice from you before on some
> |>> entirely different threads, in an entirely different community, and they've
> |>> always been very useful. I wasn't able to 'discover' within the limits of my
> |>> patience how to 'rate' your reply, but when I find out how to, I shall do so.
> |>> In the meantime, this comment will have to suffice. Thanks again.
> |>> ./dz
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file. http://www.ik-cs.com/multi-av.htm
>
>
> * * * Please report back your results * * *
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

From: "./dz" <dz@discussions.microsoft.com>

| Dave:
| I know it's been a while, but I've been looking at it.
|
| It's nearly impossible to give a complete blow-by-blow account of everything
| I did, but here's an attempt ...........
|
| I did do the things you suggested in your last response. In fact, several
| times. I don't recall that any specific bad things other than tracking
| cookies were found. And the behavior I described with respect to redirection
| persisted anyway.
|
| A couple of days ago, I downloaded the Microsoft Spyware thing; and it found
| a couple of items (I do not know whether or not they were directly related to
| the IE redirection problem or not - but the problem appeared to go away .....
| for a while). But it's back.
|
| The behavior is a little more visible however. Here's what's happening in
| case you recognize this as a well-known malware hack of some sort. When I
| open IE, using the icon in the quick tray, using the desktop icon, or even
| from the program menu directly; it takes a while for it to appear. While it
| is 'initializing', the 'wavy flag' appears in the middle of what will
| eventually become the menu bar. But when don 'initializing', the menu bar is
| completely blank (except for the little flag icon off to the right in its
| usual spot).
|
| The 'bar' that normally shows up immediately beneath the menu bar (and
| immediately above the address bar), [the bar with the 'back', 'forward'
| group; the 'search', 'favorites' group; and one other group of miscellaneous
| icons] is missing entirely.
|
| Only the address bar appears (and a blank menu bar).
|
| But .... If I go directly to my Favorites folder in Explorer and click on
| one of the shortcuts, IE comes up looking normal.
|
| Does this behavior tell you anything that would help?
|
| ./dz
|
|

Download HiJack This! (HJT)
http://www.merijn.org/files/hijackthis.zip

Create a HJT Log and post the log to one of the following forums...

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
http://gladiator-antivirus.com/forum...?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/i...hp?showforum=5

{ borrowed from the alt.privacy.spyware News Group }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm