Re: Search results being redirected in ANY web browser
Here are the contents of the requested quarantine log:
2008-11-12 19:56:39 A------- 108 C:\Qoobox\Quarantine\catchme.log
2008-11-12 20:01:57 A------- 6,025 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-12 20:07:18 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-12 20:07:18 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-12 20:07:18 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
That was all that was in the log. As for your question about whether I am still getting redirected... the answer is no. This stopped after I installed a program called Malwarebytes' Anti-Malware which was recently recommended to me. It found the remains of the boot.com/resycled worm that I thought I had completely removed manually from some instructions I found online about how to manually remove it from the registry in regedit.
Ever since I ran Malwarebytes' program the links have stopped redirecting.
I just want to be sure that everything harmful has now been removed.
I am running Kaspersky Internet Security, and it seems to detect a lot of things as being "Very Dangerous"... such as things called Patchers and Staging Areas (what are those?). Those were detected on 6th November though, when I was getting web redirection trouble. I ran a full scan with Kaspersky on 6th November and it found the following issues (which I will add have not been detected on my system since):
Full Scan: completed 06/11/2008 03:15:45 (events: 12, objects: 241826, time: 00:21:50)
06/11/2008 02:52:05 Task started
06/11/2008 02:53:05 Task stopped
06/11/2008 02:53:55 Task started
06/11/2008 02:53:56 Detected: Worm.Win32.AutoRun.nuu C:\$Recycle.Bin\S-1-5-21-2649147853-2438116765-369401869-1000\$RXY1UHZ.inf
06/11/2008 02:53:56 Untreated: Worm.Win32.AutoRun.nuu C:\$Recycle.Bin\S-1-5-21-2649147853-2438116765-369401869-1000\$RXY1UHZ.inf Postponed
06/11/2008 03:06:11 Detected: Trojan.Win32.Agent.akwc C:\Users\Nat\AppData\Local\Temp\tmp208A.tmp
06/11/2008 03:06:11 Untreated: Trojan.Win32.Agent.akwc C:\Users\Nat\AppData\Local\Temp\tmp208A.tmp Postponed
06/11/2008 03:06:11 Detected: Trojan-Downloader.Win32.Agent.ahcg C:\Users\Nat\AppData\Local\Temp\tmpAACF.tmp
06/11/2008 03:06:11 Untreated: Trojan-Downloader.Win32.Agent.ahcg C:\Users\Nat\AppData\Local\Temp\tmpAACF.tmp Postponed
06/11/2008 03:15:43 Detected: Trojan.Win32.Agent.akwc C:\Users\Nat\AppData\Local\Temp\tmp208A.tmp
06/11/2008 03:15:45 Detected: Trojan-Downloader.Win32.Agent.ahcg C:\Users\Nat\AppData\Local\Temp\tmpAACF.tmp
P.S. What is the Qoobox folder? Did it install with that last program you asked me to run? You will have to tell me what files and/or folders would have installed on my C: drive from all of these programs you have been asking me to install and/or run, so that I can remove everything no longer needed when I am confirmed to be in the clear... if you don't mind. :)
Last edited by Gunsmith_Cat; 11-13-2008 at 01:20 PM.