|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
|
Topic Tools |
#1
|
|||
|
|||
Google Redirects
I frequently experience redirects when clicking on a google link. I have run various spyware/malware removal products but still encounter the problem. Pasted below is a log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 7:41:47 AM, on 4/28/2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyS ervice.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\DLP\Agent\fcags.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\DLP\Agent\fcagswd.exe C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Oracle\ora92\bin\omtsreco.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\timesync.exe C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\WINDOWS\system32\nutsrv4.exe C:\Program Files\Citrix\ICA Client\ssonsvr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\McAfee\Common Framework\udaterui.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy. exe C:\Program Files\UnHackMe\hackmon.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\OpenOffice.org 3\program\soffice.exe c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe C:\Program Files\UnHackMe\gwebupdate.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\OpenOffice.org 3\program\soffice.bin C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\msiexec.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe C:\PROGRA~1\ULTRAE~1\UEDIT32.EXE R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.worldnet.ml.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe O1 - Hosts: {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl {\f0\fswiss\fcharset0 Arial;}} O1 - Hosts: {\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\f0\fs20 127.0.0.1 localhost\par O1 - Hosts: } O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Privilege Manager Browser Helper - {0A9CDB52-EBDF-4210-9C6A-B90C2FD410AB} - C:\WINDOWS\system32\pmbho.dll O2 - BHO: Updater For Comcast Toolbar 3.5 - {164d3751-cac6-4a6d-becd-ea67df61d232} - C:\Program Files\comcasttb\auxi\comcastAu.dll O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe O4 - HKLM\..\Run: [ICA Client9.00.32649] "C:\Program Files\Citrix\ICA Client\ICAClient Config.EXE" O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy. exe" /hide O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ramwreck5\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.ml.com/ O15 - Trusted Zone: http://*.aost.ml.com O15 - Trusted Zone: http://*.corp.ml.com O15 - Trusted Zone: http://*.dats.ml.com O15 - Trusted Zone: http://*.ffsdev.ml.com O15 - Trusted Zone: http://*.mlpc.privnet.us.ml.com O15 - Trusted Zone: *.privnet.us.ml.com O15 - Trusted Zone: http://*.purchasing.ml.com O15 - Trusted Zone: *.qa.ml.com O15 - Trusted Zone: http://*.qa.ml.com O15 - Trusted Zone: http://*.somerset.ml.com O15 - Trusted Zone: http://*.tgadev.privnet.us.ml.com O15 - Trusted Zone: http://*.tgaqa.privnet.us.ml.com O15 - Trusted Zone: aost.ml.com O15 - Trusted Zone: corp.ml.com O15 - Trusted Zone: dats.ml.com O15 - Trusted Zone: ffsdev.ml.com O15 - Trusted Zone: mlpc.privnet.us.ml.com O15 - Trusted Zone: purchasing.ml.com O15 - Trusted Zone: somerset.ml.com O15 - Trusted Zone: us.ml.com O15 - Trusted Zone: worldnet.ml.com O15 - Trusted Zone: http://www.worldnet.ml.com O15 - Trusted Zone: *.motive30 O15 - Trusted Zone: *.motive40 O15 - Trusted Zone: http://*.askmerrill.com (HKLM) O15 - Trusted Zone: http://*.fundsforinstitutions.com (HKLM) O15 - Trusted Zone: *.ml.com (HKLM) O15 - Trusted Zone: http://*.mymerrill.com (HKLM) O15 - Trusted Zone: http://*.salesforce.com (HKLM) O15 - Trusted Zone: http://*.totalmerrill.com (HKLM) O15 - Trusted Zone: ml.webex.com (HKLM) O15 - Trusted IP range: 127.0.0.1 O15 - Trusted IP range: 169.242.54.68 O15 - Trusted IP range: 127.0.0.1 (HKLM) O15 - Trusted IP range: 169.242.54.68 (HKLM) O20 - Winlogon Notify: FCAGWL - fcagwl.dll (file missing) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyS ervice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\Program Files\Rational\ClearQuest\mailservice.exe O23 - Service: McAfee DLP Agent Service (McAfeeDLPAgentService) - McAfee Inc. - C:\Program Files\McAfee\DLP\Agent\fcags.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Program Files\Oracle\ora92\bin\omtsreco.exe O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\Program Files\Oracle\ora92\bin\ONRSD.EXE O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing) O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: TimeSync - Intellisoft AG, Switzerland - C:\WINDOWS\system32\timesync.exe O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe -- End of file - 13790 bytes |
#2
|
||||
|
||||
Hello David Smith,
No malware, but some odd links in your HijackThis log, like this sorta innocent one. But the redirects indicate malware, so let's take a look. To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types" To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed. Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button. If RSIT downloads/installs HijackThis be sure to agree to the install of that. Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt. RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt). You can break logs into parts and use separate posts here when replying and posting the log files, if needed. If RSIT errors during the scan, OK the message, but still check if the C:\rsit\log.txt was created. -------------- Click here and download the installer for Gmer to your desktop, then click that file to run Gmer. Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please. Note - If Gmer shows it has located infection once it's opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please. ------------- Also download Gmer's mbr.exe from here and place it on your C drive (so the file is then C:\mbr.exe). Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after each: cd\ mbr.exe -t Then type exit and press Enter to close the command window. The report created in the command window will have been saved to C:\mbr.log. Locate that and post it here please. A lot of posting, but a good comprehensive look at things there. |
Bookmarks |
«
Previous Topic
|
Next Topic
»
Topic Tools | |
|
|
Similar Topics | ||||
Topic | Topic Starter | Forum | Replies | Last Post |
Bad Imaage error with Google Redirects | tonz0phun | Malware Removal | 5 | November 11th, 2010 03:31 AM |
Google Redirects + explorer.exe and winlogon.exe infected | ksqd2010 | Malware Removal | 14 | August 24th, 2010 01:20 PM |
Google redirects links | ballrd | Malware Removal | 1 | June 27th, 2010 02:58 AM |
Firefox slow and Google redirects | dex_nc | Malware Removal | 30 | October 31st, 2009 05:36 AM |
Google Searches Redirects To Other Sites | TIMEZONEC | Malware Removal | 14 | August 21st, 2009 04:23 PM |
All times are GMT +1. The time now is 07:40 PM.