Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect, Log Included


  • This topic is locked This topic is locked
6 replies to this topic

#1 Cesar81

Cesar81

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 05 November 2007 - 08:52 AM

Hi all,
seem to have a problem with this Google redirect thing, usually sending me to the usual suspects (loans, dating and porn) but mostly I just get sent to a google search results page, even if it's for the website I'm trying to find.
I'm on Vista and the hijackthis log is the following:
(thanks in advance for any help received!)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:34:37, on 04/11/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
C:\Users\Cesar\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ppmate] C:\Program Files\PPMate\PPMate\ppmate.exe -autoplay
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14CB8B11-F05E-469D-9EF4-F7E02B86D5BF}: NameServer = 85.255.116.78,85.255.112.126
O17 - HKLM\System\CCS\Services\Tcpip\..\{5291AF49-A5C9-4154-90AC-597BAF10F533}: NameServer = 85.255.116.78,85.255.112.126
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A3C526E-CB2D-46AE-9485-C0999FFCDE33}: NameServer = 85.255.116.78,85.255.112.126
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.78 85.255.112.126
O17 - HKLM\System\CS1\Services\Tcpip\..\{14CB8B11-F05E-469D-9EF4-F7E02B86D5BF}: NameServer = 85.255.116.78,85.255.112.126
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.78 85.255.112.126
O17 - HKLM\System\CS2\Services\Tcpip\..\{14CB8B11-F05E-469D-9EF4-F7E02B86D5BF}: NameServer = 85.255.116.78,85.255.112.126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.78 85.255.112.126
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8398 bytes

BC AdBot (Login to Remove)

 


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 05 November 2007 - 12:11 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O17 - HKLM\System\CCS\Services\Tcpip\..\{14CB8B11-F05E-469D-9EF4-F7E02B86D5BF}: NameServer = 85.255.116.78,85.255.112.126
O17 - HKLM\System\CCS\Services\Tcpip\..\{5291AF49-A5C9-4154-90AC-597BAF10F533}: NameServer = 85.255.116.78,85.255.112.126
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A3C526E-CB2D-46AE-9485-C0999FFCDE33}: NameServer = 85.255.116.78,85.255.112.126
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.78 85.255.112.126
O17 - HKLM\System\CS1\Services\Tcpip\..\{14CB8B11-F05E-469D-9EF4-F7E02B86D5BF}: NameServer = 85.255.116.78,85.255.112.126
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.78 85.255.112.126
O17 - HKLM\System\CS2\Services\Tcpip\..\{14CB8B11-F05E-469D-9EF4-F7E02B86D5BF}: NameServer = 85.255.116.78,85.255.112.126


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Go to the Control Panel.
If you are using Windows XP's "Category View", select the Network and Internet Connections category. If you are in "Classic View", go to the next step .
Double click the Network Connections icon
Right click the Local Area Connection icon and select 'Properties'.
Highlight 'Internet Protocol (TCP/IP)' and click the 'Properties' button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

Go to Start | Run and type in cmd
Click OK.
This will open a command prompt window.
Copy and paste the following line into the window:

ipconfig /flushdns

Hit 'Enter'.
Exit the command window.

Please download Fixwareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe
Save it to your Desktop and run it by double clicking.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer, please do so.
Your system may take longer than usual to load; this is normal.
Once the Desktop loads save the text that will open (report.txt) and post it in your next reply.

Please include the report.txt along with a new HijackThis log in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 Cesar81

Cesar81
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 08 November 2007 - 08:25 AM

Hi there,
thanks very very much for your help!
I deleted all the lines you quoted and that immediately did the trick.. I did have trouble with the command line part and the fixwareout, niether of those steps were completed but nonetheless my redirect problem has gone so I guess that's only a good thing?
thanks again for your help
andy

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 08 November 2007 - 11:25 AM

What do you mean that neither of the other two mentioned steps were completed? Did you have a problem with them?

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 Cesar81

Cesar81
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 11 November 2007 - 11:20 AM

yup neither worked :thumbsup: the command prompt said i'd done something wrong and the fixwareout simply didn't work! it said "unsupported windows version" and switched off

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 11 November 2007 - 12:30 PM

Don't worry about it; can I just have a new HijackThis log?

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 07 December 2007 - 03:06 PM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users