Google Redirect Problem...


  • This topic is locked
47 replies to this topic

#1 hoffja

Posted 23 August 2009 - 03:21 PM

Hey there,

I have been trying to fix this issue of the google redirect problem for about a month now and I can not seem to get rid of it. It seems to be hidden somewhere that Spybot S&D, Malwarebytes, AVG, etc...can not find.

Is there anyone that will be able to help me with this issue? I will do anything that you guys ask me to in ridding the problem :thumbsup:

I am using Windows XP operating system and this redirecting problem is within Firefox.

Thanks,

Jason

Edited by hoffja, 23 August 2009 - 05:36 PM.




#2 Guest_The weatherman_*

Posted 23 August 2009 - 04:29 PM

Moved from HJT to a more appropriate forum. Tw

#3 hoffja

Posted 25 August 2009 - 10:06 PM

I am still awaiting a reply and my computer still has problems! :thumbsup:

#4 Straythe

Posted 25 August 2009 - 11:10 PM

Just another member here... does Malwarebytes get stalled, or does it scan and give a clean report?
***"When you surround an enemy, leave an outlet free [...] to make him believe there is a road to safety, and thus prevent his fighting with the courage of despair." Sun Tzu ***

#5 DaChew

Posted 25 August 2009 - 11:23 PM

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Chewy

No. Try not. Do... or do not. There is no try.

#6 hoffja

Posted 26 August 2009 - 08:59 AM

Malwarebytes completes its scan and if it finds something it is removed without fixing the problem (the first time I scanned), or it scans and finds nothing (more recently).

Here is the log from gooredfix.

GooredFix by jpshortstuff (12.07.09)
Log created at 08:57 on 26/08/2009 (Nicole)
Firefox version 3.0.13 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:19 21/05/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [19:35 23/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [20:08 17/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [19:35 23/08/2009]

-=E.O.F=-

Thanks,

Jason

Edited by hoffja, 26 August 2009 - 10:47 PM.


#7 hoffja

Posted 26 August 2009 - 10:48 PM

Awaiting further instructions :thumbsup:

#8 DaChew

Posted 26 August 2009 - 10:59 PM

"Malwarebytes completes its scan and if it finds something it is removed without fixing the problem"


post that log please

and get a log from processexplorer

Please download and run Processexplorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply
Chewy


#9 hoffja

Posted 26 August 2009 - 11:23 PM

I am trying to unzip the Process Explorer application and my "zipgenius" is telling me it is unable to process the application to a file location.

Here is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.40
Database version: 2636
Windows 5.1.2600 Service Pack 3

8/16/2009 9:59:14 PM
mbam-log-2009-08-16 (21-59-14).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 176344
Time elapsed: 1 hour(s), 26 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 26
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 35


I have two other scans on log that do not have any infections found.

Thanks!

Jason

Edited by hoffja, 26 August 2009 - 11:31 PM.


#10 DaChew

Posted 26 August 2009 - 11:33 PM

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx
Chewy


#11 DaChew

Posted 26 August 2009 - 11:35 PM

Or just save the full exe

http://live.sysinternals.com/procexp.exe
Chewy


#12 hoffja

Posted 26 August 2009 - 11:37 PM

I am still getting the same error when trying to unzip the file:

"Unable to write to C:\Documents and Settings\Nicole\Application Data\ZipGenius\mainhst.zgh."

I click "Okay" and it proceeds to open ZipGenius.

#13 hoffja

Posted 26 August 2009 - 11:39 PM

Here's the Process Explorer log:

Process PID CPU Description Company Name
System Idle Process 0 92.42
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 732 Windows NT Session Manager Microsoft Corporation
csrss.exe 804 Client Server Runtime Process Microsoft Corporation
winlogon.exe 828 Windows NT Logon Application Microsoft Corporation
services.exe 872 3.03 Services and Controller app Microsoft Corporation
svchost.exe 1052 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1108 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1356 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1440 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1808 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 216 Spooler SubSystem App Microsoft Corporation
svchost.exe 308 Generic Host Process for Win32 Services Microsoft Corporation
mainserv.exe 340 Battery backup management service American Power Conversion Corporation
avgwdsvc.exe 400 AVG Watchdog Service AVG Technologies CZ, s.r.o.
avgrsx.exe 412 AVG Resident Shield Service AVG Technologies CZ, s.r.o.
avgnsx.exe 512 AVG Network scanner Service AVG Technologies CZ, s.r.o.
defwatch.exe 416 Virus Definition Daemon Symantec Corporation
jqs.exe 456 Java™ Quick Starter Service Sun Microsystems, Inc.
SeaPort.exe 888 Microsoft SeaPort Search Enhancement Broker Microsoft Corporation
svchost.exe 1256 Generic Host Process for Win32 Services Microsoft Corporation
WLService.exe 1376 WLService GEMTEKS
WUSB54Gv42.exe 1508 Linksys
symwsc.exe 1572 Norton Security Center Service Symantec Corporation
alg.exe 2864 Application Layer Gateway Service Microsoft Corporation
svchost.exe 2152 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 884 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 696 1.52 Windows Explorer Microsoft Corporation
hkcmd.exe 2072 hkcmd Module Intel Corporation
avgtray.exe 2212 AVG Tray Monitor AVG Technologies CZ, s.r.o.
vptray.exe 2220 Norton AntiVirus Symantec Corporation
jusched.exe 2228 Java™ Platform SE binary Sun Microsystems, Inc.
TeaTimer.exe 2380 System settings protector Safer-Networking Ltd.
DLG.exe 2888 Digital Line Detection BVRP Software
firefox.exe 2876 3.03 Firefox Mozilla Corporation
procexp.exe 3564 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
apcsystray.exe 3116 PowerChute system tray power icon American Power Conversion Corporation

Edited by hoffja, 26 August 2009 - 11:42 PM.


#14 DaChew

Posted 26 August 2009 - 11:42 PM

Under file and save as, create a log and post here

copy and paste into a reply
Chewy


#15 hoffja

Posted 26 August 2009 - 11:44 PM

Sorry I reread your previous post and figured it out and edited my previous post :thumbsup: I'll read things more thoroughly now.



