Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirecting


  • This topic is locked This topic is locked
2 replies to this topic

#1 onefifty

onefifty

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:01 AM

Posted 28 November 2009 - 02:04 PM

I am having the same problem. I click on valid google links, yet I am redirected to random websites, and occasionally sites will open on their own. Here is my Hijackthis log. I have tried everything, from Malwarebytes, Superantispyware, TFC, Vundo, and nothing works.... HELP!!!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:20 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:Program FilesSymantec AntiVirusDefWatch.exe
C:Program FilesMalwarebytes' Anti-Malwarembamservice.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesSymantec AntiVirusRtvscan.exe
C:Program FilesApointApoint.exe
C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
C:Program FilesSonyHotKey UtilityHKserv.exe
C:Program FilesQuickTimeqttask.exe
C:WINDOWSSystem32ezSP_Px.exe
C:program filessupport.comclientbintgcmd.exe
C:Program FilesCommon FilesSymantec SharedccApp.exe
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:Program FilesSonyHotKey UtilityHKWnd.exe
C:Program FilesHewlett-PackardToolbox2.0Apache Tomcat 4.0webappsToolboxStatusClientStatusClient.exe
C:Program FilesApointApntex.exe
C:Program FilesMalwarebytes' Anti-Malwarembamgui.exe
C:WINDOWSsystem32ctfmon.exe
C:Documents and SettingsMadisonApplication DataSanDiskSansa UpdaterSansaDispatch.exe
C:Program FilesHewlett-PackardToolbox2.0JavasoftJRE1.3.1binjavaw.exe
C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
C:Program FilesPowerPanelProgramPcfMgr.exe
C:Documents and SettingsMadisonLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsMadisonLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsMadisonLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsMadisonLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsMadisonLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
C:Program FilesMozilla Firefoxfirefox.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://google.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecure2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecure2009.com
O1 - Hosts: 91.212.127.227 www.winsecure2009.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:PROGRA~1MI1933~1Office12GRA8E1~1.DLL
O4 - HKLM..Run: [Apoint] C:Program FilesApointApoint.exe
O4 - HKLM..Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM..Run: [ATIPTA] C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
O4 - HKLM..Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM..Run: [HKSERV.EXE] C:Program FilesSonyHotKey UtilityHKserv.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [ezShieldProtector for Px] C:WINDOWSSystem32ezSP_Px.exe
O4 - HKLM..Run: [VAIOSurvey] c:program filessonyvaio surveysurveysa.exe
O4 - HKLM..Run: [ZTgServerSwitch] "c:program filessupport.comclientbintgcmd.exe" /server
O4 - HKLM..Run: [VAIO Recovery] C:WindowsSonysysVAIO RecoveryPartSeal.000
O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 - HKLM..Run: [GrooveMonitor] "C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"
O4 - HKLM..Run: [StatusClient] C:Program FilesHewlett-PackardToolbox2.0Apache Tomcat 4.0webappsToolboxStatusClientStatusClient.exe /auto
O4 - HKLM..Run: [TomcatStartup] C:Program FilesHewlett-PackardToolbox2.0hpbpsttp.exe
O4 - HKLM..Run: [Malwarebytes Anti-Malware (reboot)] "C:Program FilesMalwarebytes' Anti-Malwarembam.exe" /runcleanupscript
O4 - HKLM..Run: [Malwarebytes' Anti-Malware] "C:Program FilesMalwarebytes' Anti-Malwarembamgui.exe" /starttray
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [Adobe ARM] "C:Program FilesCommon FilesAdobeARM1.0AdobeARM.exe"
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [SansaDispatch] C:Documents and SettingsMadisonApplication DataSanDiskSansa UpdaterSansaDispatch.exe
O4 - HKCU..Run: [Google Update] "C:Documents and SettingsMadisonLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" /c
O4 - HKCU..Run: [SUPERAntiSpyware] C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:Program FilesMicrosoft OfficeOffice12ONENOTEM.EXE
O4 - Global Startup: Billminder.lnk = C:Program FilesQuickenbillmind.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:Program FilesQuickenbagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:Program FilesQuickenQWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MI1933~1Office12EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MI1933~1Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MI1933~1Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MI1933~1Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254768655034
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLMSystemCCSServicesTcpip..{33059536-701E-491A-B0E5-879C9EBDBB47}: NameServer = 66.28.0.45,66.28.0.61
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:PROGRA~1MI1933~1Office12GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:Program FilesSUPERAntiSpywareSASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:WINDOWSSystem32Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:Program FilesSymantec AntiVirusDefWatch.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:Program FilesMalwarebytes' Anti-Malwarembamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:Program FilesSymantec AntiVirusSavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedSNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:PROGRA~1COMMON~1SONYSH~1AVLibSptisrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:Program FilesSymantec AntiVirusRtvscan.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:Program FilesSonyVAIO Media Integrated ServerMusicSSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:Program FilesSonyVAIO Media Integrated ServerPlatformSV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:Program FilesSonyVAIO Media Integrated ServerPlatformUPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:Program FilesSonyVAIO Media Integrated ServerPhotoappsrvPhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:Program FilesSonyVAIO Media Integrated ServerPlatformSV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:Program FilesSonyVAIO Media Integrated ServerPlatformUPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:Program FilesSonyVAIO Media Integrated ServerVideoGPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:Program FilesSonyVAIO Media Integrated ServerPlatformSV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:Program FilesSonyVAIO Media Integrated ServerPlatformUPnPFramework.exe

--
End of file - 10467 bytes

Oh, I forgot to mention that one of the URLs that I see when the browser is hijacked is "directrdr.com" . I have also posted below the Malwarebytes log after a scan a few days ago. The Hijackthis log posted above is AFTER this scan and removal of the infected items. I am still having the same problems however. I am just posting this to help figure out what irus this is and how I can fix it.
Malwarebytes' Anti-Malware 1.41
Database version: 3130
Windows 5.1.2600 Service Pack 3

11/8/2009 4:03:51 PM
mbam-log-2009-11-08 (16-03-51).txt

Scan type: Quick Scan
Objects scanned: 101640
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:WINDOWSsystem32iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTCLSID{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREAvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRuntjraqfio (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRuntjraqfio (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerNoFind (Hijack.Find) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:WINDOWSsystem32iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:Documents and SettingsMadisonLocal SettingsApplication Datamrwfwpvybksysguard.exe (Trojan.FakeAlert.N) -> Delete on reboot.

Merged posts. ~ OB

Edited by Orange Blossom, 01 December 2009 - 10:04 PM.


BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:01 PM

Posted 03 December 2009 - 04:16 AM

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
Download GMER here by clicking download exe -button and then saving it your desktop:
  • Double-click .exe that you downloaded
  • Click rootkit-tab and then scan.
  • Don't check
    Show All
    box while scanning in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:01 PM

Posted 09 December 2009 - 03:49 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users