Google Redirect Problem


This topic is locked. 2 replies to this topic.

#1 Il Koreano


Posted 04 May 2010 - 02:07 PM

Hello, everybody!
My name is Andrea, and I'm from Italy.

Like others, I have the Google Redirect virus on my PC.

Here's the log from HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21.06.46, on 04/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\File comuni\ArcSoft\Connection Service\Bin\ACService.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\Application Updater\ApplicationUpdater.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Programmi\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Programmi\Cyberlink\Shared Files\brs.exe
C:\Programmi\File comuni\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\MSI\ArcSoft TotalMedia\TMMonitor.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programmi\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programmi\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmi\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Programmi\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
O2 - BHO: (no name) - {D509DD0D-DB6F-3E51-9E5D-F75986ABE897} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programmi\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programmi\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - (no file)
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Programmi\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl9] C:\Programmi\CyberLink\PowerDVD9\PDVD9Serv.exe
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] C:\Programmi\CyberLink\PowerDVD9\Language\Language.exe
O4 - HKLM\..\Run: [BDRegion] C:\Programmi\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Programmi\File comuni\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SearchSettings] C:\Programmi\pdfforge Toolbar\SearchSettings.exe
O4 - HKLM\..\Run: [HitmanPro35] "C:\Programmi\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programmi\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SB4.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: TMMonitor.lnk = C:\Programmi\MSI\ArcSoft TotalMedia\TMMonitor.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Impostazioni di Google Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - C:\Programmi\File comuni\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Programmi\Application Updater\ApplicationUpdater.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c949076fc15ff4) (gupdate1c949076fc15ff4) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: SageTV - Unknown owner - C:\Programmi\SageTV\SageTV\SageTVService.exe (file missing)
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 11562 bytes

Thanks to everyone!!!

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

For more info, here's the GooredFix log.

Log created at 23:47 on 04/05/2010 (Il Koreano)
Firefox version 3.6.3 (it)

========== GooredScan ==========


========== GooredLog ==========

C:\Programmi\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:00 15/11/2008]
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} [16:38 08/01/2009]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [17:49 08/01/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [00:38 04/04/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Programmi\Java\jre6\lib\deploy\jqs\ff" [17:49 08/01/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [08:34 25/08/2009]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Programmi\Google\Google Gears\Firefox" [11:10 06/03/2010]

---------- Old Logs ----------
GooredFix[15.59.39_04-05-2010].txt
GooredFix[16.02.36_04-05-2010].txt
GooredFix[16.03.28_04-05-2010].txt

-=E.O.F=-

Edited by Budapest, 04 May 2010 - 04:57 PM.
Posts merged ~BP
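As an added example (not part of the original thread or of HijackThis itself), a small Python parser for the three-field entry types in a log like the one above (R3 URLSearchHook, O2 BHO, O3 Toolbar, O23 Service). It pulls out name, CLSID or vendor, and path, and flags the items a helper typically reads first: entries with no backing file, services whose binary is missing, and unnamed COM objects that are actually loaded. The sample lines are constructed to match the posted log's format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt with the same line formats as the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programmi\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - (no file)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: SageTV - Unknown owner - C:\Programmi\SageTV\SageTV\SageTVService.exe (file missing)
"""

# Three-field lines: "<section> - <kind>: <name> - <clsid or vendor> - <path>"
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")

@dataclass
class Entry:
    section: str           # "R3", "O2", "O3", "O23"
    kind: str              # "URLSearchHook", "BHO", "Toolbar", "Service"
    name: str
    path: str
    clsid: Optional[str]   # {GUID} for COM entries (R3/O2/O3)
    vendor: Optional[str]  # vendor string for O23 services

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    parts = m.group("rest").split(" - ") if m else []
    if len(parts) < 3:
        return None  # O4/R0/R1 lines have a different shape and are skipped
    name, middle, path = parts[0], parts[1], " - ".join(parts[2:])
    clsid = middle if middle.startswith("{") else None
    return Entry(m.group("section"), m.group("kind"), name, path, clsid, None if clsid else middle)

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def review(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(section, identifier, reason) for the entries a helper looks at first."""
    findings = []
    for e in entries:
        ident = e.clsid or e.name
        if e.path == "(no file)":
            findings.append((e.section, ident, "orphaned registry entry, no file on disk"))
        elif e.path.endswith("(file missing)"):
            findings.append((e.section, ident, "registered binary is missing"))
        elif e.name == "(no name)":
            findings.append((e.section, ident, "unnamed " + e.kind + " loaded from " + e.path))
    return findings
```

Orphaned "(no file)" entries are leftovers rather than active code; the unnamed hook that does point at a DLL is the kind of line worth checking against the file on disk.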



#2 m0le


Posted 06 May 2010 - 08:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 m0le


Posted 11 May 2010 - 06:15 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



