Another Google Hijack/Redirect


This topic is locked
2 replies to this topic

#1 Adam213

  • Members
  • 2 posts

Posted 16 October 2010 - 09:22 PM

Hi all,

I see others have posted recently with Google hijack/redirect problems. It must be going around, because I have a similar problem.

I have a Dell Vostro 1500 running Windows XP. I use Firefox for web browsing. When I search Google, I get my results as normal. However, sometimes (not always) when I click one of the links that comes up in the results, I will instead be taken to another page. It seems that these pages are normally on InternetCorkboard.com, but I've also seen URLs within the guide-1.net domain and others. This has been going on for about a week or so for me.

I have run Malwarebytes a few times over the past week or so since this began. On a couple of occasions it did find some malware which I removed (restarting afterwards), but this problem persists. When I ran it today no malware was found.

Ironically, I didn't really notice any other problems until today, just as I was searching for help on this issue. Perhaps the virus/malware/whatever is smart enough to realize that, when I start searching for the domains it is redirecting me to plus words like "virus" and "malware", I am onto it, and thus wants to ramp up its efforts; I don't know. At any rate, just about 20 minutes ago I began getting error messages every time I tried to run a program, and then when I tried to shut down I got a "Blue Screen of Death" saying:

STOP! c000021a {Fatal System Error}
The Windows Logon Process System process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000)
The system has been shut down


I was able to reboot successfully. Since I'm not sure how long it will take to get a response here, I decided to try using System Restore to restore my computer to a previous date (went back about 2 1/2 - 3 weeks). Whether or not this solved the problem I do not know yet since I just did it. My guess is that it won't.

I just ran DDS AFTER doing the System Restore, and I am pasting the log below and attaching the Attach.txt as per the "Preparation Guide".

I will try to attach ark.txt in a subsequent message, but that program seems to be having some trouble when I try to run it.

Thanks in advance for any help!


DDS (Ver_10-10-10.03) - NTFSx86
Run by Adam at 22:01:32.06 on Sat 10/16/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1488 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Replay Media Catcher\FLVSrvc.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\DELL Webcam Manager\DellWMgr.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\Thunderbird-Tray\TBTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Adam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ask and Record FLV Service] "c:\program files\replay media catcher\FLVSrvc.exe" /run
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
StartupFolder: c:\docume~1\adam\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\adam\startm~1\programs\startup\epromp~1.lnk - c:\program files\eprompter\ePrompter.exe
StartupFolder: c:\docume~1\adam\startm~1\programs\startup\tb-tray.lnk - c:\program files\thunderbird-tray\TBTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232354467140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: pcehke.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
Hosts: 209.44.111.62 surety.microsoft.com
Hosts: 209.44.111.62 aware-protect.com
Hosts: 209.44.111.62 www.aware-protect.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adam\applic~1\mozilla\firefox\profiles\9k3bo90r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-19 24652]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2009-5-27 102400]
S2 gupdate1c9e99e86a78580;Google Update Service (gupdate1c9e99e86a78580);c:\program files\google\update\GoogleUpdate.exe [2009-6-10 133104]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-5-24 11520]

=============== Created Last 30 ================

2010-10-17 01:31:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-17 01:31:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 01:30:31 -------- d--h--w- c:\documents and settings\adam\Recent(2)
2010-10-13 00:21:21 -------- d-----w- c:\docume~1\adam\applic~1\Softland
2010-10-13 00:20:39 -------- d-----w- c:\program files\Softland
2010-10-13 00:15:42 -------- d-----w- c:\docume~1\adam\applic~1\PrimoPDF
2010-10-13 00:15:01 -------- d-----w- c:\program files\Nitro PDF
2010-10-08 06:03:31 -------- d-----w- c:\docume~1\adam\locals~1\applic~1\HP
2010-10-08 06:02:40 -------- d-----w- c:\program files\common files\HP
2010-10-08 05:37:50 -------- d-----w- c:\program files\common files\Hewlett-Packard
2010-10-08 05:35:48 -------- d-----w- c:\program files\HP
2010-10-07 03:57:58 0 ----a-w- c:\windows\Ixomadiruvupo.bin
2010-10-07 03:57:56 -------- d-----w- c:\docume~1\adam\locals~1\applic~1\{76E7F7E4-B149-46C7-AAD8-9D57C4865625}
2010-10-03 18:45:52 -------- d-----w- c:\program files\Free DVD Ripper

==================== Find3M ====================

2010-09-18 21:38:19 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-09-18 21:38:19 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

============= FINISH: 22:02:22.84 ===============
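As an added example (not part of the original post and not something DDS itself does), the small Python triage below reads the Hosts:, AppInit_DLLs: and SecurityProviders: lines of a DDS pseudo-HJT report like the one above and flags the entries a helper would look at first; the default-provider baseline it compares against is my assumption, not something stated on the page.

```python
import re

# Sample "Pseudo HJT Report" lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
AppInit_DLLs: pcehke.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
Hosts: 209.44.111.62 surety.microsoft.com
Hosts: 209.44.111.62 aware-protect.com
Hosts: 209.44.111.62 www.aware-protect.com
"""

# Assumed baseline of the DLLs Windows XP normally lists under SecurityProviders;
# anything not in this set gets reported for a closer look.
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")


def is_loopback(ip):
    """Blocking-style hosts entries point at loopback or the null address."""
    return ip.startswith("127.") or ip in ("::1", "0.0.0.0")


def triage_dds(text):
    """Return (category, detail) findings from a DDS pseudo-HJT block."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # A real domain mapped to a non-loopback address is a name hijack,
            # not an ad/tracker block.
            if not is_loopback(ip):
                findings.append(("hosts_redirect", f"{host} -> {ip}"))
        elif line.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every user32-linked process; a clean
            # XP box normally has it empty, so any entry is worth a look.
            for dll in re.split(r"[,\s]+", line.split(":", 1)[1]):
                if dll:
                    findings.append(("appinit_dll", dll))
        elif line.startswith("SecurityProviders:"):
            for dll in re.split(r"[,\s]+", line.split(":", 1)[1]):
                if dll and dll.lower() not in KNOWN_SECURITY_PROVIDERS:
                    findings.append(("unknown_security_provider", dll))
    return findings


if __name__ == "__main__":
    for category, detail in triage_dds(SAMPLE_DDS):
        print(category, detail)
```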

#2 Adam213

  • Topic Starter
  • Members
  • 2 posts

Posted 18 October 2010 - 02:01 AM

I started this thread yesterday. I have since decided to back up my files and reformat with a fresh install of Windows. I like to do this occasionally just to keep things running smoothly, and I'm about due for one anyway, so I decided that this is a good time.

Mods: Please close this thread so that no one wastes any time with it.

Thank you.

#3 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts

Posted 18 October 2010 - 04:19 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
