Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google searches keep being redirected


  • This topic is locked This topic is locked
2 replies to this topic

#1 Dee Gee

Dee Gee

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:52 AM

Posted 02 June 2011 - 06:20 PM

Hello, first time poster & I'm lost as far as what to try next. When I click on search results in Google, I randomly get redirected to a page other than the one I wanted to be on. What at first I thought was a fluke, is happening more and more. I searched for a solution and found your site - after I got redirected somewhere else. I have run numerous scans with NOD32 & Malwarebytes, but nothing shows up. I have also run registry cleaners to no avail.

Thank you.

.
DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by You Dazz Dude!!! at 10:59:17 on 2011-06-02
.
============== Running Processes ===============
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Netdrive\ndsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\You Dazz Dude!!!\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\You Dazz Dude!!!\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\You Dazz Dude!!!\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\You Dazz Dude!!!\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\You Dazz Dude!!!\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRunOnce: [Index Washer] c:\program files\webroot\washer\WashIdx.exe "You Dazz Dude!!!"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{2EE90479-33E3-4954-8BE0-EFAE7DEB4A6E} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\you dazz dude!!!\application data\mozilla\firefox\profiles\et8uq3xz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R? avshws;Senstic PocketCam
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? DCamUSBUVT;ICM532A
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? mfeavfk;McAfee Inc. mfeavfk
R? mfebopk;McAfee Inc. mfebopk
R? mferkdk;McAfee Inc. mferkdk
R? mfesmfk;McAfee Inc. mfesmfk
R? ndfs;ndfs
R? PocketAudio;Senstic PocketAudio (WDM)
R? WinRM;Windows Remote Management (WS-Management)
R? WPC300N;Linksys Wireless Notebook Adapter WPC300N Driver
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/10/05 21:22:46]
S? ehdrv;ehdrv
S? ekrn;ESET Service
S? EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver
S? epfwtdir;epfwtdir
S? maestro;ESS Maestro Audio Driver (WDM)
S? mfehidk;McAfee Inc. mfehidk
S? ndsvc;NetDrive Service
S? TuneUp.UtilitiesSvc;TuneUp Utilities Service
S? TuneUpUtilitiesDrv;TuneUpUtilitiesDrv
S? WDHAALBA;WDHAALBAMiniPCI Winmodem
S? wwEngineSvc;Window Washer Engine
.
=============== Created Last 30 ================
.
2011-05-25 00:16:54 0 ----a-w- c:\windows\Xtivitegigusob.bin
2011-05-25 00:16:53 -------- d-----w- c:\documents and settings\you dazz dude!!!\local settings\application data\{AE6AF8DE-5C24-4992-BF01-4866D3F19766}
2011-05-25 00:14:51 -------- d-----w- c:\documents and settings\you dazz dude!!!\local settings\application data\ESET
2011-05-24 03:42:46 -------- d-----w- c:\program files\ESET
2011-05-23 20:16:10 -------- d-----w- c:\program files\Unlocker
2011-05-21 08:53:21 19 ----a-w- c:\documents and settings\you dazz dude!!!\application data\microsoft\internet explorer\quick launch\MEMORY.VBE
2011-05-19 17:43:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-12 04:08:18 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2011-05-12 03:52:44 -------- d-----w- c:\documents and settings\you dazz dude!!!\application data\Dropbox
.
==================== Find3M ====================
.
2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 11:00:23.93 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Dee Gee

Dee Gee
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:52 AM

Posted 03 June 2011 - 04:53 AM

Fixed - found the culprit/s.

2011-05-25 00:16:54 0 ----a-w- c:\windows\Xtivitegigusob.bin

^Renamed it to Xtivitegigusob.old


2011-05-25 00:16:53 -------- d-----w- c:\documents and settings\you dazz dude!!!\local settings\application data\{AE6AF8DE-5C24-4992-BF01-4866D3F19766}

^Found a script file "_cfg.js" inside subfolder "content" of folder "Chrome"; renamed it to ".old". In the same folder was overlay.xu; also renamed to ".old".

No more redirects. I deleted some leftover McAfee services listed in the DDS log; the software was deleted a while back. THANKS.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:52 AM

Posted 03 June 2011 - 04:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users