Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google keeps redirecting home screen to Trovi

  • This topic is locked This topic is locked
4 replies to this topic

#1 stbonita


  • Members
  • 3 posts
  • Local time:01:13 PM

Posted 11 October 2014 - 09:46 PM

Checking the list of programs to delete that was recommended, I also noticed Itibiti RBC and wasn't sure if that was a related issue.


Here's my dds.txt

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 6.0.2900.2180
Run by Agnes Marlar at 21:26:04 on 2014-10-11
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.2037.1361 [GMT -5:00]
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* 
============== Running Processes ================
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
============== Pseudo HJT Report ===============
uStart Page = hxxps://www.yahoo.com/?fr=hp-avast&type=odc179
uSearch Bar = hxxps://www.yahoo.com/?fr=hp-avast&type=odc179
uSearch Page = hxxps://search.yahoo.com/yhs/search?type=odc179&hspart=avast&hsimp=yhs-001&p={searchTerms}
mStart Page = hxxps://www.yahoo.com/?fr=hp-avast&type=odc179
mSearch Bar = hxxps://www.yahoo.com/?fr=hp-avast&type=odc179
mSearch Page = hxxps://search.yahoo.com/yhs/search?type=odc179&hspart=avast&hsimp=yhs-001&p={searchTerms}
uProxyOverride = <-loopback>
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
dURLSearchHooks: {D8278076-BC68-4484-9233-6E7F1628B56C} - <orphaned>
BHO: click-n-mark: {55A12443-7A54-DE91-BFD5-CDAC03527190} - c:\program files\-click-n-mark-soft\174.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120705214257.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: ChromeFrame BHO: {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - c:\program files\google\chrome frame\application\32.0.1700.107\npchrome_frame.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ImageBigBang4500] c:\program files\cyberlink\powerdvd dx\mm\usercapproduct.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRunServices: [DynamicHWCommun] c:\program files\cyberlink\powerdvd dx\mm\usercapproduct.exe
mRunServices: [WinProcUser] c:\program files\cyberlink\powerdvd dx\mm\usercapproduct.exe
dRunOnce: [SpUninstallDeleteDir] rmdir /s /q "c:\windows\system32\config\systemprofile\application data\SearchProtect"
dRunOnce: [Del93627484] cmd.exe /Q /D /c del "c:\windows\temp\86104.del"
dRunOnce: [Del215788593] cmd.exe /Q /D /c del "c:\windows\temp\0.del"
dRunOnce: [Del993389187] cmd.exe /Q /D /c del "c:\windows\temp\0.del"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\agnes marlar\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1361998743390
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - 
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://www.worldwinner.com/games/v42/tilecity/tilecity.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer =
TCP: Interfaces\{A265580C-7D5B-4894-90C9-69B312DB2685} : DHCPNameServer =
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - c:\documents and settings\agnes marlar\local settings\temp\65.tmp
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\32.0.1700.107\npchrome_frame.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\32.0.1700.107\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
============= SERVICES / DRIVERS ===============
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 464304]
R1 {4b422a53-5e7a-4d97-99eb-c01c5d49b9d6}Gt;{4b422a53-5e7a-4d97-99eb-c01c5d49b9d6}Gt;c:\windows\system32\drivers\{4b422a53-5e7a-4d97-99eb-c01c5d49b9d6}Gt.sys [2014-9-15 55096]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-6-1 89792]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-1 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-1 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-1 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-1 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-6-1 166320]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-6-1 161664]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-6-1 151912]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-6-1 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-6-1 180848]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-6-1 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-6-1 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-6-1 83856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SMUpd;Search Module Update;c:\program files\common files\goobzo\gbupdate\smu.exe /service --> c:\program files\common files\goobzo\gbupdate\smu.exe  [?]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2014-4-4 30976]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-4-4 107736]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-6-1 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-6-1 87656]
S3 SMUpdd;Search Module UpdateD;\??\c:\program files\common files\goobzo\gbupdate\smw.sys --> c:\program files\common files\goobzo\gbupdate\smw.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2014-10-11 23:36:22 -------- d-----w- C:\sfzone_profile
2014-10-11 23:11:05 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2014-10-11 22:57:41 -------- d-----w- c:\program files\Advanced Fix
2014-09-15 14:21:18 55096 ----a-w- c:\windows\system32\drivers\{4b422a53-5e7a-4d97-99eb-c01c5d49b9d6}Gt.sys
==================== Find3M  ====================
2014-10-11 23:38:47 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-06 03:02:16 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-10-06 03:02:15 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
============= FINISH: 21:26:28.03 ===============

Attached Files

BC AdBot (Login to Remove)


#2 StanFF


  • Malware Response Team
  • 1,172 posts
  • Gender:Male
  • Local time:10:13 PM

Posted 12 October 2014 - 06:36 AM

Hello stbonita,

I will be helping you in this case. Please, let me take a look at the logs you provided and I will be back with further instructions.

I want to inform you that I'm still in my training program so my posts must be reviewed by an instructor. This may lead to a slight delay in my answers.




"There isn't a person anywhere who isn't capable of doing more than he thinks he can." - Henry Ford






#3 StanFF


  • Malware Response Team
  • 1,172 posts
  • Gender:Male
  • Local time:10:13 PM

Posted 12 October 2014 - 03:16 PM

Hello stbonita,

I'm Stan and I will be helping you for this problem.

First of all I want to clear some things about the malware removal process:

  • Do not run any tools on your own. This may affect the process of removal and may cause both slowdown and additional problems.
  • Read carefully the steps that I suggest you to do. Any mismatch will prolong this case.
  • Copy any scripts carefully so they stay exactly the same with the original. Otherwise the script may not work and we will need to rerun/recreate it.
  • Feel free to copy all the steps in offline environment. They may be easier to read and follow in this way.
  • Feel free to ask any questions about the malware removal process. I'm here to help you so nothing must be hidden or misunderstood.
  • Share with me any problems/changes you experience while working with the current system.
  • Please, do not use any quotes or code boxes when you post logs.

I want to inform you that I will be able to respond in the evenings - 07:00 P.M - 11:00 P.M. (UTC + 02:00) - since I'm working during most of the daytime. If I haven't posted anything for 48 hours straight, please, feel free to send me a personal message. I will bump the topic if there is no response from you for 3 days. After 5 days of inactivity, the topic will be closed.


First, I want to ask you a couple of questions so I can get more information about the system.

  • Do the redirecting problems appear in every browser installed on the system or are they limited to a single one?
  • Have you used any specific tools before posting here for help? Information about that can give me additional light over this case.
  • Do you actively use this kind of software - http://www.imvu.com/ ?


Please, go to VirusTotal.

  • Press the Choose File button.
  • Navigate through the directories and locate the following file:
C:\Program Files\Cyberlink\PowerDVD DX\mm\usercapproduct.exe
  • Upload the file for inspection by pushing the Scan It! button. When the results are ready, please, provide a link so I can take a look at them.

Note: If you receive a window, telling you that the file has already been analyzed, please, choose Reanalyze.


Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. In your case, it should be 32-bit version.

  • Right-click FRST then click "Run as administrator".(XP users: click Run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.

Please copy and paste the log in your next reply.

Note : The first time the tool is run it generates another log - Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

In your next post, I will be waiting for:

  • Answers to my questions above.
  • Link for the results from VirusTotal scan.
  • FRST.txt
  • Addition.txt




"There isn't a person anywhere who isn't capable of doing more than he thinks he can." - Henry Ford






#4 StanFF


  • Malware Response Team
  • 1,172 posts
  • Gender:Male
  • Local time:10:13 PM

Posted 15 October 2014 - 02:50 PM

Hello stbonita,


It has been 3 days since my last post in the topic. Do you still need help? Please, consider that after 48 more hours without an answer from you, the topic will be closed.




"There isn't a person anywhere who isn't capable of doing more than he thinks he can." - Henry Ford






#5 whoabuddy


    Bleepin' Verbose

  • Malware Response Instructor
  • 2,053 posts
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:11:13 AM

Posted 18 October 2014 - 07:41 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users