BullGuard
Google Redirect Help (New Case)
   

SuperFlyBoy
New Member


Date Joined Jan 2012
Total Posts : 5
 
Posted 1/20/2012 12:49 PM (GMT +3)
Hi all,

Just today I noted that both SpyBot and the Astrill setup program (VPN proxy software) reported that IE was open and to shut it down.

I had in fact shut down my laptop right before booting up, unplugged it, taken out the battery for about 10 minutes and then restarted it when I noted this occurring.

I then saw 2 entries for IE open in Task Manager: 1 showing the home page (blank) and the other with an entry: "C:\Program Files (x86)\Internet Explorer\iexplore.exe SCODEF:9362 CREDAT:71937".

I would say that this only occurred in the past 4-7 days, as I had updated SpyBot once earlier in the week as well and done a full scan.

I have now updated SpyBot, run a full scan, but nothing has been found. I think hosts files are always inoculated by Spybot, so I would have thought I was protected.

Also running Malwarebytes now after update and nothing found.

Resident AV is ESET NOD32 64-bit for business.

Using Comodo Firewall free after ZoneAlarm's interface became too simplified.

One interesting point of note is that I was forced to use WebEx with one of SonicWall's Indian engineers in the past few days, which required the use of Internet Explorer ActiveX permissions as well as Windows permissions; could this be the problem? Comodo identified and blocked some files, such as atasinst.exe and atasctrl.dll, but the session went ahead properly. However, that does not say that something may have been allowed by my allowing that application to execute in Windows!

Downloaded the TrendMicro version of HiJackThis, v.2.0.4 (why doesn't it allow me to have an option to "Run as Administrator"?), and here are the results, after noting that it was denied access to the Hosts file, which is being appended using the Notepad instructions from the HiJackThis program. It also advised that I should Run as Admin, but there is no option when right-clicking!

Here's the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:17:05, on 20-Jan-12
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\CounterPath\X-Lite\x-lite.exe
C:\Program Files (x86)\Toshiba\TOSHIBA Wireless Manager\WirelessManager.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files (x86)\PFU\ScanSnap\CardMinder\CardLauncher.exe
C:\Program Files (x86)\network-activity-indicator\NetworkIndicator.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\United MileagePlus Shopping Assistant\UnitedMPS.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files (x86)\Infineon\Security Platform Software\PSDrt.exe
C:\Program Files (x86)\Infineon\Security Platform Software\SpTna.exe
C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files (x86)\Sharp\Sharpdesk\FTPServer.exe
C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files (x86)\Sharp\Sharpdesk\nsapp.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10x_ActiveX.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: BHOHOOK - {030AC7B6-E7EC-40F1-8FB2-C0FD344DE0B9} - C:\Program Files\TOSHIBA\TFPU\x86\TFPUPWDBankBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: ExplorerBHO Class - {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: United MileagePlus Shopping Assistant - {89867A4A-BDEE-4259-964A-B8E87C4892F3} - C:\Program Files (x86)\United MileagePlus Shopping Assistant\UnitedMPSIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Users\DNK\AppData\Roaming\Mozilla\Firefox\Profiles\vk46qwm3.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.85.dll (file missing)
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
O3 - Toolbar: United MileagePlus Shopping Assistant - {EF91116F-DE92-4286-9087-093085152182} - C:\Program Files (x86)\United MileagePlus Shopping Assistant\UnitedMPSIE.dll
O4 - HKLM\..\Run: [IFXSPMGT] "C:\Program Files (x86)\Infineon\Security Platform Software\ifxspmgt.exe" /NotifyLogon
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files (x86)\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SharpTray.exe] "C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files (x86)\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [IndexTray.exe] "C:\Program Files (x86)\Sharp\Sharpdesk\IndexTray.exe" /n
O4 - HKLM\..\Run: [ScanSnap WIA Service Checker] C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files (x86)\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [WirelessManager] C:\Program Files (x86)\Toshiba\TOSHIBA Wireless Manager\WirelessManager.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ReadyNAS Remote] C:\Program Files (x86)\NETGEAR ReadyNAS\Remote\bin\ReadyNASRemote.exe
O4 - HKCU\..\Run: [Mobile Partner] C:\Program Files (x86)\T-Mobile Wireless Pointer\T-Mobile Wireless Pointer
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: CardMinder Viewer.lnk = ?
O4 - Global Startup: Conversion to PDF with ScanSnap Organizer.lnk = ?
O4 - Global Startup: CrashPlan Tray.lnk = C:\Program Files\CrashPlan\CrashPlanTray.exe
O4 - Global Startup: NetworkIndicator.exe - Shortcut.lnk = C:\Program Files (x86)\network-activity-indicator\NetworkIndicator.exe
O4 - Global Startup: ScanSnap Manager.lnk = ?
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
O4 - Global Startup: UnitedMPS.lnk = C:\Program Files (x86)\United MileagePlus Shopping Assistant\UnitedMPS.exe
O8 - Extra context menu item: Add to Evernote 4.0 - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {64964764-1101-4bbd-8891-B56B1A53B9B3} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://systemrequirementslab.com.s3.amazonaws.com/iduu/bin/srldetect_intel.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FEHardcastle.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CBCC7E6-8496-459E-931D-206F92F02CE8}: NameServer = 10.11.230.3 10.11.230.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{79B933FD-6580-4D8F-B5E2-84B988FCC36E}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F054990-C491-4BE8-9DD9-A6D37B8D7C05}: NameServer = 192.168.200.144,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7C142CC-7506-4A08-AC98-485D6D6BEF6C}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FEHardcastle.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FEHardcastle.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: leaf - {3C4A8A13-029E-430D-B8C1-46E834D20B31} - mscoree.dll (file missing)
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Acronis Nonstop Backup Service (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: WebEx Service Host for Support Center (atashost) - Cisco WebEx LLC - C:\Windows\SysWOW64\atashost.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\ATService.exe
O23 - Service: CDMA Device Service - Unknown owner - C:\Program Files (x86)\Samsung\USB Drivers\26_VIA_driver2\amd64\VIAService.exe
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: ConfigFree Gadget Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CrashPlan Backup Service (CrashPlanService) - CrashPlan - C:\Program Files\CrashPlan\CrashPlanService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Program Files (x86)\Infineon\Security Platform Software\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Program Files (x86)\Infineon\Security Platform Software\ifxtcs.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files (x86)\personalVPN\bin\openvpnserv.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files (x86)\Infineon\Security Platform Software\IfxPsdSv.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\NEService64.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Acronis Sync Agent Service (syncagentsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - Unknown owner - C:\Windows\system32\ThpSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
O23 - Service: 3G RF Power Control Utility (TW3GSVC) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\3GUty\tw3gsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Mobile Broadband Service (WMCoreService) - Ericsson AB - C:\Program Files (x86)\TOSHIBA\Mobile Broadband Device\WMCore\mini_WMCore.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - C:\Program Files\WTouch\WTouchService.exe

--
End of file - 22048 bytes

Here's the Hosts file, having deleted most of the entries that SpyBot made (Don't think that this was affected):

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
...........
127.0.0.1 mastercard-kundensicherheit.de
# End of entries inserted by Spybot - Search & Destroy

Any help on what I should do here to eliminate the IE problem?

Thanks!

Post Edited (SuperFlyBoy) : 20-01-2012 10:32:40 GMT
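A triage pass over a HijackThis log of this size is easier scripted than done by eye. The Python below is an added example written for this page, not a BullGuard, Trend Micro or HijackThis tool. It parses the R/O-section lines, marks the orphaned `R3 - URLSearchHook ... (no file)` entry as safe to fix, puts the Winsock LSP (O10), AppInit_DLLs (O20) and unknown-owner service (O23) lines up for review, checks every O17 NameServer address against a resolver allow-list (208.67.222.222 and 208.67.220.220 are OpenDNS) plus RFC 1918 space, and, because the log shows `Program Files (x86)`, treats `(file missing)` under `C:\Windows\System32` as the 32-bit HijackThis 2.0.4 build being redirected to SysWOW64 rather than as a missing file. The guard32.dll AppInit entry matches the COMODO Internet Security service in the same log, which is why it is reported for review rather than as a finding. The sample log is a handful of lines lifted from the log above plus one constructed O17 line (the all-zero GUID, TEST-NET address 203.0.113.5) to show what a foreign resolver looks like; the allow-list is an assumption to adapt to your own network.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Resolvers you expect to see. 208.67.222.222 / 208.67.220.220 are OpenDNS;
# extend this for your own network (assumption: adapt before use).
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Lines from the log above, plus one constructed O17 line (the all-zero GUID,
# TEST-NET address) so the resolver check has something to report.
SAMPLE_LOG = r"""
Platform: Windows 7 SP1 (WinNT 6.00.3505)
Running processes:
C:\Program Files (x86)\Internet Explorer\iexplore.exe
R3 - URLSearchHook: (no name) - - (no file)
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CBCC7E6-8496-459E-931D-206F92F02CE8}: NameServer = 10.11.230.3 10.11.230.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{79B933FD-6580-4D8F-B5E2-84B988FCC36E}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files (x86)\personalVPN\bin\openvpnserv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
"""

Finding = Tuple[str, str, str]  # (severity: fix | review | info, HJT code, detail)


def _rfc1918(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries a responder should look at."""
    findings: List[Finding] = []
    # A 32-bit HijackThis on 64-bit Windows is redirected to SysWOW64 and reports
    # every native System32 service binary as "(file missing)".
    x64 = "Program Files (x86)" in log_text
    for raw in log_text.splitlines():
        m = re.match(r"^([RFO]\d+) - (.*)$", raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "R3" and body.endswith("(no file)"):
            findings.append(("fix", code, "orphaned URLSearchHook, HijackThis can remove it: " + body))
        elif code == "O10":
            findings.append(("review", code, "Winsock LSP, confirm the vendor: " + body))
        elif code == "O17" and "NameServer" in body:
            ips = [ip for ip in re.split(r"[,\s]+", body.split("=", 1)[1].strip()) if ip]
            odd = [ip for ip in ips if ip not in KNOWN_RESOLVERS and not _rfc1918(ip)]
            if odd:
                findings.append(("review", code, "unrecognised resolver(s): " + ", ".join(odd)))
        elif code == "O20":
            findings.append(("review", code, "AppInit_DLLs loads into every process, confirm the vendor: " + body))
        elif code == "O23" and body.endswith("(file missing)"):
            path = body.rsplit(" - ", 1)[-1][: -len(" (file missing)")]
            if x64 and path.lower().startswith("c:\\windows\\system32\\"):
                findings.append(("info", code, "WOW64 redirection, not a missing file: " + path))
            else:
                findings.append(("review", code, "service binary really absent: " + body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(("review", code, "no publisher in version info: " + body))
    return findings


if __name__ == "__main__":
    for severity, code, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {code}: {detail}")
```

Run it against a full log by reading the file into `triage()`; everything it reports as `review` still needs a human to confirm the vendor, which is the point of the exercise rather than a verdict.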


solomon
New Member


Date Joined Jan 2012
Total Posts : 5
 
Posted 1/26/2012 5:03 PM (GMT +3)
I found a definite solution for google redirect on my computer, at least. I got this virus 2 days ago. If I clicked on any search item found by google, I got redirected to a page showing a puma and another search engine. I did NOT use it at all. That would invite problems. I ran through a bunch of possible browser solutions, none of which worked. Malwarebytes and AVG did not find the problem. Kaspersky TDSS killer and one or two other standalone rootkit things didn't find it, but one of them found a rootkit that resolved another issue I had which was a just-in-time debugging window that kept appearing. And perhaps that rootkit also came along with the redirect - I cannot know. So I do advise using the Kaspersky program too.

I kept reading and looking at youtube for solutions all day yesterday. I examined my hosts file but it was ok, as this has been a solution in the past. By the way, one can bypass the redirect, or mine at least, by pasting the web address into the search line and going to the site that way. That was the only way I could even view these sites and look for solutions.

Today I started again. First I got rid of all cookies and cleaned out the cache and all temporary files from both my firefox and IE8 browsers. This didn't solve the problem, but my memory is hazy on that. It might have because I did something else. Next I searched on third-party browser extension and I disabled that. That might have done some good. Again, I can't know because I did a third thing, and this might be what worked. The third-party search led me to a microsoft website with a page of possible aids. One was to run sfc /scannow. This could be what solved the problem.

You go to START. Then to RUN. Then you type in sfc /scannow. (There is a space after sfc.) This will ask you to insert your original CD that installs windows. Luckily I had it. This program examines all the windows files and makes sure they are all right. It apparently replaces any ones that are corrupted or altered. The program takes 10-15 minutes to complete. (I got a window from the CD asking me what I wanted to do and I simply exited it while the program kept running underneath.)

Afterwards, I rebooted. Voila! The !!!! redirect was gone! I could not believe it, but it's gone. Where did it come from? Probably from some site with links to movie downloads, but who really knows? I suspect www.avaxhome.

This redirect virus I got seems to alter not the hosts file but the atapi.sys file which is in the system32 drivers folder. I could not open that in readable form and even if I did I would have been guessing how to fix it. I found out about atapi.sys from a google forum.

On that forum, there seemed good evidence that the atapi.sys file was being altered by this version of a redirect virus. One person solved the problem by importing a read only atapi.sys file from a clean computer. I couldn't do that, and I was reluctant to try combofix by myself and so I looked for another solution.

I do hope that using sfc /scannow or that in combination with the other easy steps I took, which were to remove all cookies, clean the cache, clean the download history, clean the form history, clean the temporary files, and disable third-party browser extension in IE.

solomon
New Member


Date Joined Jan 2012
Total Posts : 5
 
Posted 1/26/2012 8:16 PM (GMT +3)
I find now that sfc /scannow does repair all the system files and then one should reboot. See here pcsupport.about.com/od/toolsofthetrade/ht/sfc-scannow.htm

This had to be what worked for me. I hope this works for many of you

SuperFlyBoy
New Member


Date Joined Jan 2012
Total Posts : 5
 
Posted 1/27/2012 5:42 PM (GMT +3)
I did this just now, but nothing found:

C:\Windows\system32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

(I am not *actually* being redirected, but the other IE windows are opening in task manager, with coded commands...so something is monitoring/compromised in my system!)

Post Edited (SuperFlyBoy) : 27-01-2012 15:53:19 GMT


solomon
New Member


Date Joined Jan 2012
Total Posts : 5
 
Posted 1/27/2012 11:40 PM (GMT +3)
I'm no computer expert, mind you, but the web materials on that hosts file that you show suggest to me that it needs fixing up. If you can alter the hosts file, I'd eliminate all the spybot comments and insertions. I'd eliminate starting from the line

# localhost name resolution is handled within DNS itself.

all the way down.

At the bottom of the pruned file, I'd insert the one line that is needed, and that line is

127.0.0.1 localhost

There should not be a # sign in this line, as it is an instruction, not a comment.

This advice is based on reading about 5 advisories about this file and how it should look.

I opened my hosts file using notepad and altered it. But I was unable to replace the existing file, but maybe you can.
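The post above edits the hosts file by hand. For checking one the way a responder would, here is an added Python example (not from the post, and not Spybot's code). It ignores comments, treats 127.0.0.1, 0.0.0.0 and ::1 mappings as block-list sinkholes of the kind Spybot's immunisation writes, and reports any active mapping that sends a watched domain (search engines, Microsoft update hosts) or anything else to a real address, which is what a hosts-based redirect looks like. It also reports localhost being mapped to anything other than loopback; the stock Windows 7 file leaves the localhost lines commented out because the resolver handles that name itself, so their absence is not treated as a fault. The sample is the header and Spybot lines quoted earlier in the thread plus one constructed redirect line using a TEST-NET address; the watch list is an assumption to extend for your own environment.

```python
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Domains whose hosts-file mapping to a real address is a redirect indicator (assumption: extend).
WATCH_DOMAINS = {"google.com", "bing.com", "yahoo.com", "microsoft.com", "windowsupdate.com"}
# Addresses used by block lists (Spybot immunisation, ad blockers) to sink a name.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the header and Spybot lines quoted in the thread plus one
# made-up redirect line (TEST-NET address) on the last line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 mastercard-kundensicherheit.de
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7 www.google.com google.com   # constructed: what a redirect entry looks like
"""

Entry = Tuple[str, str, int]  # (ip, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return every active (ip, name, lineno) mapping; comments and junk lines are skipped."""
    entries: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing and full-line comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip_address(parts[0])
        except ValueError:
            continue  # first column is not an address, so not a mapping line
        for name in parts[1:]:  # one address may carry several names
            entries.append((parts[0], name.lower(), n))
    return entries


def _watched(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)


def audit_hosts(text: str) -> Dict[str, list]:
    """Classify each mapping: harmless sinkhole, redirect of a watched domain,
    other real mapping worth a look, or localhost pointed away from loopback."""
    report: Dict[str, list] = {"sinkholed": [], "redirected": [], "other": [], "localhost_overridden": []}
    for ip, name, n in parse_hosts(text):
        if name == "localhost":
            if not ip_address(ip).is_loopback:
                report["localhost_overridden"].append((ip, n))
        elif ip in SINKHOLES:
            report["sinkholed"].append((name, n))
        elif _watched(name):
            report["redirected"].append((ip, name, n))
        else:
            report["other"].append((ip, name, n))
    return report


if __name__ == "__main__":
    # On a real machine read C:\Windows\System32\drivers\etc\hosts instead of the sample.
    for bucket, items in audit_hosts(SAMPLE_HOSTS).items():
        print(bucket, items)
```

The three Spybot entries land in `sinkholed` and can be left alone; only the `redirected`, `other` and `localhost_overridden` buckets need action, and on this thread's hosts file all three come out empty.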

Andreea-Luciana Ostache
Forum Moderator




Date Joined Aug 2010
Total Posts : 520
 
Posted 1/31/2012 11:21 PM (GMT +3)
Please allow me to inform you that redirect infections can be written in multiple ways. You should keep in mind though that there is always a solution.

Run hijackthis and place a checkmark by this entry:

R3 - URLSearchHook: (no name) - - (no file)

Then, go to Start, type regedit in the search box and press Enter.

Go to the following folders, using the navigation pane on the left:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes

Once you have expanded the SearchScopes, select each of the folders beneath, one at a time, and check what is written on the right. If the name you find on the left is not Bing, Yahoo, Google (or another search engine you know and use), with that folder selected on the left, press Delete on your keyboard and confirm.

Lastly, make sure to reset your IE to default. (Start > type Internet Options > Enter > select the Advanced tab > press "Reset..." > check "Delete personal settings" > confirm).

Take note that multiple IE processes are normal if you are watching movies, or playing games, or if you have multiple tabs open.


Andreea-Luciana Ostache
Senior Support Technician EN
support@bullguard.com
www.bullguard.com

Download the Free Trial version of BullGuard Internet Security 12

You have a BullGuard related problem? Post your question on these forums, contact Support or contact me on Twitter!
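The moderator's registry walk can be done read-only from PowerShell before anything is deleted. The script below is an added example, not code from the thread or from BullGuard; it lists every scope under the two keys named above, resolves the host of each scope's URL, and marks scopes whose host is not in a small allow-list of known search engines. The allow-list and the extra Wow6432Node path (where 32-bit IE settings live on 64-bit Windows) are assumptions.

```powershell
# Added example (not from the thread): read-only inventory of IE SearchScopes.
# Assumptions: the known-host allow-list, and the Wow6432Node root for 64-bit systems.
$ScopeRoots = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
)
$KnownSearchHosts = @('bing.com', 'google.com', 'yahoo.com')

function Test-KnownHost {
    param([string]$HostName, [string[]]$Known)
    if (-not $HostName) { return $false }
    foreach ($k in $Known) {
        if ($HostName -eq $k -or $HostName.EndsWith(".$k")) { return $true }
    }
    return $false
}

function Get-SearchScopeAudit {
    param([string[]]$Roots = $ScopeRoots, [string[]]$Known = $KnownSearchHosts)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # DefaultScope on the parent key names the GUID of the active provider
        $rootProps = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
        $default   = ''
        if ($rootProps) { $default = [string]$rootProps.DefaultScope }

        foreach ($key in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            $props   = Get-ItemProperty -Path $key.PSPath
            $url     = [string]$props.URL
            $urlHost = ''
            try { if ($url) { $urlHost = ([uri]$url).Host } }
            catch { $urlHost = '(unparseable URL)' }

            if (-not $url)                                        { $verdict = 'no URL' }
            elseif (Test-KnownHost -HostName $urlHost -Known $Known) { $verdict = 'known' }
            else                                                  { $verdict = 'REVIEW' }

            [pscustomobject]@{
                Root        = $root
                Scope       = $key.PSChildName
                IsDefault   = ($key.PSChildName -eq $default)
                DisplayName = [string]$props.DisplayName
                Host        = $urlHost
                Verdict     = $verdict
            }
        }
    }
}

Get-SearchScopeAudit | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

A scope marked REVIEW is exactly the "name you do not recognise" the moderator describes; the DisplayName and Host columns give you what you need to decide whether it belongs to a toolbar you installed or to something else, and IsDefault tells you whether it is the one the address bar actually uses.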


SuperFlyBoy
New Member


Date Joined Jan 2012
Total Posts : 5
 
   Posted 2/1/2012 8:10 AM (GMT +3)
Andreea-Luciana Ostache said...
Please allow me to inform you that redirect infections can be written in multiple ways. You should keep in mind though that there is always a solution.

Run hijackthis and place a checkmark by this entry:

R3 - URLSearchHook: (no name) - - (no file)

Then, go to Start, type regedit in the search box and press Enter.

Go to the following folders, using the navigation pane on the left:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes

Once you have expanded the SearchScopes, select each of the folders beneath, one at a time, and check what is written on the right. If the name you find on the left is not Bing, Yahoo or Google (or another search engine you know and use), with that folder selected on the left, press Delete on your keyboard and confirm.

Lastly, make sure to reset your IE to default. (Start > type Internet Options > Enter > select the Advanced tab > press "Reset..." > check "Delete personal settings" > confirm).

Take note that multiple IE processes are normal if you are watching movies, or playing games, or if you have multiple tabs open.


Please note that this is not normal, is it? "C\Program Files (x86)\Internet Explorer\iexplore.exe SCODEF:9362 CREDAT:71937".

Could this be a result of the United Airlines search tool/program?

However, I will first try to uninstall it and post the Hijackthis log.

Thanks so much!

Post Edited (SuperFlyBoy) : 01-02-2012 07:24:51 GMT


Andreea-Luciana Ostache
Forum Moderator




Date Joined Aug 2010
Total Posts : 520
 
   Posted 2/1/2012 6:37 PM (GMT +3)
The SCODEF parameter for each tab refers to the PID of its frame process.

If you download Process Explorer from here live.sysinternals.com/procexp.exe you can expand iexplore.exe and see exactly what windows are running and if you double-click on an entry, you will see the path and command for the process.

Let me know if you have taken the other steps I advised you to take and let us know if you find anything new with Process Explorer.
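Process Explorer's tree view is the right tool here; the same relationship can be pulled from WMI in PowerShell for a quick, scriptable look. The block below is an added example, not code from the thread: for each iexplore.exe it records the parent process, parses the SCODEF: argument the moderator mentions, and checks that the PID it names really is a running iexplore.exe frame. Frames whose parent is neither explorer.exe nor iexplore.exe are flagged for review, since that is what a browser window hosted by some other program looks like. The parent allow-list is an assumption.

```powershell
# Added example (not from the thread): map iexplore.exe processes to their parent
# and to the frame PID carried in SCODEF:<pid>. Assumes the caller may query
# Win32_Process for the logged-on user's processes.
function Get-IeProcessTree {
    param([string]$Name = 'iexplore.exe')
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $_.Name -ieq $Name })) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $scodef = $null
        if ($p.CommandLine -and $p.CommandLine -match 'SCODEF:(\d+)') {
            $scodef = [int]$Matches[1]
        }
        $role = 'frame'
        if ($scodef) { $role = 'tab' }

        # Does the SCODEF value point at a live iexplore.exe (the frame the tab belongs to)?
        $frameIsIe = $null
        if ($scodef -and $byPid.ContainsKey($scodef)) { $frameIsIe = ($byPid[$scodef].Name -ieq $Name) }

        $parentName = '(exited)'
        $parentPath = ''
        if ($parent) { $parentName = $parent.Name; $parentPath = $parent.ExecutablePath }

        # Assumption: user-launched frames descend from explorer.exe or another iexplore.exe.
        # A frame with a different parent is being hosted by that other program.
        $review = ($role -eq 'frame') -and ($parentName -notin @('explorer.exe', 'iexplore.exe'))

        [pscustomobject]@{
            Pid         = $p.ProcessId
            Role        = $role
            FramePid    = $scodef
            FrameIsIe   = $frameIsIe
            ParentPid   = $p.ParentProcessId
            Parent      = $parentName
            ParentPath  = $parentPath
            Review      = $review
            CommandLine = $p.CommandLine
        }
    }
}

Get-IeProcessTree | Format-Table Pid, Role, FramePid, FrameIsIe, ParentPid, Parent, Review -AutoSize
```

A tab whose FrameIsIe is false, or a frame whose Review column is true, is the entry to double-click in Process Explorer: ParentPath then tells you which program owns the window you never opened.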


SuperFlyBoy
New Member


Date Joined Jan 2012
Total Posts : 5
 
   Posted 2/2/2012 11:32 AM (GMT +3)
Andreea-Luciana Ostache said...
Go to the following folders, using the navigation pane on the left:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes

One comes back to Bing.

Another comes back to "Web Search", http://search.freecause.com/favicon.ico - which is the search function of the United Airlines toolbar/search tool, something that is normally running on my machine, but I doubt that the SCODEF/CREDAT is due to that program.

Andreea-Luciana Ostache said...
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes

Only one, which comes back to Bing.

Take note that multiple IE processes are normal if you are watching movies, or playing games, or if you have multiple tabs open.

Currently IE is open with 2 instances, none of which I had selected or opened. I show no IE window open on my machine, yet Task Manager shows these 2 open, one of which has the SCODEF / CREDAT active.

Post Edited (SuperFlyBoy) : 02-02-2012 08:44:31 GMT


SuperFlyBoy
New Member


Date Joined Jan 2012
Total Posts : 5
 
   Posted 2/2/2012 11:43 AM (GMT +3)
Andreea-Luciana Ostache said...
The SCODEF parameter for each tab refers to the PID of its frame process.

If you download Process Explorer from here live.sysinternals.com/procexp.exe you can expand iexplore.exe and see exactly what windows are running and if you double-click on an entry, you will see the path and command for the process.

Let me know if you have taken the other steps I advised you to take and let us know if you find anything new with Process Explorer.

ProcessExplorer shows these 2 iexplore.exe instances running under the United tool, as under:

UnitedMPS.exe United MileagePlus Shopping Assistant (Billeo, Inc.)
-> iexplore.exe
-> iexplore.exe

So I gather I am not infected then...but who knows what they are monitoring!

Thanks again for your help Andreea-Luciana!

Andreea-Luciana Ostache
Forum Moderator




Date Joined Aug 2010
Total Posts : 520
 
   Posted 2/2/2012 4:23 PM (GMT +3)
I generally recommend against using toolbars, simply because they can have a multitude of security vulnerabilities that can get exploited. Make sure to keep your Antivirus up to date!

You are most welcome! Keep us informed of any new developments, if any.


JoshTodd
New Member




Date Joined Apr 2012
Total Posts : 1
 
   Posted 4/6/2012 1:59 PM (GMT +3)
Hey guys, check this out: www.reallyhowto.com/24-minutes-google-redirect-virus-removal

Worked like a charm!

stanleywan
New Member


Date Joined Jan 2012
Total Posts : 35
 
   Posted 6/5/2012 3:00 PM (GMT +3)
You may try checking whether you were hit by the DNS changer virus or not, by simply entering this:

http://dns-ok.us/

in your browser.

If green, you are good. If red, you've been infected.