
Solved: Google Search Redirect

Discussion in 'Malware and Virus Removal Archive' started by Adashu, 2009/12/02.

  1. 2009/12/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Still redirecting?
    If so, I'd like to know if the same thing happens in IE.
     
  2. 2009/12/03
    Adashu

    Adashu Inactive Thread Starter

    Joined:
    2009/12/02
    Messages:
    22
    Likes Received:
    0
    Yes, it still happens in Firefox, but in IE it does not seem to occur.
     


  4. 2009/12/04
    broni (Moderator, Malware Analyst)
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: right-click on SystemLook.exe and click Run As Administrator.
    • Copy the content of the following box into the main textfield:
      Code:
      :dir
      C:\Program Files\Mozilla Firefox\searchplugins
      C:\Program Files\Mozilla Firefox\components
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  5. 2009/12/04
    Adashu (Thread Starter)
    SystemLook v1.0 by jpshortstuff (29.08.09)
    Log created at 13:29 on 04/12/2009 by Administrator (Administrator - Elevation successful)

    ========== dir ==========

    C:\Program Files\Mozilla Firefox\searchplugins - Parameters: "(none) "

    ---Files---
    amazondotcom.xml --a--- 1394 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    answers.xml --a--- 2193 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    creativecommons.xml --a--- 1534 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    eBay.xml --a--- 2344 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    google.xml --a--- 2371 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    wikipedia.xml --a--- 1178 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    yahoo.xml --a--- 792 bytes [01:33 29/11/2009] [02:47 29/11/2009]

    ---Folders---
    None found.

    C:\Program Files\Mozilla Firefox\components - Parameters: "(none) "

    ---Files---
    aboutCertError.js --a--- 3013 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    aboutPrivateBrowsing.js --a--- 2645 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    aboutRights.js --a--- 2925 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    aboutRobots.js --a--- 2927 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    aboutSessionRestore.js --a--- 2644 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    browser.xpt --a--- 363533 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    browserdirprovider.dll --a--- 23512 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    brwsrcmp.dll --a--- 137176 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    compreg.dat --a--- 146927 bytes [03:05 29/11/2009] [03:05 29/11/2009]
    FeedConverter.js --a--- 25783 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    FeedProcessor.js --a--- 66215 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    FeedWriter.js --a--- 49659 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    fuelApplication.js --a--- 39422 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    jsconsole-clhandler.js --a--- 1497 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    NetworkGeolocationProvider.js --a--- 9562 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsAddonRepository.js --a--- 11724 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsBadCertHandler.js --a--- 3104 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsBlocklistService.js --a--- 37310 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsBrowserContentHandler.js --a--- 33072 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsBrowserGlue.js --a--- 42910 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsContentDispatchChooser.js --a--- 5005 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsContentPrefService.js --a--- 30890 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsDefaultCLH.js --a--- 6345 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsDownloadManagerUI.js --a--- 5737 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsExtensionManager.js --a--- 344537 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsHandlerService.js --a--- 53725 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsHelperAppDlg.js --a--- 42953 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsLivemarkService.js --a--- 36576 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsLoginInfo.js --a--- 4920 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsLoginManager.js --a--- 51295 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsLoginManagerPrompter.js --a--- 44596 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsMicrosummaryService.js --a--- 77053 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsPlacesDBFlush.js --a--- 13166 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsPlacesTransactionsService.js --a--- 39719 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsPostUpdateWin.js --a--- 21420 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsPrivateBrowsingService.js --a--- 17500 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsProxyAutoConfig.js --a--- 13682 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsSafebrowsingApplication.js --a--- 25569 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsSearchService.js --a--- 123367 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsSearchSuggestions.js --a--- 24228 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsSessionStartup.js --a--- 9167 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsSessionStore.js --a--- 106276 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsSetDefaultBrowser.js --a--- 2854 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsSidebar.js --a--- 12371 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsTaggingService.js --a--- 21084 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsTryToClose.js --a--- 3268 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsUpdateService.js --a--- 107468 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsUrlClassifierLib.js --a--- 50945 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsUrlClassifierListManager.js --a--- 20058 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsURLFormatter.js --a--- 3107 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    nsWebHandlerApp.js --a--- 6920 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    pluginGlue.js --a--- 3142 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    storage-Legacy.js --a--- 52873 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    storage-mozStorage.js --a--- 56155 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    txEXSLTRegExFunctions.js --a--- 6667 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    WebContentConverter.js --a--- 33925 bytes [01:33 29/11/2009] [02:47 29/11/2009]
    xpti.dat --a--- 101571 bytes [03:04 29/11/2009] [03:04 29/11/2009]

    ---Folders---
    None found.

    -=End Of File=-
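The SystemLook listing above is what the analyst reads by eye, looking for anything in Firefox's install directories that the installer did not put there. As an added example, not part of the thread and not SystemLook's own code, the Python below parses that `:dir` output and flags files whose timestamp differs from the bulk of the directory. The sample log is a constructed excerpt of the listing posted above, and the order of the two bracketed stamps (creation, then last write) is an assumption.

```python
"""Parse SystemLook ':dir' output and flag files whose modification time
differs from the rest of the directory. Added example for this thread;
it is not SystemLook code and only reads the text log the tool writes."""
import re
from collections import Counter
from datetime import datetime

# Constructed excerpt of the SystemLook.txt posted in the thread (5 of the
# 55 component files, copied as the tool prints them).
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)

========== dir ==========

C:\Program Files\Mozilla Firefox\components - Parameters: "(none) "

---Files---
aboutCertError.js --a--- 3013 bytes [01:33 29/11/2009] [02:47 29/11/2009]
browser.xpt --a--- 363533 bytes [01:33 29/11/2009] [02:47 29/11/2009]
compreg.dat --a--- 146927 bytes [03:05 29/11/2009] [03:05 29/11/2009]
nsSearchService.js --a--- 123367 bytes [01:33 29/11/2009] [02:47 29/11/2009]
xpti.dat --a--- 101571 bytes [03:04 29/11/2009] [03:04 29/11/2009]

---Folders---
None found.

-=End Of File=-
"""

# "name attrs size bytes [stamp] [stamp]"; the two stamps are assumed to be
# creation time and last-write time, in that order.
FILE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]$"
)
DIR_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.*?) - Parameters: "')
STAMP = "%H:%M %d/%m/%Y"


def parse_systemlook_dir(text):
    """Return {directory: [file dict, ...]} for each ':dir' section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        d = DIR_RE.match(line)
        if d:
            current = d.group("path")
            sections[current] = []
            continue
        f = FILE_RE.match(line)
        if f and current is not None:
            sections[current].append({
                "name": f.group("name"),
                "attrs": f.group("attrs"),
                "size": int(f.group("size")),
                "created": datetime.strptime(f.group("created"), STAMP),
                "modified": datetime.strptime(f.group("modified"), STAMP),
            })
    return sections


def timestamp_outliers(entries):
    """Names of files whose modified stamp is not the directory's most common
    one. Installer-written directories share one stamp, so anything else was
    written later: an add-on dropping a component, a patched DLL, or, as in
    the thread's log, Firefox's own regenerated compreg.dat/xpti.dat caches.
    The check points at what to look at; it does not decide good or bad."""
    if not entries:
        return []
    bulk = Counter(e["modified"] for e in entries).most_common(1)[0][0]
    return [e["name"] for e in entries if e["modified"] != bulk]


def report(text):
    """One line per outlier, per directory: path, size and modified stamp."""
    lines = []
    for path, entries in parse_systemlook_dir(text).items():
        for name in timestamp_outliers(entries):
            e = next(x for x in entries if x["name"] == name)
            lines.append(f"{path}\\{name}  {e['size']} bytes  "
                         f"modified {e['modified']:%Y-%m-%d %H:%M}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the full listing from the thread the only outliers are compreg.dat and xpti.dat, which Firefox rewrites itself on first start; a search-hijacking component dropped into this folder would show up the same way, which is why the analyst asked for this directory in the first place.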
     
  6. 2009/12/04
    broni (Moderator, Malware Analyst)
    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv.
    • Close Dr.Web CureIt.
    • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
  7. 2009/12/04
    Adashu (Thread Starter)
    I'm having trouble with this Dr.Web program.
    The log below is from the 4th scan.
    Before the 4th scan, it detected some infected files and I clicked Yes to all, and I just left it and slept after that. I did not save the log because my PC rebooted.

    I notice that now my LAN is missing from Network Connections. I don't know when it happened; I think it happened between all the tasks you gave me. I tried to install the driver but it did not fix it.


    A0006378.bat;C:\System Volume Information\_restore{DA5FE7FF-C5B1-45E3-959F-87B9F6E642AE}\RP12;Probably BATCH.Virus;;



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:03:13 AM, on 12/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\CE100 Dialer\Driver\HaierDcService.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\CE100 Dialer\ICard.exe
    C:\Program Files\CE100 Dialer\IdleMng.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\CE100 Dialer\PcxSvr.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [HaierDcService] C:\Program Files\CE100 Dialer\Driver\HaierDcService.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{426DCFD6-E3FB-4A80-BDAE-176E41F9BC02}: NameServer = 10.17.3.244 10.17.3.252
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

    --
    End of file - 6440 bytes
     
  8. 2009/12/04
    broni (Moderator, Malware Analyst)
    Is it causing any actual problems?

    Are you familiar with [HaierDcService] C:\Program Files\CE100 Dialer\Driver\HaierDcService.exe ?

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    - O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    - O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    - O17 - HKLM\System\CCS\Services\Tcpip\..\{426DCFD6-E3FB-4A80-BDAE-176E41F9BC02}: NameServer = 10.17.3.244 10.17.3.252



    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    - O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    - O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    - O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    - O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    - O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    - O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll



    5. Click on the Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  9. 2009/12/04
    Adashu (Thread Starter)
    No, it's not a big issue for me.
    It's just that I want to try to transfer data to a netbook using a LAN cable, and from what I heard you need to change some IP properties on LAN in Network Connections.

    Right now I'm using a wireless broadband internet connection, but before that I used to connect using an ADSL connection, which needed that LAN connection thing (I think; I'm not sure actually). So I'm just a little worried that my LAN is not there. I've had this problem before and I solved it by reinstalling Windows.

    Yes, I recognize that. It's from my ISP. I connect to the internet using that.

    Here's the HijackThis log, and I still have this Google redirect thing.
    How about I install a new Firefox, is that all right?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:08:52 PM, on 12/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\CE100 Dialer\Driver\HaierDcService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\CE100 Dialer\ICard.exe
    C:\Program Files\CE100 Dialer\IdleMng.exe
    C:\Program Files\CE100 Dialer\PcxSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [HaierDcService] C:\Program Files\CE100 Dialer\Driver\HaierDcService.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{426DCFD6-E3FB-4A80-BDAE-176E41F9BC02}: NameServer = 10.17.3.244 10.17.3.252
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

    --
    End of file - 5777 bytes
     
  10. 2009/12/04
    broni (Moderator, Malware Analyst)
    I assume, the redirection is still there?
    If so....

    Close Firefox. Go Start>All Programs>Mozilla Firefox, click on Mozilla Firefox (safe mode). Same thing?
     
  11. 2009/12/05
    Adashu (Thread Starter)
    Well, in safe mode the links on Google work fine; they don't change.
     
  12. 2009/12/05
    broni (Moderator, Malware Analyst)
    Start FF in normal mode.
    Disable all add-ons.
    Restart FF.
    No redirection?
    If so, re-enable ONE add-on.
    Restart FF.
    Still OK?
    Re-enable another one, and so on, until you find the culprit.

    Main suspects - toolbars.
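The disable-everything-then-re-enable-one-at-a-time procedure above finds the culprit in up to n restarts. As an added example, not from the thread and not from Firefox, the Python below simulates that procedure next to a bisection that halves the enabled set on each restart. The add-on names are constructed except for XULCache{1.0}.xpi, the one found later in the thread, and the callback stands in for the manual "enable exactly these, restart Firefox, search, see whether it redirects" step. Bisection assumes a single deterministic culprit, so it verifies its answer and hands back None when two add-ons are needed together; in that case the one-at-a-time method still works.

```python
"""Find which Firefox add-on causes the redirect by bisecting the set of
enabled add-ons. Added example for this thread; the add-on names other than
XULCache{1.0}.xpi are constructed, the callback stands in for the manual
'enable these, restart Firefox, search, see whether it redirects' step, and
the bisection assumes one deterministic culprit."""

# Constructed list of installed add-ons; only XULCache{1.0}.xpi is from the thread.
ADDONS = ["Adblock Plus", "Java Console", "XULCache{1.0}.xpi", "IDM CC",
          "Some Toolbar", "Kaspersky URL Advisor", "Flashblock", "Firebug"]


def one_at_a_time(addons, redirects_with):
    """The thread's procedure: start with everything disabled, re-enable one
    more add-on per restart, stop at the first restart that redirects.
    Returns (culprit, restarts)."""
    enabled = []
    for addon in addons:
        enabled.append(addon)
        if redirects_with(enabled):
            return addon, len(enabled)
    return None, len(addons)


def bisect_addons(addons, redirects_with):
    """Same question in about log2(n) restarts: keep the half that still
    redirects. Returns (culprit, restarts); (None, restarts) means either no
    add-on triggers it or it takes two together, in which case fall back to
    one_at_a_time."""
    restarts = 0

    def check(subset):
        nonlocal restarts
        restarts += 1
        return redirects_with(subset)

    if not check(list(addons)):
        return None, restarts             # redirect is not add-on driven
    candidates = list(addons)
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        candidates = half if check(half) else candidates[len(half):]
    culprit = candidates[0]
    # One extra restart to confirm the survivor alone reproduces it; this is
    # what catches the 'needs two add-ons together' case.
    if not check([culprit]):
        return None, restarts
    return culprit, restarts


if __name__ == "__main__":
    simulated = lambda enabled: "XULCache{1.0}.xpi" in enabled
    print(one_at_a_time(ADDONS, simulated))   # 3 restarts
    print(bisect_addons(ADDONS, simulated))   # 5 restarts, 8 add-ons
```

With eight add-ons and the culprit third in the list the linear method happens to win; with the culprit last, or with twenty add-ons, bisection needs far fewer restarts. Either way the answer is only as good as the check: search from the same query each time, because an intermittent redirect will send both methods down the wrong branch.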
     
  13. 2009/12/05
    Adashu (Thread Starter)
    XULCache{1.0}.xpi. Ah, I found it finally... really tired of this task.

    So I just choose uninstall?
     
  14. 2009/12/05
    broni (Moderator, Malware Analyst)
    Whatever that extension is, uninstall it.
     
  15. 2009/12/05
    Adashu (Thread Starter)
    OK, it's done. So nothing left to do?
    If so, then thanks for your time; I'd really appreciate it.
     
  16. 2009/12/05
    broni (Moderator, Malware Analyst)
    If there are no redirections anymore, we need to perform final steps....

    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure, Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please, let me know, how is your computer doing.
     
  17. 2009/12/06
    Adashu (Thread Starter)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:38:04 PM, on 12/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\CE100 Dialer\Driver\HaierDcService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\CE100 Dialer\ICard.exe
    C:\Program Files\CE100 Dialer\IdleMng.exe
    C:\Program Files\CE100 Dialer\PcxSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [HaierDcService] C:\Program Files\CE100 Dialer\Driver\HaierDcService.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{426DCFD6-E3FB-4A80-BDAE-176E41F9BC02}: NameServer = 10.17.3.244 10.17.3.252
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

    --
    End of file - 5742 bytes


    My PC works fine; I didn't know so many malware infected my computer too.
    Thanks again, broni.
     
  18. 2009/12/06
    broni (Moderator, Malware Analyst)
    You're very welcome :)
    Happy surfing :)
     
