
Solved Google Redirect Issue

Discussion in 'Malware and Virus Removal Archive' started by quirkymac, 2010/03/24.

  1. 2010/03/25
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Kaspersky keeps giving me an error saying that it cannot access the updates
     
  2. 2010/03/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     


  4. 2010/03/26
    quirkymac Inactive Thread Starter
    Hmmmm. I cannot open that webpage either. Similar error.
     
    Last edited: 2010/03/26
  5. 2010/03/26
    quirkymac Inactive Thread Starter
    The only other thing I can think of is to install another browser and try from there? Would that be ok?
     
  6. 2010/03/26
    quirkymac Inactive Thread Starter
    No go. Just tried Chrome and Firefox with the same result.
     
  7. 2010/03/26
    quirkymac Inactive Thread Starter
    Redirecting issue and popup are present again :-(
     
  8. 2010/03/26
    broni Moderator Malware Analyst
    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
    Last edited: 2010/03/26
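As an added example (not part of this thread, and not OTL's or Dr.Web's own code): the fix above blanks one IE search key and resets the hosts file, and the Quick Scan log it asks for is where a browser-redirect hijack usually shows itself: the IE start/search/proxy values, the O1 hosts entries and the O17 DhcpNameServer/NameServer values. The script below parses those three line families from an OTL-format log and flags departures from an assumed clean baseline (only localhost on loopback in the hosts file, proxy off, search URLs on a short allowlist, no static NameServer). A hosts entry that points a vendor's update domain at 127.0.0.1 is the classic cause of an antivirus "cannot access updates" error, which is why that check is included even though the hosts file in this thread's log carries only the two default entries. Both sample logs are constructed: the clean one mirrors the values in the log posted in this thread, the hijacked one uses made-up hostnames and RFC 5737 documentation addresses, and the search-domain allowlist is an assumption.

```python
"""Triage an OTL quick-scan log for the settings behind browser redirects.

Added example for this thread; it is not part of OTL, Dr.Web or the forum's
own tooling. It reads the three OTL line families that matter for a redirect
complaint (IE - ..., O1 - Hosts: ..., O17 - ...\Tcpip\Parameters ...) and
applies plain heuristics. The "expected" state (only localhost on loopback in
the hosts file, proxy disabled, search URLs on a short allowlist, no static
NameServer) is an assumption chosen for illustration, not OTL's own logic.
"""
import ipaddress
import re
from urllib.parse import urlsplit

IE_RE = re.compile(
    r'^IE - (?P<key>[^,:]+)(?:,(?P<n1>[^=]+?)|: "(?P<n2>[^"]+)")\s*=\s*(?P<value>.*)$'
)
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
O17_RE = re.compile(r"^O17 - [^:]+:\s+(?P<name>\w+)\s*=\s*(?P<value>.*)$")

DEFAULT_HOSTS_NAMES = {"localhost"}  # a clean Windows 7 hosts file maps only this
# Assumed allowlist of search-provider domains; adjust for the user's locale.
ALLOWED_SEARCH_DOMAINS = ("google.com", "google.com.au", "bing.com", "live.com", "microsoft.com")

# Constructed sample: mirrors the values in the quick-scan log posted in this thread.
CLEAN_OTL_LOG = r"""
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
"""

# Constructed sample of a hijacked machine: made-up hostnames, RFC 5737 test addresses.
HIJACKED_OTL_LOG = r"""
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.example.net/assist
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=203.0.113.9:8080
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 updates.av-vendor.example
O1 - Hosts: 203.0.113.5 www.google.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 198.51.100.1
"""


def parse_otl(text):
    """Return {'ie': {name: value}, 'hosts': [(ip, host)], 'tcpip': {name: value}}."""
    ie, hosts, tcpip = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IE_RE.match(line):
            name = (m.group("n1") or m.group("n2")).strip()
            ie[name] = m.group("value").strip()  # keyed by value name; last hive seen wins
        elif m := HOSTS_RE.match(line):
            hosts.append((m.group("ip"), m.group("host")))
        elif m := O17_RE.match(line):
            tcpip[m.group("name")] = m.group("value").strip()
    return {"ie": ie, "hosts": hosts, "tcpip": tcpip}


def hosts_findings(hosts):
    """Anything beyond localhost->loopback is either a block (loopback/0.0.0.0) or a redirect."""
    out = []
    for ip, host in hosts:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            out.append(f"unparseable hosts entry: {ip} {host}")
            continue
        if host.lower() in DEFAULT_HOSTS_NAMES and addr.is_loopback:
            continue
        if addr.is_loopback or addr.is_unspecified:
            out.append(f"hosts file blocks {host} (-> {ip})")  # the 'cannot reach updates' pattern
        else:
            out.append(f"hosts file redirects {host} -> {ip}")
    return out


def proxy_findings(ie):
    out = []
    if ie.get("ProxyEnable", "0") not in ("0", ""):
        out.append(f"proxy enabled: ProxyServer={ie.get('ProxyServer', '<unset>')}")
    if ie.get("AutoConfigURL"):  # PAC script; value name as IE stores it, OTL line format assumed
        out.append(f"proxy auto-config script set: {ie['AutoConfigURL']}")
    return out


def search_findings(ie):
    """Flag any IE start/search URL whose host is outside the assumed allowlist."""
    out = []
    for name, value in ie.items():
        if not value.lower().startswith(("http://", "https://")):
            continue
        host = (urlsplit(value).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in ALLOWED_SEARCH_DOMAINS):
            out.append(f"{name} points at unexpected host {host}")
    return out


def dns_findings(tcpip):
    out = []
    if tcpip.get("NameServer"):  # static override beats the DHCP-supplied resolver
        out.append(f"static DNS override: NameServer = {tcpip['NameServer']}")
    for srv in tcpip.get("DhcpNameServer", "").split():
        try:
            if not ipaddress.ip_address(srv).is_private:
                out.append(f"DHCP-assigned DNS is not on the LAN: {srv} (check the router)")
        except ValueError:
            out.append(f"unparseable DhcpNameServer entry: {srv}")
    return out


def triage(text):
    p = parse_otl(text)
    return (hosts_findings(p["hosts"]) + proxy_findings(p["ie"])
            + search_findings(p["ie"]) + dns_findings(p["tcpip"]))


if __name__ == "__main__":
    for label, log in (("clean", CLEAN_OTL_LOG), ("hijacked", HIJACKED_OTL_LOG)):
        print(f"{label}: {triage(log) or ['no findings']}")
```

Run it as-is to see both sample logs triaged, or pass the text of a saved OTL log to `triage()`. The DhcpNameServer check only notes a non-RFC 1918 resolver so that the router can be looked at; a router that hands out the ISP's resolver is also legitimate, so treat that line as a lead rather than a verdict. Likewise a deliberately installed ad-blocking hosts file will light up the hosts check, which is why the output lists each entry instead of summarising.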
  9. 2010/03/26
    quirkymac Inactive Thread Starter
    OTL logfile created on: 27/03/2010 7:39:42 AM - Run 3
    OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Milne Clan\Desktop
    An unknown product (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 45.04 Gb Free Space | 30.22% Space Free | Partition Type: NTFS
    Drive D: | 3.72 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive E: | 6.83 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: MILNECLAN-PC
    Current User Name: Milne Clan
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/03/26 10:52:23 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    PRC - [2010/02/21 05:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
    PRC - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    PRC - [2009/10/31 16:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/09/28 16:27:18 | 000,144,752 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
    PRC - [2009/08/24 13:43:54 | 000,038,176 | ---- | M] (Lenovo) -- C:\Windows\System32\ibmpmsvc.exe
    PRC - [2009/08/20 09:38:30 | 000,062,752 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
    PRC - [2009/07/15 10:18:00 | 000,062,320 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
    PRC - [2009/07/14 12:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2009/07/08 20:12:06 | 000,337,184 | ---- | M] (Lenovo.) -- C:\Windows\System32\TpShocks.exe
    PRC - [2009/05/18 13:28:04 | 001,314,816 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
    PRC - [2009/03/13 17:32:46 | 000,068,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    PRC - [2009/02/02 18:04:08 | 000,067,432 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    PRC - [2008/07/15 13:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE


    ========== Modules (SafeList) ==========

    MOD - [2010/03/26 10:52:23 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    MOD - [2009/07/14 12:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
    MOD - [2009/07/14 12:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
    MOD - [2009/07/14 12:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
    MOD - [2009/07/14 12:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
    MOD - [2009/07/14 12:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
    MOD - [2009/07/14 12:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
    MOD - [2009/07/14 12:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
    MOD - [2009/07/14 12:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
    MOD - [2009/07/14 12:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
    MOD - [2009/07/14 12:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
    MOD - [2009/07/14 12:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/03/12 04:17:23 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
    SRV - [2009/10/19 17:18:36 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
    SRV - [2009/09/09 03:05:00 | 000,075,040 | ---- | M] (Lenovo) [On_Demand | Stopped] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE -- (Power Manager DBC Service)
    SRV - [2009/08/24 13:43:54 | 000,038,176 | ---- | M] (Lenovo) [Auto | Running] -- C:\Windows\System32\ibmpmsvc.exe -- (IBMPMSVC)
    SRV - [2009/07/15 10:18:00 | 000,062,320 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
    SRV - [2009/07/14 12:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
    SRV - [2009/07/14 12:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
    SRV - [2009/07/14 12:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
    SRV - [2009/07/14 12:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
    SRV - [2009/07/14 12:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
    SRV - [2009/07/14 12:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
    SRV - [2009/07/14 12:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
    SRV - [2009/07/14 12:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/14 12:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/14 12:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
    SRV - [2009/07/14 12:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
    SRV - [2009/07/14 12:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
    SRV - [2009/07/14 12:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
    SRV - [2009/07/14 12:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/07/14 12:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
    SRV - [2009/07/14 12:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
    SRV - [2009/07/14 12:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
    SRV - [2009/07/14 12:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
    SRV - [2009/07/14 12:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
    SRV - [2009/07/14 12:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
    SRV - [2009/07/14 12:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
    SRV - [2009/07/14 12:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
    SRV - [2009/07/14 12:14:17 | 000,276,480 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\diskraid.exe -- (Vhdmhervm)
    SRV - [2009/07/03 18:47:08 | 000,045,424 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
    SRV - [2009/06/29 13:51:00 | 000,039,976 | ---- | M] (Lenovo.) [On_Demand | Stopped] -- C:\Windows\System32\TPHDEXLG.exe -- (TPHDEXLGSVC)
    SRV - [2008/07/15 13:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)
    SRV - [2004/01/18 10:59:18 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



    O1 HOSTS File: ([2010/03/27 07:35:20 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
    O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
    O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
    O4 - HKLM..\Run: [TpShocks] C:\Windows\System32\TpShocks.exe (Lenovo.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab (Windows Live OneCare safety scanner control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (systempropertiesperformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
    O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/11 08:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2009/11/23 23:05:40 | 006,321,456 | R--- | M] (Codemasters Software Co.) - E:\Autorun.exe -- [ UDF ]
    O32 - AutoRun File - [2009/09/29 00:23:06 | 000,000,068 | R--- | M] () - E:\autorun.inf -- [ UDF ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/03/26 20:46:26 | 000,000,000 | ---D | C] -- C:\Users\Milne Clan\AppData\Local\Mozilla
    [2010/03/26 20:44:48 | 000,000,000 | ---D | C] -- C:\Users\Milne Clan\Documents\Downloads
    [2010/03/26 15:38:35 | 000,000,000 | ---D | C] -- C:\Windows\Sun
    [2010/03/26 13:23:26 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/03/26 10:52:08 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    [2010/03/26 10:13:09 | 000,000,000 | ---D | C] -- C:\Users\Milne Clan\AppData\Roaming\Malwarebytes
    [2010/03/26 10:13:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/03/26 10:13:03 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/03/26 10:13:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/03/26 10:13:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2010/03/26 10:11:56 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Milne Clan\Desktop\mbam-setup.exe
    [2010/03/26 07:33:37 | 000,044,567 | ---- | C] (jpshortstuff) -- C:\Users\Milne Clan\Desktop\Kenco.exe
    [2010/03/26 07:02:52 | 000,000,000 | ---D | C] -- C:\Users\Milne Clan\Desktop\converted
    [2010/03/26 06:36:30 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2010/03/26 06:36:28 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2010/03/26 06:36:28 | 000,000,000 | ---D | C] -- C:\Users\Milne Clan\AppData\Local\temp
    [2010/03/26 05:42:49 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
    [2010/03/25 12:32:15 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2010/03/25 07:48:13 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
    [2010/03/25 05:53:56 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2010/03/24 06:32:31 | 000,000,000 | ---D | C] -- C:\Users\Milne Clan\Desktop\New folder
    [2010/03/24 06:27:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
    [2010/03/24 06:27:34 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
    [2010/03/21 08:56:03 | 000,000,000 | R--D | C] -- C:\Users\Milne Clan\Documents\Scanned Documents
    [2010/03/21 08:56:03 | 000,000,000 | ---D | C] -- C:\Users\Milne Clan\Documents\Fax
    [2010/03/18 23:18:50 | 000,000,000 | ---D | C] -- C:\Users\Milne Clan\AppData\Roaming\vlc
    [2010/03/18 23:18:23 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN

    ========== Files - Modified Within 14 Days ==========

    [2010/03/27 07:37:43 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010/03/27 07:37:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/03/27 07:37:22 | 1577,816,064 | -HS- | M] () -- C:\hiberfil.sys
    [2010/03/27 07:35:51 | 001,572,864 | -HS- | M] () -- C:\Users\Milne Clan\NTUSER.DAT
    [2010/03/27 07:35:20 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
    [2010/03/26 22:03:33 | 001,000,000 | ---- | M] () -- C:\Users\Milne Clan\Desktop\1meg.test
    [2010/03/26 13:36:07 | 000,014,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/03/26 13:36:07 | 000,014,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/03/26 13:31:50 | 000,000,056 | -H-- | M] () -- C:\ProgramData\ezsidmv.dat
    [2010/03/26 13:21:56 | 003,761,257 | ---- | M] () -- C:\Users\Milne Clan\Documents\Thomas And Friends_ABC2_2010_02_08_16_10_38.txp4
    [2010/03/26 10:52:23 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    [2010/03/26 10:18:57 | 002,273,328 | -H-- | M] () -- C:\Users\Milne Clan\AppData\Local\IconCache.db
    [2010/03/26 10:13:08 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/03/26 10:11:57 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Milne Clan\Desktop\mbam-setup.exe
    [2010/03/26 07:33:40 | 000,044,567 | ---- | M] (jpshortstuff) -- C:\Users\Milne Clan\Desktop\Kenco.exe
    [2010/03/26 06:35:14 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
    [2010/03/26 05:42:47 | 296,780,985 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2010/03/25 18:55:13 | 000,206,581 | ---- | M] () -- C:\Users\Milne Clan\Documents\windows internet security.jpg
    [2010/03/25 12:32:15 | 000,002,039 | ---- | M] () -- C:\Users\Milne Clan\Desktop\HiJackThis.lnk
    [2010/03/25 07:46:07 | 001,401,344 | ---- | M] () -- C:\Users\Milne Clan\Desktop\HijackThis.msi
    [2010/03/25 06:29:51 | 000,525,824 | ---- | M] () -- C:\Users\Milne Clan\Desktop\dds.scr
    [2010/03/24 06:27:52 | 000,015,944 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
    [2010/03/23 07:51:58 | 000,621,772 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2010/03/23 07:51:58 | 000,108,912 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2010/03/23 07:51:57 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

    ========== Files Created - No Company Name ==========

    [2010/03/26 22:03:25 | 001,000,000 | ---- | C] () -- C:\Users\Milne Clan\Desktop\1meg.test
    [2010/03/26 13:31:50 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2010/03/26 13:21:56 | 003,761,257 | ---- | C] () -- C:\Users\Milne Clan\Documents\Thomas And Friends_ABC2_2010_02_08_16_10_38.txp4
    [2010/03/26 10:13:08 | 000,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/03/26 05:42:47 | 296,780,985 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2010/03/25 18:55:11 | 000,206,581 | ---- | C] () -- C:\Users\Milne Clan\Documents\windows internet security.jpg
    [2010/03/25 07:48:15 | 000,002,039 | ---- | C] () -- C:\Users\Milne Clan\Desktop\HiJackThis.lnk
    [2010/03/25 07:45:54 | 001,401,344 | ---- | C] () -- C:\Users\Milne Clan\Desktop\HijackThis.msi
    [2010/03/25 06:29:40 | 000,525,824 | ---- | C] () -- C:\Users\Milne Clan\Desktop\dds.scr
    [2010/03/24 06:27:51 | 000,015,944 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
    [2010/02/21 07:46:27 | 000,014,115 | ---- | C] () -- C:\Windows\twspmm.ini
    [2010/02/01 15:08:46 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll
    [2010/01/25 08:01:52 | 000,000,539 | ---- | C] () -- C:\Users\Milne Clan\AppData\Local\CastleLinkProps.dat
    [2010/01/04 17:19:59 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
    [2009/10/07 08:24:22 | 000,082,289 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
    [2009/07/14 10:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
    [2009/07/14 10:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
    [2005/05/06 19:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll

    ========== LOP Check ==========

    [2010/03/09 17:48:42 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\LEAPS
    [2010/02/01 15:11:32 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\Leawo
    [2010/01/07 20:00:28 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\OpenOffice.org
    [2010/03/09 17:46:07 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\Pegasys Inc
    [2010/01/18 15:45:22 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\Red Alert 3
    [2010/03/25 06:08:21 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\uTorrent
    [2009/07/14 15:53:46 | 000,010,168 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
     
  10. 2010/03/26
    broni Moderator Malware Analyst
    When you run an OTL script, it should produce a pop-up log, which I'd like to see every time as well, along with the Quick Scan log. That's for the future.
    We still have some leftovers....

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


    Post fresh HijackThis log as well.
     
  11. 2010/03/27
    quirkymac Inactive Thread Starter
    Part way through the scan, Dr.Web is saying that the hosts file may have been modified and asking whether I want to replace it with a default copy.
    Do I?
     
  12. 2010/03/27
    quirkymac Inactive Thread Starter
    I did let Dr.Web replace the hosts file. The scan has finished, but neither the quick nor the complete scan found any infections.
    HJT log to follow
     
  13. 2010/03/27
    quirkymac Inactive Thread Starter
    HJT log after reboot.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:25:41 PM, on 27/03/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\GetRight\GetRight.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
    O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
    O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
    O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 5644 bytes
     
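    As an added example (not from the thread or any of the tools it mentions), a small parser for the HijackThis O4/O16/O23 lines in the log above that pulls out the executable or download URL and lists the entries an analyst would double-check first. The sample lines are constructed from the log's format; the last `[Updater]` entry is invented to exercise the "unusual location" check.

```python
import re

# Constructed sample in HijackThis format: the first six lines mirror entries from the
# log posted above; the last O4 line is made up to exercise the "unusual location" check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O4 - HKCU\..\Run: [Updater] C:\Users\owner\AppData\Local\Temp\update.exe /silent
"""
# One regex per HijackThis section handled here; 'cmd' is the command line or the URL.
PATTERNS = {
    "run": re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "startup": re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$"),
    "dpf": re.compile(r"^O16 - DPF: \{[0-9A-F-]+\} \((?P<name>[^)]*)\) - (?P<cmd>\S+)$"),
    "service": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>[A-Za-z]:\\.+)$"),
}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")  # where legitimate autostarts usually live

def exe_path(cmd: str) -> str:
    """Strip arguments from a Run command line; quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"^(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_log(text: str) -> list:
    """Turn O4/O16/O23 lines into dicts with kind, name, owner and path (URL for O16)."""
    entries = []
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                path = m.group("cmd") if kind == "dpf" else exe_path(m.group("cmd"))
                owner = m.groupdict().get("owner") or ""
                entries.append({"kind": kind, "name": m.group("name"), "owner": owner, "path": path})
                break
    return entries

def review(entries: list) -> list:
    """Findings an analyst would double-check before deciding what to remove."""
    findings = []
    for e in entries:
        if e["kind"] == "service" and e["owner"].lower() == "unknown owner":
            findings.append(f"{e['name']}: service has no publisher info, verify {e['path']}")
        elif e["kind"] == "dpf" and not e["path"].lower().startswith("https://"):
            findings.append(f"{e['name']}: ActiveX control fetched over plain http from {e['path']}")
        elif e["kind"] != "dpf" and not e["path"].lower().startswith(TRUSTED_ROOTS):
            findings.append(f"{e['name']}: starts from unusual location {e['path']}")
    return findings
```

    Run `review(parse_log(SAMPLE_LOG))` to get the three findings; a clean entry such as the Skype or XAudioService line produces nothing.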
  14. 2010/03/27
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    btw....the download for drweb cureit kept on losing focus so I ended up having to download a trial version of getright to allow me to get the 33mb install file. I had tried that download around 20 times before resorting to the download manager.
    It is still installed....let me know if I should remove it. I hope that doesn't muck things up. But without it I could not download that scanner software.
     
  15. 2010/03/27
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Another symptom just appeared...not sure if it is related.
    I tried to click a link in one of the webpages I visit regularly and the link opened perfectly fine, but another tab also opened (which is NOT normal) to this
    http://results.google-analytics.com/

    When I go back to the page now and try that same link it only opens the page I am expecting.

    QK
     
  16. 2010/03/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yeah, you can uninstall GetRight.

    Are you saying that the redirection stopped all of a sudden?

    Let's check one more thing...

    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
     
  17. 2010/03/27
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    When I tried to run helpasst_mebroot_fix.exe it states it is not compatible with my system.
     
  18. 2010/03/27
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Hi, to explain the symptoms a bit better. The first time I click on a link I get redirected but if I click that link a second time I get taken to the actual link I am expecting.

    I just did a google.com.au search for Sydney Swans (so my wife could find out how her team did last night) the first link in the results was to the place I wanted to go (the sydney swans team homepage) but when I clicked on it I got taken first to
    http://results.overture.com/ then as I watched that page load it then moved onto
    http://au.yahoo.com/?p=us

    neither of which I wanted!!

    When I then clicked on the link to Sydney Swans a 2nd time it took me to the correct website.



    The issue I tried to describe in post 55 above was

    In a page I go to regularly there are some links I can follow, normally these work perfectly. I just opened that page and tried to follow the link and got taken to
    http://search.google-analytics.com/ on the first click
    and the correct page on the 2nd click.

    Weird!!
     
    Last edited: 2010/03/27
  19. 2010/03/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What browser is getting redirected?
    All of them?
     
  20. 2010/03/27
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    I have uninstalled Chrome and Firefox now, so just IE.
     
  21. 2010/03/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns

    Restart computer.
     
