The new forums will be named Coin Return (based on the most recent vote)! You can check on the status and timeline of the transition to the new forums here.
The Guiding Principles and New Rules document is now in effect.
Google redirect issue
Rear Admiral Choco
I wanna be an owl, Jerry!Owl York CityRegistered User regular
I wanna be an owl, Jerry!Owl York CityRegistered User regular
So I'm running across something very strange with my browser. In Chrome, every so often when I click any given link (most commonly on threads on the forums since I've been spending my time on here) a new tab will open that either ends up loading google.ca or something like results [dot] google-analytics [dot] com, if I recall correctly.
I strongly suspect a virus, but scanning has turned up no results thus far.
Help?
I strongly suspect a virus, but scanning has turned up no results thus far.
Help?
Rear Admiral Choco on
0
Posts
i think it's caused by a registry trojan
I'm scanning the computer right now, but any tips for safely removing this thing?
i think there's a bunch of programs actually designed to go after the redirect thing by itself
one which i can remember was called HitMan Pro
although i remember it not working for me and i THINK i did a system restore and that fixed it
it was like 9 months ago so i might be foggy
Malware Byte
Spybot S_D
etc.
Well, did that. I figure I might as well post the log here since the problem still seems to be around, even after running Search and Destroy and Malware Bytes beforehand, as well.
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1616 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100621-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\Recent\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.
2010-06-21 18:17 . 2010-06-21 19:02
d
w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-21 18:17 . 2010-06-21 18:20
d
w- c:\program files\Spybot - Search & Destroy
2010-06-21 16:47 . 2010-06-21 16:47
d
w- c:\documents and settings\User\Application Data\Malwarebytes
2010-06-21 16:47 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-21 16:47 . 2010-06-21 16:47
d
w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-21 16:47 . 2010-06-21 16:47
d
w- c:\program files\Malwarebytes' Anti-Malware
2010-06-21 16:47 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 20:51 . 2010-06-11 20:51 244008 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-02 03:37 . 2010-06-02 03:37 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-116c47cd-n\msvcp71.dll
2010-06-02 03:37 . 2010-06-02 03:37 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-116c47cd-n\jmc.dll
2010-06-02 03:37 . 2010-06-02 03:37 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-116c47cd-n\msvcr71.dll
2010-05-25 04:45 . 2010-05-25 04:45
d
w- C:\Riot Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 18:05 . 2008-06-05 05:16
d
w- c:\program files\Steam
2010-06-07 17:43 . 2009-10-16 07:06 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-07 03:46 . 2008-07-14 15:56
d
w- c:\documents and settings\User\Application Data\gtk-2.0
2010-06-03 07:39 . 2010-04-23 07:42
d
w- c:\program files\StarCraft II Beta
2010-05-27 00:05 . 2009-07-13 05:18
d
w- c:\program files\World of Warcraft
2010-05-25 04:45 . 2008-06-02 18:18
d--h--w- c:\program files\InstallShield Installation Information
2010-05-25 04:18 . 2010-03-29 05:48
d
w- c:\documents and settings\All Users\Application Data\PMB Files
2010-05-10 20:20 . 2010-05-10 20:20
d
w- c:\documents and settings\All Users\Application Data\2DBoy
2010-05-10 20:20 . 2010-05-10 20:19
d
w- c:\program files\WorldOfGoo
2010-05-09 04:01 . 2010-05-05 14:54
d
w- c:\program files\Google
2010-05-04 17:20 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 18:07 . 2008-08-25 06:49
d
w- c:\documents and settings\User\Application Data\uTorrent
2010-04-24 10:52 . 2009-06-02 07:01 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2010-04-23 07:48 . 2009-08-24 03:23
d
w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-04-23 07:48 . 2008-06-06 00:10
d
w- c:\program files\Common Files\Blizzard Entertainment
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-23 21:50 . 2008-06-05 03:51 62000 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-05-12 1238352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-29 2937528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"nwiz"="nwiz.exe" [2007-06-28 1626112]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-16 149280]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-04-22 1236992]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-06-18 647216]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-06-24 1366064]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-06-19 472112]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\captaincass\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\chocokinesis\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\StarCraft II Beta\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15097\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15133\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15250\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15343\\SC2.exe"=
"c:\\Program Files\\StarCraft II Beta\\Versions\\Base15392\\SC2.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18724:TCP"= 18724:TCP:*:Disabled:BitComet 18724 TCP
"18724:UDP"= 18724:UDP:*:Disabled:BitComet 18724 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"67:UDP"= 67:UDP:DHCP Discovery Service
"56201:TCP"= 56201:TCP:Pando Media Booster
"56201:UDP"= 56201:UDP:Pando Media Booster
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/5/2008 1:06 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/5/2008 1:06 AM 20560]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/1/2008 2:25 PM 717296]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2010 10:54 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
2010-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 12:54]
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 12:54]
2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1078081533-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 15:47]
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1078081533-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 15:47]
.
.
Supplementary Scan
.
uStart Page = hxxp://google.atcomet.com/b/
uInternet Settings,ProxyOverride = *.local
IE: Download with Xilisoft Download YouTube Video - c:\program files\Xilisoft\Download YouTube Video\upod_link.HTM
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lquj5dhk.default\
FF - prefs.js: browser.startup.homepage - penny-arcade.com
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
AddRemove-AVI Codec Pack - c:\program files\AVI Codec Pack\uninstall.exe
AddRemove-Collab - c:\program files\Image-Line\Collab\uninstall.exe
AddRemove-Fallout 2 Restoration Project_is1 - c:\program files\BlackIsle\Fallout2\unins001.exe
AddRemove-Fallout 2 Unofficial Patch_is1 - c:\program files\BlackIsle\Fallout2\unins000.exe
AddRemove-FL Studio 8 - c:\program files\Image-Line\FL Studio 8\uninstall.exe
AddRemove-Game Maker 7.0 - c:\program files\Game_Maker7\Uninstal.exe
AddRemove-ICCup Launcher_is1 - c:\program files\ICCup\Launcher\unins000.exe
AddRemove-IL Download Manager - c:\program files\Image-Line\Downloader\uninstall.exe
AddRemove-LimeWire - c:\program files\LimeWire\uninstall.exe
AddRemove-Mount&Blade - c:\program files\Mount&Blade\uninstall.exe
AddRemove-On the Rain-Slick Precipice of Darkness, Episode One - c:\program files\Hothead Games\Precipice of Darkness\uninstall.exe
AddRemove-Phantasy Star Online Blue Burst_is1 - c:\program files\Phantasy Star Online Blue Burst\unins000.exe
AddRemove-PoiZone - c:\program files\Image-Line\PoiZone\uninstall.exe
AddRemove-Toxic Biohazard - c:\program files\Image-Line\Toxic Biohazard\uninstall.exe
AddRemove-Warhammer Online - Age of Reckoning - c:\program files\Electronic Arts\Warhammer Online - Age of Reckoning\uninst2.exe
AddRemove-You Don't Know Jack - The Ride - c:\progra~1\JELLYV~1\YOUDON~1\Setup.exe
AddRemove-{1446A30C-6DAF-461E-96B1-31C554870082}_is1 - c:\program files\Tag\unins000.exe
AddRemove-{1AEA77CA-025F-4826-9300-727143B8075D}_is1 - c:\program files\Strange Attractors 2\unins000.exe
AddRemove-Noitu Love 2: Devolution - c:\program files\Noitu Love 2\Uninstal.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 15:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-06-21 15:48:00
ComboFix-quarantined-files.txt 2010-06-21 19:47
Pre-Run: 2,967,089,152 bytes free
Post-Run: 4,490,432,512 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - BB1F937D2888040246793A14F84E0406
Spybot, AVG, Avira and Kaspersky all let me down. For Spybot and Kaspersky I couldn't connect to the update server, which may have led to their ultimate failure.
I used HiJackThis from Trend Micro (was going to use their online scan service) and checked just about every box that I wasn't familiar with. After a restart, all my problems were solved.
Good luck.
Subtle difference, but the thing that clued me in was a copy of svchost.exe in each.
Would I be right to be suspicious here?
Now if you've gone into Windows Explorer and physically seen the two folders (make sure you have hidden files/folders off in Admin mode), that's a different story.
Otherwise, this is probably just the difference between a registry entry typed as "system32" as opposed to "System32".
I did a little snooping and I couldn't find much. I'll take a look after work.
God help us if you ever find a mouse in your house.