Windows 7 Forums
Windows 7: Website redirectors. HiJack This log posted. please help

29 Aug 2011   #1
211

Windows 7 Ultimate x64
 
 
Google Re-directs. HiJack This log posted. please help

My computer is recently seeing lots of internet redirectors. I ran Malwarebytes and it found and attempted to remove a trojan; also, at the same time MWB was running, Microsoft Security detected something and removed it.
I did not have the forethought to write down the trojans; sorry.

Either way, I'm still seeing random website redirects. Usually it happens if I click a link from a Google search result. The site it sends me to is literally "redirect". If I right-click the link and Open in New Tab, it seems to go straight to the web site.

Can someone look at this log and tell me if it's clean?

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:35 PM, on 8/29/2011
Platform: Unknown Windows (WinNT 6.01.3505 SP1)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:51406
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~2\FlashFXP\IEFlash.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Odin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1444077050-2669533408-1348104756-1003\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Melanie')
O4 - HKUS\S-1-5-21-1444077050-2669533408-1348104756-1004\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Kids')
O4 - S-1-5-21-1444077050-2669533408-1348104756-1003 Startup: Dropbox.lnk = Melanie\AppData\Roaming\Dropbox\bin\Dropbox.exe (User 'Melanie')
O4 - S-1-5-21-1444077050-2669533408-1348104756-1003 User Startup: Dropbox.lnk = Melanie\AppData\Roaming\Dropbox\bin\Dropbox.exe (User 'Melanie')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ArcGIS v10 - Flexera Software, Inc. - C:\Program Files (x86)\ArcGIS\Desktop10.0\Bin\lmgrd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Seagate Dashboard Service (SeagateDashboardService) - Memeo - C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9589 bytes



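Editor's note on the log above: the one entry that lines up with the symptom described is the R1 line `Internet Settings,ProxyServer = http=127.0.0.1:51406`. A per-user HTTP proxy pointed at a loopback high port means every browser request is handed to some local process first, which is exactly how a common class of search-redirect trojans rewrites result links; a deliberately installed local filtering proxy would produce the same line, so the owning process has to be identified (e.g. `netstat -abno` as administrator) before the setting is cleared. The O20 AppInit_DLLs value (acaptuser32.dll) is a name that matches the Adobe Acrobat install visible in the O2 entries, and the O10 LSP entries are the Windows Live ID provider, but both are worth verifying on disk rather than assuming. The script below is an added example, not part of any post or of HijackThis; it pulls those redirect-relevant sections out of a HijackThis log and grades them. The sample lines are copied from the log posted above so it runs offline.

```python
"""Triage the redirect-relevant sections of a HijackThis log.

Added example for this thread; it is not part of HijackThis or of any post.
Sections checked: R0/R1 ProxyServer, F2 UserInit, O10 LSP, O20 AppInit_DLLs,
and O4 autoruns launched from user-writable paths.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Lines copied from the log posted in the thread, so the script runs offline.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = Bing
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:51406
F2 - REG:system.ini: UserInit=userinit.exe,
O4 - HKCU\\..\\Run: [Google Update] "C:\\Users\\Odin\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe" /c
O10 - Unknown file in Winsock LSP: c:\\program files (x86)\\common files\\microsoft shared\\windows live\\wlidnsp.dll
O20 - AppInit_DLLs: acaptuser32.dll
"""

SECTION_RE = re.compile(r"^(R[0-3]|F\d|O\d+) - (.*)$")
# Expected UserInit value on Windows 7; anything after the comma is a second
# program launched at every logon.
USERINIT_OK = re.compile(r"^(?:[a-z]:\\windows\\system32\\)?userinit\.exe,?$", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


@dataclass
class Finding:
    severity: str   # "high", "review" or "info"
    section: str    # HijackThis section code, e.g. "R1"
    detail: str


def is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_proxy_server(value: str) -> list:
    """Parse a WinINet ProxyServer value into (scheme, host, port) tuples.

    Accepts "host:port" (one proxy for everything) or a ';'-separated list of
    "scheme=host:port" pairs such as the "http=127.0.0.1:51406" in the log.
    """
    proxies = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:                 # no port given; WinINet defaults to 80
            host, port = hostport, "80"
        try:
            proxies.append((scheme or "all", host.strip("[]"), int(port)))
        except ValueError:
            continue                 # malformed entry; skip rather than crash
    return proxies


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section.startswith("R") and "ProxyServer" in body:
            value = body.partition("=")[2].strip()
            for scheme, host, port in parse_proxy_server(value):
                if is_loopback(host):
                    findings.append(Finding("high", section,
                        f"{scheme} traffic is routed through a local process on port {port}; "
                        f"identify the owner (netstat -abno) before clearing the setting"))
                else:
                    findings.append(Finding("info", section, f"{scheme} proxy {host}:{port}"))
        elif section == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1].strip()
            if not USERINIT_OK.match(value):
                findings.append(Finding("high", section, f"UserInit chain modified: {value}"))
        elif section == "O10":
            findings.append(Finding("review", section, body))
        elif section == "O20" and "AppInit_DLLs:" in body:
            value = body.split("AppInit_DLLs:", 1)[1].strip()
            if value:
                findings.append(Finding("review", section,
                    f"DLL injected into every user32 process: {value}"))
        elif section == "O4" and USER_WRITABLE.search(body):
            findings.append(Finding("info", section, f"autorun from a user-writable path: {body}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Run it against a saved `hijackthis.log` by passing the file's contents to `triage()`; the "high" findings are the ones to resolve before anything is deleted, because the local proxy's owning process is the actual infection and the registry value is only its symptom.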
15 Sep 2011   #2
FranzB

Windows 7 Home Premium 32bit, Linux Mint Julia, in dual boot mode
 
 

Your best bet would be to post the log at the HijackThis forum.
Google for it and click on AnalyzeThis.
Many experts who can give you advice.
15 Sep 2011   #3
FranzB

Windows 7 Home Premium 32bit, Linux Mint Julia, in dual boot mode
 
 

I did some searching and found that Hitmanpro 3.5 removes redirects.
Google for it and download it from a trusted site (e.g. CNET). Be sure to take the right version, i.e.
32bit or 64bit.
It is free, at least for a trial period of 30 days.
I just downloaded it (I used to have HitmanPro some time ago on my previous OS, viz. XP) and ran it. No problems.
Greetings.

15 Sep 2011   #4
mach04

Windows 7 Home Premium x64, Windows 8 Pro
 
 

Running your security programs in safe mode without an internet connection helps to detect more; try SUPERAntiSpyware too.
15 Sep 2011   #5
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Hi,

Please try the following:

Confirm that Malwarebytes no longer finds any malware by doing a FULL scan. Once you have confirmed this, then please do the following:

1. Open Notepad.
2. Copy and paste the following exactly as shown into the empty Notepad:

@echo on
rem Rebuild the hosts file with only the localhost entry (drops any hijacked mappings)
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
rem Renew the DHCP lease and flush the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack to defaults
netsh winsock reset all
netsh int ip reset all
rem Restart so the resets take effect, then delete this script
shutdown -r -t 1
del %0

3. Now save the file to your desktop as FLUSH.BAT
4. On your desktop, find the flush.bat file you just saved, then right-click on it and Run as administrator
5. This will flush your DNS cache, hopefully removing the redirections, and it will automatically shut down your PC.

Now reboot your PC as normal, and open your web browser and see if you still get the site redirections.

Regards,
Golden
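Editor's note on the FLUSH.BAT procedure above: it overwrites the hosts file without looking at it, so whatever a redirect trojan planted there is gone before anyone sees it. The script below is an added example, not part of the batch file or of any post; it reads the hosts file first and reports the two patterns that matter for this kind of complaint, a real hostname mapped to a foreign address (traffic rerouted) and a real hostname pinned to loopback (site blackholed, typically security vendors and update servers). The sample hosts file is constructed for the example; 203.0.113.0/24 is reserved documentation address space, not a real server.

```python
"""Audit a Windows hosts file before replacing it.

Added example for this thread, not part of FLUSH.BAT or of any post. Reads
the hosts file and lists the entries a redirect trojan typically adds, so
the evidence is recorded before the file is wiped.
"""
from ipaddress import ip_address

# Constructed sample: the Windows 7 default comment block plus three entries
# of the kind hijackers add (203.0.113.0/24 is documentation address space).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1       localhost
203.0.113.10    www.google.com   # search results rerouted through a foreign host
203.0.113.10    www.bing.com
127.0.0.1       www.malwarebytes.org   # vendor site blackholed
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, [names]) for every active line, dropping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def suspicious_entries(text):
    """Return (address, name, reason) for entries that should not be there.

    A hostname mapped to a non-loopback address is rerouted; a hostname
    other than localhost mapped to loopback is blackholed; localhost mapped
    anywhere but loopback is a tampered default.
    """
    flagged = []
    for addr_text, names in parse_hosts(text):
        try:
            addr = ip_address(addr_text)
        except ValueError:
            flagged.append((addr_text, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                if not addr.is_loopback:
                    flagged.append((addr_text, name, "localhost points away from loopback"))
            elif addr.is_loopback:
                flagged.append((addr_text, name, "blackholed to loopback"))
            else:
                flagged.append((addr_text, name, "rerouted to a foreign address"))
    return flagged


def audit_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the audit against the live hosts file (read-only; the +h +s
    attributes set by FLUSH.BAT do not prevent reading it)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for addr, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{addr:16} {name:28} {reason}")
```

On a Windows 7 machine `audit_file()` with the default path reads the live file; an unmodified Windows 7 hosts file produces an empty list, because the default keeps the localhost lines commented out and lets DNS resolve the name.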
15 Sep 2011   #6
Corrine

Windows 7 & Windows Vista Ultimate
 
 

Hi, 211.

HijackThis really isn't of much value and hasn't been updated in a long time. However, since it is already installed, we can use another tool which will provide additional information to complement HijackThis.

Please do the following:

1. Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista - W7 users: Right-click and select "Run As Administrator".
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  • Click the Start Scan button. Do not use the computer during the scan!
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2. Launch Malwarebytes and copy/paste your log from the scan that found the trojan. You can find it in the Logs tab in MBAM.

3. Please download Random's System Information Tool (RSIT) by random/random and save it to your desktop:
  • Windows 32-bit systems: here
  • Windows 64-bit systems: here
Double-click RSIT.exe to run RSIT.
  1. Click Continue at the disclaimer screen.
  2. Once it has finished, two logs will open. You will need to post (do not attach) the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
15 Sep 2011   #7
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

*** Follow Golden's advice to flush the DNS cache and restore MS's Hosts file with the FLUSH.BAT

Then follow Corrine's instructions!
16 Sep 2011   #8
FranzB

Windows 7 Home Premium 32bit, Linux Mint Julia, in dual boot mode
 
 

Somewhere on a forum, I think it was on 'bleeping computer', I saw a remark twice that the 64-bit OS is not as susceptible to infections of this type as the 32-bit; they even said that it was highly unlikely.
What are your opinions on this?
Greetings.
16 Sep 2011   #9
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

The 64-bit OS used to be fairly safe; however, as more people are moving to that OS, so are the virus/malware writers. Every day more variants come out that target the 64-bit system. It's prudent to exercise caution & common sense no matter what OS you're using. Using 64-bit still gives you a margin of safety, although that margin is sure to decrease.
Quote:
During the first half of 2010, approximately three out of every 1,000 32-bit computers running Windows 7 were infected by malware. This increased to more than four in 1,000 in the second half of the year, according to Computerworld.

According to the report, 64-bit Windows 7 installations fared better, with approximately 2.5 per 1,000 machines experiencing a malware infection over the entire duration of 2010.
And this note...

Quote:
Meanwhile the infection rate for Windows XP dropped by more than 20 percent. However, Windows 7's infection rates are five times lower than XP SP3's, even when fully patched.
16 Sep 2011   #10
FranzB

Windows 7 Home Premium 32bit, Linux Mint Julia, in dual boot mode
 
 

Right, Borg, thanks. I almost figured that would be the case.

Greetings to the cat......................