Google links redirect

April 5, 2011 at 16:38:22
Specs: Windows XP
This does not happen every time I click a link from a Google search, but about 1 in 3. Sometimes I will get redirected to ad sites pertaining to what I searched for, but recently I have been brought to malicious sites instead, as Comodo pops up informing me that the site is laden with trojans.

I have run MBAM, and have posted the log below. Oddly enough, the redirect behavior was happening before I managed to detect these trojans; I feel like I scanned before and came up with nothing, but I am not sure. Anyway, after restarting, I used CCleaner to clean my temp files. If there is anything else I can do (run HJT, etc.) to make sure my machine is clean, please let me know.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6281

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

4/5/2011 7:20:52 PM
mbam-log-2011-04-05 (19-20-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 438433
Time elapsed: 2 hour(s), 12 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\null0.13677690554949085.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\jar_cache7431584229529030643.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\jar_cache3038605526786063957.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{3f85c315-1554-4552-b319-baf7c30baf1f}\RP2\A0002518.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\0.33162993296064036.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\0.47148402792748956.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


EDIT: The behavior is still happening occasionally, after having scanned with MBAM.



#1
April 5, 2011 at 22:38:12
Hi,
Try downloading Rkill from this link:
http://www.bleepingcomputer.com/for...
Then download TDSSkiller from this link:
http://support.kaspersky.com/viruse...
Update and run your Malwarebytes.
Then download and run ESET online scanner, from this link:
http://www.eset.com/us/online-scanner

Then check your Host File settings for problems:
http://www.computing.net/howtos/sho...

Also check your Internet Proxy settings for redirections.



#2
April 6, 2011 at 12:59:47
Hello MrGoodguy, thank you for responding.

Ran Rkill; all it terminated was GoogleUpdater.exe.

Ran TDSSkiller; it seemed to find a file acting as a driver, deleted and removed.

Updated and ran Malwarebytes; it did not find anything.

Ran ESET Online Scan; it did not find anything either.

Checked hosts; the only line was the default:
127.0.0.1 localhost
No proxy settings enabled.

I am still getting the behavior, unfortunately. It happens infrequently, but it still happens.


EDIT: When attempting to boot into Safe Mode, the computer spontaneously restarts at the Windows login screen, before I can even manage to type my password in.



#3
April 6, 2011 at 13:34:18
I also have a HijackThis log, posted below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:35:53 PM, on 4/6/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\Inventor 2011\Moldflow\bin\mitsijm.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Program Files\RivaTuner v2.24\RivaTuner.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CAHS1Sound] RunDll32 CAHS1.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - S-1-5-18 Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.24\RivaTuner.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.24\RivaTuner.exe (User 'Default user')
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.24\RivaTuner.exe
O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Autodesk Moldflow Inventor Tool Suite Integration 2011 Job Manager (mitsijm2011) - Unknown owner - C:\Program Files\Autodesk\Inventor 2011\Moldflow\bin\mitsijm.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9563 bytes



#4
April 6, 2011 at 16:07:11
First of all, just post your log into:
http://hijackthis.de/
Then google the questionable items. I did notice that you are using Comodo security as well as AVG at the same time. Use either one or the other; you CANNOT run two at the same time, as they will conflict. That could be part of your problem.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#5
April 6, 2011 at 16:53:25
I used the link you posted, none of the items seemed very questionable.

I'm not running the whole Comodo security suite, just the firewall. Does AVG have a firewall built in? Otherwise they shouldn't be conflicting?

Thank you for the help. Is there anything else I should run? I still get redirected occasionally when clicking Google links.



#6
April 6, 2011 at 17:06:33
Try Trojan Remover and Hitman Pro; fix all they find.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#7
April 6, 2011 at 17:27:40
Trojan Remover found nothing, Hitman Pro got some tracking cookies and Rkill, which was mentioned earlier in this thread to kill active malware processes.

Sorry to be such a pain, thank you for all the help.



#8
April 6, 2011 at 17:52:00
OK, run ComboFix:
http://www.bleepingcomputer.com/com...
Follow the tutorial and you should be fine.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#9
April 6, 2011 at 19:21:45
I will run ComboFix shortly; however, I will be away until Monday/Tuesday. I would be appreciative if this thread could be kept open so that I can post results when I return.


#10
April 6, 2011 at 22:24:11
Sorry Zhain,

Some people don't know how to read a HJT log and tell everyone to use the checking website, which doesn't help, as the log checking website misses a lot of things.
If you didn't set this proxy setting delete it:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

And delete this one:
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

You should be all good after that.
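An added example, not code from this thread or from any of the tools it names: a small Python helper that does the hosts-file check suggested in #1 (entries that send a name anywhere other than loopback) and tags the HijackThis line types #10 singles out (R1 Internet Settings proxy entries, O20 AppInit_DLLs, and entries marked "file missing"). The sample hosts content and HJT lines are constructed for the example; the redirect IP is from the documentation range.

```python
from ipaddress import ip_address

# Constructed sample hosts file (not from the thread): the default line
# plus two hijack-style entries pointing at a documentation-range IP.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com
203.0.113.10    www.malwarebytes.org
"""

# Constructed HijackThis excerpt mixing benign and suspect line types.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

def check_hosts(text):
    """Return (hostname, ip) pairs that send a name anywhere other than
    loopback or 0.0.0.0 (0.0.0.0 is how ad-block hosts lists sink names)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue  # not an "<ip> <name>..." mapping; ignore
        if not (ip.is_loopback or ip.is_unspecified):
            findings.extend((name, str(ip)) for name in parts[1:])
    return findings

def triage_hjt(text):
    """Tag the HJT line types this thread singles out: R1 Internet Settings
    proxy entries, O20 AppInit_DLLs, and any entry whose binary is missing."""
    flagged = []
    for line in text.splitlines():
        if line.startswith("R1 - ") and "Internet Settings,Proxy" in line:
            flagged.append(("proxy", line))
        elif line.startswith("O20 - AppInit_DLLs"):
            flagged.append(("appinit", line))
        elif "(file missing)" in line:
            flagged.append(("missing-binary", line))
    return flagged
```

Everything tagged is a review list, not a removal list: the O20 guard32.dll entry in this log belongs to Comodo, and a ProxyOverride of *.local is frequently benign, whereas a ProxyServer value you never set is the kind of entry that silently reroutes browsing.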



#11
April 6, 2011 at 22:26:03
The thread does not expire; we get notifications when anyone adds an answer.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#12
April 6, 2011 at 22:27:15
Also update Windows XP SP2 to SP3; this will help with drive-by viruses.


#13
April 7, 2011 at 08:55:39
Not a problem, I appreciate any and all help. I'm assuming the proxy override entry in the HJT log was causing the redirect then? The GameGuard was some leftover anti-hacking system for a free to play MMO I downloaded at some point.

I'll take care of the rest, and post back with results when I get back on Monday. Thanks again for the help.



#14
April 11, 2011 at 16:08:39
I think I am all taken care of, thank you both for all your help.


#15
April 11, 2011 at 17:44:48
You're most welcome; glad your PC is running better. :-)
