Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 10-30-2009, 05:59 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 9
OS: xp


Search engine redirecting to random pages

Hi, Thanks for the help in advance!

When I am on the search engines, most casually on Google, by clicking on one of the results, I get redirected to a random site that has nothing to do with the link I wanted. Usually the redirected sites are advertisements of some kind. Also, these past days I haven't been able to update my antivirus, Avira. I'm not sure why (nor if it's relevant); it just stays on "scan for updates."

I run Windows xp. I am not in possession of any boot cd.

I have tried to find any malware, scanning with Avira, and using panda scan online, but have not found anything.

Here is the DDS report,

DDS (Ver_09-10-26.01) - NTFSx86
Run by Francisco at 0:08:15,09 on 31/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1012.477 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Programmi\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmi\COMODO\COMODO Internet Security\cfp.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxext.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\DOCUME~1\FRANCI~1\IMPOST~1\Temp\RtkBtMnt.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Francisco Gianzanti\Documenti\File ricevuti\dds(2).scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\programmi\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programmi\file comuni\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {a057a204-bacc-4d26-9990-79a187e2698e} - AVG Security Toolbar
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} -
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\programmi\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\programmi\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [Google Desktop Search] "c:\programmi\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\programmi\avira\antivir desktop\avgnt.exe" /min
mRun: [GrooveMonitor] "c:\programmi\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\programmi\quicktime\QTTask.exe" -atboottime
mRun: [COMODO Internet Security] "c:\programmi\comodo\comodo internet security\cfp.exe" -h
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\programmi\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\guard32.dll
SSODL: DhcpQuarantine - {9b4d1b14-dcfa-46d4-8e3a-88aa9c52f613} - c:\programmi\file comuni\dhcp\DhcpQuarantine.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\programmi\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\franci~1\datiap~1\mozilla\firefox\profiles\hbnjxji3.default\
FF - prefs.js: browser.startup.homepage - www.economist.com
FF - plugin: c:\documents and settings\francisco gianzanti\dati applicazioni\mozilla\firefox\profiles\hbnjxji3.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\programmi\google\picasa3\npPicasa3.dll
FF - plugin: c:\programmi\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-10-23 28552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-8-11 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-8-11 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmi\avira\antivir desktop\sched.exe [2009-4-18 108289]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 254976]
S0 qwlcyljo;qwlcyljo;c:\windows\system32\drivers\monsqwuc.sys --> c:\windows\system32\drivers\monsqwuc.sys [?]
S2 gupdate1c9e2f0a79afab0;Google Update Service (gupdate1c9e2f0a79afab0);c:\programmi\google\update\GoogleUpdate.exe [2009-6-1 133104]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\programmi\google\google desktop search\GoogleDesktop.exe [2009-2-27 24064]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-2-27 96856]
S4 ASKService;ASKService;c:\programmi\askbardis\bar\bin\askservice.exe --> c:\programmi\askbardis\bar\bin\AskService.exe [?]
S4 ASKUpgrade;ASKUpgrade;c:\programmi\askbardis\bar\bin\askupgrade.exe --> c:\programmi\askbardis\bar\bin\ASKUpgrade.exe [?]

=============== Created Last 30 ================

2009-10-23 12:33:06 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-17 22:51:06 0 d-----w- c:\programmi\file comuni\Dhcp
2009-10-13 19:23:57 3532 ----a-w- C:\drmHeader.bin

==================== Find3M ====================

2009-10-17 01:21:36 85914 ----a-w- c:\windows\system32\perfc010.dat
2009-10-17 01:21:36 493802 ----a-w- c:\windows\system32\perfh010.dat
2009-09-22 10:47:27 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-22 10:47:24 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-22 10:47:23 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-09-11 14:17:34 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:04 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:31 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 21:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 17:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 17:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 08:59:33 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 17:26:06 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 17:26:03 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-02-27 17:40:09 32768 --sha-w- c:\windows\system32\config\systemprofile\impostazioni locali\cronologia\history.ie5\mshist012009022720090228\index.dat
2008-08-20 19:26:24 32768 --sha-w- c:\windows\system32\config\systemprofile\impostazioni locali\dati applicazioni\microsoft\feeds cache\index.dat

============= FINISH: 0:09:03,93 ===============
Attached Files
File Type: zip DDS.zip (7.0 KB, 3 views)
panchogianza is offline  

Old 11-03-2009, 09:54 AM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3


Re: Search engine redirecting to random pages

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I need to see a gmer log in order to help you.

Download GMER Rootkit Scanner from here and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 11-04-2009, 02:31 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 9
OS: xp


Re: Search engine redirecting to random pages

Hello! Thanks for your answer. I have just read it. I subscribed now for the instant notification. I am not in my house for today, which means I won't have access to my computer today. I will reply with the attached "Gmer.txt" log as soon as I am able to get my hands on my PC. That will be tomorrow evening. Thanks again!
panchogianza is offline  
Old 11-05-2009, 01:12 PM   #4 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 9
OS: xp


Re: Search engine redirecting to random pages

Hi again!
Here is the gmer.txt file, attached.
Thanks for the help!
Attached Files
File Type: txt Gmer.txt (5.2 KB, 3 views)
panchogianza is offline  
Old 11-05-2009, 01:57 PM   #5 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3


Re: Search engine redirecting to random pages

Hello panchogianza.

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
chemist is offline  
Old 11-05-2009, 03:55 PM   #6 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 9
OS: xp


Re: Search engine redirecting to random pages

Hello chemist, here is the post.
Thanks!

ComboFix 09-11-05.01 - Francisco 05/11/2009 23:08.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1012.561 [GMT 1:00]
Eseguito da: c:\documents and settings\Francisco Gianzanti\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\HeroCodec
c:\windows\struct~.ini
c:\windows\system32\autorun.ini
c:\windows\system32\gxvxccounter

.
((((((((((((((((((((((((( Files Creati Da 2009-10-05 al 2009-11-05 )))))))))))))))))))))))))))))))))))
.

2009-11-02 20:27 . 2009-11-02 20:32 -------- d-----w- c:\documents and settings\Francisco Gianzanti\Impostazioni locali\Dati applicazioni\Temp
2009-10-23 12:33 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-17 22:51 . 2009-10-17 22:51 -------- d-----w- c:\programmi\File comuni\Dhcp
2009-10-13 19:23 . 2009-10-16 15:08 3532 ----a-w- C:\drmHeader.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 18:58 . 2009-04-11 16:41 -------- d-----w- c:\documents and settings\Francisco Gianzanti\Dati applicazioni\Azureus
2009-11-05 18:04 . 2008-08-21 09:17 85914 ----a-w- c:\windows\system32\perfc010.dat
2009-11-05 18:04 . 2008-08-21 09:17 493802 ----a-w- c:\windows\system32\perfh010.dat
2009-11-03 11:16 . 2009-02-27 13:18 -------- d-----w- c:\documents and settings\Francisco Gianzanti\Dati applicazioni\Skype
2009-11-03 09:05 . 2009-02-27 13:20 -------- d-----w- c:\documents and settings\Francisco Gianzanti\Dati applicazioni\skypePM
2009-10-27 01:04 . 2009-02-27 12:00 92336 ----a-w- c:\documents and settings\Francisco Gianzanti\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-10-27 00:42 . 2008-08-20 19:56 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-10-27 00:38 . 2008-08-20 19:53 -------- d-----w- c:\programmi\Microsoft Works
2009-10-16 17:35 . 2009-04-11 16:27 -------- d-----w- c:\programmi\Vuze
2009-10-13 06:38 . 2009-07-31 11:17 -------- d-----w- c:\programmi\DivX
2009-10-12 20:50 . 2009-09-30 16:27 -------- d-----w- c:\programmi\iTunes
2009-10-12 20:49 . 2009-04-11 18:03 10686001 ----a-w- c:\documents and settings\Francisco Gianzanti\Dati applicazioni\Azureus\plugins\azump\mplayer.exe
2009-10-07 11:04 . 2009-05-17 21:08 -------- d-----w- c:\programmi\File comuni\DVDVideoSoft
2009-10-07 11:04 . 2009-05-17 21:07 -------- d-----w- c:\programmi\DVDVideoSoft
2009-09-30 16:28 . 2009-09-30 16:28 -------- d-----w- c:\programmi\iPod
2009-09-30 16:28 . 2009-02-27 14:51 -------- d-----w- c:\programmi\File comuni\Apple
2009-09-30 16:17 . 2009-09-30 16:17 79144 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-25 17:17 . 2009-02-27 17:55 -------- d-----w- c:\programmi\Google
2009-09-22 10:47 . 2009-08-11 12:33 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-22 10:47 . 2009-08-11 12:33 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-09-22 10:47 . 2009-08-11 12:33 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-22 10:47 . 2009-08-11 12:33 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-09-22 09:36 . 2009-09-22 09:36 -------- d-----w- c:\documents and settings\Francisco Gianzanti\Dati applicazioni\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-09-15 19:54 . 2009-02-27 14:54 -------- d-----w- c:\documents and settings\Francisco Gianzanti\Dati applicazioni\Apple Computer
2009-09-15 18:25 . 2009-09-15 18:22 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 18:15 . 2009-09-15 18:13 -------- d-----w- c:\programmi\QuickTime
2009-09-15 18:04 . 2009-09-15 18:04 -------- d-----w- c:\programmi\GCH Guitar academy
2009-09-11 14:17 . 2008-04-13 21:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 01:01 . 2009-09-09 23:05 -------- d-----w- c:\programmi\uusee
2009-09-04 21:03 . 2008-04-13 21:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:26 . 2007-08-13 16:54 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:26 . 2008-04-13 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:26 . 2008-04-13 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-04-13 21:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 21:33 . 2009-08-17 21:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-08 00:09 . 2009-04-18 22:37 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\programmi\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\programmi\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\programmi\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"Google Desktop Search"="c:\programmi\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-27 24064]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\programmi\QuickTime\QTTask.exe" [2009-09-04 417792]
"COMODO Internet Security"="c:\programmi\COMODO\COMODO Internet Security\cfp.exe" [2009-09-22 1799952]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DhcpQuarantine"= {9b4d1b14-dcfa-46d4-8e3a-88aa9c52f613} - c:\programmi\File comuni\Dhcp\DhcpQuarantine.dll [2009-10-17 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^Francisco Gianzanti^Menu Avvio^Programmi^Esecuzione automatica^Ritaglio schermata e avvio di OneNote 2007.lnk]
path=c:\documents and settings\Francisco Gianzanti\Menu Avvio\Programmi\Esecuzione automatica\Ritaglio schermata e avvio di OneNote 2007.lnk
backup=c:\windows\pss\Ritaglio schermata e avvio di OneNote 2007.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Vuze\\Azureus.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [23/10/2009 13:33 28552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [11/08/2009 13:33 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/08/2009 13:33 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmi\Avira\AntiVir Desktop\sched.exe [18/04/2009 23:37 108289]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [05/05/2008 17:01 254976]
S0 qwlcyljo;qwlcyljo;c:\windows\system32\drivers\monsqwuc.sys --> c:\windows\system32\drivers\monsqwuc.sys [?]
S2 gupdate1c9e2f0a79afab0;Google Update Service (gupdate1c9e2f0a79afab0);c:\programmi\Google\Update\GoogleUpdate.exe [01/06/2009 20:39 133104]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\programmi\Google\Google Desktop Search\GoogleDesktop.exe [27/02/2009 18:55 24064]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [27/02/2009 13:01 96856]
S4 ASKService;ASKService;c:\programmi\AskBarDis\bar\bin\AskService.exe --> c:\programmi\AskBarDis\bar\bin\AskService.exe [?]
S4 ASKUpgrade;ASKUpgrade;c:\programmi\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\programmi\AskBarDis\bar\bin\ASKUpgrade.exe [?]
.
Contenuto della cartella 'Scheduled Tasks'

2009-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-01 19:39]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-01 19:39]

2009-10-25 c:\windows\Tasks\SmartDefrag.job
- c:\programmi\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-07-31 07:22]
.
.
------- Scansione supplementare -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Francisco Gianzanti\Dati applicazioni\Mozilla\Firefox\Profiles\hbnjxji3.default\
FF - prefs.js: browser.startup.homepage - www.economist.com
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Francisco Gianzanti\Dati applicazioni\Mozilla\Firefox\Profiles\hbnjxji3.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\programmi\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-M3000Mnt - M3000Rmv.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 23:19
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(2736)
c:\windows\system32\WININET.dll
c:\programmi\File comuni\Dhcp\DhcpQuarantine.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\COMODO\COMODO Internet Security\cmdagent.exe
c:\programmi\Avira\AntiVir Desktop\avguard.exe
c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\programmi\iPod\bin\iPodService.exe
c:\docume~1\FRANCI~1\IMPOST~1\Temp\RtkBtMnt.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Ora fine scansione: 2009-11-05 23:24 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-11-05 22:24

Pre-Run: 118.302.662.656 byte disponibili
Post-Run: 118.226.538.496 byte disponibili

WindowsXP-KB310994-SP2-Home-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 08FFFC6F498FAEA39E091B6F11735000
Attached Files
File Type: txt ComboFix.txt (12.8 KB, 0 views)
panchogianza is offline  
Old 11-05-2009, 05:44 PM   #7 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3


Re: Search engine redirecting to random pages

Hello again, panchogianza. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc delete qwlcyljo

A DOS window will open and close again; this is normal.

Repeat for each of these commands:

sc delete ASKService

sc delete ASKUpgrade

------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 12 can be updated from the Java Control Panel. Go Start > Control Panel(Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 11-07-2009, 06:59 AM   #8 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 9
OS: xp


Re: Search engine redirecting to random pages

Hello Chemist.

I followed your instructions.
Had no problem deleting the files, and I ran ATF-Cleaner successfully.

However, when I tried to update Java by clicking on the icon in the control panel, a window appeared saying that the registry key no longer existed. Therefore, I downloaded Java Runtime Environment Version 6 Update 17 from the official Java webpage. Now the icon works fine.

Also, the Kaspersky online scanner is not currently available since they are updating it. As soon as it is available, I will run it and send you the report.

As of now, I have tried several searches, mainly in Google, and have still been redirected to random pages instead of the one I clicked on. Avira was successfully updated.

Will post again as soon as possible with the Kaspersky report and another report on my system.

Thanks a lot for your help, it's really appreciated!
panchogianza is offline  
Old 11-07-2009, 09:53 AM   #9 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3


Re: Search engine redirecting to random pages

Hello again, panchogianza. I just tried Kaspersky and it worked. If it still won't work, try this one:

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here to run an online scanner from ESET and Save the file to your Desktop.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Scan
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic and also let me know how things are now.
------------------------------------------------------

If you have trouble with your computer blocking the ActiveX, go here and temporarily turn the feature off:

http://www.windowsreference.com/inte...the-publisher/

Remember to turn it back on after the scan!

------------------------------------------------------
chemist is offline  
Old 11-07-2009, 04:29 PM   #10 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 9
OS: xp


Re: Search engine redirecting to random pages

Hi again, Chemist,

ESET worked perfectly, here I post the report.

Thanks a lot!


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=3e66d50f3e62a54fb374a16b64fbdf37
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-07 10:47:24
# local_time=2009-11-07 11:47:24 (+0100, ora solare Europa occidentale)
# country="Italy"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 16614729 16614729 0 0
# compatibility_mode=1797 16775141 100 100 0 34061490 230591 0
# compatibility_mode=3073 16777213 80 89 4000338 7623067 0 0
# compatibility_mode=8192 67108863 100 0 4377 4377 0 0
# compatibility_mode=9217 16777214 0 9 15026167 25908792 0 0
# scanned=240586
# found=2
# cleaned=0
# scan_time=16998
F:\Users\Pancho\AppData\Local\hssnuc.exe probably a variant of Win32/Adware.NaviPromo application 00000000000000000000000000000000 I
F:\Users\Pancho\Downloads\TuneUp Utilities 2008\TuneUp-Utilities-2008-v7.0.8002.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
panchogianza is offline  
Old 11-07-2009, 07:15 PM   #11 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3


Re: Search engine redirecting to random pages

Hello again, panchogianza. Ensure your F: drive is inserted.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Start with a fresh log of anything that could not be removed
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Loop over the two files the ESET scan flagged; the quotes keep paths with spaces intact
for %%g in (

"F:\Users\Pancho\AppData\Local\hssnuc.exe"
"F:\Users\Pancho\Downloads\TuneUp Utilities 2008\TuneUp-Utilities-2008-v7.0.8002.exe"

) do (
rem /a matches the file whatever its attributes, /f forces read-only files, /q suppresses prompts
del /a/f/q %%g >nul 2>&1
rem Anything still present after the delete is written to the log
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


rem Show the log if something survived, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself once done
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------

Go to Add or Remove Programs, and uninstall Java(TM) 6 Update 12 if it is still there.

------------------------------------------------------

Unfortunately, nothing else is showing in your logs.

Are you still being redirected? Are you redirected in IE as well as Firefox?

------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------
chemist is offline  
Old 11-09-2009, 04:05 AM   #12 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 9
OS: xp


Re: Search engine redirecting to random pages

Hello Chemist. Sorry for the waiting.

I have followed your instructions.

When I opened the fix.bat file, Avira prompted a window saying it had detected an unwanted infection and asking me what action to take; I clicked on put in quarantine, then OK. After that, the window from the fix.bat file showed deletion successful.

Then I installed Malwarebytes' Anti-Malware and successfully performed a quick scan. The report is posted here.

I have tried several searches and so far have not been redirected. Good news! Thanks a lot! One more question: do you have any advice on how to prevent an infection like this one from happening again?

Thanks again for your help!

Malwarebytes' Anti-Malware 1.41
Database version: 3132
Windows 5.1.2600 Service Pack 3

09/11/2009 11:26:54
mbam-log-2009-11-09 (11-26-54).txt

Scan type: Quick Scan
Objects scanned: 103129
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9b4d1b14-dcfa-46d4-8e3a-88aa9c52f613} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dhcpquarantine (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Programmi\File comuni\Dhcp\DhcpQuarantine.dll (Trojan.FakeAlert.H) -> Delete on reboot.
panchogianza is offline  
Old 11-09-2009, 05:39 AM   #13 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3


Re: Search engine redirecting to random pages

Hello again, panchogianza. I will give you some links for prevention when we are done.

Quote:
Files Infected:
C:\Programmi\File comuni\Dhcp\DhcpQuarantine.dll (Trojan.FakeAlert.H) -> Delete on reboot.
Have you rebooted yet? If not, please do so. If you are not experiencing any more problems, let me know and I will give you some final instructions.

------------------------------------------------------
chemist is offline  
Old 11-09-2009, 08:07 AM   #14 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 9
OS: xp


Re: Search engine redirecting to random pages

Hello Chemist.

Yes, I have rebooted the system. When the scan was completed, I clicked on Show Results and removed the selected files. Then it said that in order to delete one of the files it needed to reboot the system, so it did.

So far, no more problems are being experienced. The system seems to be working fine.

Thanks again!
panchogianza is offline  
Old 11-09-2009, 10:33 AM   #15 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3


Re: Search engine redirecting to random pages

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable Avira before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
chemist is offline  
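The HOSTS-file mechanism chemist describes above, as an added example that is not part of the thread or of the MVPS project: it parses a file in that layout, reports whether a name is pinned to the local machine (so the connection never leaves it), and installs a new file while keeping the old one as HOSTS.MVP, which is what the mvps.bat step is described as doing. The sample entries, hostnames and working directory are constructed for illustration.

```python
"""Added example: how an MVPS-style HOSTS file blocks ad/malware hostnames.
Sample lines, hostnames and directories below are constructed, not real."""
from pathlib import Path
import tempfile

# Addresses that point back at the local machine; a name mapped to one of
# these can never reach the real server.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in the MVPS layout: comments, blank lines, one address
# per line. Some block lists use 0.0.0.0 instead of 127.0.0.1; both block.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file (the real MVPS file lists thousands of names)
127.0.0.1  localhost
127.0.0.1  ads.example-adserver.test      # ad server
127.0.0.1  tracker.example-adserver.test  pixel.example-adserver.test
0.0.0.0    dropper.example-badsite.test
"""


def parse_hosts(text):
    """Return {hostname: address}. '#' starts a comment, whitespace separates
    fields, and one line may carry several hostnames after the address."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no hostname
        address, names = fields[0], fields[1:]
        for name in names:
            table[name.lower()] = address
    return table


def is_blocked(table, hostname):
    """True when the HOSTS file redirects the name to the local machine."""
    return table.get(hostname.lower().rstrip(".")) in LOCAL_ADDRESSES


def install_hosts(new_text, etc_dir):
    """Keep the existing hosts file as HOSTS.MVP, then put the new one in place
    (the backup lets the user restore the original if something breaks)."""
    etc_dir = Path(etc_dir)
    hosts = etc_dir / "hosts"
    if hosts.exists():
        hosts.replace(etc_dir / "HOSTS.MVP")
    hosts.write_text(new_text)
    return hosts


def demo_install():
    """Run the install in a throwaway directory (constructed) and return the
    backup's content plus whether an ad host is blocked afterwards."""
    workdir = Path(tempfile.mkdtemp())
    (workdir / "hosts").write_text("127.0.0.1 localhost\n")
    installed = install_hosts(SAMPLE_HOSTS, workdir)
    backup = (workdir / "HOSTS.MVP").read_text()
    table = parse_hosts(installed.read_text())
    return backup, is_blocked(table, "ads.example-adserver.test")
```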
Old 11-09-2009, 03:54 PM   #16 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 9
OS: xp


Re: Search engine redirecting to random pages

Great, perfect! Chemist, thanks a lot for your time. I really appreciate it!
panchogianza is offline  
Old 11-09-2009, 06:13 PM   #17 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,647
OS: XP SP3


Re: Search engine redirecting to random pages

You're very welcome, panchogianza! Glad to have helped.
chemist is offline  
Copyright 2001 - 2009, Tech Support Forum