TechSpot

Browser/google redirect links, please help

By knighce
Feb 2, 2010
Topic Status:
Not open for further replies.
  1. Hello,

    I have been experiencing this problem for days now. Google search results redirect links to some other random websites. I did the 8 steps (done it more than once actually), but am still experiencing the same problem. Anti-virus/malware/spyware tools keep finding viruses/malware etc. every time I run them. I attached the latest logs.

    Looking around this forum, it seems there are quite a lot of people experiencing the same problem as mine and got helped out. I hope you can help me with my problem too. Thanks in advance.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    knighce,
    I have noticed that you have multiple antivirus programs running.
    Avira
    AVG

    You should decide which you want to keep and remove the others for the following reasons:
    • Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
    • Multiple antivirus programs can also slow down the system.

    If you are using a paid program, consider removing the free programs. If you are using a trial of a paid program, please decide which programs you would like to keep and remove the others. You will find the following removal tools helpful:
    • AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
    • To uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.

    Note: Security programs are best removed while in Safe Mode. Download the removal tool and save to your desktop. Boot into Safe Mode:
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Please reboot the system when you have made the change.

    Your Hosts file has been hijacked and malware has installed itself in your Trusted Zone:

    Please reopen HijackThis to 'Do a system scan only' and check the following if present:
    Note: Do not click on Fix checked until all of the entries have been checked.

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mssque32.exe,
    O1 - Hosts: 78.159.110.36 www.google.no
    O1 - Hosts: 78.159.110.36 www.google.com.mx
    O1 - Hosts: 78.159.110.36 www.google.co.za
    O1 - Hosts: 78.159.110.36 www.google.fi
    O1 - Hosts: 78.159.110.36 www.google.dk
    O1 - Hosts: 78.159.110.36 www.google.es
    O1 - Hosts: 78.159.110.36 www.google.se
    O1 - Hosts: 78.159.110.36 www.google.be
    O1 - Hosts: 78.159.110.36 www.google.com
    O1 - Hosts: 78.159.110.36 www.google.at
    O1 - Hosts: 78.159.110.36 www.google.it
    O1 - Hosts: 78.159.110.36 www.google.com.au
    O1 - Hosts: 78.159.110.36 search.yahoo.com
    O1 - Hosts: 78.159.110.36 www.google.com.br
    O1 - Hosts: 78.159.110.36 www.google.ca
    O1 - Hosts: 78.159.110.36 uk.search.yahoo.com
    O1 - Hosts: 78.159.110.36 www.google.ch
    O1 - Hosts: 78.159.110.36 www.google.pt
    O1 - Hosts: 78.159.110.36 www.google.gr
    O1 - Hosts: 78.159.110.36 www.google.de
    O1 - Hosts: 78.159.110.36 www.google.ie
    O1 - Hosts: 78.159.110.36 www.google.co.jp
    O1 - Hosts: 78.159.110.36 www.google.nl
    O1 - Hosts: 78.159.110.36 www.google.fr
    O1 - Hosts: 78.159.110.36 us.search.yahoo.com
    O1 - Hosts: 78.159.110.36 www.google.co.uk
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
    O15 - Trusted Zone: http://*.buy-internet-security10.com
    O15 - Trusted Zone: http://*.is-soft-download.com
    O15 - Trusted Zone: http://*.is-software-download.com
    O15 - Trusted Zone: http://*.broadband.o2.co.uk
    O15 - Trusted Zone: http://*.buy-internet-security10.com (HKLM)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll


    Close all Windows except HijackThis and click on "Fix Checked."

    When you have finished, run the following:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query - Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Rescan with HijackThis when finished.

    Please attach Combofix report and new HJT log to your next reply.
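    The HijackThis entries listed in this post fall into a handful of recognisable patterns (extra UserInit components, Hosts lines pointing search domains at a non-loopback address, wildcard Trusted Zone sites, AppInit_DLLs, orphaned "(no file)" entries). The following added example, which is not from the thread or from HijackThis itself, triages a few constructed HijackThis-style lines modelled on the ones above and returns the suspicious findings:

```python
import ipaddress
import re

# Constructed sample input modelled on the entries quoted in the post above
# (not the poster's actual attached log).
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\mssque32.exe,
O1 - Hosts: 78.159.110.36 www.google.com
O1 - Hosts: 78.159.110.36 search.yahoo.com
O1 - Hosts: 127.0.0.1 localhost
O15 - Trusted Zone: http://*.buy-internet-security10.com
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\kbdsock.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
"""

# The only UserInit component Windows itself needs (assumption for a stock install).
EXPECTED_USERINIT = {"userinit.exe"}


def triage(log_text):
    """Return a list of (category, detail) findings for suspicious HijackThis entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Winlogon runs every comma-separated component; anything beyond
            # userinit.exe is persistence that survives reboots.
            value = line.split("UserInit=", 1)[1]
            for component in filter(None, value.split(",")):
                name = component.rsplit("\\", 1)[-1].lower()
                if name not in EXPECTED_USERINIT:
                    findings.append(("userinit_extra", component))
        elif line.startswith("O1 - Hosts:"):
            _, _, mapping = line.partition("Hosts:")
            addr, _, host = mapping.strip().partition(" ")
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue
            # A hostname mapped anywhere except loopback/unspecified is a
            # redirect candidate; the "localhost" line is left alone.
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append(("hosts_redirect", f"{host} -> {addr}"))
        elif line.startswith("O15 - Trusted Zone:"):
            # Sites in the Trusted Zone get relaxed IE security settings.
            findings.append(("trusted_zone", line.split("Zone:", 1)[1].strip()))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that uses user32.dll.
            findings.append(("appinit_dll", line.split("DLLs:", 1)[1].strip()))
        elif re.search(r"\(no file\)\s*$", line):
            # Orphaned BHO/toolbar registrations are harmless leftovers but worth cleaning.
            findings.append(("orphan_entry", line))
    return findings
```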
     
  3. knighce

    knighce TS Rookie Topic Starter

    Hi Bobbye,

    Thank you for your quick response.

    I have followed all your instructions, although I wasn't able to install the Windows Recovery Console because I didn't notice the note that says "This requires an active internet connection." and just clicked Yes. Though it asked me to connect to the internet, which I did, when I thought I was connected to the internet, I clicked Ok. But then I wasn't, and ComboFix continued its process.

    I hope it won't really matter. Moving on, I ran HijackThis again and attached the log together with the Combo Fix report.

    Please let me know if my system is clean.
    Thanks again.
     

    Attached Files:

  4. knighce

    knighce TS Rookie Topic Starter

    Hi, again

    I ran a system scan on Avira after re-installing it. The result said it has found 2 viruses. I attached the report log of Avira and the latest HijackThis log after the Avira scan.
     

    Attached Files:

  5. knighce

    knighce TS Rookie Topic Starter

    bump*
    Please confirm.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Note, please: your thread is only one day old. You were fortunate that I was able to pick it up early. Now you must practice patience, because while you were busy bumping the thread, I was helping someone else.

    I'll be back as soon as I can.
     
  7. knighce

    knighce TS Rookie Topic Starter

    Sorry about that.
    Thank you for the reply, I will wait patiently.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thanks. We get backed up here when the moon is full and people click on everything that pops up!

    I'd like you to submit a file for identification. It's been getting removed and keeps coming back:

    Please go to http://virusscan.jotti.org/en to upload a suspicious file for analysis.
    • Copy this file and paste it in the Submit box:

      C:\WINDOWS\system32\mssque32.exe,
    • Click on Submit.
    • Wait for the scan. Paste the results in your next reply.

    Avira names it TR/Crypt.ZPACK.Gen and states generic and unknown variant. That's too vague. Userinit specifies the programs that Winlogon runs when a user logs on.
    -------------
    Please download OTMoveIt by Old Timer and save to your desktop.

    Important: before you run OTMoveIt, you will need to unhide files:
    Control Panel> Folder Options> View tab> Uncheck 'do not show hidden files and folders'> Check 'show hidden files and folders'> Uncheck 'hide protected operating system files-Recommended'> Uncheck 'hide extensions of known file types'> Apply> OK.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      c:\windows\system32\GameMon.des
      
      :Reg
      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]"AB141C35E9F4BF344B9FC010BB17F68A"=""
      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]"AB141C35E9F4BF344B9FC010BB17F68A"=""
      
      :Files  
      c:\docume~1\Trias\LOCALS~1\Temp\NBV158.tmp 
      c:\windows\system32\GameMon.des -service 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ---------------------------------------
    Please go back and hide the files and folders.

    When you have finished, rescan with HijackThis and leave the new log, the virus ID and the OTMoveIt log.
    We'll go from there.
     
  9. knighce

    knighce TS Rookie Topic Starter

    Hi, Thanks for the reply.

    I followed all your instructions. I went to the website (http://virusscan.jotti.org/en) you gave and tried to upload file C:\WINDOWS\system32\mssque32.exe but it returned "File is empty (0 bytes)!". I first looked for the file manually but it wasn't there. So I browsed it from the website, it was there. I clicked open, then submit file. It returned file is empty. I attached an image showing this.

    The next instructions were done. I attached the log of OTMoveIt and the latest HijackThis log.

    Thanks again.
     

    Attached Files:

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please submit this to the virus scan instead:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.

    Have HijackThis remove these 2 entries if present:
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file) (AVG link scanner)
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

    Close and click on Fix Checked

    Please run Notepad and copy the following text into a new file:

    Code:
    sc config npggsvc start= disabled
    sc stop npggsvc
    sc delete npggsvc
    
    • Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
    • Locate remove.bat on the Desktop and double-click on it to run it.
    • A DOS box will open and close, that is normal.
    • If any errors are encountered, please post them.
    • When done you can delete the remove.bat file.

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Have you noticed any improvement on the Hosts problem? When we're through, I'm going to give you a new Hosts file to install on the system.
     
  11. knighce

    knighce TS Rookie Topic Starter

    Hi,

    I have done all the instructions. VirSCAN didn't give the link but copied the whole report itself into the clipboard. I saved it into Notepad instead. I attached the VirSCAN report together with the Eset Online Scanner log and the latest HijackThis log.

    About the Hosts problem: Google seems to work fine now. It doesn't redirect links anymore.

    Thanks.
     

    Attached Files:

     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have pirated software:
    BitTorrent\New Folder\Nero 9.2.5.0+Keygen[h33t]MasterUploader\Setup\Nero-9.2.5.0.exe

    It will have to be removed for continued support.
     
  13. knighce

    knighce TS Rookie Topic Starter

    Hi,

    The software has been removed. I attached the log of Eset Online Scanner and the latest log of HiJack This.

    Thanks.
     

    Attached Files:

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Regarding the following: mRouter 3 is the software used to connect many Symbian smartphones to PCs. Part of the Sony Ericsson P900 program suite / Nokia mobile phone. Is this currently active?

    C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
    C:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
    (Intuwave)

    Before I wind this up, can you please give me some information about the following:
    C:\Program Files\Common Files\Teleca Shared\logger.exe

    As far as I could find Teleca is part of
    If you are using this and know it's on the system, okay.

    What is the E drive?

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      E:\GG\plugins\UI\GEngine.dll
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  15. knighce

    knighce TS Rookie Topic Starter

    About the mRouter3 software, I think it was installed when I first transferred some photos from my mobile phone (Sony Ericsson C905) to this PC. Recently I haven't connected my mobile phone to this PC, so I think it's not active.

    About the Teleca, with how you described it, I don't have an HTC phone and I don't remember connecting one to this computer. Hence I don't use it and did not know it's on the system.

    About the E drive, my hard drive has four partitions, one of them is the E drive.

    Hope these help.

    I attached the OTMoveIt log and the latest HijackThis log.

    Thanks.
     

    Attached Files:
