| Thread ID: 98168 | 2009-03-14 06:33:00 | Windows update gets redirected to fake Google site | Babar (14708) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 756246 | 2009-03-28 22:13:00 | Did either of you install some kind of Star Wars game? When you run this, it can install a worm called P2load.A. Does the home page in IE look like this? (enterprises.pandasoftware.com) | Speedy Gonzales (78) |
| 756247 | 2009-03-28 22:57:00 | Thanks to everyone that is helping me. I really appreciate it! @Grevan - I have reset all the options (including advanced reset). Yes, I have run a Malwarebytes scan and it didn't detect anything. @ Speedy Gonzales - Yes, Command Prompt and Regedit do work. @ Wainuitech - When running HijackThis, a message comes up saying "For some reasons your system denied write access to the Hosts file. If any hijacked domains are in this file, Hijackthis may NOT be able to fix this. If that happens, you need to edit the file yourself. To do this, click Start, Run and type: notepad C:\Windows\system32\drivers\etc\hosts and press Enter. Find the line(s) Hijackthis reports and delete them. Save the file as 'hosts' (with quotes) and reboot. For Vista, simply, exit Hijackthis, right click of the Hijackthis icon, choose 'Run as Administrator'". @Speedy Gonzales - Just ran HijackThis and these are still there even though I asked for them to be fixed. O13 is no longer there: O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe and O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe. @ All - Here is the logfile that I have just run. I have not yet run ComboFix. Cheers Aaron | aronking (2294) |
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:13 AM, on 29/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eDSMSNfix.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\system32\igfxext.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\K\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\NOTEPAD.EXE
D:\Program Files\Security\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eDSMSNfix] C:\Acer\Empowering Technology\eDSMSNfix.exe
O4 - HKLM\..\Run: [SetPanel] C:\AcerSW\APanel.exe /F:C:\AcerSW\SetPanel.ini
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-687689125-697858191-458345354-1001\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Sebastian')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
-- End of file - 7927 bytes
| 756248 | 2009-03-28 23:00:00 | @ wainuitech - Oh, I have reset the Windows hosts file as well before running HijackThis. The log file is after the reset. Aaron | aronking (2294) |
| 756249 | 2009-03-28 23:12:00 | What about post #11? Is that what you saw / or see when you open IE? If those entries don't want to disappear, get CCleaner (www.ccleaner.com). Install it (untick the Yahoo option, you don't need it). Run it, click on Tools / Startup. Highlight them, then click on Delete. | Speedy Gonzales (78) |
| 756250 | 2009-03-28 23:24:00 | @ Speedy Gonzales - No, I did not install the Star Wars game and my IE is not redirected to something that looks like that. In fact IE allows me to go to every page except for Windows Update :( Cheers Aaron | aronking (2294) |
| 756251 | 2009-03-28 23:27:00 | What error comes up when you try to go to the Windows Update site? Does it let you install the ActiveX file? Or doesn't it get that far? Or does it bring up an error after you scan for updates? If it does, what's the error? It's not the same prob as the original post then, by the sounds of it. | Speedy Gonzales (78) |
| 756252 | 2009-03-28 23:36:00 | The Gopher prefix entry that couldn't be fixed: right-click HijackThis, then Run as Administrator. Then tick it; it should work. Blam | Blam (54) |
| 756253 | 2009-03-29 01:49:00 | "@ wainuitech - Oh, I have reset the Windows hosts file as well before running HijackThis. The log file is after the reset. Aaron" If you are still being redirected, open the hosts file and post back its complete contents. One easy way is to run HijackThis (but don't scan), click on "Open The Misc Tools Section" (button), then the second one down, "Open Hosts File Manager", then open in Notepad. Copy / paste the complete contents back here. If the file has already been reset and is back to standard, and you are still getting redirected, run ComboFix as I mentioned earlier. MANY infections hide and DON'T show in HijackThis. ComboFix will find them and deal to them. Edited: one other thing you can try before running ComboFix is to download Dial-a-fix (www.softpedia.com/get/System/System-Miscellaneous/Dial-a-fix.shtml), run it, tick everything, reboot and see if Windows Update now works (or not). | wainuitech (129) |
| 756254 | 2009-03-30 10:14:00 | I have found the solution to the problem. It is not what I expected at all. It was the ADSL router that was redirecting the URL searches to a trojan site. All I did was to reboot the router and the default settings came on and all is well. The faulty numbers were in the Primary and Secondary DNS servers on the router (these were not those assigned by my ISP). So if you had the correct DNS server numbers in your settings on a PC, it ignored the defaults in the router. That is why on my desktop it could go to the correct Windows Update site. On the notebooks, it had the setting to obtain the DNS server address automatically, so it used the default in my router, which blocked access to Windows Update. I didn't make a note of the IP address but I think it began with 855.xxx.xx.xxx. The last 3 digits were 15 for the primary DNS and 156 for the secondary DNS server. I hope that this helps someone else. Thanks guys for all your help. I really appreciate it. Of course, that is why Malwarebytes and Trojan Remover didn't find anything. One question I have: is there anything I should do now to ensure that my PCs are all clean? Cheers Aaron PS I am not technically savvy so my explanation may not be as clear as could be. If anyone can express it better for others, please do so. | aronking (2294) |
| 756255 | 2009-03-30 10:55:00 | Hmm, you may have had one of the variants of the DNSChanger trojan which hits routers. Info is here (www.net-security.org). The info you gave is on the 2nd page: "A typical sign of infection with DNSChanger is that the DNS and DHCP servers are pointing to the IP address range 85.255.*.*. Another sign for infection is that non-existing domain names are being resolved by the malicious DNS servers. Potentially infected users can try to browse to a fictitious domain that doesn't exist." And what you did (reset the modem) sounds like what you're meant to do: "cleaning the infected PC is not enough to get rid of the pest - victims will need to reset the DNS settings in their router, too." | Speedy Gonzales (78) |
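The two signs quoted in the post above, turned into a small check. This is an added example, not code from the thread or from net-security.org: it pulls the DNS servers out of `ipconfig /all` output, flags any inside 85.255.0.0/16, and tries to resolve a random name that cannot exist. The `ipconfig` sample and its addresses are constructed for the example.

```python
import ipaddress
import secrets
import socket

# Indicator range quoted in the thread for DNSChanger-style router hijacks.
DNSCHANGER_RANGE = ipaddress.ip_network("85.255.0.0/16")
# Constructed sample of `ipconfig /all` output (not a real capture); the DNS
# addresses are made-up values placed inside the indicator range.
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wireless Network Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.15
                                       85.255.112.156
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers_from_ipconfig(text):
    """Collect DNS server addresses from `ipconfig /all` output: the first
    shares the 'DNS Servers' line, extra ones sit on continuation lines, and
    the next non-address line (the following field) ends the list."""
    servers, in_dns = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns = True
            stripped = stripped.split(":", 1)[1].strip()
        if not in_dns:
            continue
        try:
            servers.append(str(ipaddress.ip_address(stripped)))
        except ValueError:
            in_dns = False
    return list(dict.fromkeys(servers))  # de-duplicate across adapters

def flag_suspicious(servers, bad_range=DNSCHANGER_RANGE):
    """Return the configured servers that fall inside the indicator range."""
    return [s for s in servers if ipaddress.ip_address(s) in bad_range]

def bogus_name_resolves(zone="invalid"):
    """Second sign from the thread: a name that cannot exist should not
    resolve. True means the resolver answered anyway (a lead, not proof:
    some ISPs also answer NXDOMAIN queries). Needs network access."""
    name = f"{secrets.token_hex(8)}.{zone}"
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False
```

A machine set to obtain DNS automatically, as the notebooks in this thread were, inherits whatever the router hands out, so the same check is worth running against the router's own DNS settings page as well.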