| Thread ID: 98168 | 2009-03-14 06:33:00 | Windows update gets redirected to fake Google site | Babar (14708) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 756236 | 2009-03-14 06:33:00 | Whenever I try to get to http://windowsupdate.microsoft.com/ OR http://v4.windowsupdate.microsoft.com/ the page that gets loaded is a fake Google search site. Looks like I have a virus or some other nasty. Any suggestions? Norton 360 has not spotted anything wrong. Frustrated and tearing my remaining hair out. Babar | Babar (14708) | ||
| 756237 | 2009-03-14 06:38:00 | Welcome to PressF1. Norton is useless. To start: Download, update and run Malwarebytes. Download HijackThis and post the log file here. Links in my signature. | stormdragon (6013) | ||
| 756238 | 2009-03-14 06:42:00 | Welcome to PF1 :) First thing is, get rid of Norton 360. It is one of the worst AV products you can get. Get either Avast! (free), or Nod32 which is paid. www.avast.com You will need to register free with your email. Disable System Restore (Right Click My Computer > Properties > System Restore tab > Tick "turn off system restore on all drives"). Then download Trojan Remover and MBAM from these two sites, then update and do a full scan: www.simplysuponline.com majorgeeks.com They are direct links, so they will not be redirected. Once done, download HijackThis from here: www.trendsecure.com Do a scan, and copy and paste the log here. Tick and click "Fix Checked" the entries we tell you to fix. HTH Blam | Blam (54) | ||
| 756239 | 2009-03-28 21:28:00 | Hi, I am having the exact problem as described by Babar and have run Anti-Malware and Trojan Remover. Both did not detect anything. The logfile of HijackThis is below. Can anyone assist? Also, how exactly would I remove a line if necessary? Cheers, Aaron
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:07 AM, on 29/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eDSMSNfix.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\igfxext.exe
C:\Users\K\AppData\Local\Temp\RtkBtMnt.exe
D:\Program Files\Security\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = au.rd.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = au.rd.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eDSMSNfix] C:\Acer\Empowering Technology\eDSMSNfix.exe
O4 - HKLM\..\Run: [SetPanel] C:\AcerSW\APanel.exe /F:C:\AcerSW\SetPanel.ini
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
-- End of file - 8001 bytes | aronking (2294) | ||
| 756240 | 2009-03-28 21:37:00 | Oops, I forgot to mention that: Hardware is Acer Aspire 3680. Operating system is Vista Home. Anti-virus is Norton 360 (will be ditched). | aronking (2294) | ||
| 756241 | 2009-03-28 21:39:00 | Since Trojan Remover is installed, Aronking, select all options under the Utilities menu as well. You can tick these entries, then tick Fix Checked. Close browsers.
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O13 - Gopher Prefix: | Speedy Gonzales (78) | ||
| 756242 | 2009-03-28 21:53:00 | Wow, Speedy Gonzales, you live up to your name! Have done the changes but I still get redirected to the fake Google site. I have turned System Restore off earlier. Really tearing my hair out. Aaron | aronking (2294) | ||
| 756243 | 2009-03-28 21:58:00 | Go into Internet Options under the Tools menu in Internet Explorer. In the Advanced tab, there should be a button to reset all settings. I think HijackThis checks the hosts file, so that should be fine. Have you run a Malwarebytes scan yet? | Greven (91) | ||
| 756244 | 2009-03-28 21:58:00 | Umm, do regedit and the command prompt open? | Speedy Gonzales (78) | ||
| 756245 | 2009-03-28 22:11:00 | There are two that are causing the main problem. First dump Norton. In the HijackThis log, as well as the one Speedy mentioned, O13 - Gopher Prefix -- this will redirect you to other sites. And open Trojan Remover; under Utilities, reset the hosts file. Once reset, try it again. If it's still redirecting, turn System Restore back on and make a restore point manually, then download and run ComboFix (www.bleepingcomputer.com/combofix/how-to-use-combofix) -- if the link redirects you, this is a direct download (download.bleepingcomputer.com/sUBs/ComboFix.exe). Run it, follow any prompts. Let it run and do its thing - sometimes it appears to have stopped but it hasn't - let it finish; when finished a log file will pop up, then it's done. On the rare occasion if an infection is deep, ComboFix will remove the infection but the PC has trouble booting again. Hence the System Restore. | wainuitech (129) | ||
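The hosts-file check that Greven and wainuitech describe (the `O1 - Hosts: ::1 localhost` line in the log above is the benign Vista default), as an added example that is not from the thread: a small audit script that parses hosts-file text and flags any entry steering a Windows Update or other Microsoft name to a non-local address. The sample hosts content and the 192.0.2.10 address are constructed placeholders, and the watched domain list is an assumption drawn from the URLs named in the first post.

```python
import ipaddress

# Names the thread's redirect affects; a hosts entry pointing any of these at a
# non-local address is a hijack indicator (list assumed from the first post).
WATCHED_SUFFIXES = ("windowsupdate.microsoft.com", "update.microsoft.com", "microsoft.com")

# Targets that cannot redirect a lookup anywhere: loopback and the null route.
HARMLESS_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments/blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # address with no names
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed address, skip it
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def suspicious_entries(text):
    """Return hosts entries that map a watched domain somewhere other than loopback."""
    flagged = []
    for ip, name in parse_hosts(text):
        if ip in HARMLESS_TARGETS:
            continue
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            flagged.append((ip, name))
    return flagged


# Constructed sample: the Vista defaults plus one injected redirect line
# (192.0.2.10 is a documentation-range placeholder, not a real indicator).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      windowsupdate.microsoft.com v4.windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts hijack: {name} -> {ip}")
```

On a real machine the text would be read from %SystemRoot%\System32\drivers\etc\hosts; a clean file yields an empty list.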