Adware Detection » Main Search Page http://AdwareDetection.com AdwareDetection.com Mon, 21 May 2012 02:17:15 +0000 en hourly 1 http://wordpress.org/?v=3.3.2 How do locate the source of Google hijacking? http://AdwareDetection.com/blog/how-do-locate-the-source-of-google-hijacking/ http://AdwareDetection.com/blog/how-do-locate-the-source-of-google-hijacking/#comments Fri, 12 Jun 2009 20:53:19 +0000 admin http://AdwareDetection.com/blog/how-do-locate-the-source-of-google-hijacking/ adware detection
D-Scan asked:

Ever since spyware was installed the other day (and I removed it), Google has been redirecting to other spyware websites, and it says ‘analitic-checks.google.com’ in the status bar. I have used every spyware removal program under the sun.

Here is my process report from HijackThis:

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 – HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 – BHO: (no name) – {02478D38-C3F9-4efb-9B51-7695ECA05670} – (no file)
O2 – BHO: Adobe PDF Reader Link Helper – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 – BHO: Verizon Broadband Toolbar – {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} – C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 – BHO: PCTools Site Guard – {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} – C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 – BHO: NAV Helper – {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} – C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: Norton AntiVirus – {C4069E3A-68F1-403E-B40E-20066696354B} – C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: Verizon Broadband Toolbar – {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} – C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 – HKLM\..\Run: [Dell AIO Printer A940] “C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe”
O4 – HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 – HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 – HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 – HKLM\..\Run: [SSC_UserPrompt] “C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe”
O4 – HKLM\..\Run: [NAV CfgWiz] “C:\Program Files\Norton AntiVirus\CfgWiz.exe” /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE “REBOOT”
O4 – HKLM\..\Run: [ISTray] “C:\Program Files\Spyware Doctor\pctsTray.exe”
O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 – HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 – HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 – Extra button: AIM – {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} – C:\Program Files\AIM\aim.exe
O9 – Extra button: (no name) – {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} – (no file)
O9 – Extra button: (no name) – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra button: WeatherBug – {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} – C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 – DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) – https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O16 – DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} – http://download.verizon.net/sfp/Cabs/max_update/VOLUpdate_1-0-0.cab
O16 – DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} – http://pictures04.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 – DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} – http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 – DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) – https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 – Winlogon Notify: RunOnceEx – C:\WINDOWS\
O23 – Service: Lavasoft Ad-Aware Service (aawservice) – Lavasoft – F:\Programs\adware\aawservice.exe
O23 – Service: Automatic LiveUpdate Scheduler – Symantec Corpor

]]> http://AdwareDetection.com/blog/how-do-locate-the-source-of-google-hijacking/feed/ 1