Jump to content

Google/Findgala redirect


Recommended Posts


Been hit with the findgala redirect with google. It occurs when i highlight something and go to search that on google. I have run MBAM and ESET both have showed no infected files. Logs of MBAM and DDS.



Malwarebytes' Anti-Malware


Database version: 7951

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

10/15/2011 5:22:43 AM

mbam-log-2011-10-15 (05-22-43).txt

Scan type: Quick scan

Objects scanned: 172840

Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


DDS (Ver_2011-08-26.01)


Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 10/29/2009 7:56:42 AM

System Uptime: 10/14/2011 11:10:31 PM (7 hours ago)


Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3P

Processor: Intel® Core2 Quad CPU Q9550 @ 2.83GHz | Socket 775 | 1983/333mhz


==== Disk Partitions =========================


A: is Removable

C: is FIXED (NTFS) - 264 GiB total, 125.04 GiB free.

D: is FIXED (NTFS) - 166 GiB total, 113.981 GiB free.

E: is FIXED (NTFS) - 166 GiB total, 159.966 GiB free.

F: is CDROM ()


==== Disabled Device Manager Items =============


==== System Restore Points ===================


RP229: 10/5/2011 7:21:15 AM - Removed NVIDIA PhysX

RP230: 10/5/2011 7:28:10 AM - Removed Gamer HUD Lite

RP231: 10/5/2011 7:44:45 AM - Installed NVIDIA 3D Vision Controller Driver

RP232: 10/11/2011 6:42:33 AM - Installed Java 6 Update 26

RP233: 10/12/2011 5:35:11 AM - Windows Update


==== Installed Programs ======================




Adobe AIR

Adobe Flash Player 10 Plugin

Adobe Reader 9.4.6

Anarchy Online

Apple Application Support

Apple Software Update

Browser Configuration Utility

Driver Sweeper 2.0.5

Easy Tune 6 B09.0908.1

Energy Saver Advance B9.0316.1


EVGA Precision 2.0.4

FW LiveUpdate

Gigabyte Raid Configurer

Java Auto Updater

Java 6 Update 26

Malwarebytes' Anti-Malware version

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Mozilla Firefox 7.0.1 (x86 en-US)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 and SOAP Toolkit 3.0

NVIDIA 3D Vision Controller Driver


NVIDIA Stereoscopic 3D Driver

Quicken 2007


Realtek 8169 8168 8101E 8102E Ethernet Driver

Realtek High Definition Audio Driver

Samsung CLP-310 Series

Spy Sweeper

Spy Sweeper Core

System Requirements Lab


==== Event Viewer Messages From Past Week ========


10/15/2011 6:38:10 AM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.

10/14/2011 11:10:53 PM, Error: Service Control Manager [7000] - The DgiVecp service failed to start due to the following error: The system cannot find the file specified.


==== End Of File ===========================


DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by instreams at 6:38:49 on 2011-10-15

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.1842 [GMT -4:00]


AV: ESET Smart Security 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

SP: ESET Smart Security 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Spy Sweeper *Disabled/Updated* {8162D2B6-63C7-5812-E5F7-165FDC222080}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe


C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe



C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe

C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Windows Media Player\wmpnetwk.exe





C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Logitech\SetPoint II\SetPointII.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe






============== Pseudo HJT Report ===============


uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - C:\Windows\SysWOW64\dvmurl.dll

mWinlogon: Userinit=userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [ehTray.exe] "C:\Windows\ehome\ehTray.exe"

mRun: [JMB36X IDE Setup] "C:\Windows\RaidTool\xInsIDE.exe"

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SETPOI~1.LNK - C:\Program Files (x86)\Logitech\SetPoint II\SetPointII.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer =

TCP: Interfaces\{108F8546-8888-4DA3-95CF-3134B93CB498} : DhcpNameServer =

TCP: Interfaces\{416E2044-D232-4B9E-8278-D65389BE6127} : DhcpNameServer =

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun-x64: [JMB36X IDE Setup] "C:\Windows\RaidTool\xInsIDE.exe"


================= FIREFOX ===================


FF - ProfilePath - C:\Users\instreams\AppData\Roaming\Mozilla\Firefox\Profiles\3fpg76gc.default\

FF - prefs.js: browser.search.selectedEngine - search

FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Users\instreams\AppData\Roaming\Mozilla\Firefox\Profiles\3fpg76gc.default\extensions\2020Player_IKEA@2020Technologies.com\plugins\NP_2020Player_IKEA.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll


============= SERVICES / DRIVERS ===============


R0 epfwwfp;epfwwfp;C:\Windows\system32\DRIVERS\epfwwfp.sys --> C:\Windows\system32\DRIVERS\epfwwfp.sys [?]

R0 ssfs0bbc;ssfs0bbc;C:\Windows\system32\DRIVERS\ssfs0bbc.sys --> C:\Windows\system32\DRIVERS\ssfs0bbc.sys [?]

R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\Windows\system32\DRIVERS\EpfwLWF.sys --> C:\Windows\system32\DRIVERS\EpfwLWF.sys [?]

R2 cpuz132;cpuz132;\??\C:\Windows\system32\drivers\cpuz132_x64.sys --> C:\Windows\system32\drivers\cpuz132_x64.sys [?]

R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]

R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2011-8-9 974944]

R2 GEST Service;GEST Service for program management.;C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe [2009-9-19 68136]

R2 SSPORT;SSPORT;\??\C:\Windows\system32\Drivers\SSPORT.sys --> C:\Windows\system32\Drivers\SSPORT.sys [?]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-8-3 379496]

R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe [2009-11-6 4048240]

R2 WRConsumerService;Webroot Client Service;C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe [2010-5-9 1201640]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]

S3 AODDriver;AODDriver;C:\Program Files (x86)\GIGABYTE\ET6\amd64\AODDriver.sys [2009-2-23 14904]

S3 etdrv;etdrv;C:\Windows\etdrv.sys [2009-9-20 25640]

S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2009-9-20 30528]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]

S3 RTCore64;RTCore64;C:\Program Files (x86)\EVGA Precision\RTCore64.sys [2011-8-31 14440]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]


=============== Created Last 30 ================


2011-10-15 03:11:19 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3A718C80-4094-483D-B55F-90B2A166B275}\offreg.dll

2011-10-14 11:45:36 9049936 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3A718C80-4094-483D-B55F-90B2A166B275}\mpengine.dll

2011-10-12 09:34:52 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax

2011-10-12 09:34:52 613888 ----a-w- C:\Windows\System32\psisdecd.dll

2011-10-12 09:34:51 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll

2011-10-12 09:34:51 108032 ----a-w- C:\Windows\System32\psisrndr.ax

2011-10-12 09:34:47 861696 ----a-w- C:\Windows\System32\oleaut32.dll

2011-10-12 09:34:47 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll

2011-10-12 09:34:47 331776 ----a-w- C:\Windows\System32\oleacc.dll

2011-10-12 09:34:47 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll

2011-10-12 09:34:43 3138048 ----a-w- C:\Windows\System32\win32k.sys

2011-10-05 11:49:29 -------- d-----w- C:\Program Files (x86)\EVGA Precision

2011-10-05 11:43:26 980072 ----a-w- C:\Windows\System32\nvvsvc.exe

2011-10-05 11:43:26 836200 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll

2011-10-05 11:43:26 61544 ----a-w- C:\Windows\System32\nvshext.dll

2011-10-05 11:43:26 6136936 ----a-w- C:\Windows\System32\nvcpl.dll

2011-10-05 11:43:26 3021416 ----a-w- C:\Windows\System32\nvsvc64.dll

2011-10-05 11:43:26 117864 ----a-w- C:\Windows\System32\nvmctray.dll

2011-10-05 11:43:20 -------- d-----w- C:\ProgramData\NVIDIA Corporation

2011-09-19 14:29:26 -------- d-----w- C:\Program Files\ESET


==================== Find3M ====================


2011-10-15 03:10:53 25640 ----a-w- C:\Windows\gdrv.sys

2011-09-25 05:51:06 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll

2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll

2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll

2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-08-31 21:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-08-28 09:12:08 3480352 ----a-w- C:\ccsetup310.exe

2011-08-09 17:57:12 202576 ----a-w- C:\Windows\System32\drivers\eamonm.sys

2011-08-04 13:20:38 62496 ----a-w- C:\Windows\System32\drivers\epfwwfp.sys

2011-08-04 13:20:38 38288 ----a-w- C:\Windows\System32\drivers\EpfwLWF.sys

2011-08-04 13:20:38 187632 ----a-w- C:\Windows\System32\drivers\epfw.sys

2011-08-04 13:20:38 146432 ----a-w- C:\Windows\System32\drivers\ehdrv.sys

2011-08-03 07:31:54 311912 ----a-w- C:\Windows\SysWow64\nvStreaming.exe


============= FINISH: 6:41:24.06 ===============

Link to post
Share on other sites


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step


Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

please post the contents of that log TDSSKiller log.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.