BleepingComputer.com: Search redirect

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Search redirect troubles getting DDS to run

#1 User is offline   youronlysin 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 28-March 11
  • Gender:Male
  • Location:Williamsburg, VA.

Posted 29 March 2011 - 08:56 AM

I tried to follow the directions best I could, but I am having trouble getting DDS to provide me with any files. It runs and runs and I have to reboot the computer to get rid of it. Aside from disabling AVG and AdAware, I'm not sure what else I can do to make it run correctly. GMER ran fine.

My issues are search result redirects. I currently have installed AVG 2011, AdAware, hijackthis and Malwarebytes. While the spyware programs were able to find their own issues and deal with them, the redirecting issue is still present.

Currently, I have run GMER and DeFogger and also have a hijackthis log, should it be needed. Heres the GMER info:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-29 08:09:07
Windows 5.1.2600 Service Pack 2 Harddisk1\DR1 -> \Device\0000008e ST3250410AS rev.3.AAF
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fglirfod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB812887E]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA3E3E6C0]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB8128BFE]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA3E3E770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA3E3E810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA3E3E8B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2788 80501678 4 Bytes CALL 9914BA60
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB54C23A0, 0x5CC259, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009D000A
.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009E000A
.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009C000C
.text C:\WINDOWS\System32\svchost.exe[1380] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1992] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1992] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Device\0000007e -> \??\IDE#DiskST3250410AS_____________________________3.AAF___#2020202020202020202020205236335946424C33#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

I already have a post in the logs section and one of the prep. items is to run DDS and supply the resulting log. The issue I have is that DDS starts and looks like it is operating correctly, yet it never supplies a log file. In addition, I cannot close the DDS window. It will minimize, etc, and I can continue to use the computer but the program just isn't running right.

Currently, I have installed AVG 2011, AdAware, hijackthis and Malware Bytes(free). Before I run the DDS program, I disable AVG, and exit AdAware. Malware Bytes free does not provide any live operation.

Previously, I had SpyBot Search and Destroy installed but was having issues with it's TeaTimer so I uninstalled it. I can't think of anything else to disable that might be causing DDS to malfunction. I was able to get GMER to run and provide a log, hijackthis runs and provides a log as well. Anyone have any ideas?

Merged topics then posts. ~ OB

This post has been edited by Orange Blossom: 29 March 2011 - 02:43 PM

#2 User is offline   youronlysin 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 28-March 11
  • Gender:Male
  • Location:Williamsburg, VA.

Posted 03 April 2011 - 07:56 AM

Please cancel my help request. While I appreciate your help and all the work that you do, time was against me so I chose to re-image the drive.

#3 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 03 April 2011 - 11:34 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users