BleepingComputer.com: Browser Redirect


Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log, please put the type of infection you have in the topic title, e.g. Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Browser Redirect IE and Firefox

#1 hoseking (New Member; Group: Members; Posts: 2; Joined: 31-August 11)

Posted 31 August 2011 - 11:33 AM

I have a machine that is having issues with a browser redirect in IE8 and Firefox. I have reset IE to default settings, recreated the hosts file, and checked for proxy info in IE and network connections. I have run Malwarebytes, SuperAntiSpyware, and VIPRE Antivirus. All of them have come back clean. I am unable to get TDSSKiller to run for some reason. The machine is acting perfectly normally other than the browser redirect. I can browse websites using direct URLs, but any search engine will redirect me. The machine is fully updated. Thank you in advance for any help; it is very much appreciated. Let me know if there is any additional information required.

Machine is an HP dc5800
Win XP SP3

Here is the HijackThis log, followed by the process log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:20:08 AM, on 8/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\RemoteSupportManager\DaMaint.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\RemoteSupportManager\DesktopAuthority.exe
C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\RemoteSupportManager\rmgui.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe"
O4 - HKLM\..\Run: [DA Remote Management GUI] "C:\Program Files\RemoteSupportManager\rmgui.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinCalendarV3] "U:\My Documents\WinCalendarV3\WinCalendarV3_SysTray.exe" /q /c
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinCalendarV3] "U:\My Documents\WinCalendarV3\WinCalendarV3_SysTray.exe /q /c"
O4 - HKUS\S-1-5-18\..\Run: [WinCalendarV3] "U:\My Documents\WinCalendarV3\WinCalendarV3_SysTray.exe" /q /c (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinCalendarV3] "U:\My Documents\WinCalendarV3\WinCalendarV3_SysTray.exe" /q /c (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.10:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC2A} (Encrypt Class) - https://192.168.1.10:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HUFF.local
O17 - HKLM\Software\..\Telephony: DomainName = HUFF.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HUFF.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HUFF.local
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
O20 - AppInit_DLLs: DAinit.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0000881223489622) (0000881223489622mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\000088~1.EXE (file missing)
O23 - Service: DA Remote Management Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\RemoteSupportManager\DaMaint.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Remote Support Manager (RemoteSupportManager) - ScriptLogic Corporation - C:\Program Files\RemoteSupportManager\DesktopAuthority.exe
O23 - Service: Sage Service Host (v1.1) (Sage.LS1.ServiceHost.1.1) - Sage Software, Inc. - C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe
O23 - Service: VIPRE Enterprise Agent (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe

--
End of file - 9019 bytes


Process list saved on 11:21:26 AM, on 8/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
616 C:\WINDOWS\System32\smss.exe 5.1.2600.5512 Microsoft Corporation
688 C:\WINDOWS\system32\winlogon.exe 5.1.2600.5512 Microsoft Corporation
736 C:\WINDOWS\system32\services.exe 5.1.2600.5755 Microsoft Corporation
748 C:\WINDOWS\system32\lsass.exe 5.1.2600.5512 Microsoft Corporation
924 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1028 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1256 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.6024 Microsoft Corporation
1368 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe 3.0.7311.0 Microsoft Corporation
1448 C:\Program Files\RemoteSupportManager\DaMaint.exe 1.0.0.48 ScriptLogic Corporation
1508 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe 1.0.4.0 InterVideo
1564 C:\Program Files\PDF Complete\pdfsvc.exe 3.5.22.2001 PDF Complete Inc
1616 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe 4.0.4112.7935 Intuit
1676 C:\Program Files\RemoteSupportManager\DesktopAuthority.exe 1.0.0.48 ScriptLogic Corporation
1736 C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe 1.1.0.0 Sage Software, Inc.
1872 c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe 2005.90.5000.0 Microsoft Corporation
1904 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
2076 C:\WINDOWS\Explorer.EXE 6.0.2900.5512 Microsoft Corporation
2468 C:\WINDOWS\system32\igfxtray.exe 6.14.10.4864 Intel Corporation
2520 C:\WINDOWS\system32\hkcmd.exe 6.14.10.4864 Intel Corporation
2544 C:\WINDOWS\system32\igfxpers.exe 6.14.10.4864 Intel Corporation
2572 C:\WINDOWS\system32\igfxsrvc.exe 6.14.10.4864 Intel Corporation
2580 C:\Program Files\Analog Devices\Core\smax4pnp.exe 6.0.32.138 Analog Devices, Inc.
2604 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe 5.2.0.52 Analog Devices, Inc.
2688 C:\WINDOWS\SMINST\Scheduler.exe 1.0.4.1
2800 C:\Program Files\RemoteSupportManager\rmgui.exe 1.0.0.48 ScriptLogic Corporation
2924 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe 9.4.0.195 Adobe Systems Inc.
2940 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.5512 Microsoft Corporation
2992 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe 20.0.4012.0 Intuit Inc.
484 C:\Program Files\Internet Explorer\IEXPLORE.EXE 8.0.6001.18702 Microsoft Corporation
3404 C:\Program Files\Internet Explorer\IEXPLORE.EXE 8.0.6001.18702 Microsoft Corporation
2096 C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe 2.0.0.4 Trend Micro Inc.

This post has been edited by hoseking: 31 August 2011 - 11:39 AM
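The log above is the kind of artifact a responder reads by hand. As an added example (not code from this thread, from HijackThis or from BleepingComputer), the script below parses HijackThis-style `R`/`O` lines and picks out the entries a triage pass looks at first: start/search URLs whose host is not the stock `go.microsoft.com` default, `O2` BHOs marked `(file missing)`, any `O20 AppInit_DLLs` load point, `O23` services with a missing binary or unknown owner, and `O4` autoruns launched from a Temp directory. The sample lines are copied from the log posted above, plus one constructed `R1` line using the reserved `example.invalid` host so the URL check has something to flag. The heuristics are this example's own, not HijackThis's classification, and a flagged entry only means "look at this next", not "this is malicious" (the `DAinit.dll` and `COUPON~1.DLL` entries are flagged for review, nothing more).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines in the format HijackThis writes, taken from the
# log posted in this thread, plus one made-up R1 line (example.invalid) so
# the start/search URL check has a non-default host to report.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: DAinit.dll
O23 - Service: McAfee Application Installer Cleanup (0000881223489622) (0000881223489622mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\000088~1.EXE (file missing)
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
"""

# Every HijackThis finding line starts with a section code: R0/R1 (IE URLs),
# O2 (BHOs), O4 (Run keys), O20 (AppInit_DLLs), O23 (services), ...
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Host a stock IE8 start/search page points at (as in the thread's own log).
DEFAULT_IE_HOSTS = {"go.microsoft.com"}


@dataclass
class Entry:
    code: str  # section code, e.g. "O2" or "O23"
    body: str  # everything after "Ox - "


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_hjt(text):
    """Return the R/O entries of a HijackThis log; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Apply this example's review heuristics and return the entries worth a closer look."""
    findings = []
    for e in entries:
        missing = e.body.endswith("(file missing)")
        if e.code in ("R0", "R1") and " = " in e.body:
            # R lines read "<registry value> = <URL>"; compare the URL's host to the default.
            _, url = e.body.split(" = ", 1)
            host = urlparse(url.strip()).hostname or ""
            if host not in DEFAULT_IE_HOSTS:
                findings.append(Finding(e.code, f"start/search URL points at {host}", e.body))
        elif e.code == "O2" and missing:
            # A BHO CLSID still registered after its DLL is gone is a leftover worth clearing.
            findings.append(Finding(e.code, "BHO registered but DLL absent", e.body))
        elif e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll: always verify it.
            findings.append(Finding(e.code, "AppInit_DLLs load point in use", e.body))
        elif e.code == "O23" and (missing or "Unknown owner" in e.body):
            findings.append(Finding(e.code, "service with missing binary or unknown owner", e.body))
        elif e.code == "O4" and re.search(r"\\temp\\", e.body, re.IGNORECASE):
            findings.append(Finding(e.code, "autorun entry launched from a Temp directory", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.code:4} {f.reason}\n     {f.body}")
```

Run against the full log in the post the same way (`parse_hjt(open("hijackthis.log").read())`); the output is a short review list rather than a verdict, which is how a helper on this forum would use it before asking for further scans.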


#2 hoseking (New Member; Group: Members; Posts: 2; Joined: 31-August 11)

Posted 01 September 2011 - 08:20 AM

I was able to resolve my own problem by using tools seen in other similar threads. After running fixTDSS it no longer redirects. Thank you, you may close the thread.

#3 Orange Blossom (OBleepin Investigator; Group: Moderator; Posts: 29,827; Joined: 14-July 06; Gender: Not Telling; Location: Bloomington, IN)

Posted 01 September 2011 - 11:47 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom
An ounce of prevention is worth a pound of cure
SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
