BleepingComputer.com: Browser Redirect Problem


Browser Redirect Problem: Both IE and Firefox exhibit random redirects from Bing

#46 Brawgates (Group: Members; Location: Scotland)

Posted 08 December 2011 - 10:32 AM

Gringo

Ran HijackThis from c:\program files\trend micro. A copy of the results from "Do a system scan and save logfile" follows:

Regards

Peter




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:21:48, on 08/12/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Peter')
O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Peter')
O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray (User 'Peter')
O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [advEventmm] rundll32.exe "C:\Documents and Settings\Peter\Local Settings\Application Data\DRMmappnp\advEventmm.dll",Appleobjhid xpMobilePath (User 'Peter')
O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [QVTHcxPJpj.exe] C:\Documents and Settings\All Users\Application Data\QVTHcxPJpj.exe (User 'Peter')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6261 bytes

#47 gringo_pr (Group: Malware Response Team; Location: Puerto Rico)

Posted 08 December 2011 - 10:42 AM

If you have any problems running HijackThis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
      O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
      O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Peter')
      O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray (User 'Peter')
      O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [advEventmm] rundll32.exe "C:\Documents and Settings\Peter\Local Settings\Application Data\DRMmappnp\advEventmm.dll",Appleobjhid xpMobilePath (User 'Peter')
      O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [QVTHcxPJpj.exe] C:\Documents and Settings\All Users\Application Data\QVTHcxPJpj.exe (User 'Peter')


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

This post has been edited by gringo_pr: 08 December 2011 - 10:42 AM

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

#48 Brawgates (Group: Members; Location: Scotland)

Posted 08 December 2011 - 11:15 AM

Gringo

  • I ran HijackThis as requested. From your list below, I checked those that were presented by Scan (shown in Red) and then ran Fix Checked.

    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

    O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Peter')
    O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray (User 'Peter')
    O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [advEventmm] rundll32.exe "C:\Documents and Settings\Peter\Local Settings\Application Data\DRMmappnp\advEventmm.dll",Appleobjhid xpMobilePath (User 'Peter')
    O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [QVTHcxPJpj.exe] C:\Documents and Settings\All Users\Application Data\QVTHcxPJpj.exe (User 'Peter')

  • These operations were run from my Administrator ID BCWork. My user ID Peter was logged off.

Regards

Peter

#49 gringo_pr (Group: Malware Response Team; Location: Puerto Rico)

Posted 08 December 2011 - 11:16 AM

Hello


The others were not listed? And how are things doing now?


gringo

#50 Brawgates (Group: Members; Location: Scotland)

Posted 08 December 2011 - 11:19 AM

Gringo

A rather late afterthought. I logged on to Peter. advEventmm popup still appears.

Should Peter be logged on when HijackThis is run?

Peter

#51 gringo_pr (Group: Malware Response Team; Location: Puerto Rico)

Posted 08 December 2011 - 11:29 AM

Yes, that is what we need to remove.

Log in as Peter and see if it shows up in HijackThis.


gringo

#52 Brawgates (Group: Members; Location: Scotland)

Posted 08 December 2011 - 11:35 AM

Gringo

Our previous exchanges crossed in the post!

I'd just answered my own question before your latest response arrived by running HijackThis/Scan from BCWork with Peter logged on. The missing 4 entries were visible. I'll now check and Fix Checked and report back.

Peter
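The two entries gringo had Peter remove, and the fact that they only appeared in a scan taken with Peter logged on, are both things that can be checked mechanically rather than by eye. As an added example (this is not code from the thread, from HijackThis or from BleepingComputer), the Python script below parses O4 autorun lines in the format HijackThis writes, groups them by registry hive, and flags the entries a malware responder would look at first: a target under a profile's Application Data directory, rundll32.exe loading a DLL from outside Windows or Program Files, and a long vowel-less file name. The heuristics, thresholds and regular expressions are this example's own assumptions; the sample lines are copied from the log posted above and embedded so the script runs offline.

```python
"""Triage of HijackThis O4 (autorun) lines. Added example, not part of the
thread or of HijackThis; the heuristics below are this example's assumptions:
  1. the target lives in a user-profile data directory (Application Data or
     Local Settings/Application Data in the Windows XP layout);
  2. rundll32.exe loads a DLL from outside Windows or Program Files
     (rundll32 is a legitimate host, so the DLL argument is what is judged);
  3. the file stem is long and has no vowels, as generated names often are;
     a weak signal, reported only alongside another one.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Peter')
O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [advEventmm] rundll32.exe "C:\Documents and Settings\Peter\Local Settings\Application Data\DRMmappnp\advEventmm.dll",Appleobjhid xpMobilePath (User 'Peter')
O4 - HKUS\S-1-5-21-823518204-1202660629-1900996195-1003\..\Run: [QVTHcxPJpj.exe] C:\Documents and Settings\All Users\Application Data\QVTHcxPJpj.exe (User 'Peter')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# Drive-letter path up to an executable extension; quotes are excluded so a
# quoted path cannot swallow the arguments that follow it.
FILE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif)\b', re.I)
RUNDLL_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32\.exe\b', re.I)
PROFILE_DATA_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Local Settings\\)?Application Data\\", re.I)
TRUSTED_RE = re.compile(r"^[A-Za-z]:\\(?:WINDOWS|Program Files)\\", re.I)


@dataclass
class Autorun:
    hive: str            # HKLM, HKCU or HKUS\<SID>
    user: Optional[str]  # the "(User 'x')" suffix HijackThis adds to HKUS lines
    name: str            # value name in the Run key
    cmd: str             # command line stored in the value


@dataclass
class Finding:
    entry: Autorun
    path: str            # file actually judged (the DLL for rundll32 launches)
    reasons: List[str]


def parse_o4(log_text: str) -> List[Autorun]:
    """Extract O4 lines from HijackThis log text; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m["hive"], m["user"], m["name"], m["cmd"]))
    return entries


def looks_generated(stem: str) -> bool:
    """Long stem with no vowels (QVTHcxPJpj); short names like msmsgs pass."""
    return len(stem) >= 8 and not re.search(r"[aeiouAEIOU]", stem)


def triage(entries: List[Autorun]) -> List[Finding]:
    """Return entries matching at least one heuristic, with the reasons."""
    findings = []
    for e in entries:
        paths = FILE_RE.findall(e.cmd)
        if not paths:
            continue  # nothing with a drive-letter path to judge
        uses_rundll32 = bool(RUNDLL_RE.match(e.cmd))
        payload = paths[-1] if uses_rundll32 else paths[0]  # DLL argument for rundll32
        reasons = []
        if PROFILE_DATA_RE.search(payload):
            reasons.append("autorun target lives in a user-profile data directory")
        if uses_rundll32 and not TRUSTED_RE.match(payload):
            reasons.append("rundll32.exe loads a DLL from outside Windows/Program Files")
        stem = payload.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if reasons and looks_generated(stem):
            reasons.append("file name looks machine-generated (long, no vowels)")
        if reasons:
            findings.append(Finding(e, payload, reasons))
    return findings


def by_hive(entries: List[Autorun]) -> Dict[str, List[Autorun]]:
    """Group by hive. HKEY_USERS contains only loaded hives, so another account's
    HKUS entries (under its SID) are listed only while that account is logged on."""
    groups: Dict[str, List[Autorun]] = {}
    for e in entries:
        groups.setdefault(e.hive, []).append(e)
    return groups


if __name__ == "__main__":
    entries = parse_o4(SAMPLE_LOG)
    for f in triage(entries):
        print(f"SUSPECT [{f.entry.hive}] {f.entry.name} -> {f.path}")
        for r in f.reasons:
            print("   -", r)
```

On the sample it flags exactly advEventmm (profile directory plus rundll32) and QVTHcxPJpj.exe (profile directory plus generated-looking name) and does not flag the vendor autoruns under Program Files or the ctfmon entries. The hive grouping is the other half of what happened in this thread: HijackThis reads the HKUS lines from HKEY_USERS, which only contains hives that are currently loaded, so Peter's SID subkey and its Run values exist only while Peter is logged on, even when the scan itself is run from another administrator account.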

#53 gringo_pr (Group: Malware Response Team; Location: Puerto Rico)

Posted 08 December 2011 - 11:39 AM

:thumbup2:

#54 Brawgates (Group: Members; Location: Scotland)

Posted 08 December 2011 - 11:50 AM

Gringo

I think we've got there!
  • Used your HijackThis procedure to remove the 4 Registry entries for user ID Peter.
  • Logged off Peter and then back on.
  • No advEventmm popup.
Generally
  • No further redirects observed today.
  • PC seems to be running somewhat faster
I'll now proceed with cleanup and reset, and report again once this is complete.

Best wishes

Peter

#55 gringo_pr (Group: Malware Response Team; Location: Puerto Rico)

Posted 08 December 2011 - 11:51 AM

That is great news!!!


Gringo

#56 Brawgates (Group: Members; Location: Scotland)

Posted 08 December 2011 - 08:01 PM

Gringo

Well that was some journey!

The infection appeared to be hidden very deeply inside the system, seemingly self-replicating to another host as you homed in on its site of operation.

I've now had a few hours to check out my system. All seems well.

My sincere thanks to you, Gringo, for offering your time in such a public spirited manner to help unfortunates like myself. Hats off!!

Your final notes on various settings, recommended products and background readings are particularly helpful. It will take me some time to tackle them. In the meantime, I will be expressing my thanks to you in a more tangible manner by offering you a donation.

With my very best wishes

Peter

#57 gringo_pr (Group: Malware Response Team; Location: Puerto Rico)

Posted 08 December 2011 - 08:16 PM

Thank you, Peter, it was very nice and you are more than welcome.


If you have any questions just let me know - this will be open a couple of days




gringo

#58 gringo_pr (Group: Malware Response Team; Location: Puerto Rico)

Posted 10 December 2011 - 11:46 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
