
Google search results hijacked


This topic is locked
2 replies to this topic

#1 BrianL

Posted 27 January 2009 - 10:30 AM

A couple days ago, I found that I had the virus which blocks access to antivirus updates and does the go.google.com redirects in top Google results. I ran Malwarebytes, which appeared to have fixed that. Something apparently stuck around, though, because now the links for top Google results go to sites like freescan.antivirus.com, monstermarketplace.com, etc.

Scans done with AVG, Avast, AdAware, McAfee, KOS (Critical Areas), and Malwarebytes have come up with nothing. Deleting all temp files and running ipconfig /flushdns fixed things for a little while, but the problem came back. Thanks for any assistance.

Here's a fresh DDS log:


DDS (Ver_09-01-19.01) - NTFSx86
Run by Smitters at 9:02:48.73 on Tue 01/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.137 [GMT -6:00]

AV: avast! antivirus 4.8.0 [VPS 090115-0] *On-access scanning disabled* (Outdated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Smitters\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Bar = hxxp://www.toshiba.com/search
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [PINGER] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TFncKy] TFncKy.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [PrintServer Diagnostic] c:\program files\print server\ptp\PSDiagnostic.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133906475893
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133906456924
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\smitters\applic~1\mozilla\firefox\profiles\3qka7y68.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.01.06);user_pref(general.useragent.extra.zencast,
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-25 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-25 201320]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-25 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-25 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-25 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-25 40488]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 942416]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-25 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-25 144704]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-24 111184]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashmaisv.exe" /service --> c:\program files\alwil software\avast4\ashMaiSv.exe [?]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashwebsv.exe" /service --> c:\program files\alwil software\avast4\ashWebSv.exe [?]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;c:\windows\system32\drivers\Mkeusbi.sys [2005-12-8 41729]
S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\ma763010.sys --> c:\windows\system32\drivers\MA763010.sys [?]
S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);c:\windows\system32\drivers\mausbft.sys [2007-7-14 106112]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-25 33832]
S3 Otis;Audible Otis Service;c:\windows\system32\drivers\OtisPlay.sys [2006-11-23 9472]
S3 PortRst;PortRst;c:\windows\system32\drivers\PortRst.sys [2006-11-23 18560]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-24 20560]
S4 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashserv.exe" --> c:\program files\alwil software\avast4\ashServ.exe [?]
S4 MKEMUSB;Panasonic Digital Palmcorder;c:\windows\system32\drivers\Mkemusb.sys [2005-12-8 14308]

=============== Created Last 30 ================

2009-01-26 21:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-26 21:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-26 10:14 <DIR> --d----- C:\Malware Fixers
2009-01-26 06:46 <DIR> --d----- c:\program files\Trend Micro
2009-01-26 00:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-26 00:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 00:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 18:29 8,283 a------- c:\windows\system32\Config.MPF
2009-01-25 18:28 143,360 a------- c:\windows\system32\dunzip32.dll
2009-01-25 18:22 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-01-25 18:22 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-25 18:22 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-25 18:22 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-25 18:22 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-25 18:22 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-01-25 18:21 <DIR> --d----- c:\program files\McAfee.com
2009-01-25 18:21 <DIR> --d----- c:\program files\common files\McAfee
2009-01-25 18:20 <DIR> --d----- c:\program files\McAfee
2009-01-25 17:59 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-25 17:30 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-25 17:20 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 03:19 <DIR> --d----- c:\docume~1\smitters\applic~1\Malwarebytes
2009-01-25 03:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 01:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-01-25 01:39 <DIR> --d----- c:\program files\Sunbelt Software
2009-01-24 22:30 <DIR> --d----- c:\program files\AVG
2009-01-24 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-24 21:50 54,157,776 a------- C:\avg_free_stf_en_8_176a1400.exe
2009-01-10 17:34 441 a------- c:\windows\system32\TDSSosvd.dat
2009-01-07 18:21 <DIR> --dsh--- c:\windows\system32\twain32
2009-01-05 19:21 441 a------- c:\windows\system32\TDSSbipq.dat

==================== Find3M ====================

2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-20 19:10 77,607 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2005-04-20 19:51 105 a------- c:\documents and settings\all users\B1.bat
2001-11-30 10:09 49,152 a----r-- c:\program files\common files\HDvAvi.dll

============= FINISH: 9:04:30.98 ===============

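Editor's added example (not part of the thread, and not a tool the posters used): the "Created Last 30" section of the DDS log above lists two 441-byte files named TDSSosvd.dat and TDSSbipq.dat plus a twain32 directory with the hidden and system attributes set, all created under system32 in early January, before any of the security tools were installed. File names with a fixed TDSS prefix and a hidden system32 twain32 folder are the on-disk footprint of the TDSS (Alureon) rootkit family, which is known for exactly the search-result redirection and blocked antivirus updates the first post describes; that attribution is the editor's reading of the log, not something the thread states. The script below parses that DDS section and flags such entries so the same triage can be repeated on another log without reading every line. The SAMPLE_LOG lines are copied from the log above; the TDSS file-name rule and the hidden+system directory rule are the editor's own heuristics.

```python
"""Triage the 'Created Last 30' section of a DDS log for TDSS-style indicators.

Added example by the editor; the detection rules are heuristics, not part of DDS.
"""
import re
from typing import NamedTuple

# Lines copied from the DDS log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2009-01-26 21:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-10 17:34 441 a------- c:\windows\system32\TDSSosvd.dat
2009-01-07 18:21 <DIR> --dsh--- c:\windows\system32\twain32
2009-01-05 19:21 441 a------- c:\windows\system32\TDSSbipq.dat
2009-01-25 17:20 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}

==================== Find3M ====================
"""


class Entry(NamedTuple):
    date: str
    time: str
    size: str   # byte count with thousands separators, or "<DIR>"
    attrs: str  # DDS attribute flags such as "--dsh---" (d=dir, s=system, h=hidden)
    path: str


class Finding(NamedTuple):
    path: str
    reason: str


# DDS section headers look like "=============== Created Last 30 ================".
SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# One file entry: date, time, size-or-<DIR>, eight attribute flags, path (may contain spaces).
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$"
)
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)
# Editor's heuristic: fixed "TDSS" prefix, random suffix, .dat extension.
TDSS_DAT_RE = re.compile(r"^TDSS[a-z0-9]+\.dat$", re.IGNORECASE)


def parse_section(log_text: str, wanted: str = "Created Last 30") -> list[Entry]:
    """Return the file entries listed under the named DDS section header."""
    entries: list[Entry] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            # Entering a new section; stay on only while it is the one we want.
            in_section = header.group(1).strip() == wanted
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def triage(log_text: str) -> list[Finding]:
    """Flag system32 entries whose name or attributes match TDSS-style indicators."""
    findings: list[Finding] = []
    for e in parse_section(log_text):
        if not SYSTEM32_RE.match(e.path):
            continue  # both rules below are specific to the system32 directory
        name = e.path.rsplit("\\", 1)[-1]
        if TDSS_DAT_RE.match(name):
            findings.append(Finding(e.path, "TDSS-prefixed .dat file in system32"))
        if e.size == "<DIR>" and "s" in e.attrs and "h" in e.attrs:
            findings.append(Finding(e.path, "hidden+system directory created in system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.path}  <-  {f.reason}")
```

To use it on another machine, replace SAMPLE_LOG with the saved DDS output. The GUID-named hidden directory under All Users application data is deliberately not flagged: it is hidden but not system-attributed and not in system32, and directories like that are routinely created by legitimate installers. A hit from this script is a lead for a rootkit-capable scan, not proof on its own.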
#2 BrianL (Topic Starter)

Posted 01 February 2009 - 11:05 AM

I understand everyone is busy, but I couldn't wait any longer. I did find some help searching the forums. Please close this topic and assist others.

#3 KoanYorel (Bleepin' Conundrum, Staff Emeritus)

Posted 01 February 2009 - 02:38 PM

Thanks for informing us.

This thread is closed.