
Browser Hijack - Search Redirected - Windows Installer runs


  • This topic is locked
3 replies to this topic

#1 Defcomp1

Defcomp1

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:01 PM

Posted 07 March 2009 - 04:21 PM

Hi, I'm using my own computer to post this message about a friend's computer that I have in my possession that I am trying to help straighten out. When I first got the computer it was:

1 - boot up/restart loop
2 - logon/logoff loop
3 - no desktop icon or start menu
4 - not running or accessing task manager, windows firewall, system restore, regedit, msconfig, sfc /scannow, etc
5 - not connecting to internet
6 - running windows installer when attempting to open internet explorer, word, excel, frontpage, certain folders, etc
7 - google and yahoo search links being redirected, some websites including windows updates not loading at all
8 - unknown iexplorer processes running in the background

After 2 weeks of a lot of effort & research on the internet and using avg, spybot, adaware, bartpe cd, careful registry edits, recovery console, etc, I was able to solve 1, 2, 3, 4, and 5 above and finally save his data files to an external drive. Although I can now access the internet on the infected computer, some program files downloaded on that computer don't run properly, unlike the same program file downloaded on my own computer, transferred to the infected computer and run. That is the reason I am using a different computer to post this request for help.

The last thing I did before joining this forum was run combofix and save the log. Combofix discovered rootkits and deleted some files; I then realized that I was over my head, so I did not do anything else.

How can I eliminate the search link redirections?
How can I make iexplorer load web pages like windows updates, computer help forums & sites, etc?
How can I stop the invisible iexplorer process from running?

Posted below is the DDS.txt log file, and in the next post the ComboFix.txt log file, which was created before the DDS.txt file.

Thanks in advance

DDS.txt


DDS (Ver_09-02-01.01) - NTFSx86
Run by Compaq_Administrator at 14:55:55.48 on Sat 03/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.469 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\sm56hlpr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hometab.bellsouth.net/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/go/dticonesp
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\explorer.exe,
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [AVG8_TRAY] c:\program files\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\hewlett-packard\compaq organize\bin\displayAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\95yk94zm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-11 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-11 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-11 107272]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-11 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-11 298264]
S0 bawikjkc;bawikjkc;c:\windows\system32\drivers\bawikjkc.sys --> c:\windows\system32\drivers\bawikjkc.sys [?]
S0 hpexuefu;hpexuefu;c:\windows\system32\drivers\hpexuefu.sys --> c:\windows\system32\drivers\hpexuefu.sys [?]
S0 wkgkubcp;wkgkubcp;c:\windows\system32\drivers\wkgkubcp.sys --> c:\windows\system32\drivers\wkgkubcp.sys [?]
S1 ethiczdi;ethiczdi;c:\windows\system32\drivers\ethiczdi.sys [2009-2-11 138048]

=============== Created Last 30 ================

2009-03-07 13:47 179,200 a------- c:\windows\SWREG.exe
2009-03-07 13:47 115,712 a------- c:\windows\sed.exe
2009-03-06 17:44 105,984 a------- c:\windows\system32\301.tmp
2009-03-06 17:44 40 a------- c:\windows\system32\300.tmp
2009-02-25 18:38 45,568 a------- c:\windows\system32\xwa.dll
2009-02-25 18:38 1 a------- c:\windows\system32\4.tmp
2009-02-25 18:37 124 a------- c:\windows\system32\3.tmp
2009-02-25 17:50 577,536 a------- c:\windows\system32\juloq
2009-02-25 17:50 105,984 a------- c:\windows\system32\9F.tmp
2009-02-25 17:50 1 a------- c:\windows\system32\9D.tmp
2009-02-25 17:50 124 a------- c:\windows\system32\9C.tmp
2009-02-25 17:16 577,536 a------- c:\windows\system32\nqmdwdjv
2009-02-25 17:16 105,984 a------- c:\windows\system32\85.tmp
2009-02-25 17:16 1 a------- c:\windows\system32\83.tmp
2009-02-25 17:16 124 a------- c:\windows\system32\82.tmp
2009-02-25 17:08 0 a------- c:\windows\mqcd.dbt
2009-02-25 17:08 28,672 a------- c:\windows\system32\kdoqmn.sr
2009-02-25 17:07 32,768 a------- c:\windows\system32\odjan.wa
2009-02-25 17:07 32,768 a------- c:\windows\system32\kei1w.an
2009-02-25 17:07 77,312 a------- c:\windows\system32\rkoq.pxf
2009-02-25 17:07 28,672 a------- c:\windows\system32\doqkm.zt
2009-02-25 17:07 262,144 a------- c:\windows\system32\nvtpm32.dll
2009-02-25 17:07 105,984 a------- c:\windows\system32\azton.mt
2009-02-25 17:07 105,984 a------- c:\windows\system32\68.tmp
2009-02-25 17:07 1 a------- c:\windows\system32\66.tmp
2009-02-25 17:07 124 a------- c:\windows\system32\65.tmp
2009-02-24 11:54 <DIR> --d----- c:\windows\tmp
2009-02-23 13:29 86,016 a------- c:\windows\DUMP8d2c.tmp
2009-02-21 13:55 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-02-21 13:55 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-21 13:55 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-21 13:55 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2009-02-21 13:55 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-02-21 13:55 30,720 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-21 13:55 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-21 13:55 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-21 13:55 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll
2009-02-21 08:40 1,050,112 a------- c:\windows\Explorer.EXE
2009-02-21 08:40 32,256 a------- c:\windows\system32\ctfmon.exe
2009-02-21 08:40 31,232 a------- c:\windows\system32\svchost.exe
2009-02-21 08:40 565,248 a------- c:\windows\sm56hlpr.exe
2009-02-21 08:40 62,464 a------- c:\windows\system32\mshta.exe
2009-02-21 08:40 163,328 a------- c:\windows\regedit.exe
2009-02-21 08:40 86,528 a------- c:\windows\system32\notepad.exe
2009-02-21 08:40 50,176 a------- c:\windows\system32\rundll32.exe
2009-02-21 08:40 397,312 a------- c:\windows\system32\Ati2evxx.exe
2009-02-21 08:40 135,168 a------- c:\windows\system32\wscript.exe
2009-02-21 08:40 94,208 a------- c:\windows\system32\HPZipm12.exe
2009-02-21 08:40 86,016 a------- c:\windows\NOTEPAD.EXE
2009-02-21 08:37 77,824 a------- c:\windows\ALCXMNTR.EXE
2009-02-21 08:37 139,322 a------- c:\windows\HPCPCUninstaller-6.3.2.116-5577497.exe
2009-02-21 08:37 27,648 a------- c:\windows\hh.exe
2009-02-21 08:37 323,584 a------- c:\windows\IsUninst.exe
2009-02-20 19:15 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-20 19:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-20 18:58 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-02-20 17:27 <DIR> --d----- c:\windows\system32\appmgmt
2009-02-20 15:06 <DIR> --d----- c:\program files\Lavasoft
2009-02-13 09:13 276 a------- c:\windows\system32\MRT.INI
2009-02-11 22:27 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-11 22:19 138,048 a------- c:\windows\system32\drivers\ethiczdi.sys
2009-02-11 18:16 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-11 17:20 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-11 17:20 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-11 17:20 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-11 17:20 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-11 17:20 <DIR> --d----- c:\docume~1\compaq~1\applic~1\AVGTOOLBAR
2009-02-11 17:20 <DIR> --d----- c:\program files\AVG
2009-02-11 17:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-08 18:58 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-08 18:58 43,009 a------- c:\windows\services.ex_
2009-02-08 18:57 5,186 a------- c:\windows\system32\uacinit.dll
2009-02-08 18:51 87,552 a------- c:\windows\system32\aPy83Jr4.exe

==================== Find3M ====================

2009-03-06 17:44 577,536 a------- c:\windows\system32\USER32.DLL
2009-03-06 17:44 577,536 a------- c:\windows\system32\dllcache\user32.dll
2009-02-21 08:37 1,097,801 a------- c:\windows\help\sbsi\training\orun32.exe
2009-02-21 08:37 253,952 a------- c:\windows\help\sbsi\training\ounins32_s.exe
2009-02-21 08:37 73,288 a------- c:\windows\help\sbsi\training\usersid.exe
2009-02-21 08:37 785,408 a------- c:\windows\pchealth\helpctr\binaries\HelpCtr.exe
2009-02-21 08:37 761,344 a------- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2009-02-21 08:37 175,616 a------- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2009-02-21 08:37 167,424 a------- c:\windows\pchealth\uploadlb\binaries\UploadM.exe
2009-02-21 08:37 116,736 a------- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2009-02-21 08:37 65,536 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-02-21 08:37 60,928 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-02-21 08:37 52,224 a------- c:\windows\pchealth\helpctr\binaries\notiflag.exe
2009-02-21 08:37 36,352 a------- c:\windows\pchealth\helpctr\binaries\HscUpd.exe
2009-02-12 08:34 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-12 08:34 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-02-11 18:12 3,649 a------- c:\windows\viassary-hp.reg
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 87,552 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 00:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\dllcache\srv.sys
2008-12-04 17:16 8,856 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2007-11-23 13:16 45,464 a------- c:\docume~1\compaq~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 14:56:14.21 ===============
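The DDS log above is what a helper reads by hand; the entries that stand out are the S0/S1 drivers with random eight-letter names whose file DDS could not find (`[?]`), and the extension-less files in system32 whose size matches USER32.DLL. The following triage script is an added example, not part of the original post and not a BleepingComputer or DDS tool: it parses lines in the two DDS formats shown (SERVICES / DRIVERS and Created Last 30) and applies those heuristics. The sample lines are copied from the log above; the regexes, the `looks_random` rule and the "same size as a named DLL" rule are this example's own assumptions, and a hit means "review this", not a verdict.

```python
import re

# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-11 325128]
S0 bawikjkc;bawikjkc;c:\windows\system32\drivers\bawikjkc.sys --> c:\windows\system32\drivers\bawikjkc.sys [?]
S0 hpexuefu;hpexuefu;c:\windows\system32\drivers\hpexuefu.sys --> c:\windows\system32\drivers\hpexuefu.sys [?]
S1 ethiczdi;ethiczdi;c:\windows\system32\drivers\ethiczdi.sys [2009-2-11 138048]
2009-03-06 17:44 105,984 a------- c:\windows\system32\301.tmp
2009-02-25 17:50 577,536 a------- c:\windows\system32\juloq
2009-02-25 17:16 577,536 a------- c:\windows\system32\nqmdwdjv
2009-02-25 17:07 262,144 a------- c:\windows\system32\nvtpm32.dll
2009-02-21 08:40 32,256 a------- c:\windows\system32\ctfmon.exe
2009-03-06 17:44 577,536 a------- c:\windows\system32\USER32.DLL
2009-02-08 18:57 5,186 a------- c:\windows\system32\uacinit.dll
"""

# DDS service line: "<type> <name>;<display name>;<path>[ --> <path> [?]]" (assumed format, from the log)
SERVICE_RE = re.compile(r"^([RS]\d) (\S+?);(.*?);(\S+)(?: --> (\S+) \[\?\])?")
# DDS "Created Last 30" line: "<date> <time> <size|<DIR>> <attrs> <path>" (assumed format, from the log)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+|<DIR>) (\S{8}) (.+)$")


def parse_services(text):
    """Return one dict per SERVICES / DRIVERS line."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            out.append({"type": m.group(1), "name": m.group(2), "display": m.group(3),
                        "path": m.group(4), "missing": m.group(5) is not None})
    return out


def parse_created(text):
    """Return one dict per Created Last 30 line; size is None for directories."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
            path = m.group(5)
            out.append({"date": m.group(1), "size": size, "attrs": m.group(4),
                        "path": path, "name": path.rsplit("\\", 1)[-1]})
    return out


def looks_random(name):
    """Heuristic: seven or more lowercase letters and nothing else (e.g. bawikjkc)."""
    return re.fullmatch(r"[a-z]{7,}", name) is not None


def flag_services(entries):
    """Map service name -> list of reasons it deserves review."""
    findings = {}
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("file not found")          # DDS printed '--> ... [?]'
        if e["display"] == e["name"] and looks_random(e["name"]):
            reasons.append("random-looking name")     # no vendor display name either
        if reasons:
            findings[e["name"]] = reasons
    return findings


def flag_created(entries):
    """Map file name -> reasons; system32 files with no extension, .tmp droppers,
    and files whose size exactly matches a named system DLL/EXE in the same log."""
    sizes_of_named = {}
    for e in entries:
        if e["size"] is not None and e["name"].lower().endswith((".dll", ".exe")):
            sizes_of_named.setdefault(e["size"], e["name"])
    findings = {}
    for e in entries:
        reasons = []
        in_sys32 = "\\system32\\" in e["path"].lower()
        name = e["name"]
        if in_sys32 and "." not in name:
            reasons.append("no extension in system32")
        if in_sys32 and name.lower().endswith(".tmp"):
            reasons.append(".tmp file in system32")
        twin = sizes_of_named.get(e["size"])
        if twin and "." not in name and twin.lower() != name.lower():
            reasons.append(f"same size as {twin}")    # e.g. juloq vs USER32.DLL
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, why in flag_services(parse_services(SAMPLE_LOG)).items():
        print(f"service {name}: {', '.join(why)}")
    for name, why in flag_created(parse_created(SAMPLE_LOG)).items():
        print(f"file {name}: {', '.join(why)}")
```

On the sample, the three random-named drivers and the `juloq`, `nqmdwdjv` and `301.tmp` entries are the ones reported; legitimate entries such as the AVG driver, ctfmon.exe and USER32.DLL itself are not. The size-twin rule is the most useful of the three for this log, because a rootkit that patches a copy of a system DLL leaves a file of exactly that DLL's size under an unrelated name.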



#2 Defcomp1

Defcomp1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:01 PM

Posted 07 March 2009 - 04:23 PM

[Edit: ComboFix.txt removed]

Sorry, I just noticed the "DO NOT post a ComboFix log unless requested to" above, so I have deleted the log. Don't know how I missed it before.

Edited by Defcomp1, 07 March 2009 - 04:54 PM.


#3 Defcomp1

Defcomp1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:01 PM

Posted 10 March 2009 - 02:35 PM

>>> Please Close This Topic <<<

First, thanks to the team members of this site, you guys do an incredible job with the meticulous analysis & very detailed responses to the many long problem logs posted here. I, for one, appreciate the time, effort, skill and patience such an endeavor must require on your part. Just by looking at many of the closed topics that had a successful resolution and the time frame involved, I have a realistic grasp of the time needed and was willing to wait patiently; however, the owner of the infected computer wasn't.

Next, my friend picked his computer up today. He was both surprised and quite relieved that I was successful in retrieving all of his data files, especially some very important documents and folders that he had been unable to access even before his computer crashed. After verifying that his files & documents copied to an external hard drive showed 0 infested/infected when scanned by several popular anti-virus & malware/spyware programs from a clean computer and that they could be loaded properly when the original application software was installed on that clean computer, he decided to do the Full OEM Original Installation Restore (stored on drive D: partition) from the pre-boot options. Unfortunately all his attempts failed and ended with various BSOD crashes. He has now ordered the OEM Installation CD/DVD set from the mfg and will start from scratch.

One positive outcome from all this is that he is much more aware of the importance of proactive preventative measures like backing up & copying, enabled firewalls, up-to-date & active antivirus/malware/spyware protection, etc.

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:02:01 PM

Posted 10 March 2009 - 02:46 PM

Thanks for informing us what you have done.

Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



