Poisoned Google search results


This topic is locked
14 replies to this topic

#1 Sacqueboutier
Posted 24 May 2009 - 09:45 AM

Whenever I do a Google search, the first few pages of results are almost entirely links to obvious scam sites, such as toseeka or allthefinancials, or links to porn sites. The results are similar whether using Firefox or IE. Search results from my other computer are fine, so it's obviously a problem on my main computer. I have tried running an antivirus/anti-malware scan using Symantec Endpoint Protection, as well as Malwarebytes Anti-Malware, Spybot S&D, SUPERAntiSpyware, and a couple of other tools, but nothing of significance was detected, and the problem persists. Any advice? Thanks in advance.

DDS.txt contents:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Wibecan at 10:20:30.89 on Sun 05/24/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.874 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
C:\Program Files\Symantec\NetBackup DLO\DLO\DLOChangeLogSvcu.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Symantec\NetBackup DLO\DLO\DLOClientu.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\OutlookUtility\HP.OutlookUtility.TaskbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Wibecan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Hewlett-Packard
uSearch Bar = hxxp://www.google.com/ie
uStart Page = about:blank
mDefault_Page_URL = hxxp://athp.hp.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: TLObject Class: {be92034e-5c96-49cc-95ae-43ba8f5793c6} - c:\windows\system32\tlbh.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.19.0\gears.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [COEMsgDisplay] c:\program files\hewlett-packard\pc coe\COEMsgDisplay.exe
mRun: [QuickPassword] c:\program files\activcard\activcard gold\agquickp.exe
mRun: [IDA] c:\program files\hewlett-packard\pc coe\IDA.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_15\bin\jusched.exe"
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\RegistryController.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRunOnce: [Uninstall getPlus® for Adobe] "c:\program files\nos\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
StartupFolder: c:\docume~1\wibecan\startm~1\programs\startup\hpoutl~1.lnk - c:\docume~1\wibecan\applic~1\microsoft\installer\{6f0fc68c-1dab-4b04-b645-6673e8ebba65}\_E6E55AE0A5D3244365C2A6.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\symantec\netbackup dlo\dlo\DLOClientu.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\windows\installer\{9fdf923e-db53-41e4-8ce6-8deb8301c12e}\Icon_WZQKPICK.EXE
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
mPolicies-system: DisableNT4Policy = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with ScanSoft PDF Converter 4.1 - c:\program files\scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.19.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: compaq.com
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: cpqcorp.net
Trusted Zone: dcu.org
Trusted Zone: dec.com
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: hpe-learning.com
Trusted Zone: hpqcorp.net
Trusted Zone: hpshopping.com
Trusted Zone: tandem.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPITWeb/Customer/cabs/HPISDataManager.CAB
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169809900876
DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} - hxxps://digitalbadge.external.hp.com/hp/HPPKI.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wibecan\applic~1\mozilla\firefox\profiles\r309y42j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJPI150_15.dll
FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R2 acautoreg;ActivCard Gold Autoregister;c:\program files\common files\activcard\acautoreg.exe [2007-6-26 53248]
R2 Accoca;ActivCard Gold service;c:\program files\common files\activcard\accoca.exe [2004-5-12 143360]
R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\hpavad~1\avChgSvc.exe [2008-10-7 238080]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-7-8 108392]
R2 DLOChangeJournalSvc;Symantec NetBackup Desktop Agent Change Journal Reader;c:\program files\symantec\netbackup dlo\dlo\DLOChangeLogSvcu.exe [2008-9-1 476536]
R2 radexecd;HP OVCM Notify Daemon;c:\program files\hewlett-packard\pc coe 3\ov cms\radexecd.exe [2007-2-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;c:\program files\hewlett-packard\pc coe 3\ov cms\radsched.exe [2007-3-22 172205]
R2 Radstgms;HP OVCM MSI Redirector;c:\program files\hewlett-packard\pc coe 3\ov cms\Radstgms.exe [2008-7-3 315570]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2008-7-8 2240944]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2007-1-26 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2007-1-26 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-4-6 13647]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2007-6-28 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-4 101936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-17 36608]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090523.020\NAVENG.SYS [2009-5-23 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090523.020\NAVEX15.SYS [2009-5-23 876144]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [2007-8-3 23424]
R3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\SmartUSB.sys [2007-1-26 17024]
RUnknown SASENUM;SASENUM; [x]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 gupdate1c8a7b6300e466c;Google Update Service (gupdate1c8a7b6300e466c);c:\program files\google\update\GoogleUpdate.exe [2008-7-15 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-7-8 23888]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-23 33176]
S3 magaService;Lan Discover Agent;c:\program files\sygate\ssa\maga\maga.exe --> c:\program files\sygate\ssa\maga\maga.exe [?]
S3 SCR241 PCMCIA Smart Card Reader;SCR241 PCMCIA Smart Card Reader;c:\windows\system32\drivers\S241PCMC.sys [2005-6-8 41672]

=============== Created Last 30 ================

2009-05-20 07:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-19 22:42 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-05-19 10:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-19 10:25 <DIR> --d----- c:\docume~1\wibecan\applic~1\SUPERAntiSpyware.com
2009-05-16 15:29 664 a------- c:\windows\system32\d3d9caps.dat
2009-05-08 21:46 <DIR> --d----- c:\program files\Yahoo!
2009-05-01 12:02 4,096 a------- c:\windows\system32\detoured.dll
2009-05-01 12:02 <DIR> --d----- c:\docume~1\wibecan\applic~1\tecmod
2009-04-28 08:54 566,288 a------- c:\windows\system32\LcProxy.ax
2009-04-28 08:54 185,360 a------- c:\windows\system32\LCCoin20.dll
2009-04-28 08:52 <DIR> --d----- c:\program files\Microsoft LifeCam
2009-04-28 08:49 <DIR> --d----- C:\2b3dd362f49c3ef900db1906
2009-04-28 08:40 <DIR> --d----- C:\47801d78c5976b16b4bfe2dae5e36a5c
2009-04-28 08:36 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-28 08:35 14,048 -------- c:\windows\system32\spmsg2.dll
2009-04-28 08:32 3,727,720 a------- c:\windows\system32\d3dx9_35.dll

==================== Find3M ====================

2009-05-22 17:49 149,768 a------- c:\windows\system32\drivers\WpsHelper.sys
2009-04-17 16:00 23,552 a------- c:\windows\system32\tlbh.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2005-12-13 23:39 48,080 a------- c:\docume~1\wibecan\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 10:20:42.46 ===============
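A triage pass over a DDS log like the one above, added here as an example (it is not part of the original post and not a feature of DDS). It parses the "Pseudo HJT Report", "Created Last 30" and "Find3M" sections, pulls out each BHO's CLSID and DLL path, and flags what a responder would look at first: registrations that point at no file, DLLs loaded straight from the bare system32 directory, and files or folders created inside the recent window. The embedded excerpt is copied from the log in the post; the 60-day window, the Application Data heuristic and the function names are assumptions of this example. The output is a list of leads to review, not verdicts (the LifeCam file it flags alongside tlbh.dll is a benign hit).

```python
import re
from datetime import date

# Excerpt of the DDS log in the post (copied, not the full log) so the triage
# runs offline. Raw string: the backslashes are literal.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: TLObject Class: {be92034e-5c96-49cc-95ae-43ba8f5793c6} - c:\windows\system32\tlbh.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.19.0\gears.dll

=============== Created Last 30 ================

2009-05-01 12:02 4,096 a------- c:\windows\system32\detoured.dll
2009-05-01 12:02 <DIR> --d----- c:\docume~1\wibecan\applic~1\tecmod
2009-04-28 08:54 566,288 a------- c:\windows\system32\LcProxy.ax

==================== Find3M ====================

2009-05-22 17:49 149,768 a------- c:\windows\system32\drivers\WpsHelper.sys
2009-04-17 16:00 23,552 a------- c:\windows\system32\tlbh.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
"""

SCAN_DATE = date(2009, 5, 24)  # date the log above was taken

# "BHO: <optional name>: {CLSID} - <path or 'No File'>"
BHO_RE = re.compile(r"^BHO:\s*(?:(?P<name>[^{]+?):\s*)?(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.+)$")
# "YYYY-MM-DD HH:MM <size or <DIR>> <attrs> <path>"  (Created Last 30 / Find3M rows)
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+)$")
SYSTEM32 = "c:\\windows\\system32\\"


def in_bare_system32(path):
    """True when the file sits directly in system32 (no subdirectory)."""
    p = path.lower()
    return p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]


def parse_dds(text):
    """Return (list of BHO dicts, {lowercased path: (date, size)}) from DDS output."""
    bhos, files = [], {}
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m["name"] or "", "clsid": m["clsid"].lower(), "path": m["path"].strip()})
            continue
        m = FILE_RE.match(line)
        if m:
            files[m["path"].strip().lower()] = (date.fromisoformat(m["date"]), m["size"])
    return bhos, files


def triage(text, scan_date, recent_days=60):
    """Flag BHOs and recent filesystem changes that deserve a closer look (heuristics, not verdicts)."""
    bhos, files = parse_dds(text)
    findings, bho_paths = [], set()
    for b in bhos:
        reasons, p = [], b["path"].lower()
        if p == "no file":
            reasons.append("orphan registration (No File)")
        else:
            bho_paths.add(p)
            if in_bare_system32(p):
                reasons.append("DLL lives directly in system32 (unusual for a vendor BHO)")
            if p in files and (scan_date - files[p][0]).days <= recent_days:
                reasons.append(f"DLL dated {files[p][0]}, within the last {recent_days} days")
        if reasons:
            findings.append({"clsid": b["clsid"], "name": b["name"], "path": b["path"], "reasons": reasons})
    for p, (when, size) in files.items():
        if p in bho_paths or (scan_date - when).days > recent_days:
            continue  # already reported above, or outside the window
        if size == "<DIR>" and "\\applic~1\\" in p:
            findings.append({"clsid": None, "name": "", "path": p, "reasons": ["new folder under a user's Application Data"]})
        elif size != "<DIR>" and in_bare_system32(p):
            findings.append({"clsid": None, "name": "", "path": p, "reasons": ["new file directly in system32"]})
    return findings


def sample_findings():
    return triage(SAMPLE_DDS, SCAN_DATE)


def flagged_clsids(findings):
    return sorted(f["clsid"] for f in findings if f["clsid"])


def flagged_paths(findings):
    return sorted(f["path"].lower() for f in findings)


if __name__ == "__main__":
    for f in sample_findings():
        print(f["clsid"] or "-", f["path"], "|", "; ".join(f["reasons"]))
```

On the excerpt above this surfaces the TLObject BHO (tlbh.dll, dated 2009-04-17, loaded from bare system32), the orphan {5C255C8A-...} registration, and the new tecmod folder under Application Data, which are the items the rest of the thread ends up removing.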


#2 miekiemoes (Malware Response Team)
Posted 25 May 2009 - 08:07 AM

Hi,
Go to this page.
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to it and browse to the following file:

c:\windows\system32\tlbh.dll

Select it and click OK.
Then click the Send File button below.

Let me know once you've uploaded the file.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Sacqueboutier (Topic Starter)
Posted 25 May 2009 - 08:13 AM

File uploaded.

#4 miekiemoes (Malware Response Team)
Posted 25 May 2009 - 08:24 AM

Hi,

Thank you for the file; it may indeed be the cause of your problem.

* Open HijackThis and click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste the following:

c:\windows\system32\tlbh.dll

Click Open.
HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

After the reboot, open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be92034e-5c96-49cc-95ae-43ba8f5793c6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

Let me know if that solved your problem.
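The fix.reg above deletes the two Browser Helper Objects keys. As an added example (not the helper's own tooling), the Python below builds such a file from a list of CLSIDs and enforces the details the post warns about: the REGEDIT4 header on the first line, a blank line after it, the "[-KEY]" delete syntax, CRLF line endings, and a parser that lists what a .reg file will delete before it is merged. The optional remove_com_class switch also deletes the class registration under HKCR\CLSID, which the Browser Helper Objects entry only points at; that goes beyond the post's fix and is an assumption of this example. The MBAM log later in this thread also removed HKEY_CLASSES_ROOT entries and DLLs under Application Data\tecmod, so deleting the BHO keys alone does not necessarily finish the job.

```python
import re

# Registry CLSID: {8-4-4-4-12 hex}
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Where IE enumerates BHOs, and where the COM class each entry points at is registered.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


def build_removal_reg(clsids, remove_com_class=False):
    """Return the text of a REGEDIT4 file that deletes the given BHO registrations.

    "[-KEY]" (a minus right after the opening bracket) tells regedit to delete the
    whole key. remove_com_class=True additionally deletes HKCR\\CLSID\\{clsid}; that
    is an extension of this example, the post's fix removes only the BHO entries.
    """
    keys = []
    for c in clsids:
        if not CLSID_RE.match(c):
            raise ValueError(f"not a CLSID: {c!r}")
        keys.append(BHO_KEY + "\\" + c)
        if remove_com_class:
            keys.append(CLSID_KEY + "\\" + c)
    # Header, then a blank line, then one blank line after every key block.
    lines = [HEADERS[0], ""]
    for k in keys:
        lines += ["[-" + k + "]", ""]
    return "\r\n".join(lines)  # regedit expects CRLF; REGEDIT4 files are ANSI, not UTF-16


def deleted_keys(reg_text):
    """List the keys a .reg file would delete, so it can be reviewed before merging."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header; regedit will not import the file")
    return [l[2:-1] for l in lines if l.startswith("[-") and l.endswith("]")]


def write_reg(path, clsids, **kw):
    """Save with the .reg name intact (Notepad's 'All files' step) and CRLF preserved."""
    with open(path, "w", encoding="cp1252", newline="") as fh:
        fh.write(build_removal_reg(clsids, **kw))


if __name__ == "__main__":
    text = build_removal_reg(["{be92034e-5c96-49cc-95ae-43ba8f5793c6}",
                              "{5C255C8A-E604-49b4-9D64-90988571CECB}"])
    print(text)
    print("would delete:", *deleted_keys(text), sep="\n  ")
```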

#5 Sacqueboutier (Topic Starter)
Posted 25 May 2009 - 08:59 AM

Unfortunately, no. In both Firefox and IE, I still get bogus results. An example, in case it's helpful, is attached.

I only get problem results with Google. I get valid results with Yahoo.

I did verify that the file was deleted from the system after the reboot. I did the registry change prior to opening any browser window.


#6 miekiemoes (Malware Response Team)
Posted 25 May 2009 - 09:48 AM

Can you upload your hosts file?
It's located here: C:\Windows\system32\drivers\etc
the file is called hosts

Upload it here: http://www.bleepingcomputer.com/submit-malware.php?channel=8

#7 miekiemoes (Malware Response Team)
Posted 25 May 2009 - 09:59 AM

Hi,

I also see those 'Toseeka' redirects, so this smells like a DNS Hijacker.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#8 Sacqueboutier (Topic Starter)
Posted 25 May 2009 - 10:13 AM

My hosts file just has one entry in it:
127.0.0.1 localhost

I figured there wasn't a need to upload that. I'll follow the ComboFix instructions and get back to you. Thanks so much for your assistance.
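A check of the hosts file for the kind of entries a search redirect would leave, added as an example (not part of the thread). It parses the file, ignores the stock localhost line and blocklist-style loopback or 0.0.0.0 entries, and reports hostnames of search engines or security vendors that are pinned to any address, plus any other name mapped to a routable address. The WATCH_DOMAINS list, the second sample file and the 203.0.113.10 address (a documentation range) are constructed for this example. In this thread the hosts file was the single stock line and the redirect was still present, so a clean result here rules out only this one mechanism; the adapter's DNS server settings and code running inside the browser (the BHO and tecmod DLLs removed later) are not visible to it.

```python
import ipaddress

# Domains a redirect or update-blocking hijack would typically pin (assumption of this example).
WATCH_DOMAINS = ("google.com", "yahoo.com", "bing.com", "live.com", "microsoft.com",
                 "windowsupdate.com", "symantec.com", "malwarebytes.org", "bleepingcomputer.com")

# Constructed samples: the first matches what the thread reports, the second is made up.
CLEAN_HOSTS = "# Copyright (c) 1993-1999 Microsoft Corp.\r\n127.0.0.1       localhost\r\n"
HIJACKED_HOSTS = (
    "127.0.0.1 localhost\n"
    "0.0.0.0 ad.doubleclick.net\n"          # blocklist-style entry, harmless
    "203.0.113.10 www.google.com\n"          # search engine pinned to a third-party address
    "203.0.113.10 www.bing.com\n"
    "127.0.0.1 liveupdate.symantec.com\n"    # AV updates sinkholed to loopback
)


def parse_hosts(text):
    """Yield (line_no, ip_address_or_None, [hostnames], error_or_None) per effective line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            yield line_no, None, parts, "first field is not an IP address"
            continue
        yield line_no, addr, [h.lower() for h in parts[1:]], None


def _watched(name, watch):
    return any(name == d or name.endswith("." + d) for d in watch)


def suspicious_hosts_entries(text, watch=WATCH_DOMAINS):
    """Return (line_no, reason) for entries worth reviewing on a machine that shows redirects."""
    hits = []
    for line_no, addr, names, err in parse_hosts(text):
        if err:
            hits.append((line_no, err))
            continue
        for name in names:
            if name in ("localhost", "localhost.localdomain") and addr.is_loopback:
                continue  # the stock entry
            if _watched(name, watch):
                hits.append((line_no, f"{name} pinned to {addr}"))
            elif not (addr.is_loopback or addr.is_unspecified):
                hits.append((line_no, f"{name} -> {addr} (overrides DNS with a routable address)"))
    return hits


if __name__ == "__main__":
    # On Windows the real file is C:\Windows\system32\drivers\etc\hosts.
    for label, sample in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(label, suspicious_hosts_entries(sample))
```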

#9 miekiemoes (Malware Response Team)
Posted 25 May 2009 - 10:14 AM

Ok,

That's what I thought after I saw the Google redirect results. We'll see what ComboFix says.

#10 Sacqueboutier (Topic Starter)
Posted 25 May 2009 - 10:44 AM

ComboFix log attached.

Attached file: log.txt (19.38KB)


#11 miekiemoes (Malware Response Team)
Posted 25 May 2009 - 11:00 AM

Hi,

I see you have Malwarebytes installed. Malwarebytes has been updated, so also update Malwarebytes via the Update tab > Check for updates.
You should get version 2178 now. If not, and you still get a previous version, then wait 15 minutes and try again, because detection for your variant has been added as of version 2178; earlier versions won't detect it yet.

Then, once you've updated to 2178 or later, perform a full scan again.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#12 Sacqueboutier (Topic Starter)
Posted 25 May 2009 - 12:47 PM

MBAM did find a number of items. Log below.

Malwarebytes' Anti-Malware 1.36
Database version: 2178
Windows 5.1.2600 Service Pack 2

5/25/2009 1:34:05 PM
mbam-log-2009-05-25 (13-34-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182676
Time elapsed: 1 hour(s), 17 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\tec_shell.tecshellext (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c3faf888-2e4b-4147-a099-d25c96c07390} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4f7d128e-8e86-4c79-ad2a-3eb0661943f5} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e1e91cbc-ead5-4d41-8e7a-92ad5259820c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tec_shell.tecshellext.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tloaderbho.tlobject (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tloaderbho.tlobject.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{96b00514-3c5d-4ba7-9be1-09345c3d9c26} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e48fbe09-9a92-4daa-8d55-40718a85ec82} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{21e02410-f327-4fee-8ec2-8c14d9963183} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\tec_shell.DLL (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Wibecan\Application Data\tecmod (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Wibecan\Application Data\tecmod\tecshl.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{40A9C770-9957-4CD1-8CA8-2B0B29CCF829}\RP317\A0031345.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wibecan\Application Data\tecmod\tecinj.dll (Trojan.BHO) -> Quarantined and deleted successfully.

#13 Sacqueboutier (Topic Starter)
Posted 25 May 2009 - 12:55 PM

And the problem appears to be resolved! Search results look unpolluted thus far.

#14 miekiemoes (Malware Response Team)
Posted 25 May 2009 - 01:14 PM

Hi,

Good to hear that solved your issue.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Also,

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 miekiemoes (Malware Response Team)
Posted 15 June 2009 - 10:19 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



