Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google search results hijacked in FF and IE


  • This topic is locked This topic is locked
2 replies to this topic

#1 bibendum

bibendum

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 17 June 2009 - 05:01 PM

1) I run a google search.
2) In the results page I click on a link.
3) I am not taken to that page, but to one of several alternate sites.
4) This happens in Firefox and IE, though Firefox is my primary browser.

Thanks for any assistance. DDS below and Attach.zip attached.


DDS FILE



DDS (Ver_09-05-14.01) - NTFSx86
Run by Ian at 16:41:23.34 on Wed 06/17/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.366 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Documents and Settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Ian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CutePDF Form Filler Helper: {d41289f2-69c6-417b-897e-c653d677cbaf} - c:\program files\acro software\cutepdf filler evaluation\CPFillerCoE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [IBM RecordNow!]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [Google Update] "c:\documents and settings\ian\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [TrackPointSrv] tp4serv.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [<NO NAME>]
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [Acronis True Image Monitor] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\ian\startm~1\programs\startup\rmclock.lnk - c:\program files\rmclock\RMClockLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.21.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxsrvc.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: ixhldq.dll
LSA: Notification Packages = scecli pwdmon ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ian\applic~1\mozilla\firefox\profiles\yr6qwvv4.default\
FF - component: c:\documents and settings\ian\application data\mozilla\firefox\profiles\yr6qwvv4.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\ian\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.1 beta 1\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.1 beta 1\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 1\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.1 beta 1\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.1 beta 1\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 1\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 1\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 1\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.1 beta 1\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2009-1-28 117800]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-1-28 20520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2009-6-15 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2009-6-15 4224]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-4 201320]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2008-7-2 15360]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-3-19 63872]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-4 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-7-4 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-4 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-4 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-4 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-4 40488]
R3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2008-7-4 4608]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13904]
S2 gupdate1c9830eefd541e2;Google Update Service (gupdate1c9830eefd541e2);c:\program files\google\update\GoogleUpdate.exe [2009-1-30 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-4 33832]

=============== Created Last 30 ================

2009-06-17 16:30 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-17 14:32 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 14:32 <DIR> --d----- c:\program files\Lavasoft
2009-06-15 18:22 292,152 a------- c:\windows\system32\tvt_gina_api.dll
2009-06-15 18:22 1,056,768 a------- c:\windows\system32\MFC71.dll
2009-06-15 18:22 582,968 a------- c:\windows\system32\tvt_gina.dll
2009-06-15 18:22 11,520 a------- c:\windows\system32\drivers\ANC.sys
2009-06-15 18:22 4,224 a------- c:\windows\system32\drivers\IBMBLDID.sys
2009-06-15 18:21 188 a------- c:\windows\x
2009-06-15 18:21 0 a------- c:\windows\system32\AccConnAdvanced.html
2009-06-15 17:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lenovo
2009-06-15 17:04 <DIR> --d----- c:\docume~1\ian\applic~1\Downloaded Installations
2009-06-09 20:50 <DIR> --ds---- c:\documents and settings\ian\UserData

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 18:02 0 a---hr-- c:\windows\system32\drivers\IBM_2371_GHU_TP.MRK
2009-06-15 17:04 30,144 a------- c:\windows\system32\drivers\psadd.sys
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-17 15:49 536,064 a------- c:\program files\GIFAnimator.exe
2009-03-11 14:24 12,536 a------- c:\program files\winscp417.ini
2008-11-12 20:57 1,305,600 a------- c:\program files\winscp417.exe
2008-07-04 21:52 49 -------- c:\program files\.directory
2007-11-16 00:55 16,057,654 a------- c:\program files\YamiPod.exe

============= FINISH: 16:44:20.32 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:29 AM

Posted 23 June 2009 - 11:47 AM

Hello bibendum,

Posted Image

Sorry about the delay.:thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:29 AM

Posted 30 June 2009 - 05:32 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users