

Search Engine Redirection - some type of Trojan Horse


This topic is locked. 2 replies to this topic.

#1 tommiebob11 (Members, 21 posts)

Posted 19 July 2009 - 04:07 PM

Continuing from the "Am I infected" forum. Sent here to run HijackThis. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/242351/search-engine-yahoo-google-and-bing-redirection-to-nonrelated-sites/ ~ OB

When I use Google or any other search engine the results send me to other websites. Also noticing a popup saying I may be infected and to download new virus software (which I ignore).

Here's the DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 13:53:43.50 on Sun 07/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.623.346 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\lxamsp32.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [lxamsp32.exe] lxamsp32.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [HPGamesActiveMenu] c:\program files\wildtangent\activemenu\hp\games\ActiveMenu.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acbtnm~1.lnk - c:\program files\lexmarkx63\AcBtnMgr_X63.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acmoni~1.lnk - c:\program files\lexmarkx63\ACMonitor_X63.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpcent~2.lnk - c:\program files\hp center\137903\shadow\ShadowBar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpcent~1.lnk - c:\program files\hp center\137903\program\BackWeb-137903.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://apps.weyer.com/Citrix/ICAWEB/en/ica32/wficat.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
S3 mbr;mbr;\??\c:\docume~1\owner\locals~1\temp\mbr.sys --> c:\docume~1\owner\locals~1\temp\mbr.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\d.tmp --> c:\windows\system32\D.tmp [?]

=============== Created Last 30 ================

2009-07-18 12:34 1,886 a------- c:\windows\system32\tmp.reg
2009-07-17 19:51 --d----- c:\documents and settings\owner\DoctorWeb
2009-07-17 14:07 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-07-17 13:59 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 13:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 13:59 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 13:59 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-17 11:15 14 a------- c:\documents and settings\owner\settings.dat
2009-07-17 01:38 --d----- c:\program files\Sophos
2009-07-17 00:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-16 23:19 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-07-16 23:19 --d----- c:\program files\SpywareBlaster
2009-06-21 11:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-21 11:08 --dsh--- c:\documents and settings\owner\PrivacIE
2009-06-21 11:07 --dsh--- c:\documents and settings\owner\IETldCache
2009-06-21 11:04 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-21 11:04 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-06-21 11:04 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-21 11:04 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-21 11:04 --d----- c:\windows\ie8updates
2009-06-21 11:04 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-21 11:02 -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-27 18:48 86,691 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-27 18:45 49,152 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\PCHI18N.dll
2009-05-27 18:45 77,824 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\WinVerifyTrust.dll
2009-05-27 18:45 126,976 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\ContentUpdater.exe
2009-05-27 18:45 122,880 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\SearchCtrl.dll
2009-05-27 18:45 420,432 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\pchplugin.zip
2009-05-27 18:45 155,648 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\PCHButton.exe
2009-05-27 18:45 731,136 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\motdeusr.zip
2009-05-27 18:45 106,496 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\PluginCtrl.dll
2009-05-19 09:38 2,678 a------- c:\windows\java\packages\data\0LZHBFB7.DAT
2009-05-19 09:38 2,678 a------- c:\windows\java\packages\data\QIZJFJPF.DAT
2009-05-19 09:38 2,678 a------- c:\windows\java\packages\data\OKJXFL7F.DAT
2009-05-19 09:38 2,678 a------- c:\windows\java\packages\data\DRNPZFR3.DAT
2009-05-19 09:38 2,678 a------- c:\windows\java\packages\data\A0XFBXNF.DAT
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 22:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-12 22:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 14:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 14:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 14:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 04:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 21:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2001-07-21 19:45 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 17:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 17:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-13 17:12 57,344 a--sh--- c:\windows\system32\msvcirt.dll
2008-04-13 17:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 17:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 17:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 17:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 17:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 13:54:27.82 ===============

Edited by Orange Blossom, 19 July 2009 - 07:10 PM.
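The DDS log above is what a Malware Response Team helper reads before asking for anything else, so here is a triage helper for it, added as an example (it is not part of the original post and not a BleepingComputer or DDS tool). It parses the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections and flags the entry types a responder checks first when the complaint is search-engine redirection: proxy settings, autoruns that name a bare executable, orphaned "No File" objects, ActiveX (DPF) downloads from unexpected hosts, and drivers loading from temp paths or .tmp files. The sample input is a constructed subset of the log posted above; EXPECTED_DPF_HOSTS is an assumption built from the vendor hosts seen in that log. On this input it flags `mRun: [lxamsp32.exe] lxamsp32.exe` because the value is a bare filename (the process list resolves it to c:\windows\system32 next to the other Lexmark components, so it is worth a look but not a verdict), the two "No File" toolbar and explorer-bar entries, the Citrix ActiveX download from a non-vendor host, and the two S3 drivers in temp locations, which are the footprints typically left by anti-rootkit tools (mbr.sys by GMER's mbr.exe, MEMSWEEP2 by Sophos Anti-Rootkit, consistent with the Sophos folder created on 2009-07-17) rather than by an infection. DDS does not show the hosts file or DNS settings, which are the other common redirect vectors, so this is a checklist, not a diagnosis.

```python
"""Triage the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' sections of a DDS log.

Added example: flags entries for a human to review; it does not decide what is malicious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: vendor hosts that appear in the posted log count as expected
# ActiveX sources; any other host is flagged for review.
EXPECTED_DPF_HOSTS = {
    "go.microsoft.com", "download.microsoft.com",
    "java.sun.com", "download.macromedia.com",
}

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# DDS service line: "R2 name;Display Name;path [--> resolved path] [date size | ?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]$"
)
TEMP_PATH_RE = re.compile(r"\\temp\\|\\tmp\\|\.tmp$", re.I)

# Constructed sample: a subset of the lines from the DDS log posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [lxamsp32.exe] lxamsp32.exe
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://apps.weyer.com/Citrix/ICAWEB/en/ica32/wficat.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

============= SERVICES / DRIVERS ===============

R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
S3 mbr;mbr;\??\c:\docume~1\owner\locals~1\temp\mbr.sys --> c:\docume~1\owner\locals~1\temp\mbr.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\d.tmp --> c:\windows\system32\D.tmp [?]
"""


@dataclass(frozen=True)
class Finding:
    level: str   # "review" (look at this first) or "info" (worth knowing)
    entry: str   # the log line that triggered the finding
    reason: str


def split_sections(log: str) -> dict[str, list[str]]:
    """Map each '=== NAME ===' header in a DDS log to its non-empty lines."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def _executable_of(cmd: str) -> str:
    """First token of a Run value, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt(lines: list[str]) -> list[Finding]:
    """Apply the redirect-oriented checks to Pseudo HJT Report lines."""
    out: list[Finding] = []
    for line in lines:
        if ": " in line:
            kind, rest = line.split(": ", 1)      # "BHO: ...", "mRun: ...", "DPF: ..."
        elif " = " in line:
            kind, rest = line.split(" = ", 1)     # "uStart Page = ...", "uInternet Settings,X = ..."
        else:
            continue
        if rest.endswith("No File"):
            out.append(Finding("info", line, "orphaned entry: registered object whose file is gone"))
        elif kind.endswith("Settings,ProxyServer"):
            out.append(Finding("review", line, "a browser proxy is configured; a rogue proxy redirects every search"))
        elif kind.endswith("Settings,ProxyOverride"):
            out.append(Finding("info", line, "proxy bypass list is set; harmless alone, read it together with ProxyServer"))
        elif kind in ("uStart Page", "mStart Page"):
            out.append(Finding("info", line, "home page setting; confirm the user chose it"))
        elif kind in ("uRun", "mRun"):
            m = RUN_RE.match(rest)
            exe = _executable_of(m.group("cmd")) if m else rest
            if "\\" not in exe:
                out.append(Finding("review", line, "autorun names a bare file; Windows resolves it by search order, confirm where it really lives"))
            elif TEMP_PATH_RE.search(exe):
                out.append(Finding("review", line, "autorun runs from a temp location"))
        elif kind == "DPF":
            url = rest.split(" - ", 1)[-1].replace("hxxp", "http", 1)   # DDS defangs URLs as hxxp
            host = urlparse(url).hostname or ""
            if host and host not in EXPECTED_DPF_HOSTS:
                out.append(Finding("review", line, f"ActiveX download from unexpected host {host}"))
    return out


def triage_services(lines: list[str]) -> list[Finding]:
    """Flag services/drivers loading from temp paths or whose file DDS could not read."""
    out: list[Finding] = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        target = m.group("resolved") or m.group("path")
        if TEMP_PATH_RE.search(target):
            out.append(Finding("review", line, "driver loads from a temp path or .tmp file; anti-rootkit tools leave these, confirm which one"))
        elif m.group("meta") == "?":
            out.append(Finding("info", line, "DDS could not read the file's date and size"))
    return out


def triage(log: str) -> list[Finding]:
    sections = split_sections(log)
    return (triage_hjt(sections.get("Pseudo HJT Report", []))
            + triage_services(sections.get("SERVICES / DRIVERS", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:6}] {f.reason}\n         {f.entry}")
```

Running it against a full DDS log only needs `triage(open("dds.txt").read())`; the "review" items are the ones to resolve (locate the file, check its signer and date, compare with the Running Processes section) before touching anything, and the "info" items are context for that check.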



#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 29 July 2009 - 09:15 PM

Hello tommiebob11,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61 (Malware Response Team)

Posted 05 August 2009 - 08:27 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



