Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ugly browser redirector


  • This topic is locked This topic is locked
2 replies to this topic

#1 Joey1701d

Joey1701d

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 05 August 2009 - 12:18 AM

This started with an Anti Virus 1 prompt in Internet Explorer. User didn't know what to do and clicked OK at some point. I cleaned a lot of stuff up using HJT, deleting registry keys, using ComboFix (found and killed an instance) and VundoFix (found and killed one instance) and a couple of other programs I don't recall 2 months later. Also found/killed a bunch of stuff using SpySweeper, AdAware and AVG scans. Installed Zone Alarm Free 8.0.298 for user and showed her how to use it.

Now Firefox Google links are being redirected to false spyware scan sites.

I'm getting clean scans on SpySweeper 6.1 bld 128, AdAware 8.0.7, AVG Antivirus 8.5.392, Malwarebytes 1.4 and VundoFix 7.0.6, all with today's definitions.

The OS is Windows XP Home SP3 with all high priority updates installed. Glad to post attach if requested.

Hope someone can help.

--[attachment=27301:Attach.txt]

DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 23:48:08.63 on Tue 08/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1018 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sandy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [CTRegRun] "c:\windows\CTRegRun.EXE"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [AVG8_TRAY] "c:\progra~1\avg\avg8\avgtray.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc1\DrgToDsc.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRunOnce: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /install /silent
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
Trusted Zone: turbotax.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sandy\applic~1\mozilla\firefox\profiles\2kojla5y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\sandy\application data\vusion\npWARPVideoPlugin.250015.dll
FF - plugin: c:\documents and settings\sandy\application data\vusion\warpvideo@vusion.com\platform\winnt_x86-msvc\plugins\npWARPVideoPlugin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: XUL Cache: No Registry Reference - c:\program files\mozilla firefox\extensions\{877C3BBB-4C2F-4AD1-B574-2A08DDC2E49E}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-26 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-13 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-20 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-4 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-27 108552]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-20 353672]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-20 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-3-7 1205760]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 PortlUSB;PortlUSB;c:\windows\system32\drivers\SiriusUSB.sys [2009-2-6 7552]

=============== Created Last 30 ================


==================== Find3M ====================

2009-08-04 09:02 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 09:02 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-01 21:36 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-30 21:12 96,600 a------- c:\docume~1\sandy\applic~1\GDIPFONTCACHEV1.DAT
2009-05-20 08:12 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-13 15:39 1,563,008 a------- c:\windows\WRSetup.dll
2009-05-13 00:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-10 00:27 26,112 a------- c:\windows\system32\userinit.exe
2009-05-10 00:27 26,112 a------- c:\windows\system32\dllcache\userinit.exe
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll

============= FINISH: 23:48:37.48 ===============

BC AdBot (Login to Remove)

 


#2 Joey1701d

Joey1701d
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 05 August 2009 - 09:24 PM

Okay, don't bother responding to this. The user couldn't wait any longer so I'm reimaging her PC.

Joey

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:12 PM

Posted 05 August 2009 - 11:05 PM

Thank you for letting us know. That is generally the quickest solution. We work with hundreds of logs every day and consequently have a large backlog of topics, so it often takes several days before we can respond to a topic.

Since you have resolved this issue, this topic shall now be closed. If you experience new issues, please start a new topic.

Happy computing,

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users