Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


web search results being redirected to ad websites

  • Please log in to reply
3 replies to this topic

#1 rossfp


  • Members
  • 2 posts
  • Local time:03:16 AM

Posted 06 October 2009 - 11:32 AM

Greetings. I am a new member and this is my first post. I have read the preparation guide for posting a malware problem and have tried to follow all the directions there. My problem is this: when I do a search on Google and click the search result links, I am redirected to websites that contain advertisements instead of the sites that the links say they are for. It does not redirect me every time, but most times. I completed a DDS log and a RootRepeal log and pasted the reports below. Thank you for taking the time to read and reply.

This is my DDS.txt log:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Administrator at 9:53:31.35 on Tue 10/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.85 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ad Aware\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AWMON] "c:\program files\ad aware\ad-aware se plus\Ad-Watch.exe"
mRun: [<NO NAME>]
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: add to google photos screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: e&xport to microsoft excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09c04da7-5b76-4ebc-bbee-b25eac5965f5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\\gears.dll
IE: {2670000a-7350-4f3c-8081-5663ee0c6c49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780b25-18cc-41c8-b9be-3c9c571a8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\update
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242084615092
DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253205653626
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: groovelocalgws - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9m5erkxu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 287232]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-10 133104]

=============== Created Last 30 ================

2009-10-06 08:49 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-10-02 11:38 <DIR> --d----- c:\docume~1\admini~1\applic~1\NetMedia Providers
2009-10-02 11:38 <DIR> --d----- c:\docume~1\admini~1\applic~1\Sonic Foundry
2009-10-02 11:33 <DIR> --d----- c:\program files\Sonic Foundry
2009-10-02 11:32 156,910 a------- c:\windows\WMSysPr8.prx
2009-10-02 11:32 1,683,792 a------- c:\windows\system32\wmvcore2.dll
2009-10-02 11:32 665,424 a------- c:\windows\system32\wmv8dmoe.dll
2009-10-02 11:32 566,272 a------- c:\windows\system32\wmvdmoe.dll
2009-10-02 11:32 438,608 a------- c:\windows\system32\wmv8dmod.dll
2009-10-02 11:32 285,184 a------- c:\windows\system32\wmidx2.ocx
2009-10-02 06:34 58,820 a---h--- c:\windows\system32\mlfcache.dat
2009-09-17 14:33 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-09-17 12:25 206 a------- c:\windows\system32\MRT.INI
2009-09-17 12:13 221,184 a------- c:\windows\system32\wmpns.dll
2009-09-17 11:47 <DIR> --d----- c:\windows\system32\XPSViewer
2009-09-17 11:44 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-17 11:44 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-17 11:44 117,760 -------- c:\windows\system32\prntvpt.dll
2009-09-17 11:44 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-09-17 11:44 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-17 11:44 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-09-17 11:44 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-09-17 11:44 <DIR> --d----- C:\50eb19599a32b6c5f5
2009-09-17 11:40 <DIR> --d----- c:\windows\SxsCaPendDel
2009-09-17 11:23 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-09-17 11:21 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-09-17 11:21 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll

==================== Find3M ====================

2009-10-06 09:53 92,800 a------- c:\windows\system32\drivers\833d6046.sys
2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 22:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 22:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 -------- c:\windows\system32\wmpdxm.dll
2007-04-23 14:21 269,824 ac------ c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 ac------ c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 ac------ c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 ac------ c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 ac------ c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 ac------ c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 ac------ c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 ac------ c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 ac------ c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 9:56:54.60 ===============

This is my RootRepeal report:

ROOTREPEAL AD, 2007-2009
Scan Start Time: 2009/10/06 10:01
Program Version: Version
Windows Version: Windows XP SP3

Name: 833d6046.sys
Image Path: C:\WINDOWS\System32\drivers\833d6046.sys
Address: 0xF5CAF000 Size: 92800 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5C97000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AD2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF237B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
Path: C:\WINDOWS\system32\drivers\833d6046.sys
Status: Locked to the Windows API!

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\drivers\833d6046.sys" at address 0xf5cc28fd

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\833d6046.sys" at address 0xf5cc0905

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\833d6046.sys" at address 0xf5cc09c5

Stealth Objects
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 960) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 2472) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: firefox.exe (PID: 2712) Address: 0x10000000 Size: 28672

Hidden Services
Service Name: 833d6046
Image Path: C:\WINDOWS\System32\drivers\833d6046.sys


Attached Files

Edited by rossfp, 06 October 2009 - 11:39 AM.

BC AdBot (Login to Remove)


#2 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost
  • Local time:05:16 AM

Posted 11 October 2009 - 09:59 AM

hi rossfp,

Sorry for the delay, no shortage of posters. If you still need help with the malware reply to my post.

How Can I Reduce My Risk to Malware?

#3 rossfp

  • Topic Starter

  • Members
  • 2 posts
  • Local time:03:16 AM

Posted 11 October 2009 - 01:26 PM

Well, I don't need help removing the malware anymore. I ended up reinstalling Windows. I just couldn't stand the redirection and how slow my machine was running. I know it gets busy here and you responded as quickly as possible.

But, if you have any advice on how to prevent this from happening again, I would very much appreciate it. I use AdAware SE, which is old and not supported for updates anymore. I use Firefox with the NoScript extension because I read on another post that may help. I am still learning how to use that tool.

Thanks for your response.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost
  • Local time:05:16 AM

Posted 11 October 2009 - 05:25 PM

hi rossfp,

Sometimes a reformat can be the quickest and safest thing to do. Dont forget to visit Windows Update to get your OS etc 'patched', or turn on the auto-update feature.

More massive patches will be released this Tuesday the 13th.

I do have some tips for reducing your risk, normally I save it for last. If you have any questions post away.

10 Tips for Reducing/Preventing Your Risk To Malware:
Simply knowing what constitutes a safe action on a computer and what may not will help you tremendously.

1) It is essential to keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and your then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If you frequently have malware then you should review your computer habits.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.*

8) Install and understand the limitations of a software firewall.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0 Read the FAQ's.

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?

A longer version in link below.
Happy Safe Surfing.

How Can I Reduce My Risk to Malware?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users