Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

web search redirect infection


  • Please log in to reply
1 reply to this topic

#1 Blueline23

Blueline23

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:22 PM

Posted 20 October 2009 - 07:28 PM

Thank you in advance for any help provided. I obtained a nasty computer infection over the weekend. I returned to my laptop to see that some 3rd party website was performing a free virus scan on my machine. Immediately after I was getting pop ups to porn sites, unable to access task manager or pretty much any application. Also my internet browsing returned irrelevant search results for sites like tazinga.com, couponmountain.com, optumhealth.com, going.com, etc. I found that my Windows Firewall was turned off and I hadn't run the latest Windows XP updates. I have Symantec installed and it found sysguard.exe, I applied the recommended fix which included deleting some registry entries and most of my issues went away. The one remaining issue is the irrelevant search results. I have tried performing full scans with Ad-aware, Malwarebytes and SpyBot Search and Destroy. They have found lots of issues and supposedly cleaned them, but the issue still persists. I need help! Here are the log files requested:


DDS (Ver_09-10-13.01) - NTFSx86
Run by Timj at 17:53:49.18 on Tue 10/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.645 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
c:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe
C:\Program Files\Qqest Software Systems\TimeForce II\QuickBooks\TFQBService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Private Shell\PShellAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\TimJ.QQEST\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell/en/side.html
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Microsoft Internet Explorer provided by Qqest Software
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.qqest.com/intranet
mDefault_Page_URL = hxxp://www.qqest.com/intranet
mSearchAssistant = hxxp://www.google.com/ie
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 6\SnagItBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 6\SnagItIEAddin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Private Shell Key Agent] "c:\program files\private shell\PShellAgent.exe" -minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\lsp.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\timj~1.qqe\applic~1\mozilla\firefox\profiles\8lf15m6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig/dell?hl=en
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 2138
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 2138
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 2138
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 2138
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 2138
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-20 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1170768]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-3-4 202096]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\mssql.4\reporting services\reportserver\bin\ReportingServicesService.exe [2007-3-4 17264]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 ServiceTimeForce;TimeForce Advanced Server;c:\inetpub\wwwroot\qqest\utilities\TimeForceServices.exe [2008-4-1 908288]
R2 TFPunches;TimeForce Punches;c:\inetpub\wwwroot\qqest\utilities\TimeForcePunches.exe [2008-4-1 459264]
R2 TimeForceQBSI;TimeForceQBSI;c:\program files\qqest software systems\timeforce ii\quickbooks\TFQBService.exe [2009-7-31 13312]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-31 102448]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 vsttagent;Visual Studio Team Test Agent;c:\program files\microsoft visual studio 9.0 team test load agent\loadtest\QTAgentService.exe [2008-7-30 66568]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 USA19W;USA19W;c:\windows\system32\drivers\usa19w2k.sys [2008-6-2 292920]
S3 USA19w2KP;Keyspan High Speed USB Serial Adapter Port Driver;c:\windows\system32\drivers\usa19w2kp.sys [2008-6-2 40848]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]

=============== Created Last 30 ================

2009-10-20 14:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-20 14:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-20 14:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-10-20 13:04 3,273 a------- c:\windows\system32\wbem\Outlook_01ca51b82246ea2f.mof
2009-10-20 11:05 64,288 a------- c:\windows\system32\drivers\Lbd.sys
2009-10-20 11:03 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-20 11:03 <DIR> --d----- c:\program files\Lavasoft
2009-10-18 20:37 <DIR> --d----- c:\program files\Trend Micro
2009-10-18 16:49 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-10-18 16:49 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-18 16:49 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-10-18 16:47 <DIR> --d----- c:\windows\SQLTools9_KB970892_ENU
2009-10-18 16:44 <DIR> --d----- c:\windows\SQL9_KB970892_ENU
2009-10-18 16:06 <DIR> --d----- c:\docume~1\timj~1.qqe\applic~1\Malwarebytes
2009-10-18 16:06 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 16:06 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-18 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-18 16:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 18:57 178,432 a------- c:\windows\system32\lsp.dll
2009-10-13 13:45 17,408 -------- c:\windows\system32\dllcache\corpol.dll
2009-10-13 13:38 1,435,648 -------- c:\windows\system32\dllcache\query.dll
2009-10-13 13:37 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-10-13 13:35 126,976 -------- c:\windows\system32\dllcache\ftpsvc2.dll
2009-09-30 11:40 534 a------- c:\windows\system32\ChangeHost.cm_
2009-09-24 16:55 <DIR> --d----- c:\program files\RegClean
2009-09-24 16:55 792,506 a------- C:\REGCLN41.EXE

==================== Find3M ====================

2009-09-11 08:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 08:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 15:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-28 04:28 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 04:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-26 23:18 634,648 -------- c:\windows\system32\dllcache\iexplore.exe
2009-08-26 23:18 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 02:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 02:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-13 09:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 03:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 09:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 08:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 08:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 08:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-28 22:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 22:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 22:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 22:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-04 15:39 70,984 a------- c:\documents and settings\timj.qqest\g2mdlhlpx.exe
2009-05-13 14:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051320090514\index.dat

============= FINISH: 17:54:40.39 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:22 PM

Posted 31 October 2009 - 06:12 AM

Hello Blueline23

Welcome to BleepingComputer :(
==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users