
Online search result hijacking


  • This topic is locked
2 replies to this topic

#1 goupilandcie

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:33 AM

Posted 28 November 2009 - 10:03 AM

Hello, I am having a problem where when I search for something online and I click on the results I get redirected to somewhere else (usually fairly random). This just started last night. It seems there are some popups involved as well. I appreciate any help you can provide me.


DDS (Ver_09-11-24.02) - NTFSx86
Run by goupilandcie at 6:47:32.20 on Sat 11/28/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.36 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ayako\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
mRun: [VTTimer] VTTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 91.212.65.122 www.spyware-protector-2009.com
Hosts: 91.212.65.122 secure.spyware-protector-2009.com
Hosts: 91.212.65.122 spyware-protector-2009.com
Hosts: 91.212.65.122 browser-security.microsoft.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ayako\applic~1\mozilla\firefox\profiles\4uyy9wvz.default\
FF - prefs.js: browser.startup.homepage - www.teanobi.com
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\ayako\application data\mozilla\firefox\profiles\4uyy9wvz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 547744]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2009-1-3 20160]

=============== Created Last 30 ================

2009-11-28 14:40:30 0 d-----w- c:\program files\Trend Micro
2009-11-28 14:18:01 0 d-sha-r- C:\cmdcons
2009-11-28 14:16:00 98816 ----a-w- c:\windows\sed.exe
2009-11-28 14:16:00 77312 ----a-w- c:\windows\MBR.exe
2009-11-28 14:16:00 260608 ----a-w- c:\windows\PEV.exe
2009-11-28 14:16:00 161792 ----a-w- c:\windows\SWREG.exe
2009-11-28 14:01:04 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-28 14:00:42 0 d-----w- c:\docume~1\ayako\applic~1\AVG8
2009-11-28 12:24:32 0 d-----w- C:\RootkitNO
2009-11-28 12:23:07 0 d-----w- c:\program files\UnHackMe
2009-11-28 10:22:31 0 d-----w- C:\$AVG
2009-11-28 10:22:15 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-11-28 10:21:50 0 d-----w- c:\windows\system32\drivers\Avg(2)
2009-11-28 10:21:17 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-18 19:48:29 0 d-----w- c:\program files\Games
2009-11-06 01:18:24 0 d-----w- c:\program files\PeerGuardian2
2009-11-04 02:47:59 0 d-----w- c:\program files\uTorrent
2009-11-04 02:47:40 0 d-----w- c:\docume~1\ayako\applic~1\uTorrent
2009-11-03 22:49:49 0 d-----w- c:\program files\GPLGS
2009-11-03 22:48:58 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2009-11-03 22:48:43 0 d-----w- c:\program files\Acro Software
2009-11-03 22:19:49 0 d-----w- c:\program files\Nikon
2009-11-03 22:18:44 0 d-----w- c:\program files\common files\Nikon
2009-11-03 22:14:08 0 d-----w- C:\dan pc
2009-11-03 22:12:47 1409 ----a-w- c:\windows\system32\tmp93E2D.FOT
2009-11-03 22:12:47 1409 ----a-w- c:\windows\system32\tmp92E2D.FOT
2009-11-03 22:12:47 1409 ----a-w- c:\windows\system32\tmp91E2D.FOT
2009-11-03 22:12:47 1409 ----a-w- c:\windows\system32\tmp01D2D.FOT

==================== Find3M ====================

2009-10-05 19:09:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll

============= FINISH: 6:49:21.78 ===============

---------------------------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/28 06:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\Ayako\LOCALS~1\Temp\catchme.sys
Address: 0xEF312000 Size: 31744 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7AA3000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1E87000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\ayako\application data\skype\teanobi\etilqs_21tkgzec3pvptgwhacfz
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Ayako\Application Data\Mozilla\Firefox\Profiles\4uyy9wvz.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\ayako\local settings\application data\mozilla\firefox\profiles\4uyy9wvz.default\cache\_cache_001_
Status: Size mismatch (API: 275958, Raw: 275253)

Path: c:\documents and settings\ayako\local settings\application data\mozilla\firefox\profiles\4uyy9wvz.default\cache\_cache_002_
Status: Size mismatch (API: 272377, Raw: 269392)

==EOF==

I also have Hijackthis and Combofix logs ready if it will help.

Edited by goupilandcie, 28 November 2009 - 10:06 AM.


#2 Guest_Black_Bird_*

  • Guests
  • OFFLINE

Posted 05 December 2009 - 01:24 PM

Hi,

Download ComboFix from here

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply, together with a new DDS log.

#3 Guest_Black_Bird_*

  • Guests
  • OFFLINE

Posted 13 December 2009 - 12:32 PM

Because you didn't reply anymore, I am closing this topic.
If you want to have this topic reopened, please feel free to send me a private message.

All others, please start a new topic.