Google Searches Redirected



#1 davey_weir
Posted 28 November 2009 - 11:52 AM

When I click on a search result in Google I am redirected to a different site, namely Jokeroo and Britannia Search.

I have run TFC, Malwarebytes and SuperAntispyware; all found nothing.

I posted this in someone else's thread and, for the want of not hijacking someone else's thread!

Can you help? Please?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/28/2009 at 04:25 PM

Application Version : 4.31.1000

Core Rules Database Version : 4316
Trace Rules Database Version: 2177

Scan type : Complete Scan
Total Scan Time : 00:47:15

Memory items scanned : 334
Memory threats detected : 0
Registry items scanned : 7662
Registry threats detected : 0
File items scanned : 67419
File threats detected : 0


Malwarebytes' Anti-Malware 1.41
Database version: 3246
Windows 6.1.7100

28/11/2009 02:44:01
mbam-log-2009-11-28 (02-44-01).txt

Scan type: Quick Scan
Objects scanned: 95645
Time elapsed: 8 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#2 boopme
Posted 28 November 2009 - 02:34 PM

Hi, please run 2 other tests:

Part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 davey_weir
Posted 30 November 2009 - 01:48 PM

I downloaded RootRepeal but I'm receiving loads of errors when starting it, and as a result I can't run full scans because I get more errors. It's driver initialising errors and process errors, so I can't do any scans - any ideas? Oh, brilliant, as I type my computer has started playing music to me!

SmitFraud was fine, the results are:

SmitFraudFix v2.424

Scan done at 18:41:31.79, 30/11/2009
Run from C:\Users\Darren\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.1.7100] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\AVG9\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Microsoft Office\Office12\ONENOTEM.EXE
C:\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Windows\system32\svchost.exe
C:\AVG9\avgwdsvc.exe
C:\AVG9\avgfws9.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\igfxext.exe
C:\AVG9\avgam.exe
C:\AVG9\avgnsx.exe
C:\AVG9\avgemc.exe
C:\AVG9\avgcsrvx.exe
C:\AVG9\avgchsvx.exe
C:\AVG9\avgrsx.exe
C:\AVG9\avgcsrvx.exe
C:\AVG9\avgcsrvx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe
C:\Users\Darren\Desktop\SmitfraudFix\Policies.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

hosts


C:\


C:\Windows


C:\Windows\system


C:\Windows\Web


C:\Windows\system32


C:\Windows\system32\LogFiles


C:\Users\Darren


C:\Users\Darren\AppData\Local\Temp


C:\Users\Darren\Application Data


Start Menu


C:\Users\Darren\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"VMApplet"="SystemPropertiesPerformance.exe /pagefile"




DNS

Description: Atheros AR5007EG Wireless Network Adapter
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{83B1BF49-29FC-4DC6-B2F6-2B099007339D}: NameServer=193.36.79.100 193.36.79.101
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4941A79-1661-4172-9288-332E33199E9C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83B1BF49-29FC-4DC6-B2F6-2B099007339D}: NameServer=193.36.79.100 193.36.79.101
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4941A79-1661-4172-9288-332E33199E9C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{83B1BF49-29FC-4DC6-B2F6-2B099007339D}: NameServer=193.36.79.100 193.36.79.101
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F4941A79-1661-4172-9288-332E33199E9C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End

Edited by davey_weir, 30 November 2009 - 01:55 PM.
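One detail in the SmitfraudFix report above is worth a second look when every file scanner comes back clean: the DNS section lists, for interface {83B1BF49-29FC-4DC6-B2F6-2B099007339D}, a static NameServer of 193.36.79.100 193.36.79.101, while the only DHCP-provided resolver on the host is 192.168.1.1. A resolver the user did not choose can redirect lookups without leaving any file for an on-disk scan to find, which is exactly the symptom described in this thread. The script below is an added example, not code from the thread or from SmitfraudFix: it parses the registry lines SmitfraudFix prints (embedded here as a constructed sample copied from the post) and reports interfaces whose static NameServer differs from what DHCP handed out, noting whether those addresses are outside the private ranges. It says nothing about who operates the addresses it flags; confirming whether the user or the ISP configured them is the next step, not something the log alone can settle.

```python
"""Flag statically configured DNS resolvers in a SmitfraudFix "DNS" section.

Added example (not from the thread): a search redirect that survives clean
AV scans need not be a file on disk. If a per-interface NameServer value
points at a resolver the user did not choose, every lookup the browser makes
is answered by that resolver. This reads the registry lines SmitfraudFix
prints and reports interfaces whose static NameServer is not the DHCP one.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the DNS section of the SmitfraudFix report quoted in
# the post above, trimmed to the lines the check needs.
SAMPLE_DNS_SECTION = r"""
Description: Atheros AR5007EG Wireless Network Adapter
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{83B1BF49-29FC-4DC6-B2F6-2B099007339D}: NameServer=193.36.79.100 193.36.79.101
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4941A79-1661-4172-9288-332E33199E9C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83B1BF49-29FC-4DC6-B2F6-2B099007339D}: NameServer=193.36.79.100 193.36.79.101
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4941A79-1661-4172-9288-332E33199E9C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
"""

# One SmitfraudFix DNS line: control set, location (interface GUID or the
# global Parameters key), value name and the space/comma separated addresses.
LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\Tcpip\\(?P<where>.+?):\s+"
    r"(?P<key>NameServer|DhcpNameServer)=(?P<val>.*)$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def _is_private(ip):
    """True for RFC 1918 / loopback style addresses; unparsable values count as public."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def parse_dns_section(text):
    """Return ({(control_set, guid): {key: [ips]}}, {control_set: [global dhcp ips]})."""
    per_iface = defaultdict(dict)
    global_dhcp = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ips = m.group("val").replace(",", " ").split()
        guid = GUID_RE.search(m.group("where"))
        if guid:
            per_iface[(m.group("cs"), guid.group(0))][m.group("key")] = ips
        elif m.group("key") == "DhcpNameServer":
            global_dhcp[m.group("cs")] = ips
    return dict(per_iface), global_dhcp


def find_static_resolvers(text):
    """List interfaces whose static NameServer names a resolver DHCP did not provide."""
    per_iface, global_dhcp = parse_dns_section(text)
    findings = []
    for (cs, iface), keys in sorted(per_iface.items()):
        static = keys.get("NameServer", [])
        if not static:
            continue  # DHCP-only interface, nothing is overriding it
        expected = set(keys.get("DhcpNameServer", [])) | set(global_dhcp.get(cs, []))
        unexpected = [ip for ip in static if ip not in expected]
        if not unexpected:
            continue
        findings.append({
            "control_set": cs,
            "interface": iface,
            "static": unexpected,
            # A public resolver on a home LAN is a stronger signal than a private one.
            "public": [ip for ip in unexpected if not _is_private(ip)],
            "dhcp": sorted(expected),
        })
    return findings


if __name__ == "__main__":
    for f in find_static_resolvers(SAMPLE_DNS_SECTION):
        print(f"{f['control_set']} {f['interface']}: static resolver(s) "
              f"{' '.join(f['static'])} ({len(f['public'])} public); "
              f"DHCP resolver(s) on this host: {' '.join(f['dhcp']) or 'none'}")
```

On the sample the script reports the same interface twice, once per control set (CCS and CS1), because SmitfraudFix dumps every control set; a finding that appears only in CCS and not in the last-known-good set is itself informative, since it narrows down when the value was written. Running the same logic against a live machine means reading the per-interface keys under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces directly rather than a pasted log.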


#4 boopme
Posted 30 November 2009 - 02:02 PM

You may need to disable AVG temporarily, or try this one.

Download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to begin installation.
  • Click Next to select the Normal interface.
  • Accept the license and follow the prompts to install. (By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit)
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with three buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
  • When the scan has finished, if anything was found, click "Remove selected items"
  • If nothing is found, a message will appear "Congratulations! There were no installed rootkits found on your computer."
  • Click close, then select "Perform in-depth Search".
  • When the scan has finished, if anything is found, click "Remove selected items"
  • Again, if nothing was found, you will see the message "Congratulations! There were no installed rootkits found on your computer."
  • Exit AVG ARK.
Note: Close all open windows, programs, and DO NOT USE the computer while scanning. If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted automatically.

#5 davey_weir
Posted 30 November 2009 - 08:41 PM

Ok, thanks for your help and advice.

I downloaded AVG Anti-Rootkit. I ran the scan, and it found nothing. Then I realised I had Anti-Rootkit as part of AVG 9.0!! So, I uninstalled the one you told me to download and ran a further scan using the Anti-Rootkit that is part of AVG 9.0. It found two hidden things which, oddly enough, were part of RootRepeal! I deleted RootRepeal from my system as it won't work at all.

So - AVG found nothing.

Now - it looks like the infection has stopped redirecting my google search results to the likes of Britannia Search and redirect.dir or whatever it's called.

Are there any further steps I need to take to ensure it has really gone for good and/or to prevent it from reappearing?

#6 davey_weir
Posted 30 November 2009 - 08:55 PM

Hmmm, spoke too soon!

I did a search through google and clicked the result. The direct.dir or whatever it's called decided to open itself in a new window.

Please help me, really p***ing me off!

#7 boopme
Posted 30 November 2009 - 11:07 PM

Must be a hidden or protected malware.
You will need to run HJT/DDS.
Please follow this guide and do steps 6 through 8: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#8 davey_weir
Posted 01 December 2009 - 07:35 AM

I will do, thank you. Also, I ran Ad Aware scan, the results are as follows, just out of interest:

Logfile created: 01/12/2009 02:26:40
Lavasoft Ad-Aware version: 8.1.2
User performing scan: Darren

*********************** Definitions database information ***********************
Lavasoft definition file: 149.104
Genotype definition file version: Unknown

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 88599
Objects detected: 0


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Scan and cleaning complete: Finished correctly after 3530 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: folderstoscan, enabled:1, value: C:\
ID: useantivirus, enabled:0, value: true
ID: sections, enabled:1
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
ID: usespywareheuristics, enabled:1, value: true
ID: heuristicslevel, enabled:1, value: mild, domain: medium,mild,strict

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily1, enabled:0, value: Daily 1
ID: time, enabled:0, value: Tue Dec 01 02:13:00 2009
ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:0
ID: monday, enabled:0, value: false
ID: tuesday, enabled:0, value: false
ID: wednesday, enabled:0, value: false
ID: thursday, enabled:0, value: false
ID: friday, enabled:0, value: false
ID: saturday, enabled:0, value: false
ID: sunday, enabled:0, value: false
ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:0, value:
ID: auto_deal_with_infections, enabled:0, value: false
ID: updatedaily2, enabled:0, value: Daily 2
ID: time, enabled:0, value: Tue Dec 01 08:13:00 2009
ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:0
ID: monday, enabled:0, value: false
ID: tuesday, enabled:0, value: false
ID: wednesday, enabled:0, value: false
ID: thursday, enabled:0, value: false
ID: friday, enabled:0, value: false
ID: saturday, enabled:0, value: false
ID: sunday, enabled:0, value: false
ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:0, value:
ID: auto_deal_with_infections, enabled:0, value: false
ID: updatedaily3, enabled:0, value: Daily 3
ID: time, enabled:0, value: Tue Dec 01 14:13:00 2009
ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:0
ID: monday, enabled:0, value: false
ID: tuesday, enabled:0, value: false
ID: wednesday, enabled:0, value: false
ID: thursday, enabled:0, value: false
ID: friday, enabled:0, value: false
ID: saturday, enabled:0, value: false
ID: sunday, enabled:0, value: false
ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:0, value:
ID: auto_deal_with_infections, enabled:0, value: false
ID: updatedaily4, enabled:0, value: Daily 4
ID: time, enabled:0, value: Tue Dec 01 20:13:00 2009
ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:0
ID: monday, enabled:0, value: false
ID: tuesday, enabled:0, value: false
ID: wednesday, enabled:0, value: false
ID: thursday, enabled:0, value: false
ID: friday, enabled:0, value: false
ID: saturday, enabled:0, value: false
ID: sunday, enabled:0, value: false
ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:0, value:
ID: auto_deal_with_infections, enabled:0, value: false
ID: updateweekly1, enabled:1, value: Weekly
ID: time, enabled:1, value: Tue Dec 01 02:13:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: true
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: true
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: autoentertainmentmode, enabled:0, value: false
ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: modules, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: layers, enabled:1
ID: useantivirus, enabled:0, value: false
ID: usespywareheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: DARRENSNETBOOK
Processor name: Intel® Atom™ CPU N270 @ 1.60GHz
Processor identifier: x86 Family 6 Model 28 Stepping 2
Processor speed: ~1596MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 7170, number of processors 2, processor features: [MMX,SSE,SSE2,SSE3]
Physical memory available: 222646272 bytes
Physical memory total: 1063706624 bytes
Virtual memory available: 1988091904 bytes
Virtual memory total: 2147352576 bytes
Memory load: 79%
Microsoft (build 7100)
Windows startup mode:

Running processes:
PID: 264 name: C:\Windows\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 352 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 412 name: C:\Windows\System32\wininit.exe owner: SYSTEM domain: NT AUTHORITY
PID: 420 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 456 name: C:\Windows\System32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 516 name: C:\Windows\System32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 532 name: C:\Windows\System32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 540 name: C:\Windows\System32\lsm.exe owner: SYSTEM domain: NT AUTHORITY
PID: 676 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 756 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 796 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 896 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 932 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1108 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1224 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1312 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1460 name: C:\Windows\System32\dwm.exe owner: Darren domain: DarrensNetbook
PID: 1516 name: C:\Windows\explorer.exe owner: Darren domain: DarrensNetbook
PID: 1624 name: C:\Windows\System32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1656 name: C:\Windows\System32\taskhost.exe owner: Darren domain: DarrensNetbook
PID: 1684 name: C:\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 1968 name: C:\Windows\System32\hkcmd.exe owner: Darren domain: DarrensNetbook
PID: 1976 name: C:\Windows\System32\igfxpers.exe owner: Darren domain: DarrensNetbook
PID: 2028 name: C:\AVG9\avgtray.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 2040 name: C:\Program Files\Windows Sidebar\sidebar.exe owner: Darren domain: DarrensNetbook
PID: 356 name: C:\Windows\System32\igfxsrvc.exe owner: Darren domain: DarrensNetbook
PID: 304 name: C:\Microsoft Office\Office12\ONENOTEM.EXE owner: Darren domain: DarrensNetbook
PID: 740 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Darren domain: DarrensNetbook
PID: 1760 name: C:\AVG9\Identity Protection\Agent\Bin\AVGIDSMonitor.exe owner: Darren domain: DarrensNetbook
PID: 1380 name: C:\Windows\System32\conhost.exe owner: Darren domain: DarrensNetbook
PID: 1908 name: C:\Windows\System32\taskeng.exe owner: Darren domain: DarrensNetbook
PID: 2052 name: C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe owner: Darren domain: DarrensNetbook
PID: 2228 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2396 name: C:\AVG9\avgwdsvc.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 2444 name: C:\AVG9\avgfws9.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 2508 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2716 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2784 name: C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 2976 name: C:\Spybot - Search & Destroy\SDWinSec.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3252 name: C:\AVG9\avgam.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 3272 name: C:\AVG9\avgnsx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3492 name: C:\AVG9\avgchsvx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3504 name: C:\AVG9\avgrsx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3544 name: C:\AVG9\avgcsrvx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3612 name: C:\Windows\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3804 name: C:\Windows\System32\igfxext.exe owner: Darren domain: DarrensNetbook
PID: 3944 name: C:\AVG9\avgemc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4020 name: C:\Windows\System32\wbem\WmiPrvSE.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1452 name: C:\AVG9\avgcsrvx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3064 name: C:\Windows\System32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3584 name: C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 2740 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2432 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 2684 name: C:\AVG9\avgcsrvx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4440 name: C:\Program Files\Windows Media Player\wmpnetwk.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 5752 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 6112 name: C:\Windows\System32\sppsvc.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 5932 name: C:\Windows\System32\dllhost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5704 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Darren domain: DarrensNetbook
PID: 4296 name: C:\Windows\System32\ctfmon.exe owner: Darren domain: DarrensNetbook
PID: 4632 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 6136 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Darren domain: DarrensNetbook
PID: 320 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Darren domain: DarrensNetbook
PID: 3704 name: C:\Windows\System32\wbem\WmiPrvSE.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 2924 name: C:\Windows\servicing\TrustedInstaller.exe owner: SYSTEM domain: NT AUTHORITY

Startup items:
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: HotKeysCmds
imagepath: C:\Windows\system32\hkcmd.exe
Name: Persistence
imagepath: C:\Windows\system32\igfxpers.exe
Name: Adobe Reader Speed Launcher
imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Name: Adobe ARM
imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Name: AVG9_TRAY
imagepath: C:\AVG9\avgtray.exe
Name:
imagepath: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *

Running services:
Name: AeLookupSvc
displayname: Application Experience
Name: AudioEndpointBuilder
displayname: Windows Audio Endpoint Builder
Name: Audiosrv
displayname: Windows Audio
Name: avg9emc
displayname: AVG E-mail Scanner
Name: avg9wd
displayname: AVG WatchDog
Name: avgfws9
displayname: AVG Firewall
Name: AVGIDSAgent
displayname: AVG9IDSAgent
Name: BFE
displayname: Base Filtering Engine
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Browser
displayname: Computer Browser
Name: bthserv
displayname: Bluetooth Support Service
Name: CryptSvc
displayname: Cryptographic Services
Name: CscService
displayname: Offline Files
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: DPS
displayname: Diagnostic Policy Service
Name: EapHost
displayname: Extensible Authentication Protocol
Name: eventlog
displayname: Windows Event Log
Name: EventSystem
displayname: COM+ Event System
Name: fdPHost
displayname: Function Discovery Provider Host
Name: FDResPub
displayname: Function Discovery Resource Publication
Name: gpsvc
displayname: Group Policy Client
Name: HomeGroupListener
displayname: HomeGroup Listener
Name: HomeGroupProvider
displayname: HomeGroup Provider
Name: IKEEXT
displayname: IKE and AuthIP IPsec Keying Modules
Name: iphlpsvc
displayname: IP Helper
Name: KeyIso
displayname: CNG Key Isolation
Name: LanmanServer
displayname: Server
Name: LanmanWorkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: lmhosts
displayname: TCP/IP NetBIOS Helper
Name: MMCSS
displayname: Multimedia Class Scheduler
Name: MpsSvc
displayname: Windows Firewall
Name: Netman
displayname: Network Connections
Name: netprofm
displayname: Network List Service
Name: NlaSvc
displayname: Network Location Awareness
Name: nsi
displayname: Network Store Interface Service
Name: p2pimsvc
displayname: Peer Networking Identity Manager
Name: p2psvc
displayname: Peer Networking Grouping
Name: PlugPlay
displayname: Plug and Play
Name: PNRPsvc
displayname: Peer Name Resolution Protocol
Name: PolicyAgent
displayname: IPsec Policy Agent
Name: Power
displayname: Power
Name: ProfSvc
displayname: User Profile Service
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcEptMapper
displayname: RPC Endpoint Mapper
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: SBSDWSCService
displayname: SBSD Security Center Service
Name: Schedule
displayname: Task Scheduler
Name: SENS
displayname: System Event Notification Service
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: sppsvc
displayname: Software Protection
Name: SSDPSRV
displayname: SSDP Discovery
Name: SstpSvc
displayname: Secure Socket Tunneling Protocol Service
Name: StiSvc
displayname: Windows Image Acquisition (WIA)
Name: SysMain
displayname: Superfetch
Name: TapiSrv
displayname: Telephony
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: TrustedInstaller
displayname: Windows Modules Installer
Name: upnphost
displayname: UPnP Device Host
Name: UxSms
displayname: Desktop Window Manager Session Manager
Name: WdiServiceHost
displayname: Diagnostic Service Host
Name: WdiSystemHost
displayname: Diagnostic System Host
Name: WerSvc
displayname: Windows Error Reporting Service
Name: WinHttpAutoProxySvc
displayname: WinHTTP Web Proxy Auto-Discovery Service
Name: Winmgmt
displayname: Windows Management Instrumentation
Name: Wlansvc
displayname: WLAN AutoConfig
Name: wlidsvc
displayname: Windows Live ID Sign-in Assistant
Name: WMPNetworkSvc
displayname: Windows Media Player Network Sharing Service
Name: wscsvc
displayname: Security Center
Name: WSearch
displayname: Windows Search
Name: wuauserv
displayname: Windows Update
Name: wudfsvc
displayname: Windows Driver Foundation - User-mode Driver Framework

#9 davey_weir
Posted 01 December 2009 - 08:09 PM

Quoting boopme: "Let me know if it went OK."

Have posted on there, and everyone else seems to be getting replies bar me!!

Any idea how long it takes?

#10 Orange Blossom
Posted 01 December 2009 - 10:46 PM

Hello,

Now comes the frustrating and hard part: waiting. We work with hundreds of logs every day, so we have devised a means of seeing only those topics that don't have responses yet. At the moment, we have nearly 400 unanswered topics, the oldest dated Nov. 26, 2009 at 3:02 pm Eastern Standard time in the U.S.A. Your HiJack This topic is dated Dec. 1, 2009 at 7:58 AM using the same time zone.

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/275402/google-searches-redirected-to-directdir/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom