Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google Searches Redirected-Firefox and IE

  • This topic is locked This topic is locked
2 replies to this topic

#1 Olias


  • Members
  • 4 posts
  • Gender:Male
  • Local time:07:17 PM

Posted 08 December 2009 - 07:28 PM

Hello to Bleeping Computer. I need your help!

I have recently started having issues with Google searches in Firefox and IE being randomly redirected to other sites. Most are junk shopping sites, but many are 'anti-spyware' sites. When I started noticing the redirects I ran scans with McAfee, Spybot, Windows Defender, MalwareBytes and Ad-Aware and only MBAM found anything. But even after MBAM 'removed' the problem the redirects remain. Six or eight searches in a row will function properly, but then the hijacker takes over and I cannot get anywhere without multiple clicks. I have looked around a bit on my own using various viewing tools including Hijack This but other than deleting a few suspicious items (with no results) I'm not getting anywhere.

My primary anti-virus is the McAfee suite which comes free from my ISP. I do scans with MBAM, Spybot and Windows Defender from time to time. My firewall is up and functioning, and I am fully backed up on an outboard drive. I am running XP MCE SP3 on an HP m7674n and the machine is completely updated.

I have not had much in the way of other symptoms, however. My system seems to run normally, and is not visibly lagging. Internet operations other than Google searches seem fine. All of the malware programs update and execute normally. There does not seem to be any unwarranted traffic inbound or outbound, although the CPU usage will generally hover around 50% even at idle which seems high but may not be an actual issue. The only other thing I noted—which may or may not be related—was that when I wanted to try running a scan from safe mode my machine would not boot and kept returning me to the OS option screen. Overall…my system seems to come up clean on multiple scans…but something is still redirecting my Google searches.

I have read many of your forums and am now asking for your help. I have run the appropriate scans and generated the reports that you need, and await further instructions. Thank you in advance for your generous assistance.


Here is the DDS log from today:

DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 18:21:05.14 on Tue 12/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1313 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HyperIM\HyperIM.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://comcast.net/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [HyperIM] c:\program files\hyperim\HyperIM.exe -min
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [PCDrSmartMonitor] "c:\program files\pc-doctor 5 for windows\PcdSmartMonitor.exe" -r
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\wallpa~1.lnk - c:\program files\wallpapertoy\Wallpapertoy.Exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\9l8llyld.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-4 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-29 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-4 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-4 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-4 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-4 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-4 40552]
R3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2006-5-11 21248]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-9-9 468768]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-9-9 82048]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-4 34248]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-3-23 120168]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-12-07 01:05:42 0 d-----w- c:\program files\JavaRa
2009-12-07 01:04:41 73295 ----a-w- c:\program files\JavaRa.zip
2009-12-05 09:17:53 0 d-----w- c:\program files\Trend Micro
2009-12-05 09:16:47 812344 ----a-w- c:\program files\HJTInstall.exe
2009-12-02 11:33:22 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-02 11:26:49 16409960 ----a-w- c:\program files\spybotsd162.exe
2009-12-02 10:06:10 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-02 00:28:02 0 dc----w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-02 00:27:51 0 d-----w- c:\program files\Lavasoft
2009-11-27 00:53:58 94832 ----a-w- c:\documents and settings\hp_administrator\.recently-used.xbel
2009-11-17 23:17:56 388240 ----a-w- c:\program files\msgr10us.exe
2009-11-10 13:10:09 8084968 ----a-w- c:\program files\Firefox Setup 3.5.5.exe

==================== Find3M ====================

2009-12-06 01:36:24 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-05 19:28:20 93074728 ----a-w- c:\program files\iTunesSetup.exe
2009-09-23 06:20:47 4045528 ----a-w- c:\program files\mbam-setup.exe
2009-09-19 03:17:11 6873872 ----a-w- c:\program files\Thunderbird Setup
2009-09-19 03:04:20 708658 ----a-w- c:\program files\ypops-win-
2009-09-15 15:28:29 40080 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-04-12 02:06:42 11121848 ----a-w- c:\program files\FreewarePrimoSetup.exe
2009-04-12 01:58:29 12519424 ----a-w- c:\program files\gs864w32.exe
2009-04-12 01:51:22 21379762 ----a-w- c:\program files\scribus-
2009-01-03 02:44:25 32116333 ----a-w- c:\program files\MayuraChessBoard.zip
2008-10-02 03:59:37 359656 ----a-w- c:\program files\msicuu2.exe
2008-09-26 21:46:13 1258745 ----a-w- c:\program files\CamStudio[1].2.5.b1.bin.zip
2008-09-09 15:34:29 35600 ----a-w- c:\program files\amcap.exe
2008-09-04 03:44:14 965120 ----a-w- c:\program files\MoveMediaPlayer_07103010.exe
2008-04-29 05:19:30 15299 ----a-w- c:\program files\him_2.12_sdk.zip
2008-04-29 05:19:18 1071692 ----a-w- c:\program files\HyperIM_2.14_Setup.zip
2008-03-08 18:33:54 446008 ----a-w- c:\program files\msgr8us.exe
2007-12-09 07:43:23 54330664 ----a-w- c:\program files\iTunes75Setup.exe
2007-11-01 04:18:22 16395480 ----a-w- c:\program files\gimp-help-2-0.13-eng-setup.exe
2007-10-31 16:12:23 14952016 ----a-w- c:\program files\gimp-2.4.0-i586-setup.exe
2007-08-13 02:41:20 6221304 ----a-w- c:\program files\winamp535_full_emusic-7plus.exe
2007-08-05 08:28:46 732795 ----a-w- c:\program files\uploadr_2.5.0.15_en.exe
2007-03-17 07:57:47 2810507 ----a-w- c:\program files\icechat-setup.exe
2007-02-26 01:56:29 6910976 ----a-w- c:\program files\WindowsVistaUpgradeAdvisor.msi
2007-02-18 03:19:12 150192 ----a-w- c:\program files\TweakUiPowertoySetup.exe
2007-02-18 00:21:10 1070592 ----a-w- c:\program files\TweakMCE.msi
2007-02-18 00:20:27 187072 ----a-w- c:\program files\powertoys_wpchanger.exe
2007-02-10 08:40:15 1367553 ----a-w- c:\program files\mirc621.exe
2007-01-29 04:38:56 5186048 ----a-w- c:\program files\WindowsDefender.msi
2007-01-14 07:57:17 6135808 ----a-w- c:\program files\icq5_1_setup.exe
2003-03-06 06:04:22 396288 ----a-w- c:\program files\wmal2pcm.exe
2006-11-25 01:14:34 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 18:22:45.59 ===============

Please find attached the other reports requested, attach.txt and the Root Repeal report.

Attached Files

BC AdBot (Login to Remove)


#2 Olias

  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Local time:07:17 PM

Posted 14 December 2009 - 07:44 PM

Please disregard my issue as I had to resort to other measures. My machine was rapidly becoming unusable as more and more processes and applications became increasingly unstable or failed to function at all. I ended up wiping my disc and utilizing a mirror-image backup from a year ago. Many thanks just the same. You may close this topic.


#3 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:17 PM

Posted 20 December 2009 - 06:28 PM


Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users