
Browser Redirect Problem


  • This topic is locked
2 replies to this topic

#1 taint

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 12 March 2010 - 04:01 PM

I've been having a big problem recently with my Vista 32-bit laptop. A lot of the search results in Google that I click on get redirected to a malicious site. This even happens when I click on a Microsoft result. I've scanned with Spybot and a few other things, updated my hosts file and cleaned my temp folders, and still the same thing happens. I'm not sure what to do, so this is my last resort, I guess.

I installed the programs and ran the scans that were instructed in the prep guide. So here it goes:

DDS result:

CODE
DDS (Ver_09-12-01.01) - NTFSx86
Run by Jonah at 15:29:06.09 on Fri 03/12/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.1.1033.18.1982.1168 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Users\Jonah\Documents\Downloads\Programs\dds.EXE
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\jonah\appdata\roaming\mozilla\firefox\profiles\zpe54bht.default\
FF - component: c:\users\jonah\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-3-11 1153368]

=============== Created Last 30 ================

2010-03-12 20:24:45 0 ----a-w- c:\users\jonah\defogger_reenable
2010-03-12 17:55:00 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-12 17:40:07 0 d-----w- c:\program files\TrendMicro
2010-03-12 17:12:10 0 d-----w- C:\fixwareout
2010-03-12 16:34:17 0 d-----w- C:\RootkitNO
2010-03-12 16:24:35 2 --shatr- c:\windows\winstart.bat
2010-03-12 15:09:54 0 d---a-w- c:\programdata\TEMP
2010-03-12 15:08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-03-12 15:08:50 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-03-12 15:08:50 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-03-12 15:08:50 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-03-12 15:08:50 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-03-12 14:42:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-11 16:58:19 0 d-----w- c:\program files\Windows Installer Clean Up
2010-03-11 16:57:58 0 d-----w- c:\program files\MSECACHE
2010-03-11 16:33:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_point32k_01009.Wdf
2010-03-11 16:33:47 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-03-11 16:33:33 3 ----a-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
2010-03-11 16:33:32 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2010-03-11 16:33:32 4052 ----a-w- c:\windows\system32\wbem\Wdf01000.mof
2010-03-11 16:33:32 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2010-03-11 16:33:32 118 ----a-w- c:\windows\system32\wbem\Wdf01000Uninstall.mof
2010-03-11 16:33:01 0 d-----w- c:\program files\Microsoft IntelliPoint
2010-03-11 15:55:46 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-11 15:55:46 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-07 15:44:02 0 d-----w- c:\windows\system32\vi-VN
2010-03-07 15:44:02 0 d-----w- c:\windows\system32\eu-ES
2010-03-07 15:44:02 0 d-----w- c:\windows\system32\ca-ES
2010-03-07 15:14:51 0 d-----w- c:\windows\system32\EventProviders
2010-03-04 15:10:46 0 d-----w- c:\users\jonah\appdata\roaming\IDM
2010-02-23 22:07:27 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 22:07:17 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 22:07:17 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 22:07:17 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 22:07:17 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 22:07:16 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 22:07:16 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 22:07:16 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 22:07:16 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 22:07:16 152064 ----a-w- c:\windows\system32\secproc_ssp.dll

==================== Find3M  ====================

2010-03-12 19:57:24 27839 ----a-w- c:\programdata\nvModes.dat
2010-03-11 16:33:18 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-03-11 16:33:18 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-11 16:33:17 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-07 15:43:56 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-07 15:22:12 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2009-12-18 13:01:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 11:44:23 834048 ----a-w- c:\windows\system32\wininet.dll
2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-04-09 23:35:35 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:30:32.81 ===============
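The "Created Last 30" and "Find3M" sections of a DDS log are where a responder usually looks first when a redirect like the one described in this thread is suspected. The following Python triage helper is an added example for this thread, not part of DDS or any BleepingComputer tool: it parses entries in the DDS listing format and flags files worth checking by hand, either because a plain file carries both hidden and system attributes, or because executable content was created under c:\windows inside the scan window. The sample lines are copied from the log above; the reference time, the executable-extension list and the two rules are assumptions of the example, and hits are a review list for a human, not verdicts.

```python
import re
from datetime import datetime, timedelta

# Added example for this thread: a small triage pass over DDS "Created Last 30"
# / "Find3M" lines. Not part of DDS or any BleepingComputer tool.
# Entry format:  YYYY-MM-DD HH:MM:SS <size> <8-char attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$"
)

# Extensions treated as executable content (assumption of the example).
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr", ".com")

# Lines copied verbatim from the DDS log posted above (a mix of suspicious
# and benign-looking entries so the rules have something to separate).
SAMPLE_DDS_LINES = r"""
2010-03-12 16:24:35 2 --shatr- c:\windows\winstart.bat
2010-03-12 15:08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-03-12 17:40:07 0 d-----w- c:\program files\TrendMicro
2010-03-11 16:33:32 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2010-02-23 22:07:27 2048 ----a-w- c:\windows\system32\tzres.dll
2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
"""

# Constructed reference time: the day after the scan in the log.
SCAN_TIME = datetime(2010, 3, 13)


def parse_entries(text):
    """Parse DDS file-listing lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "when": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "size": int(m["size"]),
            "attrs": m["attrs"],
            "path": m["path"].lower(),
        })
    return entries


def triage(entries, scan_time, window_days=30):
    """Return [(path, [reasons])] for entries worth a manual look, most reasons first."""
    cutoff = scan_time - timedelta(days=window_days)
    findings = []
    for e in entries:
        reasons = []
        is_dir = e["attrs"][0] == "d"          # first attribute column is 'd' for directories
        name = e["path"].rsplit("\\", 1)[-1]
        # Rule 1: a plain file carrying both hidden and system attributes.
        # desktop.ini legitimately has them, so it is excluded.
        if not is_dir and "h" in e["attrs"] and "s" in e["attrs"] and name != "desktop.ini":
            reasons.append("hidden+system attributes on a file")
        # Rule 2: executable content created under the Windows directory inside the window.
        if (not is_dir and e["path"].startswith("c:\\windows\\")
                and e["path"].endswith(EXEC_EXT) and e["when"] >= cutoff):
            reasons.append("executable created under c:\\windows within the window")
        if reasons:
            findings.append((e["path"], reasons))
    findings.sort(key=lambda f: -len(f[1]))   # stable sort: ties keep log order
    return findings


def run_sample():
    """Run the triage over the sample lines with the constructed reference time."""
    return triage(parse_entries(SAMPLE_DDS_LINES), SCAN_TIME)


if __name__ == "__main__":
    for path, reasons in run_sample():
        print(path, "->", "; ".join(reasons))
```

Run against the sample, winstart.bat comes out on top because it trips both rules; the three DLL/SYS entries trip only the "new executable under c:\windows" rule and include legitimate Windows updates, which is exactly why the output is a worklist to compare against known-good sources rather than a detection.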







#2 snemelk

    engineer

  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:04:44 AM

Posted 13 March 2010 - 06:39 PM

Hi taint, and welcome to Bleeping Computer.

Firstly,
* Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
* Execute the file TDSSKiller.exe by double-clicking on it.
* Wait for the scan and disinfection process to be over.
* When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).
The log is like UtilityName.Version_Date_Time_log.txt.
for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Secondly,
I do not see any antivirus software installed on your computer...
Please install an antivirus program of your choice and perform a full system scan with it (post a logfile, if possible)... You may want to install one of the antivirus programs I recommend on my site: link

Finally, re-scan with DDS and GMER - post the logfiles!... ;)
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 snemelk

    engineer

  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:04:44 AM

Posted 02 April 2010 - 05:20 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver
