
automatic redirect to other site (Virus?)

  • This topic is locked
2 replies to this topic

#1 hunnie910


  • Members
  • 2 posts
  • Local time:04:24 PM

Posted 15 March 2010 - 08:50 AM

I have followed the Preparation Guide instructions.

Here is my detailed problem:
On Saturday morning, 3/13, I tried to open a Facebook game via Internet Explorer. The website is apps.facebook.com/eastvalleytch. After I logged in, it was loading the game, then halfway through I saw the status bar at the bottom showing it was redirecting to a Google search. Then, suddenly, it took me to the Dell home page (my computer is a Dell computer), with this link below, and it states "Sorry, We couldn't find hxxp://paytech.cn/promote/pro.swf%3Ffb_sig_in_iframe%3D1"

The full link in the address bar is this:

I tried playing the game in Firefox, and it works fine (no redirect to the Google search).

Here is the DDS.txt that I saved by following the Preparation Guide:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Chi-Mei at 18:26:48.70 on Mon 03/15/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.958.149 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control (32bit Version)\XMouseButtonControl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uWindow Title = Internet Explorer provided by Dell
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0070406
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\PhotoDownloader.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [XMouseButton] c:\program files\highresolution enterprises\x-mouse button control (32bit version)\XMouseButtonControl.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [xltScMon.exe] c:\windows\system32\xltScMon.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\progra~1.lnk - c:\windows\installer\{42accb45-3363-47e0-94e9-f0074cc8bc56}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\chi-mei\appdata\roaming\mozilla\firefox\profiles\ne31yepn.default
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\progra~1\mozill~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\chi-mei\appdata\roaming\mozilla\firefox\profiles\ne31yepn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&mozver={moz:version}-{moz:buildid}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&mozver={moz:version}-{moz:buildid}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-2-20 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-2-20 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-2-20 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-20 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-20 35272]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2007-10-17 56448]
S2 gupdate1c9e66130ac09c3;Google Update Service (gupdate1c9e66130ac09c3);c:\program files\google\update\GoogleUpdate.exe [2009-6-5 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-2-20 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-2-20 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-2-20 606736]

=============== Created Last 30 ================

2010-03-16 01:24:12 0 -c--a-w- c:\users\chi-mei\defogger_reenable
2010-03-11 05:26:55 24064 -c--a-w- c:\windows\system32\nshhttp.dll
2010-03-11 05:26:53 411136 -c--a-w- c:\windows\system32\drivers\http.sys
2010-03-11 05:26:53 31232 -c--a-w- c:\windows\system32\httpapi.dll
2010-03-11 03:11:18 0 dc----w- c:\programdata\Real
2010-02-24 01:11:55 2048 -c--a-w- c:\windows\system32\tzres.dll
2010-02-24 01:10:11 523776 -c--a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 01:10:11 511488 -c--a-w- c:\windows\system32\RMActivate.exe
2010-02-24 01:10:11 472576 -c--a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 01:10:11 472064 -c--a-w- c:\windows\system32\secproc.dll
2010-02-24 01:10:11 347136 -c--a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 01:10:11 346624 -c--a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 01:10:09 329216 -c--a-w- c:\windows\system32\msdrm.dll
2010-02-24 01:10:09 151040 -c--a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 01:10:09 151040 -c--a-w- c:\windows\system32\secproc_ssp.dll
2010-02-20 22:53:24 12606 -c--a-w- c:\windows\system32\Config.MPF
2010-02-20 22:48:12 79816 -c--a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-20 22:48:12 40552 -c--a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-02-20 22:48:12 35272 -c--a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-20 22:48:09 130424 -c--a-w- c:\windows\system32\drivers\Mpfp.sys
2010-02-20 22:47:29 0 dc----w- c:\program files\McAfee.com
2010-02-20 22:47:29 0 dc----w- c:\program files\common files\McAfee
2010-02-20 22:47:28 0 dc----w- c:\program files\McAfee
2010-02-20 22:36:15 34248 -c--a-w- c:\windows\system32\drivers\mferkdk.sys

==================== Find3M ====================

2010-02-24 17:16:06 181632 -c----w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 -c--a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 -c--a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 -c--a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 -c--a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 12:35:50 11776 -c--a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35:00 1314816 -c--a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32:34 22528 -c--a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32:32 31744 -c--a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32:32 123904 -c--a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32:25 13312 -c--a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31:22 82944 -c--a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31:01 50176 -c--a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28:43 91136 -c--a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28:43 65024 -c--a-w- c:\windows\system32\avicap32.dll
2009-09-13 00:44:43 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-13 00:44:43 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-13 00:44:42 86016 ----a-w- c:\windows\inf\infstrng.dat
2008-10-26 05:47:24 174 --sha-w- c:\program files\desktop.ini
2008-10-26 05:38:46 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 -c--a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 -c--a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 -c--a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 -c--a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 -c--a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 -c--a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 -c--a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 -c--a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-04-06 15:54:40 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:29:26.62 ===============

Please note that when I followed the Preparation Guide to do the GMER scan, my computer crashed after about 10 min of scanning.

Here is what it said when it crashed:

STOP: c000021a {Fatal System Error}
The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005 (0x00060fc0 0x0124ea50)
The system has been shut down

Collection data for crash dump...
Initializing for crash dump...

I tried to do the GMER scan three times, and all three times it crashed. I could see that the rootkit list hadn't changed after the first two minutes of the scan during the previous three times. So on the fourth time, I stopped it after I saw the rootkit list had stopped changing, and I saved the list as ark.txt as instructed.

Where can I attach the Attach.txt and ark.txt files? I am using the "Full Edit" mode right now, but I don't see an "attach" button.

P.S. I downloaded a free McAfee anti-virus program about 3 weeks ago, and since then, my computer is very slow. Not sure if this is part of the problem.

Edited by Orange Blossom, 16 March 2010 - 01:05 PM.
Moved to Malware Removal Logs~~ boopme/ Deactivate links. ~ OB

#2 Shannon2012


  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:24 PM

Posted 19 March 2010 - 08:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


#3 schrauber



  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:24 AM

Posted 27 March 2010 - 07:29 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
