
Browser keeps redirecting


2 replies to this topic

#1 dazypetal


  • Members
  • 1 posts
  • OFFLINE
  • Local time:12:45 AM

Posted 15 March 2010 - 01:00 PM

My internet browsers, both Mozilla Firefox and Internet Explorer, keep redirecting my searches to pages I definitely don't want to go to. The page redirects are usually just random search engines, most commonly one called Search Click 8, but occasionally I get something saying my computer is infected and trying to run a full scan without my permission; I generally just close those windows ASAP because I know from experience that nothing good can come of that.
This happens both with browser searches and quick searches. I've run a Malwarebytes scan as well as a ComboFix scan and neither one fixed it, although ComboFix did find and remove some things. I've posted asking for help in the Yahoo! forums, but nothing anyone suggested did any good. Can this be fixed, or is my laptop shot?

Here's my DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Lauryn at 1:43:33.26 on Mon 03/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.586 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\MSI\MSI Q-Face\webtest.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lauryn\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mail.yahoo.com/
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [Q-Face agent] c:\program files\msi\msi q-face\webtest.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {BB0ADCF3-7F21-4E83-B5D6-82144F6CB718} = 83.149.115.157,4.2.2.1,192.168.1.1
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lauryn\applic~1\mozilla\firefox\profiles\vj5op7mz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mail.yahoo.com/

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 o6ko;Event PostAgent Wizard Javascript Directory Search;c:\windows\system32\drivers\o6ko.sys [2007-5-12 32768]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-12-8 159744]
R3 MSILiveVirtualCamera;MSI Live Virtual Camera;c:\windows\system32\drivers\MSILiveVirtualCamera.sys [2007-1-29 449408]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-12-8 156160]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-12-8 704384]
S2 PASW;Process Activation Service;c:\windows\system32\psactive.exe --> c:\windows\system32\psactive.exe [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 cpuz132;cpuz132;\??\c:\docume~1\lauryn\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\lauryn\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

=============== Created Last 30 ================

2010-03-15 00:50:41 0 d-----w- c:\program files\Jojos Fashion Show
2010-03-10 00:47:12 0 d-----w- c:\program files\ReflexiveArcade
2010-03-09 22:25:39 0 d-----w- c:\windows\Top Chef
2010-03-09 22:25:39 0 d-----w- c:\program files\Top Chef
2010-03-09 00:52:22 2406 ----a-w- c:\windows\system32\.crusader
2010-03-09 00:34:59 166 ----a-w- c:\windows\system32\Compress.res
2010-03-09 00:33:57 232 ----a-w- c:\windows\reimage.ini
2010-03-09 00:33:31 0 d-----w- c:\program files\Reimage
2010-03-06 19:42:09 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-03 22:43:26 0 d-----w- c:\documents and settings\lauryn\Saved Games
2010-03-03 22:43:26 0 d-----w- c:\docume~1\lauryn\applic~1\Flood Light Games
2010-03-03 22:43:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Flood Light Games
2010-03-03 22:33:14 0 d-----w- c:\windows\system32\Adobe
2010-03-03 22:31:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-03 22:31:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-03 22:23:58 0 d-sh--w- c:\documents and settings\lauryn\IECompatCache
2010-03-03 22:23:00 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-03 22:19:58 147456 ----a-w- c:\windows\system32\igfxCoIn_v4926.dll
2010-03-03 22:18:56 0 d-----w- c:\program files\SystemRequirementsLab
2010-03-03 22:12:23 0 d-----w- c:\windows\Logs
2010-03-01 01:38:42 4096 ----a-w- c:\windows\d3dx.dat
2010-02-28 21:08:07 0 d-----w- C:\My Games
2010-02-27 00:39:47 0 d-----w- c:\windows\Be Rich
2010-02-26 15:50:51 0 d-----w- c:\windows\ie8updates
2010-02-26 02:28:42 0 d-----w- c:\docume~1\lauryn\applic~1\ERS G-Studio
2010-02-26 02:27:11 0 d-----w- c:\windows\Many Years Ago
2010-02-26 02:27:11 0 d-----w- c:\program files\Many Years Ago
2010-02-25 21:57:20 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-25 21:57:19 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-25 21:57:19 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-25 21:57:18 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-25 21:57:17 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-02-25 21:57:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-02-22 02:29:45 0 d-sh--w- c:\documents and settings\lauryn\PrivacIE
2010-02-21 04:29:33 0 d-sh--w- c:\documents and settings\lauryn\IETldCache
2010-02-21 04:25:01 0 dc-h--w- c:\windows\ie8
2010-02-18 02:19:56 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-02-18 02:19:56 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-02-15 00:32:32 437 ----a-w- c:\windows\PAGANDAY.INI
2010-02-15 00:32:02 0 d-----w- c:\documents and settings\lauryn\WINDOWS

==================== Find3M ====================

2010-03-09 00:54:25 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-07 19:33:06 24064 ----a-w- C:\bigevwbq.exe
2010-02-04 15:01:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 15:01:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 15:01:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 15:01:14 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-01-12 05:48:00 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-01-12 05:48:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

============= FINISH: 1:43:47.93 ===============
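An added triage helper, not part of the original post and not a BleepingComputer or DDS tool: it parses lines in the shape of the "Pseudo HJT Report" section above and pulls out the two kinds of entry a malware-removal helper usually looks at first, namely Internet Explorer Trusted Zone additions (software installed without the user's knowledge is a common reason for a domain to appear there) and the DNS servers configured on each network interface (a resolver outside the local network is worth checking against what the ISP or router is expected to hand out, because a changed resolver is one mechanism behind search redirects). The sample input is copied from the log posted above; the two review rules are the reviewer's own heuristics, not classifications that DDS itself makes.

```python
"""Triage helper for DDS 'Pseudo HJT Report' lines.

Added example: not DDS code and not from the BleepingComputer thread.
The review rules below are assumptions of this example, not DDS output.
"""
import ipaddress
import re

# Sample input: lines copied from the DDS log posted above.
SAMPLE_REPORT = """\
uStart Page = hxxp://www.mail.yahoo.com/
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
TCP: {BB0ADCF3-7F21-4E83-B5D6-82144F6CB718} = 83.149.115.157,4.2.2.1,192.168.1.1
Notify: igfxcui - igfxdev.dll
"""

# DDS writes the per-interface DNS list as "TCP: {GUID} = ip,ip,ip".
TCP_RE = re.compile(r"^\{[0-9A-Fa-f-]+\} = (.+)$")


def parse_report(text):
    """Split each non-empty line into a (key, value) pair.

    DDS uses "Key: value" for most lines and "Key = value" for a few
    (e.g. the start page), so try the colon form first.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            key, sep, value = line.partition(" = ")
        entries.append((key.strip(), value.strip()))
    return entries


def trusted_zone_domains(entries):
    """Every domain that was added to the IE Trusted Zone."""
    return [value for key, value in entries if key == "Trusted Zone"]


def dns_servers(entries):
    """Collect the DNS server list from all 'TCP:' interface lines."""
    servers = []
    for key, value in entries:
        if key != "TCP":
            continue
        match = TCP_RE.match(value)
        if not match:
            continue
        servers.extend(a.strip() for a in match.group(1).split(",") if a.strip())
    return servers


def non_local_dns(servers):
    """DNS servers that are not private, loopback or link-local addresses.

    Heuristic (assumption of this example): a home router normally hands
    out itself or a private address as resolver, so anything else is
    listed for the reviewer to confirm against the ISP's known resolvers.
    """
    flagged = []
    for server in servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # unparseable entry: show it to the reviewer
            continue
        if not (ip.is_private or ip.is_loopback or ip.is_link_local):
            flagged.append(server)
    return flagged


def triage(text):
    """Return the review items for one report as a dict of lists."""
    entries = parse_report(text)
    servers = dns_servers(entries)
    return {
        "trusted_zone": trusted_zone_domains(entries),
        "dns_servers": servers,
        "non_local_dns": non_local_dns(servers),
        # Toolbar CLSIDs whose file is gone are leftovers to clean up.
        "missing_file_toolbars": [v for k, v in entries
                                  if k == "TB" and v.endswith("- No File")],
    }


if __name__ == "__main__":
    for item, values in triage(SAMPLE_REPORT).items():
        print(f"{item}: {values}")
```

Running it on the sample lists the three Trusted Zone domains, the three resolvers on the interface, and the two resolvers outside the local network for the reviewer to verify; the private 192.168.1.1 entry is left out of the flagged list.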


#2 Farbar


    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:45 AM

Posted 17 March 2010 - 02:37 PM

Hi dazypetal,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

In case the issue is not resolved, please update me about the current issue. Also post the logs outlined in Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.

#3 Farbar


    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:45 AM

Posted 22 March 2010 - 05:00 AM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.
