Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE7 Redirection Problem


  • This topic is locked This topic is locked
4 replies to this topic

#1 BobMM

BobMM

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 04 June 2010 - 06:23 PM

Following up from my posting on the Am I Infected? forum, here are the logs from the various analytics I was asked to run. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/321196/ie7-browser-redirects-to-jump/ ~ OB

Restating the problem: I'm working on a tablet PC running XP SP3 and IE7. The machine was infected with the Protection Center virus, which malwarebytes was able to remove. I'm continuing to have issues with the browser, however. It launches and I can run a search, but clicking through the links unpredictably brings me to the wrong site -- various advertisements -- and once brought me back to the site that loads Protection Center.

I had some trouble running gmer -- it blue screened the computer twice -- but seemed to finish successfully on the third try, and that log is attached, too.

Here's the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Myers-Morgan at 17:50:11.91 on Fri 06/04/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.216 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Symbol Commander\Sensiva.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee\msc\mcupdui.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Ursuline\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.toshiba.com/search
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/
uInternet Settings,ProxyServer = 10.1.10.2:80
uInternet Settings,ProxyOverride =
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\x1IEBHO.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [TapButt] c:\program files\toshiba\tapbutton\TapButt.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TFNF5] TFNF5.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TosRotation] "c:\program files\toshiba\toshiba rotation utility\TRot.exe"
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Sensiva] "c:\symbol commander\Sensiva.exe"
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: []
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [EOUApp] c:\program files\intel\wireless\bin\EOUWiz.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Drag'n Drop CD+DVD] c:\program files\drag'n drop cd+dvd\binfiles\DragDrop.exe /StartUp
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\myesse~1.lnk - c:\program files\my essentials\usb me1001-usb\wireless utility\O-Maxwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - {F834F29F-717D-41ba-9ABF-14DA1BBE6147} - c:\windows\system32\mscoree.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - {FDEB4153-68B1-43bc-A112-BEEFF096F335} - c:\windows\system32\mscoree.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-8-30 5888]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-23 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-23 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-23 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-23 40552]
R3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\OMAWGU.sys [2010-5-22 408064]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2004-8-30 8832]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2004-8-30 30720]
R3 TMicAry;Toshiba Audio Effect with MicArray;c:\windows\system32\drivers\TMicAry.sys [2004-8-30 138240]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2004-8-27 14208]

=============== Created Last 30 ================

2010-06-04 22:47:12 0 ----a-w- c:\documents and settings\ursuline\defogger_reenable
2010-06-03 23:16:23 0 d-----w- c:\docume~1\ursuline\applic~1\SUPERAntiSpyware.com
2010-06-03 23:16:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-03 23:16:11 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-03 03:36:03 0 d-----w- c:\program files\Trend Micro
2010-06-03 02:25:57 0 d-----w- c:\docume~1\ursuline\applic~1\Malwarebytes
2010-06-03 02:25:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 02:25:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-03 02:25:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 02:25:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 04:19:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-23 03:50:21 408064 ----a-r- c:\windows\system32\drivers\OMAWGU.sys
2010-05-23 03:49:19 0 d-----w- c:\program files\My Essentials
2010-05-22 21:05:17 0 ----atw- c:\windows\005084_.tmp
2010-05-18 03:46:42 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-16 16:52:07 1409 ----a-w- c:\windows\QTFont.for
2010-05-16 16:52:06 54156 ---ha-w- c:\windows\QTFont.qfn

==================== Find3M ====================

2010-05-12 16:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-08-23 12:51:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082320090824\index.dat

============= FINISH: 17:53:59.72 ===============

Attached Files


Edited by Orange Blossom, 04 June 2010 - 06:37 PM.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:09 PM

Posted 07 June 2010 - 06:14 PM

Hi BobMM,

Welcome to the BC malware removal forum.

I see proxy settings. Is the computer on a network?


Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
  • Disable real-time protection of you security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Close all the open windows.
  • Double-click TDLfix.exe to run the tool, a command window opens.
  • Type (or copy the following and right-click to paste) in the command window and press Enter:

    netbt
  • The application shall restart the computer immediately and runs after restart.
  • Tell me if the computer rebooted and ran to completion.


#3 BobMM

BobMM
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 08 June 2010 - 07:08 AM

Regarding the proxy settings, the tablet is a hand-me-down. It used to be part of a university network, but isn't anymore.

Your utility ran the way you described: It launched, rebooted the PC, then ran again on restart with a message something like "This window will close shortly", then shut down.

What's next?


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:09 PM

Posted 08 June 2010 - 09:52 AM

The rootkit should have been taken care of and the redirecting should have been stopped.

  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Double-click OTC. In Windows Vista right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.

  3. Please tell me how is the computer running.


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:09 PM

Posted 14 June 2010 - 06:30 AM



This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users