Search engine redirect virus


This topic is locked
27 replies to this topic

#1 Nucleophile


Posted 12 June 2010 - 01:25 AM

Hello folks,

I have recently contracted a virus / malware. It started as a rogue antivirus program called "Antivirus Soft" which I was able to remove. However, some symptoms have persisted. Various results from search engines such as Bing and Google are redirected to random advertising sites. I am also unable to complete Windows Update. When I try to install new updates, I get the following error: Code 80072EFE. SUPERAntiSpyware, Malwarebytes Anti-Malware, Spybot S&D, and Avira AntiVir have all failed to solve these problems. I can have a clean scan and the problem will persist. In an effort to clean my machine, I have used System Restore and updated / uninstalled / reinstalled Firefox. This did not solve the problem, and I discovered that it happens in IE too.

Here is my DDS.txt logfile:


DDS (Ver_10-03-17.01) - NTFSx86
Run by John at 0:10:58.69 on Sat 06/12/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.2073 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\John\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-12 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 67656]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-7 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-7 267432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-12 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-8-12 53328]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-7 60936]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-14 1153368]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-10-25 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-10-25 19008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-25 135664]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-8-12 138680]
S4 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-8-12 254040]
S4 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-8-12 352920]

=============== Created Last 30 ================

2010-06-12 05:07:12 0 ----a-w- c:\users\john\defogger_reenable
2010-06-08 04:15:21 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-06 03:11:00 0 d-----w- c:\programdata\DivX
2010-06-06 01:59:55 0 d-----w- c:\users\john\appdata\roaming\Avira
2010-06-06 01:57:37 0 d-----w- c:\programdata\Avira
2010-06-06 01:57:37 0 d-----w- c:\program files\Avira
2010-05-13 21:55:59 738816 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-05-12 16:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 06:21:15 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-27 06:21:14 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-27 06:21:06 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-18 09:17:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-24 16:57:56 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-10-25 17:38:03 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 0:11:43.23 ===============

I have attached my "attach.exe" logfile from the DDS application.

Here is my HijackThis logfile:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:12:56 AM, on 6/12/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\John\Desktop\gmer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\John\Desktop\SecurityTools\HijackThis.exe
C:\Windows\system32\DllHost.exe

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...S/wlscctrl2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 3282 bytes

My logfile from GMER is too large to attach and my browser freezes when I try to paste it directly into the post. I shall try to paste in pieces in the following post.

Thank you in advance for any assistance with this problem.


Attached Files





#2 Nucleophile


Posted 12 June 2010 - 01:43 AM

Attached and removed the post.

~farbar

Edited by farbar, 16 June 2010 - 06:44 AM.


#3 Nucleophile


Posted 12 June 2010 - 01:47 AM

Removed the post, long list of the same type of entries.

~farbar

Edited by farbar, 16 June 2010 - 06:45 AM.


#4 Nucleophile


Posted 12 June 2010 - 01:49 AM

Removed the post, long list of the same type of entries.

~farbar

Edited by farbar, 16 June 2010 - 06:47 AM.


#5 Nucleophile


Posted 12 June 2010 - 01:53 AM

Attached the log to the next post.

~farbar

Edited by farbar, 16 June 2010 - 06:39 AM.


#6 Nucleophile


Posted 12 June 2010 - 01:54 AM

Removed the post. Log list of the same type of entries.

~farbar

Edited by farbar, 16 June 2010 - 06:48 AM.


#7 Nucleophile


Posted 12 June 2010 - 01:56 AM

Removed the long list of the same type of entries.

~farbar

Edited by farbar, 16 June 2010 - 06:49 AM.


#8 Nucleophile


Posted 12 June 2010 - 01:58 AM

Removed the post as they are the same type of entries.

~farbar

Edited by farbar, 16 June 2010 - 06:41 AM.


#9 Nucleophile


Posted 12 June 2010 - 02:01 AM

Removed the log, they are the same type of entries.

Edited by farbar, 16 June 2010 - 06:40 AM.


#10 Nucleophile


Posted 12 June 2010 - 02:09 AM

Attached the log to the next post to make it easy to review the posts.

~farbar

Edited by farbar, 16 June 2010 - 06:36 AM.


#11 Nucleophile


Posted 12 June 2010 - 02:11 AM

Attached the log to the next post to make it easy to review the posts.

~farbar

Edited by farbar, 16 June 2010 - 06:32 AM.


#12 Nucleophile


Posted 12 June 2010 - 02:13 AM

Attached the log to the next post to make it easy to review the posts.

~farbar

Edited by farbar, 16 June 2010 - 06:28 AM.


#13 Farbar


Posted 16 June 2010 - 06:29 AM

Hi Nucleophile,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please update me on the current condition of your computer if the issue is not resolved.

#14 Farbar


Posted 20 June 2010 - 06:04 PM

This thread will now be closed due to lack of activity.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.

#15 Nucleophile


Posted 20 June 2010 - 07:00 PM

QUOTE
Please let me know in your next reply if you agree with this.


I agree.



