Search Engine Redirect

If I try using a search engine like Google or Yahoo I get redirected to a page that appears to be the search engine I used yet it has bogus search results. I have tried Malewarebytes and Spybot they caught some things but didn't solve the problem.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Todd at 21:12:38.48 on Sun 08/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.92 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Todd\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://aimhome.netscape.com/aimhome.adp
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\todd\startm~1\programs\startup\anapod~1.lnk - c:\program files\red chair software\anapod explorer\anamgr.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: c:\windows\system32\xdce.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272588712937
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\todd\applic~1\mozilla\firefox\profiles\l1ty1xsv.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-8-7 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-8-5 217032]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-8-5 112592]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-1-25 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-1-25 108392]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-8-5 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-8-5 1142224]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-4-1 1822296]
R2 TCPIP Pass-through Filter;TCPIP Pass-through Filter;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-6 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-1-25 200576]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100808.003\NAVENG.SYS [2010-8-8 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100808.003\NAVEX15.SYS [2010-8-8 1362608]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\ae1000xp.sys [2010-7-14 829152]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-12-2 23888]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-8-1 816672]

=============== Created Last 30 ================

2010-08-08 04:38:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-08 04:38:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-08 02:23:11 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-07 22:38:35 0 d-----w- c:\program files\Panda Security
2010-08-07 00:19:12 0 d-----w- C:\VT-SEPVersion
2010-08-07 00:10:32 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-07 00:10:32 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-07 00:10:32 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-07 00:10:32 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-07 00:09:34 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
2010-08-07 00:09:34 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
2010-08-07 00:08:34 0 d-----w- c:\program files\Symantec
2010-08-07 00:01:55 0 d-----w- c:\windows\system32\appmgmt
2010-08-06 23:51:38 0 d-----w- c:\program files\Trend Micro
2010-08-05 23:01:06 0 d-----w- c:\docume~1\todd\applic~1\Malwarebytes
2010-08-05 22:59:48 767952 ----a-w- c:\windows\BDTSupport.dll
2010-08-05 22:59:47 882 ----a-w- c:\windows\RegSDImport.xml
2010-08-05 22:59:47 879 ----a-w- c:\windows\RegISSImport.xml
2010-08-05 22:59:47 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-08-05 22:59:47 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-08-05 22:59:47 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-08-05 22:59:47 131 ----a-w- c:\windows\IDB.zip
2010-08-05 22:59:47 1152444 ----a-w- c:\windows\UDB.zip
2010-08-05 22:59:39 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-08-05 22:59:39 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-08-05 22:58:52 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-08-05 22:58:52 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-08-05 22:58:52 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-08-05 22:58:52 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-08-05 22:58:29 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-08-05 22:58:29 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-08-05 22:58:18 0 d-----w- c:\program files\Spyware Doctor
2010-08-05 22:58:18 0 d-----w- c:\program files\common files\PC Tools
2010-08-05 22:58:18 0 d-----w- c:\docume~1\todd\applic~1\PC Tools
2010-08-05 22:58:18 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-08-05 22:57:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-05 22:57:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-05 22:57:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-05 22:57:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 01:19:15 8192 ----a-w- c:\windows\system32\apxg.dll
2010-08-05 01:06:55 8192 ----a-w- c:\windows\system32\jsvrumd.dll
2010-08-04 23:59:02 8192 ----a-w- c:\windows\system32\ahnkm.dll
2010-08-04 23:54:27 54 ----a-w- c:\windows\lsrslt.ini
2010-08-04 23:53:35 8192 ----a-w- c:\windows\system32\xdce.dll
2010-08-04 23:53:30 782336 ----a-w- c:\windows\system32\drivers\czkzg.sys
2010-08-04 23:53:27 19456 ----a-w- c:\windows\system32\msippsth.dll
2010-08-04 01:54:36 27958 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Shorten Codec.bmp
2010-08-04 01:54:36 1331 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Shorten Codec.dat
2010-08-04 01:51:38 27958 ----a-w- c:\windows\system32\SpoonUninstall-dMC mp3PRO (CLI) Encoder.bmp
2010-08-04 01:51:38 2467 ----a-w- c:\windows\system32\SpoonUninstall-dMC mp3PRO (CLI) Encoder.dat
2010-08-04 01:51:22 27958 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP mp3PRO Input Codec.bmp
2010-08-04 01:51:22 2074 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP mp3PRO Input Codec.dat
2010-08-04 01:51:07 27958 ----a-w- c:\windows\system32\SpoonUninstall-dMC Generic CLI Encoder.bmp
2010-08-04 01:51:07 2146 ----a-w- c:\windows\system32\SpoonUninstall-dMC Generic CLI Encoder.dat
2010-08-04 01:40:33 27958 ----a-w- c:\windows\system32\SpoonUninstall-dMC Power Pack.bmp
2010-08-04 01:40:33 10841 ----a-w- c:\windows\system32\SpoonUninstall-dMC Power Pack.dat
2010-08-04 01:39:46 36104 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2010-08-04 01:39:46 33846 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2010-08-01 22:40:28 816672 ----a-w- c:\windows\system32\drivers\rt2870.sys
2010-07-22 04:14:22 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-22 04:13:54 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-15 04:07:34 0 d--h--w- c:\windows\PIF
2010-07-15 03:26:06 829152 ----a-w- c:\windows\system32\drivers\ae1000xp.sys
2010-07-15 03:26:06 226592 ----a-w- c:\windows\system32\RaCoInst.dll
2010-07-15 03:26:06 13931 ----a-w- c:\windows\system32\RaCoInst.dat

==================== Find3M ====================

2010-08-04 01:54:36 167424 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-08-04 01:52:49 2656 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
2010-08-04 01:10:29 2228 ----a-w- c:\windows\system32\SpoonUninstall-dBPoweramp tooLame MP2 codec.dat
2010-08-04 01:08:36 8457 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2010-07-07 00:25:43 13132 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 21:14:00.92 ===============

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

1. Do not run any other tool untill instructed to do so!
2. Please Do not Attach logs or put in code boxes.
3. Tell me about any problems that have occurred during the fix.
4. Tell me of any other symptoms you may be having as these can help also.
5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

Please download DDS by sUBs from one of the links below and save it to your desktop:


Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

• Double-Click on dds.scr and a command window will appear. This is normal.
• Shortly after two logs will appear:
  • DDS.txt
  • Attach.txt
• A window will open instructing you save & post the logs
• Save the logs to a convenient place such as your desktop
• Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

• Please Download Rootkit Unhooker Save it to your desktop.
• Now double-click on RKUnhookerLE.exe to run it.
• Click the Report tab, then click Scan.
• Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
• Wait till the scanner has finished and then click File, Save Report.
• Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

MBRCheck

Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some data on it
• a report called MBRcheck will be on your desktop
• open this report
• Right click on the screen and select > Select All
• Press Control+C
• now please copy that report to this thread

information and logs:

In your next post I need the following

1.logs from DDS
2.log from RKUnHooker
3. report from MBRchecker
4.let me know of any problems you may have had

Gringo

Hi, thanks for the reply but I got help from a friend in town and I got my issue resolved, thank you though, sorry for any inconvenience.

No problem Thanks for letting me know


Gringo