
Google Search endlessly redirecting


  • This topic is locked
2 replies to this topic

#1 gwhiz9999

gwhiz9999

  • Members
  • 108 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 13 August 2010 - 03:23 PM

I was in another forum here in which a site person tried to help with a couple things we tried, but nothing worked. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/339421/google-search-redirects/ ~ OB I was then instructed to post in this forum.

I have been fighting a losing battle against IE redirects for anything that is linked via a Google search. If I click on something in my favorites, it goes to the correct page. Also, if I copy and paste a url into the browser, it goes to it properly. Only the search links are being hijacked/redirected, and nothing seems to help. I have scanned with Microsoft Security Essentials, Malwarebytes, Super Anti-Spyware, Spybot S & D,... nothing seems to have any effect. I had an alureon infection a while back, but TDSSkiller took it out. I recently had a ramnit.b infection which apparently was the cause for my current problem, although it no longer pops up on MSE scans (it was constantly popping up just on the "live" monitoring). My winlogon.exe file apparently became corrupted, as the pc went into an endless loop of trying to restart, then shutting down because of winlogon having issues. It caused me to have to reinstall (repair) my xp, just to get the pc to function. I then had to reload/install xp service packs. I have had some trouble with winlogon again, but after a couple of tries, the winlogon "failure" windows that pop up don't shut down the pc. Often times, when something nasty has popped up, for seemingly no reason adobe's acrord32.exe has started up out of the blue, which prompted me to try to delete it, but a couple of the files won't delete. I don't know how much of all that is relevant or if I am leaving anything out, but I sure would be grateful if anyone can help me. Much thanks in advance.

Here is the dds.txt (attach.txt and ark.txt are attached).

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 8:45:05.57 on Fri 08/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.295 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Comcast
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer provided by Comcast
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: google.com
Trusted Zone: google.com\maps
Trusted Zone: google.com\www
Trusted Zone: yahoo.com\games
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213142040551
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213143317687
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: sethlp - {0686A401-1ED1-7411-2CC4-0751000741B2} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 65.75.216.6 www.winmx.com err.winmx.com
Hosts: 205.238.40.54 www.winmx.com err.winmx.com
Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-6-11 2560]
S0 wgnqtu;wgnqtu;c:\windows\system32\drivers\efxh.sys --> c:\windows\system32\drivers\efxh.sys [?]
S0 yokmtm;yokmtm;c:\windows\system32\drivers\pcbuaqje.sys --> c:\windows\system32\drivers\pcbuaqje.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2010-08-13 12:41:45 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-08-13 07:48:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-13 07:48:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-13 07:33:01 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-08-13 04:39:31 0 d-----w- c:\program files\Trend Micro
2010-08-12 01:40:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-08-11 05:11:55 10841088 ----a-w- c:\windows\system32\OLD2.tmp
2010-08-11 04:38:17 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-11 04:38:17 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-08-11 04:38:17 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-11 04:38:17 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-11 04:38:17 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-08-11 04:38:17 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-11 04:38:17 11077120 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-08-11 04:38:07 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-08-11 04:19:58 3558912 -c--a-w- c:\windows\system32\dllcache\moviemk.exe
2010-08-11 04:19:33 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-11 04:17:56 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-11 04:16:04 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-11 04:14:41 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-08-11 04:14:41 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-08-11 04:14:33 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-11 04:12:12 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-08-11 04:10:23 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-08-11 04:07:27 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-08-11 04:07:22 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-08-11 04:05:59 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-11 03:36:20 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-08-11 03:36:20 1307648 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-08-11 03:24:50 19569 ----a-w- c:\windows\005633_.tmp
2010-08-11 01:19:11 0 d-----w- c:\windows\system32\wbem\Repository.001
2010-08-11 00:49:11 7208 ------w- c:\windows\system32\secupd.sig
2010-08-11 00:49:11 4569 ------w- c:\windows\system32\secupd.dat
2010-08-11 00:48:53 57667 ----a-w- c:\windows\system32\ieuinit.inf
2010-08-10 20:27:09 354816 ----a-w- c:\windows\system32\winhttp.dll
2010-08-10 20:27:09 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2010-08-10 20:13:12 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-08-10 10:13:57 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-08-10 10:12:58 57399 -c--a-w- c:\windows\system32\dllcache\cplexe.exe
2010-08-10 10:11:05 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-08-10 10:10:59 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-08-10 10:10:59 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-08-10 10:10:59 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-08-10 10:10:59 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-08-10 10:10:39 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2010-08-10 10:10:39 61440 -c--a-w- c:\windows\system32\dllcache\icwres.dll
2010-08-10 10:10:39 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2010-08-10 10:09:06 53472 -c--a-w- c:\windows\system32\dllcache\wuauclt.exe
2010-08-10 10:09:06 1929952 -c--a-w- c:\windows\system32\dllcache\wuaueng.dll
2010-08-10 10:03:07 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-08-10 10:03:07 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-08-10 10:03:07 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-08-10 10:03:07 13312 ----a-w- c:\windows\system32\irclass.dll
2010-08-10 10:02:51 13608 ----a-r- c:\windows\SET45.tmp
2010-08-10 10:02:48 1086182 ----a-r- c:\windows\SET39.tmp
2010-08-09 21:03:06 13646 ----a-w- c:\windows\system32\wpa.bak
2010-08-09 20:48:00 0 d-----w- c:\program files\Online Services
2010-08-09 20:47:54 68608 ----a-w- c:\windows\system32\access.cpl
2010-08-09 20:45:29 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-08-09 20:45:18 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-08-09 20:44:32 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-08-09 20:44:18 870784 ----a-w- c:\windows\system32\ati3d1ag.dll
2010-08-09 20:44:18 201728 ----a-w- c:\windows\system32\ati2dvag.dll
2010-08-09 20:44:18 1057760 ----a-w- c:\windows\system32\ati3d2ag.dll
2010-08-09 20:44:17 701440 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-08-09 20:43:04 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-08-09 20:43:04 129536 ----a-w- c:\windows\system32\ksproxy.ax
2010-08-09 20:42:39 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-08-09 20:40:50 146432 ----a-w- c:\windows\system\winspool.drv
2010-08-09 20:40:50 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2010-08-09 20:40:48 74752 ----a-w- c:\windows\system32\storprop.dll
2010-08-09 20:40:29 8574 -c--a-w- c:\windows\system32\dllcache\IASNT4.CAT
2010-08-09 20:40:29 797189 -c--a-w- c:\windows\system32\dllcache\NT5IIS.CAT
2010-08-09 20:40:29 7382 -c--a-w- c:\windows\system32\dllcache\OEMBIOS.CAT
2010-08-09 20:40:29 399645 -c--a-w- c:\windows\system32\dllcache\MAPIMIG.CAT
2010-08-09 20:40:29 37484 -c--a-w- c:\windows\system32\dllcache\MW770.CAT
2010-08-09 20:40:29 13472 -c--a-w- c:\windows\system32\dllcache\HPCRDP.CAT
2010-08-09 20:40:22 13608 ----a-r- c:\windows\SETE4.tmp
2010-08-09 20:40:19 1086182 ----a-r- c:\windows\SETD8.tmp
2010-08-09 18:22:32 0 d-----w- c:\program files\riv
2010-07-31 04:00:51 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-31 04:00:18 0 d-----w- c:\docume~1\owner\applic~1\2238815A4506126CA2F10063CB84AB39

==================== Find3M ====================

2010-08-13 09:35:14 2473 --sha-w- c:\windows\system32\mmf.sys
2010-08-10 10:10:12 23388 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:10:44 81920 ------w- c:\windows\system32\ieencode.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2002-03-01 10:15:50 61440 ----a-w- c:\windows\inf\i386\onetUSD.dll
2001-10-02 12:58:36 36864 ----a-w- c:\windows\inf\i386\Wiamicro.dll
2001-09-28 12:00:40 139264 ----a-w- c:\windows\inf\i386\Rtscan.dll
2001-09-27 12:11:10 167936 ----a-w- c:\windows\inf\i386\viceo.dll
2001-01-18 20:13:00 12400 ----a-w- c:\windows\inf\i386\Usbscan.sys
2008-07-23 18:25:11 32768 --sha-w- c:\windows\temp\cookies\index.dat
2008-07-23 18:25:11 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-07-23 18:25:11 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 8:46:00.46 ===============

Pasting in further information from another post. ~ OB

I meant to mention it when I originally asked for help, and I didn't do anything to it, but Malwarebytes had found a "Malware.trace" that was in my registry in HKEY_CURRENT_USERS-SOFTWARE-WINSERVERS. There is the (default) item, plus ones called "run" with a value of 0x00000000 (0), and "TimeGetWork" with a value of 0x0005c419 (377881). Both are of type "REG_DWORD". Not shockingly, it exists in HKEY_USERS as well, but Malwarebytes had only listed it once. Also of note and present in both HKEY sections, and perhaps of more importance, I noticed the folder right below it, which hasn't been picked up by any scanner, is a folder named "wpyyaxbft". Inside it is an item named "id", type REG_SZ, value 78.38 ...and a whole bunch of items of seemingly random letters such as "dkkekrkska". They are all REG_DWORD and have values of 1. I am quite certain these items are all a problem, but haven't done anything to them, again because I was instructed to not delete or install anything. I have seen such names of random/scrambled letters in the startup in msconfig before when having problems, and fighting this one. Perhaps it will help whichever advisor assists me.

Edited by Orange Blossom, 14 August 2010 - 10:54 PM.
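As an added example (not part of the post, and not a DDS feature), here is a small Python triage helper that reads lines in the DDS report format shown above and flags three patterns visible in this log: a service/driver entry whose binary DDS could not find on disk (the `--> path [?]` form, as with the S0 entries), a HOSTS entry that pins a hostname to a non-loopback address, and a shell-load entry ending in `No File`. The sample lines are copied from the log; the function name `triage_dds` and the finding categories are my own.

```python
import re

# Constructed sample: a handful of lines copied from the DDS log in the post above.
SAMPLE_DDS = r"""
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: sethlp - {0686A401-1ED1-7411-2CC4-0751000741B2} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 65.75.216.6 www.winmx.com err.winmx.com
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
S0 wgnqtu;wgnqtu;c:\windows\system32\drivers\efxh.sys --> c:\windows\system32\drivers\efxh.sys [?]
"""

# Line shapes used by DDS: "R1 name;description;path [date size]", "Hosts: ip names...",
# and "KIND: name - {CLSID} - path|No File" for shell-load and browser hook entries.
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<names>.+)$")
SHELL_RE = re.compile(r"^(?P<kind>SSODL|EB|BHO|SEH|Notify):\s+(?P<body>.*)$")


def triage_dds(text: str) -> list[dict]:
    """Return a list of findings, one dict per suspicious line, in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = DRIVER_RE.match(line)
        if m:
            # DDS prints "path --> path [?]" when the service's binary is missing on disk;
            # a boot-start (S0) entry with no file behind it deserves a close look.
            if m.group("rest").endswith("[?]"):
                findings.append({"kind": "driver-missing-file", "name": m.group("name"), "line": line})
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip = m.group("ip")
            # Loopback/null entries sink a name (typical of ad/spyware blocklists);
            # anything else pins a hostname to a fixed external address, bypassing DNS.
            if not ip.startswith(("127.", "0.0.0.0", "::1")):
                findings.append({"kind": "hosts-external-pin", "name": m.group("names").split()[0], "line": line})
            continue
        m = SHELL_RE.match(line)
        if m and m.group("body").endswith("No File"):
            # An orphaned hook (CLSID still registered, DLL gone) is leftover worth cleaning up.
            findings.append({"kind": "orphaned-" + m.group("kind").lower(),
                             "name": m.group("body").split(" - ")[0], "line": line})
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f['kind']:22} {f['name']:16} {f['line']}")
```

Run it against a full dds.txt by reading the file into `triage_dds`; unknown line shapes are simply skipped, so the helper is safe to point at the whole log.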


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:37 AM

Posted 20 August 2010 - 03:13 AM

Hi,

If help is still needed, post fresh dds.txt log contents and a description of current symptoms, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:37 AM

Posted 26 August 2010 - 02:52 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.





