Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE8 getting redirected. Please Help!!!


  • This topic is locked This topic is locked
2 replies to this topic

#1 iWIN7777

iWIN7777

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 19 August 2010 - 11:17 AM

I had the Desktop Security 2010 virus that I was able to remove with Malwarebytes but now it seems my IE8 has been hijacked. Now every now and then when I click on a search result I get redirected to another site which varies also. It does it on google as well as yahoo. Can someone please help? I am using XP Pro. Could not get GMER to complete. It either reboots my pc or freezes my desktop. DDS log is as follow (Attach log could not be attached when editting post):


DDS (Ver_10-03-17.01) - NTFSx86
Run by nguyen01 at 12:46:41.88 on Thu 08/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1116 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nguyen01\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by ALPLA Corporate IT
uInternet Settings,ProxyOverride = <local>
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunServices: [SoftwareSoftwareUpdateFilesLocalized] c:\program files\apple software update\softwareupdatefiles.resources\ru.lproj\updatesoftwareupdatefileslocalized.exe
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: c:\docume~1\nguyen01\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = aim.exe
uPolicies-disallowrun: 2 = aimster.exe
uPolicies-disallowrun: 3 = aol.exe
uPolicies-disallowrun: 4 = aol.exe
uPolicies-disallowrun: 5 = aolbrowser.exe
uPolicies-disallowrun: 6 = aolbrowser.exe
uPolicies-disallowrun: 7 = ares.exe
uPolicies-disallowrun: 8 = audio galaxy.exe
uPolicies-disallowrun: 9 = audiognome.exe
uPolicies-disallowrun: 10 = avant.exe
uPolicies-disallowrun: 11 = avant.exe
uPolicies-disallowrun: 12 = azureus.exe
uPolicies-disallowrun: 13 = bearshare.exe
uPolicies-disallowrun: 14 = blubster.exe
uPolicies-disallowrun: 15 = bt++.exe
uPolicies-disallowrun: 16 = btdownloadgui.exe
uPolicies-disallowrun: 17 = buddyizer.exe
uPolicies-disallowrun: 18 = chrome.exe
uPolicies-disallowrun: 19 = chrome.exe
uPolicies-disallowrun: 20 = directconnect.exe
uPolicies-disallowrun: 21 = edonkey.exe
uPolicies-disallowrun: 22 = emule.exe
uPolicies-disallowrun: 23 = filetopia.exe
uPolicies-disallowrun: 24 = filetopia.exe
uPolicies-disallowrun: 25 = firefox.exe
uPolicies-disallowrun: 26 = firefox.exe
uPolicies-disallowrun: 27 = firefreedom.exe
uPolicies-disallowrun: 28 = flock.exe
uPolicies-disallowrun: 29 = flock.exe
uPolicies-disallowrun: 30 = gator.exe
uPolicies-disallowrun: 31 = gdonkey.exe
uPolicies-disallowrun: 32 = gnotella.exe
uPolicies-disallowrun: 33 = gnutella.exe
uPolicies-disallowrun: 34 = gnutellalite.exe
uPolicies-disallowrun: 35 = grabit.exe
uPolicies-disallowrun: 36 = grokster.exe
uPolicies-disallowrun: 37 = icq.exe
uPolicies-disallowrun: 38 = imesh.exe
uPolicies-disallowrun: 39 = imeshclient.exe
uPolicies-disallowrun: 40 = kazaa.exe
uPolicies-disallowrun: 41 = kazaalit.exe
uPolicies-disallowrun: 42 = kazaalite.exe
uPolicies-disallowrun: 43 = k-meleon.exe
uPolicies-disallowrun: 44 = k-meleon.exe
uPolicies-disallowrun: 45 = ktscrt.exe
uPolicies-disallowrun: 46 = kxx.exe
uPolicies-disallowrun: 47 = limewire.exe
uPolicies-disallowrun: 48 = lynx.exe
uPolicies-disallowrun: 49 = lynx.exe
uPolicies-disallowrun: 50 = mirc.exe
uPolicies-disallowrun: 51 = morpheus.exe
uPolicies-disallowrun: 52 = mozilla.exe
uPolicies-disallowrun: 53 = mozilla.exe
uPolicies-disallowrun: 54 = napigator.exe
uPolicies-disallowrun: 55 = napster.exe
uPolicies-disallowrun: 56 = netscape.exe
uPolicies-disallowrun: 57 = netscape.exe
uPolicies-disallowrun: 58 = netscp.exe
uPolicies-disallowrun: 59 = netscp.exe
uPolicies-disallowrun: 60 = opera.exe
uPolicies-disallowrun: 61 = opera.exe
uPolicies-disallowrun: 62 = overnet.exe
uPolicies-disallowrun: 63 = p2pautostart.exe
uPolicies-disallowrun: 64 = piolet.exe
uPolicies-disallowrun: 65 = safari.exe
uPolicies-disallowrun: 66 = safari.exe
uPolicies-disallowrun: 67 = SbiCtr.exe
uPolicies-disallowrun: 68 = seamonkey.exe
uPolicies-disallowrun: 69 = seamonkey.exe
uPolicies-disallowrun: 70 = slsk.exe
uPolicies-disallowrun: 71 = songspy.exe
uPolicies-disallowrun: 72 = swapnutinstall.exe
uPolicies-disallowrun: 73 = winmx.exe
uPolicies-disallowrun: 74 = wrapster.exe
uPolicies-disallowrun: 75 = xolox.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: alpla.net\p2plus
Trusted Zone: p2plus
Trusted Zone: alpla.net\p2plus
Trusted Zone: p2plus
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229023093439
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229023086001
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9B479D7B-916A-45B0-B042-D42865A60E21} - hxxp://192.168.194.167/DvrOcx.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-14 343920]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-16 70728]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-7-1 6016]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-14 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-14 43288]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-12 135664]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-16 66600]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2008-7-30 10379]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-8-29 14336]

=============== Created Last 30 ================

2010-08-19 10:37:50 0 d-----w- c:\docume~1\alluse~1\applic~1\GroupPolicy
2010-08-17 16:50:53 120 ----a-w- c:\windows\Hlopowuwuqecuz.dat
2010-08-17 16:50:53 0 ----a-w- c:\windows\Fpenabulez.bin
2010-08-09 20:35:04 54016 ----a-w- c:\windows\system32\drivers\jtbbussw.sys
2010-08-09 19:46:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-09 19:45:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-09 18:30:01 0 d-----w- c:\program files\Trend Micro
2010-08-09 16:07:28 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-09 15:34:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-09 15:12:11 0 d-----w- c:\docume~1\nguyen01\applic~1\Desktop Security
2010-08-07 12:30:42 0 d-----w- c:\windows\system32\DRM
2010-08-07 10:08:39 285696 -c----w- c:\windows\system32\dllcache\atmfd.dll
2010-08-07 10:05:15 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2010-08-07 10:03:16 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-08-07 10:03:11 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-07 10:02:17 65536 -c----w- c:\windows\system32\dllcache\asycfilt.dll
2010-08-07 04:35:02 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-07 04:34:37 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-08-07 04:28:39 86016 -c----w- c:\windows\system32\dllcache\cabview.dll

==================== Find3M ====================

2008-10-14 16:00:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101420081015\index.dat

============= FINISH: 12:48:32.21 ===============

Edited by Orange Blossom, 21 August 2010 - 10:20 PM.
Moved from Malware logs to AII as no logs are included and the prep guide not followed ~Pandy Moved BACK to log forum as logs were edited in. ~ OB


BC AdBot (Login to Remove)

 


#2 iWIN7777

iWIN7777
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 22 August 2010 - 12:00 PM

Problem solved - Thank you.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:02 PM

Posted 22 August 2010 - 04:37 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users