
Unknown Infection - Browser Hijack/Redirect


  • This topic is locked
2 replies to this topic

#1 compounded

compounded

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 12 October 2010 - 05:37 PM

Greetings Bleeping Computer Experts,

I seem to have a browser redirect infection on my XP machine. It affects both Firefox, my default browser, and IE, and presents itself when I click on search results links about three quarters of the time. Usually the link sends me to a shopping or advertising page, like Shopica or what once looked like something about mortgage modifications; sometimes it fails to connect to anything and the browser displays an error; and, about a quarter of the time, the link goes to the page it's supposed to go to, though usually after a delay. Both Google and Bing search results are affected. It has happened twice on internal links in non-search websites. Once, when the search results link redirects took a while, a small portion of the correct page appeared as the editor sparked displayed the correct address, but the browser kept churning and the title bar switched to a message saying "Redirecting...", and after a short while it redirected away from the correct page to the incorrect one. I only noticed it once, and am not sure it's a part of the infection, or if the infection simply sent me to a page which in that case then redirected me to another.

An Avast! scan turned up nothing. A Spy-Bot S&D scan turned up a few results which were cleaned, immunized, and which have not reappeared on three subsequent Spy-Bot scans, showing a clean system. Malwarebytes Anti-Malware found a couple of results, which were then cleaned. A computer reboot followed by another Malwarebytes scan found another couple of results, which were cleaned. A third and fourth scan found a clean system. CCleaner didn't return anything that looked suspicious in a standard registry scan. My computer doesn't have a separate firewall, but the Windows firewall has been on since before the problem started, and I am behind a router with its own firewall.

I've followed the instructions in the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" post; the dds.txt text is pasted below, and the Attach.txt is attached. Unfortunately, I couldn't get GMER to run to completion. The first time, it resulted in a blue screen; the second, not in a blue screen, but in a program crash which allowed the program window to close but wouldn't allow my computer to restart except by shutting off the power through the hardware power button. Third and fourth attempts resulted in blue screens with errors at 0x0000008E, but no other information. Defogger and a computer restart had been run beforehand, and almost all possible programs had been shut down, disabled, or earlier uninstalled.

The DDS log has been altered simply to replace my name with "********", I hope that is ok.

Please accept my thanks for setting up a board like this where people like me can come for help, your assistance is greatly appreciated.



#####



DDS (Ver_10-10-10.03) - NTFSx86
Run by ******** at 18:02:30.23 on Tue 10/12/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1505 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100301-1] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\SageTV\SageTV\SageTVService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\********\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: System=osk.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf viewer\PDFXCviewIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Winsplit] c:\program files\winsplit revolution\WinSplit.exe
uRun: [MP3 Skype Recorder] c:\program files\mp3 skype recorder\MP3 Skype Recorder.exe
uRun: [SuperCopier2.exe] c:\program files\supercopier2\SuperCopier2.exe
uRun: [Google Update] "c:\documents and settings\********\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
dRun: [MP3 Skype Recorder] c:\program files\mp3 skype recorder\MP3 Skype Recorder.exe
dRunOnce: [<NO NAME>] OSK.exe
StartupFolder: c:\docume~1\********\startm~1\programs\startup\ashdis~1.lnk - c:\program files\alwil software\avast4\ashDisp.exe
StartupFolder: c:\docume~1\********\startm~1\programs\startup\hal2000.lnk - c:\program files\hal\HAL System Server.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~2.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
Trusted Zone: bart
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093467485359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38016.8383680556
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15034/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
IFEO: taskmgr.exe - "c:\install\process explorer\processexplorer\PROCEXP.EXE"
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.247 NAS1 #Windows Home Server#

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\********\applic~1\mozilla\firefox\profiles\76oo11l9.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\********\application data\mozilla\firefox\profiles\76oo11l9.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - component: c:\documents and settings\********\application data\mozilla\firefox\profiles\76oo11l9.default\extensions\refractor@developer.mozilla.org\components\prism.dll
FF - component: c:\documents and settings\********\application data\mozilla\firefox\profiles\76oo11l9.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\********\application data\mozilla\firefox\profiles\76oo11l9.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\********\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\adobe\adobe acrobat 6.0\acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-21 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-21 138680]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2005-12-8 8192]
R2 SageTV;SageTV;c:\program files\sagetv\sagetv\SageTVService.exe [2006-5-31 757760]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2009-10-7 376680]
R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2009-10-7 44776]
S2 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-6-30 815704]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-21 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-21 352920]
S3 EsiDS3D;Service for Sensaura WDM 3D Audio Driver;c:\windows\system32\drivers\EsiDS3D.sys [2004-3-11 400384]
S3 F5U003BD;Belkin F5U003 USB-RS232 Bus Driver;c:\windows\system32\drivers\F5U003BD.SYS [2000-4-21 16853]
S3 F5U103BD;Belkin F5U103 USB-RS232 Bus Driver;c:\windows\system32\drivers\F5U103BD.SYS [2001-8-9 16528]
S3 F5U103UD;Belkin F5U103 USB-RS232 Port Driver;c:\windows\system32\drivers\F5U103UD.SYS [2001-8-9 25569]
S3 hdsp;RME Hammerfall Audio Device;c:\windows\system32\drivers\hdsp.sys [2004-9-18 41728]
S3 ITE;ITE;c:\windows\system32\drivers\ITE.SYS [2004-5-28 37264]
S3 Pd71_01;Service for ProDigy 7.1;c:\windows\system32\drivers\Pd71wdm.sys [2004-3-11 29152]
S3 Pd71_02;Service for ProDigy 7.12 Sensaura;c:\windows\system32\drivers\Pd71Sens.sys [2004-3-11 26912]
S3 Pd71_AA;Service for ProDigy 7.1 Audio Driver (EWDM);c:\windows\system32\drivers\Pd71.sys [2004-3-11 30784]
S3 USA19H;USA19H;c:\windows\system32\drivers\usa19h2k.sys --> c:\windows\system32\drivers\USA19H2k.sys [?]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\usa19h2kp.sys --> c:\windows\system32\drivers\USA19H2kp.SYS [?]
S4 Wuseudaecess;Wuseudaecess; [x]

============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================

2010-10-12 19:57:42 540000 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-10-10 07:15:58 -------- d-----w- C:\downloads
2010-10-10 03:22:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-10 03:22:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-10 03:22:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

============= FINISH: 18:03:40.98 ===============
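An added triage helper, not part of the post above and not a DDS feature, that walks lines of a DDS "Pseudo HJT Report" and services section and flags the entry types an analyst usually checks first (Winlogon System values, IFEO redirections, hosts overrides, orphaned components, unnamed RunOnce entries, services with a missing binary). The sample lines are copied from the log above; the rule names and reasons are my own and mark entries to verify, not entries known to be malicious.

```python
import re

# Constructed sample: lines taken from the DDS log in the post above,
# mixed with benign entries so the rules have something to pass over.
SAMPLE_DDS = r"""uStart Page = hxxp://news.google.com/
mWinlogon: System=osk.exe
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
dRunOnce: [<NO NAME>] OSK.exe
IFEO: taskmgr.exe - "c:\install\process explorer\processexplorer\PROCEXP.EXE"
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.247 NAS1 #Windows Home Server#
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-21 138680]
S4 Wuseudaecess;Wuseudaecess; [x]
"""

# Each rule: (name, regex applied to one DDS line, why an analyst looks twice).
# Rule names are hypothetical labels chosen for this example.
RULES = [
    ("winlogon-system", re.compile(r"^mWinlogon: System="),
     "Winlogon 'System' value launches a program at logon; it is normally empty"),
    ("ifeo-debugger", re.compile(r"^IFEO: "),
     "Image File Execution Options replaces one program with another; confirm the target is intended"),
    ("hosts-override", re.compile(r"^Hosts: (?!127\.0\.0\.1 localhost$)"),
     "hosts entry overrides DNS for a name; confirm each mapping is yours"),
    ("orphan-entry", re.compile(r" - No File$"),
     "registered BHO/toolbar/band whose file is gone; leftover or removed component"),
    ("runonce-noname", re.compile(r"^[umd]RunOnce: \[<NO NAME>\]"),
     "RunOnce entry with no value name; check what it launches and why"),
    ("service-missing", re.compile(r"^S[0-4] .*\[x\]$"),
     "service or driver registered but its binary path is missing"),
]

def triage(dds_text):
    """Return (line, rule_name, reason) for every line that matches a rule.

    A line is reported once, under the first rule that matches it, so the
    output reads top-to-bottom in the same order as the DDS log itself.
    """
    hits = []
    for line in dds_text.splitlines():
        for name, pattern, reason in RULES:
            if pattern.search(line):
                hits.append((line, name, reason))
                break
    return hits

if __name__ == "__main__":
    for line, name, reason in triage(SAMPLE_DDS):
        print(f"[{name}] {line}\n    -> {reason}")
```

The output is a reading list for a human, not a verdict: the two hosts lines above, for instance, are a blocked site and a LAN name server entry, and only the owner can say which was intended.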


#2 compounded

compounded
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 16 October 2010 - 12:49 AM

Hi, I think I've solved the problem I was having. I was able to reacquire and revert back to an earlier copy of the OS install, and spend a couple days updating the files which were almost certainly not related to the infection and which were outdated on the old install and needed to be created or updated to reflect recent work.

I can't find any options on the board or in the user controls to delete or edit a topic of one's creation, and there's not much reason to keep this around since it only stated the problem, so could a staff member please, preferably, delete this topic, or, secondarily, close it?

Thanks. I understand how staff members, working on a volunteer basis, can get overwhelmed and backlogged considering the volume of new posts to this board every day, each of which requires a fair level of individual attention, and I thank you again for setting up the board in the first place.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:51 PM

Posted 16 October 2010 - 05:45 PM

Hello

Thank you for letting us know. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
