
Can't get rid of Browser Redirect problem. Tried everything


9 replies to this topic

#1 jcboulware

jcboulware

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 05 December 2010 - 06:43 PM

I can't seem to get rid of this Internet Explorer redirect problem / virus. It not only happens during search engine results, but also on many other link buttons and ads.
I have tried AdAware, Hitman Pro, Malwarebytes, and TDSSKiller.
AdAware finds nothing.
TDSSKiller finds nothing.
Malwarebytes finds nothing.
Hitman Pro finds javawq.dll & mswstr10y.dll as infected Malware, but can not delete them on reboot.

I have attached my DDS logs

----------------------------------------------------------


DDS (Ver_10-12-05.01) - NTFSx86
Run by Curtis Boulware at 18:22:42.01 on Sun 12/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.251 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Curtis Boulware\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Curtis Boulware\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uWindows: Run=?
uWindows: Load=?
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [CobInVfBVF.exe] c:\docume~1\curtis~1\locals~1\temp\CobInVfBVF.exe
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\curtis~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\curtis boulware\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 88848932;88848932 Boot Guard Driver;c:\windows\system32\drivers\88848932.sys [2010-11-30 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-18 64288]
R1 88848931;88848931;c:\windows\system32\drivers\88848931.sys [2010-11-30 128016]
R1 setup_9.0.0.722_01.12.2010_04-17drv;setup_9.0.0.722_01.12.2010_04-17drv;c:\windows\system32\drivers\8884893.sys [2010-11-30 315408]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2009-6-13 24576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-8 1375992]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-8 15264]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-6-13 36608]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-9-8 16968]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys --> c:\windows\system32\drivers\ANDROIDUSB.sys [?]
S3 JEPPDRIVE;JeppDrive Service;c:\windows\system32\drivers\JeppDrive.sys [2010-3-12 24344]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVEX15.SYS [?]

=============== Created Last 30 ================

2010-12-02 00:02:29 -------- d-----w- c:\docume~1\curtis~1\applic~1\Malwarebytes
2010-12-02 00:02:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-02 00:02:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-02 00:02:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-02 00:02:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-01 02:00:07 37392 ----a-w- c:\windows\system32\drivers\88848932.sys
2010-12-01 02:00:07 315408 ----a-w- c:\windows\system32\drivers\8884893.sys
2010-12-01 02:00:07 128016 ----a-w- c:\windows\system32\drivers\88848931.sys
2010-11-19 06:31:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-19 03:45:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-19 03:40:53 -------- d-----w- c:\docume~1\curtis~1\locals~1\applic~1\Sunbelt Software
2010-11-19 03:33:59 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{437292BE-95BD-4B12-B699-6D217A03ACAF}
2010-11-19 03:33:06 -------- d-----w- c:\program files\Lavasoft
2010-11-19 03:02:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-11-19 02:09:25 -------- d-----w- c:\docume~1\curtis~1\locals~1\applic~1\{A0E7D19A-AE5F-4F2A-AB6A-D98BD1361D0D}
2010-11-18 23:57:40 105984 --sha-r- c:\windows\system32\mswstr10Y.dll
2010-11-18 23:57:40 105984 --sha-r- c:\windows\system32\javawq.dll
2010-11-17 03:52:23 2 --shatr- c:\windows\winstart.bat
2010-11-17 03:52:11 -------- d-----w- c:\program files\UnHackMe
2010-11-06 16:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-11-18 23:57:21 0 ----a-w- c:\windows\Wtiwuyu.bin
2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

============= FINISH: 18:24:09.42 ===============


----------------------------------------------------

I have run GMER twice and both times it has shut down the computer with the blue stop screen as the scan nears completion. Sorry I can not post the gmer logs.

EDIT: Posts merged ~BP

Redirect still here. Tonight, something took over the computer and I could not get to the Internet without buying some Anti Virus software. I rebooted in safe mode and ran Malwarebytes. Removed something and after some effort and many safe mode reboot efforts, I was able to take control of my computer again. Need some expert help. Thanks.

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 10 December 2010 - 09:02 PM.
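The DDS log above is read by hand in this thread, but the first pass a helper does over it is mechanical: look at autorun entries that launch from a temp directory, at recently created files carrying hidden and system attributes, and at pairs of differently named files with identical size and timestamp. The following Python script is an added example, not a tool used or posted in this thread, and it applies those three triage heuristics to a handful of lines copied from the posted log; it reports candidates for a human to look at, not verdicts.

```python
"""Triage heuristics for DDS-style log text (added example, not a thread tool).

Parses the 'Pseudo HJT Report' autorun lines (uRun/mRun/dRun) and the
'Created Last 30' file listing that DDS prints, then flags the entries a
malware-removal helper would look at first.  Every rule is a heuristic:
a hit is a reason to inspect the file, not proof that it is malicious.
"""
import re
from collections import defaultdict

# Sample input: a few lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
uRun: [CobInVfBVF.exe] c:\docume~1\curtis~1\locals~1\temp\CobInVfBVF.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

=============== Created Last 30 ================

2010-12-02 00:02:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-18 23:57:40 105984 --sha-r- c:\windows\system32\mswstr10Y.dll
2010-11-18 23:57:40 105984 --sha-r- c:\windows\system32\javawq.dll
2010-11-17 03:52:23 2 --shatr- c:\windows\winstart.bat
2010-11-06 16:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
"""

# "uRun: [Name] command line" -- the prefix letter is the hive (u=user, m=machine, d=default).
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# "YYYY-MM-DD HH:MM:SS size attrs path"; size is '--------' for directories.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)


def parse_autoruns(text):
    """Return [(name, command)] for every uRun/mRun/dRun line."""
    out = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            out.append((m.group("name"), m.group("cmd")))
    return out


def parse_created(text):
    """Return one dict per file-listing line (date, time, size, attrs, path)."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def find_temp_autoruns(autoruns):
    """Heuristic 1: autorun entries whose target lives under a temp directory."""
    return [name for name, cmd in autoruns
            if "\\temp\\" in cmd.lower() or "\\tmp\\" in cmd.lower()]


def find_hidden_system_files(entries):
    """Heuristic 2: files created with both the hidden (h) and system (s) attribute."""
    return [e["path"] for e in entries
            if "s" in e["attrs"] and "h" in e["attrs"]]


def find_size_timestamp_twins(entries):
    """Heuristic 3: distinct file names sharing an exact size and creation time
    (a pattern of one payload dropped under several names)."""
    groups = defaultdict(list)
    for e in entries:
        if e["size"].isdigit():          # skip directory rows
            groups[(e["date"], e["time"], e["size"])].append(e["path"])
    return [paths for paths in groups.values() if len(paths) > 1]


def triage(text):
    """Run all heuristics over a DDS log and return the findings by rule."""
    autoruns = parse_autoruns(text)
    created = parse_created(text)
    return {
        "temp_autoruns": find_temp_autoruns(autoruns),
        "hidden_system_files": find_hidden_system_files(created),
        "size_timestamp_twins": find_size_timestamp_twins(created),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

On the sample lines the script flags the autorun launched from the user's temp folder, the two hidden system DLLs Hitman Pro reported in the first post together with the hidden winstart.bat, and the fact that those two DLLs share a size and a timestamp. The benign Malwarebytes driver and the Adobe plugin pass all three rules.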



#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:27 PM

Posted 13 December 2010 - 11:17 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 jcboulware

jcboulware
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 14 December 2010 - 08:07 AM

Ran DDS and saved logs. Ran GMER and was attacked so badly during the scan that the computer shut itself off and now will not reboot. In normal mode, boot turns to a frozen black / blank screen. In Safe mode boot, the screen freezes with many lines of boot items listed on the screen. Now I don't know what to do.

#4 jcboulware

jcboulware
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 14 December 2010 - 08:48 PM

Back up and running. DDS logs attached. I cannot get through a full GMER scan.

Attached Files



#5 sjpritch25

sjpritch25

  • Security Colleague
  • 903 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:04:27 PM

Posted 14 December 2010 - 10:16 PM

Welcome to BC :)

Sorry for the delay.

Is your computer behind a router?
Microsoft MVP Consumer Security--2007-2010

#6 jcboulware

jcboulware
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 14 December 2010 - 11:39 PM

Yes.

#7 sjpritch25

sjpritch25

  • Security Colleague
  • 903 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:04:27 PM

Posted 15 December 2010 - 08:09 PM

Did you set up the router? Did you change the default password? Can you give me the model number and manufacturer? We need to reset it to factory defaults because I think it's infected.
Microsoft MVP Consumer Security--2007-2010

#8 jcboulware

jcboulware
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 16 December 2010 - 08:40 AM

I can no longer boot the computer. Last night I turned it on and it gets caught in a boot cycle. When the Windows logo comes up, the computer turns off and restarts, only to do it over and over. I can not get it to boot in normal or safe mode now.

#9 sjpritch25

sjpritch25

  • Security Colleague
  • 903 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:04:27 PM

Posted 16 December 2010 - 11:18 AM

Did you try Last known good configuration?
Microsoft MVP Consumer Security--2007-2010

#10 jcboulware

jcboulware
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 16 December 2010 - 02:30 PM

Yes, same boot loop of death.