
Google Redirects


This topic is locked
9 replies to this topic

#1 Mini1000

  • Members
  • 5 posts

Posted 07 December 2010 - 04:45 PM

Hi,
I was having some problems with google redirects; I would search for something, click the link, and FF would take me to a random ad website. After trying MBAM and Search and Destroy, I ran Combofix, then found this site with the words "DO NOT RUN ComboFix unless requested to." Too late, d'oh!

Immediately after running combofix, the redirect problem stopped, but when I turned off my laptop (HP Mini 1000), I tried to boot it again and Windows would not boot.

This is what happens when I boot:
HP screen with HP logo and 2 options--F9 Change boot device order F10 BIOS setup options
Black screen with white blinking underscore in top left corner

I have included the DDS scan I ran after running Combofix before I turned off my computer, as well as the original Combofix log. I was unable to run GMER.

Your help is greatly, greatly appreciated.

Details:
HP Mini 1000
Windows XP


DDS (Ver_10-12-05.01) - NTFSx86
Run by Hannah Carney at 0:39:15.75 on Tue 12/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.498 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\stacsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Documents and Settings\Hannah Carney\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Hannah Carney\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
c:\program files\teamviewer\version6\TeamViewer_Desktop.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Hannah Carney\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.Yahoo.com
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\hannah carney\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IDTSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\hannah~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\hannah carney\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\hannah~1\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hannah~1\applic~1\mozilla\firefox\profiles\dmw137ie.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en#min13
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=1682&gct=&gc=1&q=
FF - plugin: c:\documents and settings\hannah carney\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\hannah carney\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\hannah carney\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\hannah~1\applic~1\mozilla\firefox\profiles\dmw137ie.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\docume~1\hannah~1\applic~1\mozilla\firefox\profiles\dmw137ie.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Extension: Classic Compact: {D46E8522-6E86-44b1-A622-58C0668AD78E} - c:\docume~1\hannah~1\applic~1\mozilla\firefox\profiles\dmw137ie.default\extensions\{D46E8522-6E86-44b1-A622-58C0668AD78E}
FF - Extension: SpanishTrans: {103b0940-62c7-11db-bd13-0800200c9a66} - c:\docume~1\hannah~1\applic~1\mozilla\firefox\profiles\dmw137ie.default\extensions\{103b0940-62c7-11db-bd13-0800200c9a66}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\hannah~1\applic~1\mozilla\firefox\profiles\dmw137ie.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-5-8 112128]

=============== Created Last 30 ================

2010-12-07 08:06:25 -------- d-sha-r- C:\cmdcons
2010-12-07 08:03:57 98816 ----a-w- c:\windows\sed.exe
2010-12-07 08:03:57 89088 ----a-w- c:\windows\MBR.exe
2010-12-07 08:03:57 256512 ----a-w- c:\windows\PEV.exe
2010-12-07 08:03:57 161792 ----a-w- c:\windows\SWREG.exe
2010-12-07 07:56:51 -------- d-sh--w- c:\documents and settings\hannah carney\IETldCache
2010-12-07 06:51:58 7680 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-12-07 06:49:37 -------- d-----w- c:\windows\ie8updates
2010-12-07 06:44:39 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-12-07 06:44:14 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-12-07 06:44:01 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-07 06:37:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-07 06:37:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-07 06:34:18 -------- dc-h--w- c:\windows\ie8
2010-12-07 06:29:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 06:29:53 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 10:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

============= FINISH: 0:40:30.73 ===============


Edited by Mini1000, 07 December 2010 - 04:47 PM.


#2 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 14 December 2010 - 11:46 PM

Do you still desire help?
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Mini1000 (Topic Starter)

  • Members
  • 5 posts

Posted 14 December 2010 - 11:46 PM

Yes! Thank you!

#4 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 14 December 2010 - 11:59 PM

Do you have your XP disc? We might need a file from it. Based on your post I assume you still cannot boot into Windows. If that is the case then please do this...

Please save the following instructions into Notepad and print them out, as this webpage will not be available while you're carrying out the process.

Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start.
Use the up and down arrow key to select Microsoft Windows Recovery Console.
You must enter which Windows installation to log onto. Type 1 and press enter.
At the C:\Windows prompt, type the following green bolded text, and press Enter:

cd erdnt\hiv-backup

At the next prompt, type the following green bolded text, and press Enter:

batch erdnt.con

The erunt backups will begin copying.
At the next prompt, type the following green bolded text, and press Enter:

exit

Windows will now begin loading.
Success?

Answer my questions and I will guide you from here.

Regards,
thcbytes
#5 Mini1000 (Topic Starter)

  • Members
  • 5 posts

Posted 15 December 2010 - 12:09 AM

Thanks for your reply thcbytes. I have a question about the instructions.

"Before Windows loads, you will be prompted to choose which Operating System to start." Do I need to insert the Windows XP cd in order to receive this prompt? Currently, when I restart the computer, I only see the blinking underscore that I mentioned in my original post. I have left my computer running for as long as one hour and this is the only screen I see.

#6 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 15 December 2010 - 08:48 AM

Reboot and pay attention. Based on your Combofix log it appears that CF installed the Recovery Console, so just as soon as you reboot you should see the prompt. If you do not, just let me know and I will instruct you what to do. I assume you have an XP disc; is this true?

#7 Mini1000 (Topic Starter)

  • Members
  • 5 posts

Posted 15 December 2010 - 02:34 PM

I do not see the prompt. I tried hitting a few keys, and I think F11 brought up this message:

"Reboot and select proper boot device or insert boot media in selected boot device and press a key".

I do have the Windows XP CDs. Unfortunately, the HP Mini does not have an optical drive. I have ordered an external drive, and it should arrive this weekend. When it arrives I will reply to this thread to let you know.

Thanks for your patience, thcbytes.

#8 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 15 December 2010 - 10:54 PM

That sounds reasonable.

In the meantime please do this...

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

Next...

  • Boot the computer with the USB drive again.
  • Click on File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see driver.sh.
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    userinit.*

  • Press Enter
  • If successful, the script will search for this file.
  • After it has finished a report will be located in the USB drive as filefind.txt

Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review


Regards,
thcbytes
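The "filefind" step above (bash driver.sh -f with the pattern userinit.*) boils down to an offline search of the sick machine's disk from the live USB. The following is an added Python example, not part of this thread and not the driver.sh script itself: it walks a mounted volume (the /mnt/sda1 path is a hypothetical example), matches the glob case-sensitively, and records size, modification time and SHA-256 for each hit, so the copies found (on XP, normally one in system32 and one in system32\dllcache) can be compared with each other and with a known-good file.

```python
"""Offline triage: find files matching a case-sensitive glob under a mounted
volume and record size, mtime and SHA-256 for each hit (paths hypothetical)."""
import fnmatch
import hashlib
import os
import time


def sha256_of(path, chunk=65536):
    """Hash in chunks so a large file never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_files(mount_point, pattern):
    """One record per regular file under mount_point whose name matches
    pattern. fnmatchcase keeps the match case sensitive, as the xPUD note
    says; symlinks are skipped so a planted link cannot pull in outside files."""
    hits = []
    for root, _dirs, files in os.walk(mount_point, followlinks=False):
        for name in files:
            if not fnmatch.fnmatchcase(name, pattern):
                continue
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            try:
                st = os.stat(path)
            except OSError:  # unreadable entry: skip rather than abort the scan
                continue
            hits.append({"path": path, "size": st.st_size,
                         "mtime": time.strftime("%Y-%m-%d %H:%M:%S",
                                                time.gmtime(st.st_mtime)),
                         "sha256": sha256_of(path)})
    hits.sort(key=lambda r: r["path"])
    return hits


def hash_groups(hits):
    """Basename -> set of distinct hashes. On a clean XP box the system32 and
    dllcache copies of userinit.exe are identical, so two hashes for one
    name is a finding worth a closer look."""
    groups = {}
    for h in hits:
        groups.setdefault(os.path.basename(h["path"]), set()).add(h["sha256"])
    return groups


def format_report(hits):
    """One line per hit, like the filefind.txt the script leaves on the USB."""
    return "".join("%s  %8d  %s  %s\n" % (h["sha256"], h["size"], h["mtime"],
                                           h["path"]) for h in hits)
```

From the live USB you would call find_files("/mnt/sda1", "userinit.*"), write format_report(...) to filefind.txt on the stick, and treat any name in hash_groups(...) with more than one hash as something to hand to the helper.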

#9 Mini1000 (Topic Starter)

  • Members
  • 5 posts

Posted 19 December 2010 - 06:33 PM

thcbytes,

Thank you so very much for your help. I have since received the DVD drive and completed a reinstallation of Windows XP. I figured there wasn't that much on my hard drive worth saving. Everything is up and running again, so thank you again, and have a great holiday season.

Best regards

#10 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 19 December 2010 - 11:06 PM

I am glad all is well now. :thumbup2: