Google redirects & blocked access to Security & AV sites

Hello.

I have the issue where google search links get redirected to other sites, some shopping some porn, through 'hugosearch' 'lisosearch' and 'fastsearch' and also that access to security / anti-virus sites (including microsoft & windows update) is blocked as a 'no internet connection' page comes up when I attempt to access them. (although the connection is fine for all other sites).

I have disabled CD emulation software and posted the DDS logs below and attached the relevent DDS and ARK logs. I have malwarebytes on the PC and a full scan in safe mode comes back clean. Please assist me if you can, I have attached another PC to this connection and that seems fine but I am rather worried that my router has been accessed.

Thanks in advance.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Freddie at 15:45:48.07 on 27/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.392 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\DesktopAuthority\DaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\DesktopAuthority\RMGui.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\locator.exe
c:\windows\system32\slclient.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Freddie\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\yqubeeyv\hwjnreim.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NativeNetServices] rundll32.exe "c:\documents and settings\freddie\local settings\application data\smartcommslink\NativeNetServices.dll",acxapiEnum sysnetClock
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\www
Trusted Zone: superantispyware.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207243706437
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://afrvpn.com/NELX.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.bangbook.com/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: DAinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 DAInfo;DA Remote Management Kernel Information Provider;c:\program files\desktopauthority\DAInfo.sys [2009-3-26 12080]
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\desktopauthority\DaMaint.exe [2009-3-26 63408]
R2 DAtf;DA Remote Management Token Factory;c:\program files\desktopauthority\DAtf.sys [2009-3-26 11184]
R2 DesktopAuthority;DA Remote Management Service;c:\program files\desktopauthority\DesktopAuthority.exe [2009-3-26 1312688]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-12-7 103744]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slclient.exe [2008-4-4 556960]
S1 ggxwpjdy;ggxwpjdy;\??\c:\windows\system32\drivers\ggxwpjdy.sys --> c:\windows\system32\drivers\ggxwpjdy.sys [?]
S3 DAmirr;DAmirr;c:\windows\system32\drivers\damirr.sys --> c:\windows\system32\drivers\DAmirr.sys [?]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]
S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2007-10-24 19376]

=============== File Associations ===============

scrfile="%1" /S

=============== Created Last 30 ================

2011-01-25 08:18:11 125400 ----a-w- c:\program files\internet explorer\IEXPLOREmgrmgrmgr.exe
2011-01-24 07:00:00 125400 ----a-w- c:\program files\internet explorer\IEXPLOREmgrmgr.exe
2011-01-23 09:36:06 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-01-22 22:43:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\SafeReturner
2011-01-22 22:43:50 -------- d-----w- c:\program files\Safe Returner
2011-01-22 09:04:06 125400 ----a-w- c:\program files\internet explorer\IEXPLOREmgr.exe
2011-01-21 19:04:50 -------- d-----w- c:\program files\yqubeeyv

==================== Find3M ====================

2010-11-21 19:25:51 43 ----a-w- C:\ARMAGON.BAT
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

============= FINISH: 15:47:43.20 ===============

Logs now attached correctly in original post!

EDIT: Posts merged ~BP

Hello

I'm now away from the machine until next Monday, 7th Feb 2011.

Further things I've noticed are that I'm unable / prevented from getting to 'Java' from the Control Panel. I see on other cases this has been an issue. I don't think my router has actually been hacked as the password was set to the s/n of the box - so not very guessable! I have reset the router but that has made no difference.

I'm also unable now to access this site from the PC - the malware seems to have 'learned' that. But I have access to a clean PC at work to post on here and download / upload files / logs etc.

Hope to speak to you early next week to try some solutions.

EDIT: Posts merged ~BP

Edited by Budapest, 01 February 2011 - 04:04 PM.

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
• Please Do not Attach logs or put in code boxes.
• Tell me about any problems that have occurred during the fix.
• Tell me of any other symptoms you may be having as these can help also.
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

• Please download DeFogger to your desktop.
  
  Double click DeFogger to run the tool.
  
• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

• Please download DDS by sUBs from one of the links below and save it to your desktop:
  
  
  Download DDS and save it to your desktop
  
  Link1
  Link2
  Link3
  
  Please disable any anti-malware program that will block scripts from running before running DDS.
  
  
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    
  • DDS.txt
  • Attach.txt
• A window will open instructing you save & post the logs
• Save the logs to a convenient place such as your desktop
• Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

• Please Download Rootkit Unhooker Save it to your desktop.
• Now double-click on RKUnhookerLE.exe to run it.
• Click the Report tab, then click Scan.
• Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
• Wait till the scanner has finished and then click File, Save Report.
• Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".


information and logs:

• In your next post I need the following
  
  
• .logs from DDS
• log from RKUnHooker
• let me know of any problems you may have had

Gringo

Hello

three day bump

It has been Three days since my last post.

• do you still need help with this?
• do you need more time?
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

This topic has been re-opened at the request of the person who originally posted.

Hello Gringo,

I've been away from the UK for a days with the laptop and I'm afraid that during that time I ran Rkill and combofix to try to get the machine working. I understand this is against the advice given on this site and I apologise if it makes your task of helping me harder, but I was abroad on business and acted in desperation.

I attach the logs.

I have also changed my DNS settings on the laptop to use openDNS.

I am now able to search without being re-directed using the openDNS search facility, but am still not able to access various security site including windows update, and even bleeping computer, so there is evidently still something amiss. Other than that the machine seems to be working fine

I now have access to a clean PC in the office so am able to access this site, update the case, download software and update logs during the day, so I should be able to respond within 24 hours.

:upload files to jotti:

• Please upload a file for scanning:
  
• Open virusscan.jotti
• Copy/paste this file and path into the white box at the top:

c:\program files\Internet Explorer\IEXPLOREmgrmgrmgr.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

please do this with each of these files one at a time

c:\program files\Internet Explorer\IEXPLOREmgr.exe

save the reports and send with your next reply
Note: If Jotti is busy, you can use VirusTotal instead.

Hello Gringo and thank you for your help.

I can't access either of those websites. It seems that access to any security or anti-virus site is blocked - although I have access to all other types of site. I presume the malware has caused this.

I get this error message, as if I have no connection when in fact the connection is fine;

Internet Explorer cannot display the webpage

What you can try:
Diagnose Connection Problems

I have tried to use Chrome but the result is the same.

I'm only able to access bleepingcomputer.com by using my PC at work (as I'm doing now)

An odd thing this morning was that as I shut the machine down I noticed the little yellow 'updates' sheild in the task bar and sure enough as the machine shutdown it seemed to go through the normal process of doing a windows update, installing 10 new updates, even though I'm unable to connect to an microsoft or windows update websites through a browser...

I do have MBAM installed on the laptop, so I am able to scan with that should you require me to do so, and I'm able to download other software and utilities while at work and then get them onto the laptop via email.

I should also add that I have reset my router, but with no effect.

Edited by Alfresco, 09 February 2011 - 06:29 AM.

Hello Gringo,

I was able to run a scan using rkunhooker last night and I've pasted the results into the attached notepad file.

I hope this is useful to you.


Al

Hello

IEXPLOREmgr.exe is a new version of an older virus that is not very nice

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

• Understanding virus names
• Threat aliases for Win32/Ramnit.A

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• When should I re-format? How should I reinstall?
• Where to draw the line? When to recommend a format and reinstall?

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

OK Gringo, This machine will be 'retired' as it's of no particular value to me and I have a couple of others lying around.

Happily there is no data of value on the machine.

From what you have seen would you say that there is a possibility that the malware has spread to my wireless router, or I am safe to connect a 'clean' laptop

Thank you very much for your help.

it would be safe to connect the laptop it does not infect the router


where you have to be very carefull is if you remove any files from it - no .exe .dll .com .html or any type of exucutible files


only pics and docs would be safe and should be scanned before just in case




Gringo

Thanks.

Please close the case and thank you again for your advice on this matter.

I will close it in a couple of days in case you have any questions


Gringo

I do have a question actually... The only device plugged into the infected laptop has been my Ipod which i charge up through the usb socket.

Could the virus be lurking on the Ipod ready to transfer itself to any/everything that I connect to it?