I have the issue where Google search links get redirected to other sites, some shopping, some porn, through 'hugosearch', 'lisosearch' and 'fastsearch', and also that access to security / anti-virus sites (including Microsoft & Windows Update) is blocked, as a 'no internet connection' page comes up when I attempt to access them (although the connection is fine for all other sites).
I have disabled CD emulation software, posted the DDS logs below and attached the relevant DDS and ARK logs. I have Malwarebytes on the PC and a full scan in safe mode comes back clean. Please assist me if you can. I have attached another PC to this connection and that seems fine, but I am rather worried that my router has been accessed.
Thanks in advance.
DDS (Ver_10-12-12.02) - NTFSx86
Run by Freddie at 15:45:48.07 on 27/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.392 [GMT 0:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\DesktopAuthority\DaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\DesktopAuthority\RMGui.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\locator.exe
c:\windows\system32\slclient.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Freddie\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\yqubeeyv\hwjnreim.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NativeNetServices] rundll32.exe "c:\documents and settings\freddie\local settings\application data\smartcommslink\NativeNetServices.dll",acxapiEnum sysnetClock
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\www
Trusted Zone: superantispyware.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207243706437
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://afrvpn.com/NELX.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.bangbook.com/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: DAinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R2 DAInfo;DA Remote Management Kernel Information Provider;c:\program files\desktopauthority\DAInfo.sys [2009-3-26 12080]
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\desktopauthority\DaMaint.exe [2009-3-26 63408]
R2 DAtf;DA Remote Management Token Factory;c:\program files\desktopauthority\DAtf.sys [2009-3-26 11184]
R2 DesktopAuthority;DA Remote Management Service;c:\program files\desktopauthority\DesktopAuthority.exe [2009-3-26 1312688]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-12-7 103744]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slclient.exe [2008-4-4 556960]
S1 ggxwpjdy;ggxwpjdy;\??\c:\windows\system32\drivers\ggxwpjdy.sys --> c:\windows\system32\drivers\ggxwpjdy.sys [?]
S3 DAmirr;DAmirr;c:\windows\system32\drivers\damirr.sys --> c:\windows\system32\drivers\DAmirr.sys [?]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]
S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2007-10-24 19376]
=============== File Associations ===============
scrfile="%1" /S
=============== Created Last 30 ================
2011-01-25 08:18:11 125400 ----a-w- c:\program files\internet explorer\IEXPLOREmgrmgrmgr.exe
2011-01-24 07:00:00 125400 ----a-w- c:\program files\internet explorer\IEXPLOREmgrmgr.exe
2011-01-23 09:36:06 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-01-22 22:43:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\SafeReturner
2011-01-22 22:43:50 -------- d-----w- c:\program files\Safe Returner
2011-01-22 09:04:06 125400 ----a-w- c:\program files\internet explorer\IEXPLOREmgr.exe
2011-01-21 19:04:50 -------- d-----w- c:\program files\yqubeeyv
==================== Find3M ====================
2010-11-21 19:25:51 43 ----a-w- C:\ARMAGON.BAT
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
============= FINISH: 15:47:43.20 ===============
Logs now attached correctly in original post!
EDIT: Posts merged ~BP
Hello
I'm now away from the machine until next Monday, 7th Feb 2011.
Further things I've noticed are that I'm unable to, or prevented from, getting to 'Java' from the Control Panel. I see in other cases this has been an issue. I don't think my router has actually been hacked, as the password was set to the s/n of the box, so not very guessable! I have reset the router but that has made no difference.
I'm also now unable to access this site from the PC; the malware seems to have 'learned' that. But I have access to a clean PC at work to post on here and download / upload files, logs, etc.
Hope to speak to you early next week to try some solutions.
EDIT: Posts merged ~BP
Edited by Budapest, 01 February 2011 - 04:04 PM.