
Search Engine Redirect TDSS


  • This topic is locked
8 replies to this topic

#1 etonesealp

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 21 March 2011 - 05:27 PM

Hi

Search results in Google and Bing are being redirected to random, sometimes vaguely related scam pages.

I have had this happening for a few weeks and at first thought it was just a cookie, but as it became more annoying and invasive I did some searching and found it's a bigger problem than I thought.

I have tried to remove it with CCleaner and Malwarebytes and thought it had gone, but it came back after reboot.

Windows 7 Home edition with firefox browser, on old Dell Dimension 4800

Any help would be great....



Copy of logs as directed

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jeff Desktop at 21:45:24.45 on 21/03/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.1023.400 [GMT 0:00]
.
AV: AVG Anti-Virus *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jeff Desktop\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Gpgbdv] rundll32 "c:\users\jeff desktop\appdata\roaming\drvinstk.dll",peguikv
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\desktop (1).ini
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jeffde~1\appdata\roaming\mozilla\firefox\profiles\h4hwl6jp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Fast Youtube Downloader: fastYoutubeDownloader@yevgenyandrov.net - %profile%\extensions\fastYoutubeDownloader@yevgenyandrov.net
FF - Ext: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - %profile%\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
FF - Ext: Fast Dial: fastdial@telega.phpnet.us - %profile%\extensions\fastdial@telega.phpnet.us
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-12-9 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-12-9 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-12-9 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-12-9 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-12-9 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-12-9 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-10 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
.
=============== Created Last 30 ================
.
2011-03-20 22:32:47 -------- d-----w- C:\JEFF WIN 7
2011-03-20 20:35:25 -------- d-----w- c:\program files\CCleaner
2011-03-20 20:25:13 -------- d-----w- c:\users\jeffde~1\appdata\roaming\Malwarebytes
2011-03-20 20:25:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-20 20:25:05 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-20 20:25:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-20 20:25:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-15 09:00:34 -------- d--h--w- c:\progra~2\Common Files
2011-03-14 22:41:12 -------- d-----w- c:\users\jeff desktop\.thumbnails
2011-03-14 22:37:00 -------- d-----w- c:\users\jeff desktop\.gimp-2.6
2011-03-14 22:36:00 -------- d-----w- c:\program files\GIMP-2.0
2011-03-09 15:27:04 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-03-09 15:27:04 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-03-09 15:27:04 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-03-09 15:27:03 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-09 15:27:02 850432 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 15:27:02 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 15:27:02 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 15:27:01 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 15:27:00 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-03-06 00:54:42 221184 --sha-r- c:\users\jeffde~1\appdata\roaming\drvinstk.dll
2011-02-24 00:36:49 -------- d-----w- c:\program files\MSXML 4.0
2011-02-24 00:36:25 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-02-23 14:57:36 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-23 14:57:36 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-23 12:28:40 -------- d-----w- c:\users\jeffde~1\appdata\roaming\TSO
2011-02-23 12:23:42 -------- d-----w- c:\program files\DSA Car Theory Test
.
==================== Find3M ====================
.
2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 21:46:23.25 ===============

Attached Files


Edited by etonesealp, 21 March 2011 - 05:52 PM.
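The DDS report in the post above is the kind of evidence a responder reads by hand: the Pseudo HJT section shows a run-key entry (Gpgbdv) that uses rundll32 to load a DLL from the user's roaming AppData folder, and the Created Last 30 section shows that same DLL created with system+hidden attributes. As an added example that is not part of the thread and is not code from DDS or BleepingComputer, the Python script below applies those checks automatically to DDS-style lines. The sample lines are constructed from entries in the report above (not a full DDS log); the heuristics, the vowel-ratio test for generated value names, the list of user-writable directories and the Finding class are all my own assumptions, not anything DDS itself does.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in DDS "Pseudo HJT Report" / "Created Last 30" layout; the
# entries are modelled on the report posted in the thread, not a full DDS log.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.co.uk/
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Gpgbdv] rundll32 "c:\users\jeff desktop\appdata\roaming\drvinstk.dll",peguikv
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
2011-03-20 20:25:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-06 00:54:42 221184 --sha-r- c:\users\jeffde~1\appdata\roaming\drvinstk.dll
2011-02-24 00:36:49 -------- d-----w- c:\program files\MSXML 4.0
"""

RUN_RE = re.compile(r'^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
CREATED_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$')
# Assumed list of locations a standard user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = ('\\appdata\\', '\\temp\\')
BINARY_EXT = ('.dll', '.exe', '.sys', '.scr')


@dataclass
class Finding:
    kind: str                  # 'autorun' or 'created'
    subject: str               # run-key value name or file path
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def looks_random(name: str) -> bool:
    """Crude test for generated value names: letters only, 5+ chars, almost no vowels."""
    if len(name) < 5 or not name.isalpha():
        return False
    vowels = sum(c in 'aeiouy' for c in name.lower())
    return vowels / len(name) < 0.2


def extract_module(cmd: str) -> Optional[str]:
    """Return the lower-cased path of the binary an autorun command actually loads."""
    cmd_l = cmd.lower()
    if 'rundll32' in cmd_l:
        m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', cmd_l)
    else:
        m = re.match(r'"?([^"]+?\.exe)', cmd_l)
    return m.group(1) if m else None


def triage(report: str) -> List[Finding]:
    """Flag autoruns and recently created files that show common dropper traits."""
    created = {}   # basename -> attribute string, used to correlate the two sections
    findings = []
    # Pass 1: recently created binaries (directories show '--------' as size and are skipped)
    for line in report.splitlines():
        m = CREATED_RE.match(line)
        if not m or not m.group('size').isdigit():
            continue
        path, attrs = m.group('path').lower(), m.group('attrs')
        if not path.endswith(BINARY_EXT):
            continue
        created[path.rsplit('\\', 1)[-1]] = attrs
        reasons = []
        if 's' in attrs and 'h' in attrs:
            reasons.append('created with system+hidden attributes')
            if any(d in path for d in USER_WRITABLE):
                reasons.append('lives in a user-writable profile directory')
        if reasons:
            findings.append(Finding('created', path, reasons))
    # Pass 2: run-key autoruns, scored against the created-file list
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        name, module = m.group('name'), extract_module(m.group('cmd'))
        reasons = []
        if module and any(d in module for d in USER_WRITABLE):
            reasons.append('autorun binary in user-writable directory')
        if module and module.endswith('.dll'):
            reasons.append('rundll32 used to load a DLL export at login')
        if looks_random(name):
            reasons.append('value name looks machine-generated')
        if module and module.rsplit('\\', 1)[-1] in created:
            reasons.append('same binary appears in Created Last 30')
        if reasons:
            findings.append(Finding('autorun', name, reasons))
    return sorted(findings, key=lambda f: -f.score)


if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT):
        print(f'[{f.score}] {f.kind}: {f.subject}')
        for r in f.reasons:
            print(f'      - {r}')
```

Run against the sample, the Gpgbdv entry collects all four reasons and sorts to the top, the drvinstk.dll creation record is flagged on its attributes, and the Sidebar, AVG and Adobe autoruns produce nothing. Pasting a whole DDS log into triage() works the same way, since lines that match neither pattern are ignored.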



#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:16 AM

Posted 21 March 2011 - 09:22 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first. You may do this through Control Panel > Programs > Uninstall a program or you can use this tool for a more complete removal:

Download AppRemover from here saving it to your desktop.
  • Double click to run AppRemover
  • Follow the prompts to remove AVG
  • Reboot
Once you've removed AVG with this tool please continue with these instructions
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 etonesealp
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 22 March 2011 - 08:29 AM

Hi RPMcMurphy

Thanks for helping

Attached is the ComboFix Log as requested.

Attached Files



#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:16 AM

Posted 22 March 2011 - 06:01 PM

etonesealp:

How is it running now? Please do this next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • How is the computer running now?
  • MBAM log
  • ESET log



#5 etonesealp
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 23 March 2011 - 03:11 AM

Hi

The redirect seems to have stopped on Google.

Should I be re-installing AVG (uninstalled to run ComboFix), as I am not sure about being online without anti-virus protection?

I have rebooted and no sign of it yet. (Whey hey) If this does work I will definitely be sending a small but grateful donation.
Reluctant to be more positive as, reading other posts, it seems to frequently re-appear.




The MBAM scan didn't show any issues, so I didn't get the option of disinfecting! Log below.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6133

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

22/03/2011 23:26:34
mbam-log-2011-03-22 (23-26-34).txt

Scan type: Quick scan
Objects scanned: 154348
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The ESET online scan took ages but came up with 8 threats; however, I didn't get the Details tab,
so was unable to "Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply".

Copy of ESET log

C:\Documents and Settings\Jeff Desktop\Documents\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application
C:\Documents and Settings\Jeff Desktop\Documents\Downloads\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application
C:\Documents and Settings\Jeff Desktop\Documents\Downloads\Setup_FreeVideoConverter(2).exe Win32/Adware.Toolbar.Dealio application
C:\Documents and Settings\Jeff Desktop\Documents\Downloads\Setup_FreeVideoConverter.exe Win32/Adware.Toolbar.Dealio application
C:\Users\Jeff Desktop\Documents\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application
C:\Users\Jeff Desktop\Documents\Downloads\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application
C:\Users\Jeff Desktop\Documents\Downloads\Setup_FreeVideoConverter(2).exe Win32/Adware.Toolbar.Dealio application
C:\Users\Jeff Desktop\Documents\Downloads\Setup_FreeVideoConverter.exe Win32/Adware.Toolbar.Dealio application

I have also attached a Word document with screenshots of the ESET results.

Attached Files



#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:16 AM

Posted 23 March 2011 - 07:18 PM

etonesealp:

This will take care of those ESET detections:

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
rem Remove any log left over from an earlier run
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Try to delete each listed file: /a matches regardless of attributes,
rem /f forces deletion of read-only files, /q suppresses the confirmation prompt
for %%g in (
"C:\Documents and Settings\Jeff Desktop\Documents\Downloads\registrybooster.exe"
"C:\Documents and Settings\Jeff Desktop\Documents\Downloads\Setup_FreeConverter.exe"
"C:\Documents and Settings\Jeff Desktop\Documents\Downloads\Setup_FreeVideoConverter(2).exe"
) do (
del /a/f/q %%g >nul 2>&1
rem Anything that still exists afterwards is recorded so it can be reported back
if exist %%g echo.%%g>>"%temp%\log.txt"
)
rem Show the list of files that could not be deleted, or confirm success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
pause
rem The batch file removes itself once it has finished
del %0

Save this as fix.bat. Choose to "Save type as - All Files".
Double click on fix.bat & allow it to run.

The rest of your logs looked good. Now I have another update and some very important cleanup for you to take care of:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • Rootkit Unhooker
  • MBRCheck
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
Re-install an anti-virus program. Choose one (but no more) reputable AV program. If you need help choosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Please visit this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#7 etonesealp
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 27 March 2011 - 04:38 PM

Hi RPMcMurphy

Thanks for your help, :thumbsup: it has been a few days now, and no recurrence of the redirect virus, so fingers crossed etc :clapping: :clapping:

#8 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:16 AM

Posted 28 March 2011 - 09:27 AM

You're welcome, etonesealp. Take care.



#9 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:16 AM

Posted 28 March 2011 - 09:27 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





