Browser Redirect


2 replies to this topic

#1 hoseking

Posted 31 August 2011 - 11:33 AM

I have a machine that is having issues with a browser redirect in IE8 and Firefox. I have reset IE to default settings, recreated the host file, checked for proxy info in IE and network connections. I have run Malwarebytes, SuperAntiSpyware, and VIPRE Antivirus. All of them have come back clean. I am unable to get TDSSKiller to run for some reason. Machine is acting perfectly normal other than the browser redirect. I can browse websites using direct URLs, but any search engine will redirect me. Machine is fully updated. Thank you in advance for any help, it is very much appreciated. Let me know if there is any additional information required.

Machine is an HP dc5800
Win XP SP3

Here is the HijackThis log followed by the process log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:20:08 AM, on 8/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\RemoteSupportManager\DaMaint.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\RemoteSupportManager\DesktopAuthority.exe
C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\RemoteSupportManager\rmgui.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe"
O4 - HKLM\..\Run: [DA Remote Management GUI] "C:\Program Files\RemoteSupportManager\rmgui.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinCalendarV3] "U:\My Documents\WinCalendarV3\WinCalendarV3_SysTray.exe" /q /c
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinCalendarV3] "U:\My Documents\WinCalendarV3\WinCalendarV3_SysTray.exe /q /c"
O4 - HKUS\S-1-5-18\..\Run: [WinCalendarV3] "U:\My Documents\WinCalendarV3\WinCalendarV3_SysTray.exe" /q /c (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinCalendarV3] "U:\My Documents\WinCalendarV3\WinCalendarV3_SysTray.exe" /q /c (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.10:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC2A} (Encrypt Class) - https://192.168.1.10:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HUFF.local
O17 - HKLM\Software\..\Telephony: DomainName = HUFF.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HUFF.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HUFF.local
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
O20 - AppInit_DLLs: DAinit.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0000881223489622) (0000881223489622mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\000088~1.EXE (file missing)
O23 - Service: DA Remote Management Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\RemoteSupportManager\DaMaint.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Remote Support Manager (RemoteSupportManager) - ScriptLogic Corporation - C:\Program Files\RemoteSupportManager\DesktopAuthority.exe
O23 - Service: Sage Service Host (v1.1) (Sage.LS1.ServiceHost.1.1) - Sage Software, Inc. - C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe
O23 - Service: VIPRE Enterprise Agent (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe

--
End of file - 9019 bytes


Process list saved on 11:21:26 AM, on 8/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
616 C:\WINDOWS\System32\smss.exe 5.1.2600.5512 Microsoft Corporation
688 C:\WINDOWS\system32\winlogon.exe 5.1.2600.5512 Microsoft Corporation
736 C:\WINDOWS\system32\services.exe 5.1.2600.5755 Microsoft Corporation
748 C:\WINDOWS\system32\lsass.exe 5.1.2600.5512 Microsoft Corporation
924 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1028 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1256 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.6024 Microsoft Corporation
1368 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe 3.0.7311.0 Microsoft Corporation
1448 C:\Program Files\RemoteSupportManager\DaMaint.exe 1.0.0.48 ScriptLogic Corporation
1508 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe 1.0.4.0 InterVideo
1564 C:\Program Files\PDF Complete\pdfsvc.exe 3.5.22.2001 PDF Complete Inc
1616 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe 4.0.4112.7935 Intuit
1676 C:\Program Files\RemoteSupportManager\DesktopAuthority.exe 1.0.0.48 ScriptLogic Corporation
1736 C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe 1.1.0.0 Sage Software, Inc.
1872 c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe 2005.90.5000.0 Microsoft Corporation
1904 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
2076 C:\WINDOWS\Explorer.EXE 6.0.2900.5512 Microsoft Corporation
2468 C:\WINDOWS\system32\igfxtray.exe 6.14.10.4864 Intel Corporation
2520 C:\WINDOWS\system32\hkcmd.exe 6.14.10.4864 Intel Corporation
2544 C:\WINDOWS\system32\igfxpers.exe 6.14.10.4864 Intel Corporation
2572 C:\WINDOWS\system32\igfxsrvc.exe 6.14.10.4864 Intel Corporation
2580 C:\Program Files\Analog Devices\Core\smax4pnp.exe 6.0.32.138 Analog Devices, Inc.
2604 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe 5.2.0.52 Analog Devices, Inc.
2688 C:\WINDOWS\SMINST\Scheduler.exe 1.0.4.1
2800 C:\Program Files\RemoteSupportManager\rmgui.exe 1.0.0.48 ScriptLogic Corporation
2924 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe 9.4.0.195 Adobe Systems Inc.
2940 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.5512 Microsoft Corporation
2992 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe 20.0.4012.0 Intuit Inc.
484 C:\Program Files\Internet Explorer\IEXPLORE.EXE 8.0.6001.18702 Microsoft Corporation
3404 C:\Program Files\Internet Explorer\IEXPLORE.EXE 8.0.6001.18702 Microsoft Corporation
2096 C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe 2.0.0.4 Trend Micro Inc.

Edited by hoseking, 31 August 2011 - 11:39 AM.
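As an added triage aid (not part of the poster's log, HijackThis, or any BleepingComputer tool): a small Python parser for HijackThis-style entries that flags the items a redirect hunt usually checks first, namely "(file missing)" orphans, R0/R1 start and search pages that are not the IE default, O1 hosts-file overrides, a populated O20 AppInit_DLLs value, and services or BHOs running from temp or per-user data directories. The sample lines are constructed and modelled on the log above; they go beyond it by including an O1 entry and a non-default R1 entry, and a flag means "verify by hand", not "malicious" (the DAinit.dll flagged under O20 should be matched against the Remote Support Manager software the O23 section lists).

```python
import re

# Constructed sample in HijackThis v2 format, modelled on the log above (not the poster's full log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
O1 - Hosts: 10.0.0.1 www.example-search.invalid
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O20 - AppInit_DLLs: DAinit.dll
O23 - Service: Cleanup (cleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\000088~1.EXE (file missing)
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
"""

# Stock IE8 start/search URL prefix; any other R0/R1 value deserves a look.
DEFAULT_IE_URL = "http://go.microsoft.com/fwlink/"
# Directories that installed services and BHOs normally do not run from.
SUSPECT_DIRS = re.compile(r"\\(Temp|Application Data)\\", re.IGNORECASE)
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")


def triage(log_text):
    """Return [(section, reason, line)] for every entry worth verifying by hand."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if "(file missing)" in body:
            reasons.append("orphaned entry: referenced file is missing")
        if sec in ("R0", "R1") and not body.split(" = ", 1)[-1].startswith(DEFAULT_IE_URL):
            reasons.append("start/search page is not the IE default")
        if sec == "O1":
            reasons.append("hosts-file override can silently redirect a name")
        if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is loaded into every user32 process; verify the DLL")
        if SUSPECT_DIRS.search(body):
            reasons.append("runs from a temp or per-user data directory")
        hits.extend((sec, r, line) for r in reasons)
    return hits


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Feed it a saved HijackThis log with `triage(open(path).read())`; the process list and header lines are skipped because they do not match the entry pattern.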


#2 hoseking

Posted 01 September 2011 - 08:20 AM

I was able to resolve my own problem by using tools seen in other similar threads. After running fixTDSS it no longer redirects. Thank you, you may close the thread.

#3 Orange Blossom

Posted 01 September 2011 - 11:47 PM

It appears that this issue is resolved; therefore, I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



