
Google keeps redirecting, traditional fixes not working


  • This topic is locked
6 replies to this topic

#1 purplefish

purplefish

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 22 July 2012 - 03:23 PM

When I search in Google and click on a results link, I'm redirected to a different site. Sometimes a green arrow with the words "redirect" appears. This happens in normal operating mode, but not in safe mode. I've tried Symantec, Malwarebytes' Anti-Malware, Hitman Pro, and Kaspersky TDSS Killer to no avail. I would greatly appreciate help with this! Thanks in advance. Here is my DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Natalie at 15:27:40 on 2012-07-22
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3581.2589 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\HitmanPro\hmpsched.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\HitmanPro\HitmanPro.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.georgetown.edu/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080618
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Microsoft Games] rundll32.exe "c:\users\natalie\appdata\local\mozilla\microsoft games\pqnqsewd.dll",CreateInstance
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: datastream.com\product
Trusted Zone: ssrn.com\hq
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.3/GarminAxControl.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{16B91D0A-3351-4903-AAAA-29C7E8F4F111} : DhcpNameServer = 172.26.38.1 172.26.38.2
TCP: Interfaces\{B96CA281-6A11-4063-9CF4-AD3ED6E7056D} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\natalie\appdata\roaming\mozilla\firefox\profiles\5q9la86e.default\
FF - prefs.js: browser.startup.homepage - www.georgetown.edu
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-6-17 73728]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-7-22 105832]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-31 106656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-19 655944]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-19 22344]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-1 113120]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-5-10 18432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-6-18 209408]
.
=============== Created Last 30 ================
.
7/22/2012 16:44 -------- d-----w- c:\program files\Ad-Aware Antivirus
7/22/2012 16:44 -------- d-----w- c:\users\natalie\appdata\local\Downloaded Installations
7/22/2012 16:43 -------- d-----w- c:\users\natalie\appdata\roaming\Ad-Aware Antivirus
7/22/2012 16:40 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
7/22/2012 16:40 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
7/22/2012 15:27 -------- d-----w- c:\program files\HitmanPro
7/22/2012 15:27 -------- d-----w- c:\programdata\HitmanPro
7/20/2012 17:13 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{8f75cf16-c374-4962-b4f7-95c6525e34d5}\mpengine.dll
7/12/2012 17:02 2047488 ----a-w- c:\windows\system32\win32k.sys
7/11/2012 15:46 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
7/11/2012 15:46 1401856 ----a-w- c:\windows\system32\msxml6.dll
7/11/2012 15:46 1248768 ----a-w- c:\windows\system32\msxml3.dll
7/11/2012 15:46 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
7/11/2012 15:46 278528 ----a-w- c:\windows\system32\schannel.dll
7/11/2012 15:46 204288 ----a-w- c:\windows\system32\ncrypt.dll
6/25/2012 20:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
.
==================== Find3M ====================
.
7/3/2012 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
6/2/2012 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
6/2/2012 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
6/2/2012 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
6/2/2012 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
6/2/2012 8:33 1800192 ----a-w- c:\windows\system32\jscript9.dll
6/2/2012 8:25 1129472 ----a-w- c:\windows\system32\wininet.dll
6/2/2012 8:25 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
6/2/2012 8:20 142848 ----a-w- c:\windows\system32\ieUnatt.exe
6/2/2012 8:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
5/31/2012 16:25 237072 ------w- c:\windows\system32\MpSigStub.exe
5/1/2012 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 15:29:21.27 ===============



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:17 PM

Posted 25 July 2012 - 01:23 AM

Hi,


Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the following file:

c:\users\natalie\appdata\local\mozilla\microsoft games\pqnqsewd.dll

Select it and click ok:
Then click the Send File button below.

In case you can't find the file, make sure your hidden files are shown. See here how: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows-vista/

Then, AFTER you have done the above and submitted the file, open your Task Manager (type taskmgr in Start > Search, hit Enter). Then look under the "Processes" tab, check "Show processes for all users" below and, in the list, search for the process: rundll32.exe
Right-click it and choose to end the process.

Then navigate to and delete the following folder: c:\users\natalie\appdata\local\mozilla\microsoft games

In case you are still having problems with deleting that folder, delete it from Windows Safe mode: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
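
The log entry that post #2 singles out can be found mechanically. The following is an added example, not part of the thread and not DDS code: it parses the `uRun`/`mRun` autorun lines of a DDS log and reports entries where a DLL is started through rundll32 or lives in a directory a standard user can write to. The two heuristics, the `triage` function and the regular expressions are assumptions made for this illustration; the sample lines are taken from the log in post #1.

```python
import re

# Sample input: four autorun lines from the DDS log in post #1
# (doubled quotes from the page's extraction removed).
SAMPLE_LOG = r'''
uRun: [Microsoft Games] rundll32.exe "c:\users\natalie\appdata\local\mozilla\microsoft games\pqnqsewd.dll",CreateInstance
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
'''

RUN_LINE = re.compile(r'^([um])Run: \[([^\]]+)\] (.+)$')
FILE_PATH = re.compile(r'[a-z]:\\[^"]+?\.(?:exe|dll|scr|cpl|ocx)\b', re.I)
# A DLL host at the start of the command, with or without a full path.
LOADER = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?(?:rundll32|regsvr32)(?:\.exe)?\b', re.I)
# Assumed heuristic, not from the thread: locations a standard user can write to.
USER_WRITABLE = re.compile(
    r'\\(?:users|documents and settings)\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\', re.I)
# DDS prefixes: u = per-user Run key (HKCU), m = machine-wide Run key (HKLM).
HIVES = {'u': 'HKCU', 'm': 'HKLM'}


def triage(log_text):
    """Return Run entries matching at least one heuristic, most reasons first."""
    findings = []
    for raw in log_text.splitlines():
        # Tolerate lines wrapped in CSV-style quoting ("..." with "" inside).
        line = raw.strip().strip('"').replace('""', '"')
        m = RUN_LINE.match(line)
        if not m:
            continue
        hive, name, cmd = m.groups()
        paths = FILE_PATH.findall(cmd)
        if not paths:
            continue
        via_loader = bool(LOADER.match(cmd))
        # With a loader, the DLL is the last path; otherwise the program itself.
        target = paths[-1] if via_loader else paths[0]
        reasons = []
        if via_loader:
            reasons.append('DLL started through rundll32/regsvr32')
        if USER_WRITABLE.search(target):
            reasons.append('target is in a user-writable directory')
        if reasons:
            findings.append({'hive': HIVES[hive], 'name': name,
                             'target': target, 'reasons': reasons})
    return sorted(findings, key=lambda f: len(f['reasons']), reverse=True)
```

On the sample lines only the `Microsoft Games` entry is reported, with both reasons. A hit is a lead for manual review, since legitimate software also starts from per-user directories.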

#3 purplefish


Posted 25 July 2012 - 09:04 PM

Thanks for your response, miekiemoes. Your comments were right on.

I ended up uninstalling Firefox yesterday afternoon. After the uninstall, I ran Hitman Pro and it found the problem. I was then able to find the remnants with Malwarebytes. I reinstalled Firefox this afternoon and things appear to be working correctly.

Fortunately for my computer (and sanity) but perhaps unfortunately for discovering the true source of the problem, the "c:\users\natalie\appdata\local\mozilla\microsoft games" directory is no longer present, so I cannot upload a sample of the pqnqsewd.dll file.

#4 miekiemoes


Posted 26 July 2012 - 12:30 AM

Hi,

That's OK. Glad things are working fine again. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#5 purplefish


Posted 26 July 2012 - 10:28 AM

Thanks for the references -- I'll check them out. And, thanks again for your help! :)

#6 miekiemoes


Posted 26 July 2012 - 10:42 AM

You're most welcome :)

#7 miekiemoes


Posted 03 August 2012 - 09:26 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



