Author Topic: [Resolved] Browser Redirection (Read 6031 times)

ohtara1211 · « **on:** February 23, 2010, 10:48:52 AM »

After performing a search in ie7 I get redirected when trying to access any of the websites. I have run SpyBot and RegCure and completed a scan using MS Security essentials. It's almost immpossible to research anything now. Any help or advice you could give would be greatly appreciated

Hoov · « **Reply #1 on:** February 23, 2010, 11:22:50 AM »

We need a hijackthis log to start with. Please read this, http://spywarehammer.com/simplemachinesforum/index.php?topic=88.0 , only use this thread, don't start a new one.

ohtara1211 · « **Reply #2 on:** February 23, 2010, 02:48:56 PM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:28 PM, on 2/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AsScrPro.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\WINDOWS\AsScrPro.exe
O4 - HKLM\..\Run: [LiveUpdate] C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe auto
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Shortcut to SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: SuperHybridEngine.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://173.9.66.81:8082/SysCamInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.227,93.188.161.28
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.164.227,93.188.161.28
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.227,93.188.161.28
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

--
End of file - 9504 bytes

ohtara1211 · « **Reply #3 on:** February 23, 2010, 02:53:10 PM »

Don't know if this helps, but it seems like the redirections go thru abcsearch.com By the way thanks for your help so far

Hoov · « **Reply #4 on:** February 23, 2010, 03:02:49 PM »

Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

Third, follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go.

Fourth, Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your harddrive.

Now onto trying to fix your computer.

Please run ccleaner to remove temporary files from your system, and to improve the scanning time of the other scans we may be running. Then please Malwarebytes' Anti-Malware to check for malware.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.[/COLOR]

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.[/COLOR]

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

ohtara1211 · « **Reply #5 on:** February 23, 2010, 05:57:28 PM »

Here is the Malwarebytes log. I have also run Spybot, MS Security Essentials and a program called RegCure

Malwarebytes' Anti-Malware 1.44
Database version: 3781
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/23/2010 5:32:28 PM
mbam-log-2010-02-23 (17-32-28).txt

Scan type: Quick Scan
Objects scanned: 110415
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.227,93.188.161.28 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000206d.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000592c.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000074b6.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

Hoov · « **Reply #6 on:** February 23, 2010, 06:04:25 PM »

* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

ohtara1211 · « **Reply #7 on:** February 23, 2010, 07:47:26 PM »

Here is the ComboFix Log

ComboFix 10-02-23.03 - Jeff 02/23/2010 19:14:35.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1388 [GMT -6:00]
Running from: c:\documents and settings\Jeff\Bluetooth Software\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-346308534-839334332-2326838845-1003
c:\windows\Downloaded Program Files\Install.inf
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-23 23:20 . 2010-02-23 23:20   --------   d-----w-   c:\documents and settings\Jeff\Application Data\Malwarebytes
2010-02-23 23:20 . 2010-01-07 22:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 23:20 . 2010-02-23 23:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-23 23:20 . 2010-02-23 23:20   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-23 23:20 . 2010-01-07 22:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-23 21:47 . 2010-02-23 21:47   --------   d-----w-   c:\program files\CCleaner
2010-02-23 04:50 . 2010-02-23 17:33   --------   d-----w-   c:\documents and settings\Jeff\Application Data\eMusic
2010-02-23 04:50 . 2010-02-23 04:50   --------   d-----w-   c:\documents and settings\Jeff\Local Settings\Application Data\eMusic
2010-02-23 04:50 . 2010-02-23 17:34   --------   d-----w-   c:\program files\eMusic Download Manager
2010-02-22 23:53 . 2010-02-22 23:53   --------   d-----w-   c:\program files\Trend Micro
2010-02-22 10:00 . 2010-02-22 10:03   --------   d-----w-   c:\documents and settings\Jeff\Application Data\Download Manager
2010-02-21 21:16 . 2010-02-21 23:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-21 21:16 . 2010-02-21 21:20   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-02-21 04:42 . 2010-02-21 04:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\RegCure
2010-02-21 04:42 . 2010-02-21 04:48   --------   d-----w-   c:\program files\RegCure
2010-02-21 03:27 . 2010-02-21 03:27   --------   d--h--w-   c:\windows\PIF
2010-02-21 00:16 . 2010-01-14 17:12   181120   ------w-   c:\windows\system32\MpSigStub.exe
2010-02-21 00:06 . 2010-02-21 00:06   --------   d-----w-   c:\documents and settings\Jeff\Application Data\ConsumerSoft
2010-02-21 00:06 . 2010-02-21 01:00   --------   d-----w-   c:\program files\ConsumerSoft
2010-02-20 16:50 . 2010-02-20 16:50   --------   d-----w-   c:\documents and settings\Jeff\Local Settings\Application Data\PCHealth
2010-02-20 16:50 . 2010-02-20 16:50   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-02-20 14:27 . 2010-02-20 14:27   --------   d-----w-   c:\program files\Microsoft Security Essentials
2010-02-09 00:01 . 2010-02-09 00:01   --------   d-----w-   c:\documents and settings\Jeff\Local Settings\Application Data\Yahoo
2010-02-08 23:42 . 2010-02-09 00:01   --------   d-----w-   c:\program files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 17:11 . 2009-08-09 23:51   --------   d-----w-   c:\documents and settings\Jeff\Application Data\U3
2010-01-23 22:51 . 2010-01-23 22:51   503808   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6349b862-n\msvcp71.dll
2010-01-23 22:51 . 2010-01-23 22:51   499712   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6349b862-n\jmc.dll
2010-01-23 22:51 . 2010-01-23 22:51   348160   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6349b862-n\msvcr71.dll
2010-01-23 22:51 . 2010-01-23 22:51   61440   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6365fdb7-n\decora-sse.dll
2010-01-23 22:51 . 2010-01-23 22:51   12800   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6365fdb7-n\decora-d3d.dll
2010-01-20 17:12 . 2010-01-20 17:12   --------   d-----w-   c:\program files\Common Files\Java
2010-01-20 17:10 . 2010-01-20 17:10   503808   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-4ac07d12-n\msvcp71.dll
2010-01-20 17:10 . 2010-01-20 17:10   348160   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-4ac07d12-n\msvcr71.dll
2010-01-20 17:10 . 2010-01-20 17:10   499712   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-4ac07d12-n\jmc.dll
2010-01-20 17:10 . 2010-01-20 17:10   61440   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-4ac07d12-n\decora-sse.dll
2010-01-20 17:10 . 2010-01-20 17:10   315392   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-4b73100c-n\jogl.dll
2010-01-20 17:10 . 2010-01-20 17:10   20480   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-4b73100c-n\jogl_awt.dll
2010-01-20 17:10 . 2010-01-20 17:10   20480   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-3925db03-n\gluegen-rt.dll
2010-01-20 17:10 . 2010-01-20 17:10   12800   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-4ac07d12-n\decora-d3d.dll
2010-01-20 17:10 . 2010-01-20 17:10   114688   ----a-w-   c:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-4b73100c-n\jogl_cg.dll
2010-01-20 17:10 . 2009-10-01 16:59   --------   d-----w-   c:\program files\Java
2010-01-16 14:36 . 2009-06-23 03:51   --------   d-----w-   c:\program files\Common Files\Adobe
2010-01-05 10:00 . 2009-05-20 19:07   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-05-20 19:07   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2009-05-20 19:07   17408   ----a-w-   c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2009-05-20 19:07   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-17 23:14 . 2009-10-01 16:59   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2009-05-20 19:16   343040   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-05-20 19:07   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2008-04-14 00:54   2145280   ----a-w-   c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-04-14 00:01   2023936   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2009-05-20 19:07   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2009-12-02 21:23 . 2009-12-02 21:23   149040   ----a-w-   c:\windows\system32\drivers\MpFilter.sys
2009-11-27 17:11 . 2009-05-20 19:07   1291776   ----a-w-   c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2008-04-14 05:42   17920   ----a-w-   c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2009-05-20 19:07   28672   ----a-w-   c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36   8704   ----a-w-   c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2009-05-20 19:07   11264   ----a-w-   c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2009-05-20 19:06   84992   ----a-w-   c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2008-04-14 05:41   48128   ----a-w-   c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-07-08 3054136]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-08-27 735208]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-01-29 1095872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Jeff\Start Menu\Programs\Startup\
Shortcut to SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-10 813584]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-6-22 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28   72208   ----a-w-   c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 14:58   40368   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51   3885408   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/22/2009 10:03 PM 55152]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/10/2009 8:58 PM 10384]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/1/2009 1:26 AM 38912]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [6/1/2009 1:26 AM 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 9:49 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 7:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-02-12 20:17]

2010-02-23 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2010-02-12 20:17]

2010-02-21 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-02-12 20:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://173.9.66.81:8082/SysCamInst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 19:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys >>UNKNOWN [0x8A3A78C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0fcf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\iaStor -> iaStor.sys @ 0xb9ea0716
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Atheros AR8132 PCI-E Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d69bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d76a21
SendHandler -> NDIS.sys @ 0xb9d5487b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-02-23 19:25:55
ComboFix-quarantined-files.txt 2010-02-24 01:25

Pre-Run: 62,325,989,376 bytes free
Post-Run: 62,369,415,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C0FED35051E6A77E24BB707A6BE6443B

Hoov · « **Reply #8 on:** February 23, 2010, 09:24:16 PM »

How is the browser working now?

ohtara1211 · « **Reply #9 on:** February 24, 2010, 11:22:22 AM »

I tryied accessing 3 websites and it appeared to be working. I rebooted just to double check, and the same thing is happening again. I am still getting redirected, either to another sight, or a pricing search engine. Don't know if this helps, but several tiimes I saw this in the first part of the search address bar as I was being transferred to another sight http://smartbizsearch.com/123bounce

ohtara1211 · « **Reply #10 on:** February 24, 2010, 11:25:17 AM »

I've also noticed that when I access sights saved in "Favorites" I do not et directed.

Hoov · « **Reply #11 on:** February 24, 2010, 11:33:15 AM »

Start up Spybot Search and Destroy. update it, and then run the immunize feature. If you are still being redirected, then zip up your hosts file and attach it to your next reply. It is located in C:\Windows\System32\drivers\etc\

ohtara1211 · « **Reply #12 on:** February 24, 2010, 12:14:23 PM »

updated and ran "Immunize" from Spybot. Still being redirected. I've attached a zip of the Host File

Hoov · « **Reply #13 on:** February 24, 2010, 01:29:44 PM »

Open a command prompt (all programs > Accessories > Command Prompt) and type in
Ipconfig /all > ipconfig.txt and then hit enter. Then type in ipconfig.txt to open notepad with the log. Copy it and paste it in to your next response.

How are you connected to the internet?

ohtara1211 · « **Reply #14 on:** February 24, 2010, 04:37:14 PM »

After I reported still being redirected I rebooted. I did nothing other than what is documented here. The only thing I did different was to use the Bing search engine to see if it was just google. It worked fine. I then went back 2 Google and it worked. Rebooted and it still worked. This was using a WiFi connection at work. Came home and hooked up to ethernet cbale and it is still working. It's like there was a timer switch, as I made no changes myself. So, Im not sure I trust it, but it is working. I am posting a copy of the configuration in case you notice anything there. Of course my fear is that the same problem will unexpectedly crop up again. Thanks for checking this out.

Windows IP Configuration

Host Name . . . . . . . . . . . . : JeffsNetbook

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hsd1.ar.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.ar.comcast.net.

Description . . . . . . . . . . . : Atheros AR8132 PCI-E Fast Ethernet Controller

Physical Address. . . . . . . . . : 00-26-18-76-DA-DD

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 76.125.66.124

Subnet Mask . . . . . . . . . . . : 255.255.254.0

Default Gateway . . . . . . . . . : 76.125.66.1

DHCP Server . . . . . . . . . . . : 68.87.68.10

DNS Servers . . . . . . . . . . . : 68.87.68.166

68.87.74.166

Lease Obtained. . . . . . . . . . : Wednesday, February 24, 2010 3:32:38 PM

Lease Expires . . . . . . . . . . : Sunday, February 28, 2010 7:38:46 AM

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter

Physical Address. . . . . . . . . : 00-25-D3-47-12-91

News:

Author Topic: [Resolved] Browser Redirection (Read 6031 times)

ohtara1211

[Resolved] Browser Redirection

Hoov

Re: Browser Redirection

ohtara1211

Re: Browser Redirection

ohtara1211

Re: Browser Redirection

Hoov

Re: Browser Redirection

ohtara1211

Re: Browser Redirection

Hoov

Re: [In Progress] Browser Redirection

ohtara1211

Re: [In Progress] Browser Redirection

Hoov

Re: [In Progress] Browser Redirection

ohtara1211

Re: [In Progress] Browser Redirection

ohtara1211

Re: [In Progress] Browser Redirection

Hoov

Re: [In Progress] Browser Redirection

ohtara1211

Re: [In Progress] Browser Redirection

Hoov

Re: [In Progress] Browser Redirection

ohtara1211

Re: [In Progress] Browser Redirection