
Hello,

I have managed to get infected by some form of a browser hijacker and cannot get rid of it. Whenever I search for anything using a search engine such as Google or Bing, the page with results gets displayed correctly; however, upon clicking on a result I get redirected to a different page. The page to which the browser redirects varies. At times the target page attempts to open a JavaScript file (search.js), which I obviously decline to do. The only surefire way to use the search engines now is to copy the link to which the engine points (not by "copy link", but by manually copying the green link underneath the search result), open a new tab and paste the link there. I might also mention that I suspect that it is this very malware that rendered my Google Chrome completely useless (it crashes so often I had to switch to Mozilla) and that prevents me from installing Windows 7 Service Pack 1 due to an unknown rights sharing violation. I usually am able to take care of my business myself, but this particular piece of malicious software has proven to be too much of a challenge for me. Please help...

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_25

Run by MARK at 3:21:15 on 2011-06-30

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2940.1675 [GMT 1:00]

.

AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}

FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\Windows\system32\svchost.exe -k NetworkService

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k apphost

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

C:\Windows\System32\tcpsvcs.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k iissvcs

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Eraser\Eraser.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\KeyScrambler\KeyScrambler.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Settings,ProxyServer = 123.125.156.82:80

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Google Update] "c:\users\mark\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe

mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

uPolicies-explorer: ClearRecentProgForNewUserInStartMenu = 1 (0x1)

uPolicies-explorer: NoInstrumentation = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

TCP: DhcpNameServer = 10.0.0.1

TCP: Interfaces\{023CEC8E-FC65-44C0-AD56-C2003F865F71} : NameServer = 156.154.70.22,156.154.71.22

TCP: Interfaces\{023CEC8E-FC65-44C0-AD56-C2003F865F71} : DhcpNameServer = 10.0.0.1

TCP: Interfaces\{023CEC8E-FC65-44C0-AD56-C2003F865F71}\072796465677F6F646 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{023CEC8E-FC65-44C0-AD56-C2003F865F71}\244584572633D263D41593 : NameServer = 156.154.70.22,156.154.71.22

TCP: Interfaces\{023CEC8E-FC65-44C0-AD56-C2003F865F71}\244584572633D263D41593 : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{023CEC8E-FC65-44C0-AD56-C2003F865F71}\2445F40756E6A7F6E656 : DhcpNameServer = 192.168.22.22 192.168.22.23

TCP: Interfaces\{023CEC8E-FC65-44C0-AD56-C2003F865F71}\87C6E62627F616462616E646 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{023CEC8E-FC65-44C0-AD56-C2003F865F71}\E696767616 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{0C904E8B-176C-44A1-B1B7-705092B20F3C} : NameServer = 156.154.70.22,156.154.71.22

TCP: Interfaces\{E9CE7E0A-EE1D-4AA0-AEAF-72F20D9186C1} : NameServer = 192.168.137.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\guard32.dll c:\windows\system32\guard32.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\mark\appdata\roaming\mozilla\firefox\profiles\xh1j5jx7.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\users\mark\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Fast Video Download (with SearchMenu): {c50ca3c4-5656-43c2-a061-13e717f73fc8} - %profile%\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}

FF - Ext: PimpZilla: {a02c0c70-605c-11da-8cd6-0800200c9a66} - %profile%\extensions\{a02c0c70-605c-11da-8cd6-0800200c9a66}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video

FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa

.

============= SERVICES / DRIVERS ===============

.

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-5-2 19088]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-5-2 238960]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-5-2 37592]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]

R1 MpKsl2a8fcf3b;MpKsl2a8fcf3b;c:\programdata\microsoft\microsoft antimalware\definition updates\{b0acd2e9-1b7d-47a8-8928-316b145fbec1}\MpKsl2a8fcf3b.sys [2011-6-29 28752]

R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2010-11-10 7168]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-10-26 114952]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]

.

=============== Created Last 30 ================

.

2011-06-29 22:26:01 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b0acd2e9-1b7d-47a8-8928-316b145fbec1}\MpKsl2a8fcf3b.sys

2011-06-29 20:45:42 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b0acd2e9-1b7d-47a8-8928-316b145fbec1}\mpengine.dll

2011-06-29 07:47:54 -------- d-----w- c:\windows\system32\SPReview

2011-06-27 11:33:42 -------- d-----w- c:\program files\RegCleaner

2011-06-27 01:44:57 98816 ----a-w- c:\windows\sed.exe

2011-06-27 01:44:57 518144 ----a-w- c:\windows\SWREG.exe

2011-06-27 01:44:57 256512 ----a-w- c:\windows\PEV.exe

2011-06-27 01:44:57 208896 ----a-w- c:\windows\MBR.exe

2011-06-27 01:44:45 -------- d-s---w- C:\ComboFix

2011-06-26 21:32:36 -------- d--h--w- C:\VritualRoot

2011-06-26 20:24:25 -------- d-----w- c:\users\mark\appdata\local\ElevatedDiagnostics

2011-06-26 20:20:57 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-26 20:20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-26 02:31:24 -------- d-----w- c:\users\mark\appdata\local\COMODO

2011-06-23 20:32:52 -------- d-----w- c:\program files\Panda Security

2011-06-23 14:02:23 352641 ----a-w- c:\windows\system32\drivers\sfi.dat

2011-06-23 13:58:59 -------- d-----w- c:\programdata\Comodo

2011-06-23 13:58:51 -------- d-----w- c:\program files\COMODO

2011-06-20 23:24:45 63488 ----a-w- c:\windows\system32\drivers\wanarp.sys

2011-06-20 23:24:45 48128 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2011-06-20 23:08:25 -------- d-----w- c:\windows\CheckSur

2011-06-20 22:14:52 -------- d-----w- c:\windows\system32\wbem\repository

2011-06-20 14:26:34 -------- d-----w- c:\windows\system32\BestPractices

2011-06-20 14:26:32 -------- d-----w- C:\inetpub

2011-06-15 19:30:46 -------- d-----w- c:\users\mark\appdata\roaming\Malwarebytes

2011-06-15 19:30:19 -------- d-----w- c:\programdata\Malwarebytes

2011-06-15 09:41:27 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-06-15 09:41:25 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll

2011-06-15 09:41:18 1797632 ----a-w- c:\windows\system32\jscript9.dll

2011-06-15 04:42:02 311296 ----a-w- c:\windows\system32\drivers\srv.sys

2011-06-15 04:42:02 309760 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-06-15 04:42:01 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-06-15 04:41:54 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-06-15 04:41:53 338944 ----a-w- c:\windows\system32\drivers\afd.sys

2011-06-15 04:41:44 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-06-15 04:41:41 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys

2011-06-15 04:41:38 740864 ----a-w- c:\windows\system32\inetcomm.dll

2011-06-15 04:41:36 161792 ----a-w- c:\windows\system32\d3d10_1.dll

2011-06-15 04:39:58 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-06-15 04:39:57 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-06-15 04:39:56 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-06-07 11:35:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2011-06-07 07:48:33 24448 ----a-w- c:\windows\system32\drivers\rkhdrv40.sys

2011-06-07 07:47:11 -------- d-sh--w- C:\$RECYCLE.BIN

2011-06-07 07:47:07 -------- d-----w- c:\users\mark\appdata\local\temp

2011-06-05 14:56:54 -------- d-----w- c:\windows\system32\EventProviders

2011-06-04 17:52:28 -------- d-----w- C:\foo

2011-06-04 17:28:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-05-31 00:06:53 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-06 10:05:12 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-05-02 19:36:44 37592 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-05-02 19:36:42 238960 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2011-05-02 19:36:42 19088 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-05-02 19:36:04 284744 ----a-w- c:\windows\system32\guard32.dll

2011-04-22 19:36:05 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-04-09 06:13:06 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-04-09 06:13:06 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-04-09 05:56:38 123904 ----a-w- c:\windows\system32\poqexec.exe

.

============= FINISH: 3:25:55.82 ===============

logs.zip

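For triaging a DDS log like the one posted above, here is an added example (not part of the original thread, and not code from DDS or Malwarebytes): a small Python parser that pulls from the "Pseudo HJT Report" section the settings a search-redirect investigation looks at first, namely the ProxyServer entry, static NameServer overrides, hosts-file pins and AppInit_DLLs, and flags them for review. The sample lines are copied from the log above; the private-address test is a heuristic for prioritising review, not a verdict on any entry.

```python
import ipaddress
import re

# Constructed sample: lines copied from the "Pseudo HJT Report" section of the DDS log above.
SAMPLE_LOG = """\
uStart Page = about:blank
uInternet Settings,ProxyServer = 123.125.156.82:80
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\\{023CEC8E-FC65-44C0-AD56-C2003F865F71} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\\{E9CE7E0A-EE1D-4AA0-AEAF-72F20D9186C1} : NameServer = 192.168.137.1
AppInit_DLLs: c:\\windows\\system32\\guard32.dll c:\\windows\\system32\\guard32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(\S+)")
# \bNameServer deliberately does not match DhcpNameServer (DHCP-assigned, not a static override).
NAMESERVER_RE = re.compile(r"^TCP: .*\bNameServer\s*=\s*(\S+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+)$")


def is_local(ip: str) -> bool:
    """True for loopback or private (RFC 1918 style) addresses; False for public or unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private


def triage(log_text: str) -> list:
    """Return (kind, value, note) tuples for entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        if m := PROXY_RE.search(line):
            host = m.group(1).rsplit(":", 1)[0]
            # A system-wide proxy on a public address lets a third party see and rewrite every
            # HTTP request, which fits the "click a result, land somewhere else" symptom.
            note = "LAN/loopback proxy" if is_local(host) else "proxy on public address: traffic can be intercepted and redirected"
            findings.append(("proxy", m.group(1), note))
        elif m := NAMESERVER_RE.search(line):
            if not all(is_local(s) for s in m.group(1).split(",")):
                findings.append(("dns", m.group(1), "static DNS override to public resolvers: confirm it is intended"))
        elif m := HOSTS_RE.search(line):
            findings.append(("hosts", m.group(2), f"name pinned to {m.group(1)} by the hosts file"))
        elif m := APPINIT_RE.search(line):
            for dll in dict.fromkeys(m.group(1).split()):  # de-duplicate, keep order
                findings.append(("appinit", dll, "DLL loaded into every user-mode process: verify its publisher"))
    return findings


if __name__ == "__main__":
    for kind, value, note in triage(SAMPLE_LOG):
        print(f"[{kind:7}] {value}  ->  {note}")
```

On the log above this flags the public proxy first; the 156.154.70.x pair is the Comodo Secure DNS resolver, which the installed Comodo suite can set legitimately, so that finding is a confirmation item rather than an indicator.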

  • Staff

Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (Microsoft and Comodo). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
