Jump to content

I am a victum of the Browser Rediret Virus

Recommended Posts

Like several others, one of the computers on my home network is infected with the Google / Browser redirect virus. If I click on a link in a the results returned by a Google search, it is redirected to some other random website. The infected computer is running McAfee total protection (apparently not so total). I have also installed an run Malwarebytes and Spybot. None of these find the source of the problem.

Here is the most recent Malwarebytes' Anti-Malware log file:

Malwarebytes' Anti-Malware


Database version: 7084

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/12/2011 6:32:53 PM

mbam-log-2011-07-12 (18-32-53).txt

Scan type: Quick scan

Objects scanned: 165361

Time elapsed: 8 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the DDS Log:

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Edmond White at 13:32:49 on 2011-07-12


============== Running Processes ===============





C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\wLite\wLite.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


C:\Program Files\No-IP\DUC30.exe

C:\WeatherLink\WeatherLink 5.9.2.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe



C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe



C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Edmond White\Desktop\Defogger.exe

C:\Documents and Settings\Edmond White\Desktop\dds.scr


C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter


============== Pseudo HJT Report ===============


uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = about:blank

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uURLSearchHooks: H - No File

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110610190734.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

uRun: [wLite] "c:\program files\wlite\wLite.exe" -auto

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\henry white\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835

DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {AECD14A8-F662-11D1-A395-00805F535788} - hxxp://www.investors.com/member/ocx/plotwon.ocx

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

TCP: DhcpNameServer =

TCP: Interfaces\{CED82A8A-1C8A-4F4B-8483-0FC25BF3EEEF} : DhcpNameServer =

TCP: Interfaces\{DEF5215A-0310-425C-A452-E551997B5739} : DhcpNameServer =

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


============= SERVICES / DRIVERS ===============


R? Boonty Games;Boonty Games

R? BulkUsb;Genesys Logic USB Scanner Controller NT 5.0

R? hamachi_oem;PlayLinc Adapter

R? MBAMProtector;MBAMProtector

R? MBAMService;MBAMService

R? MBAMSwissArmy;MBAMSwissArmy

R? McOobeSv;McAfee OOBE Service

R? mfendisk;McAfee Core NDIS Intermediate Filter

R? mferkdet;McAfee Inc. mferkdet

R? RT80x86;Linksys WPC600N/WMP600N Wireless-N Card Driver

R? SlingAgentService;SlingAgentService

R? wxpSvc;webcamXP Service

R? XDva136;XDva136

S? cfwids;McAfee Inc. cfwids

S? LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter

S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service

S? McMPFSvc;McAfee Personal Firewall Service

S? McNaiAnn;McAfee VirusScan Announcer

S? McProxy;McAfee Proxy Service

S? McShield;McAfee McShield

S? mfeavfk;McAfee Inc. mfeavfk

S? mfebopk;McAfee Inc. mfebopk

S? mfefire;McAfee Firewall Core Service

S? mfefirek;McAfee Inc. mfefirek

S? mfehidk;McAfee Inc. mfehidk

S? mfendiskmp;mfendiskmp

S? mfetdi2k;McAfee Inc. mfetdi2k

S? mfevtp;McAfee Validation Trust Protection Service



=============== Created Last 30 ================


2011-07-12 00:47:00 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-07-09 20:16:07 -------- d-----w- c:\documents and settings\edmond white\application data\Malwarebytes

2011-07-09 20:14:25 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-09 20:14:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-07-09 20:13:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-09 13:44:37 -------- d-sh--w- c:\documents and settings\edmond white\PrivacIE

2011-07-09 13:32:28 -------- d-sh--w- c:\documents and settings\edmond white\IETldCache

2011-07-09 13:23:01 -------- d-----w- c:\windows\ie8updates

2011-07-09 13:10:42 -------- dc-h--w- c:\windows\ie8

2011-07-09 12:54:19 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-07-09 12:54:07 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-07-09 12:54:06 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-07-09 12:54:00 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-07-09 12:53:49 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-07-09 12:53:47 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-07-09 12:53:44 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-07-09 12:53:23 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-06-16 21:44:39 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-06-16 21:44:39 -------- d-----w- c:\windows\system32\wbem\Repository


==================== Find3M ====================


2011-07-01 11:24:32 52352 ------w- c:\windows\system32\drivers\volsnap.sys

2011-05-15 18:33:32 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys


============= FINISH: 13:45:36.11 ===============

The ARK.TXT and Attack.txt files are in the attached file (attach.zip)

Thank you for your assistance.


Ed White


Link to post
Share on other sites

Hello EdW and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

***Note: In order for ComboFix to run properly McAfee must be uninstalled. Please go here and follow the instructions to uninstall McAfee.

McAfee needs to remain uninstalled until I tell you its safest to reinstall it.


I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure Advanced Mode is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck Resident TeaTimer and OK any prompts

You can re-enable TeaTimer once your system is clean.


Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue tdsskiller2.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue tdsskiller3.png
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
how the PC is running now?
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
***IMPORTANT: save ComboFix to your Desktop***
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please go here to see a list of programs that should be disabled.
**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**
Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


In your next reply, please include:

  • C:\ComboFix.txt
  • TDSSKiller log
  • Security Check checkup.txt

How is your computer running now?

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.