
IE google redirect issue



Hi everybody.

I am having issues with my google search links redirecting to spam websites. This only looks like it is a problem in Internet Explorer, although I have also had Firefox problems that might be related. I have reset Firefox a couple of times while trying to figure out what is going on.

I have followed the directions from this forum post - http://forums.malwarebytes.org/index.php?showtopic=9573 .

Malwarebytes' Anti-Malware - I ran this program and it identified one issue and it said it successfully fixed it.

I have attached the "ATTACH" text file, "ARC" text file, "MBAM log". I have also included the text of the "DDS" log below:

Thank you in advance for any help and advice! I promise to follow directions as closely as possible.

DDS LOG below

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_23

Run by Rogers at 18:38:55 on 2011-07-30

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.958.405 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\rundll32.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\rundll32.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Windows\system32\taskeng.exe

C:\Program Files\Kodak\KODAK Share Button App\Listener.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\Rogers\Desktop\GMERrootkitscanner.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://search.myheritage.com

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files\earthlink totalaccess\toolbar\toolbar\ElnkPub.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files\earthlink totalaccess\toolbar\toolbar\ProtctIE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files\earthlink totalaccess\toolbar\toolbar\uninsttb.dll

TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink totalaccess\toolbar\toolbar\Toolbar.dll

TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

StartupFolder: c:\users\rogers\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: EarthLink Google Search - c:\program files\earthlink totalaccess\toolbar\toolbar\SearchUI.dll/search.html

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

TCP: DhcpNameServer = 192.168.254.254 192.168.254.254

TCP: Interfaces\{0A8142A5-64C7-4DD2-BA59-1E37CC63CFD0} : DhcpNameServer = 192.168.254.254 192.168.254.254

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\rogers\appdata\roaming\mozilla\firefox\profiles\oykxzlb7.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://search.imesh.com/

FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 53798

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\users\rogers\appdata\roaming\mozilla\plugins\np-mswmp.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R1 MpKsl89f292f9;MpKsl89f292f9;c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\MpKsl89f292f9.sys [2011-7-30 28752]

R1 MpKsld0ac70f9;MpKsld0ac70f9;c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\MpKsld0ac70f9.sys [2011-7-30 28752]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-30 41272]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]

.

=============== Created Last 30 ================

.

2011-07-30 22:25:11 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\MpKsld0ac70f9.sys

2011-07-30 20:55:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-30 20:55:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-30 20:55:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-30 20:15:31 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\MpKsl89f292f9.sys

2011-07-30 19:11:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-07-30 19:11:24 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-07-30 19:01:21 6881616 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\mpengine.dll

2011-07-30 18:59:13 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{57fbffe9-3260-4479-adb1-ff2ee4a06c29}\gapaengine.dll

2011-07-20 21:53:58 0 ---ha-w- c:\windows\system32\neuelfpjsg.tmp

2011-07-18 23:18:11 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2011-07-12 14:08:47 54016 ----a-w- c:\windows\system32\drivers\febirb.sys

2011-07-11 17:53:48 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll

2011-07-11 17:48:54 -------- d-----w- c:\program files\Microsoft Security Client

2011-07-04 19:32:19 -------- d-----w- c:\programdata\aI06703BjDaM06703

.

==================== Find3M ====================

.

2011-06-11 23:28:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6000 Disk: ST325082 rev.3.AD -> Harddisk0\DR0 ->

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x87E9E4D0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87ea47d0]; MOV EAX, [0x87ea484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x82427F3B] -> \Device\Harddisk0\DR0[0x856ED228]

3 nt[0x824B07E2] -> ntkrnlpa!IofCallDriver[0x82427F3B] -> [0x84CA9F18]

5 acpi[0x804D732A] -> ntkrnlpa!IofCallDriver[0x82427F3B] -> [0x84CA6CA0]

\Driver\nvstor[0x85126160] -> IRP_MJ_CREATE -> 0x87E9E4D0

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

detected disk devices:

\Device\00000044 -> \??\SCSI#Disk&Ven_ST325082&Prod_0AS#4&21479b0c&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 18:39:44.28 ===============

Attach_ARC_MBAMLOG.zip

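The DDS output above already holds the clues a responder reads first: a Firefox manual proxy pointing at 127.0.0.1, address-bar search (keyword.URL) sent to a host that is not the selected engine, UAC switched off (EnableLUA = 0), BHO/toolbar entries with "No File", a hidden zero-byte .tmp in system32 and a freshly created driver with no service entry. The Python script below is an added example, not DDS, GMER or Malwarebytes code: it parses a constructed subset of the log lines posted in this thread (URLs are kept in DDS's defanged hxxp form) and reports those indicators. The parsing regexes, the cross-check of created drivers against the SERVICES / DRIVERS section, and the severities are this example's own assumptions, intended for triage; every hit still needs manual confirmation.

```python
"""Triage helper for a DDS log (added example, not DDS or Malwarebytes code).

It reads the Pseudo HJT, FIREFOX, SERVICES / DRIVERS and Created Last 30
lines and flags the indicators that explain a redirect problem: a proxy on
the local machine, address-bar search sent to an unexpected host, UAC off,
orphaned BHO/toolbar entries, hidden temp files and new drivers with no
registered service. The rules and severities are this example's own.
"""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the DDS log posted in this thread,
# trimmed to the sections the checks below read.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://search.myheritage.com
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
mPolicies-system: EnableLUA = 0 (0x0)
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.imesh.com/
FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53798
FF - prefs.js: network.proxy.type - 1
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-30 41272]
2011-07-30 20:55:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-20 21:53:58 0 ---ha-w- c:\windows\system32\neuelfpjsg.tmp
2011-07-12 14:08:47 54016 ----a-w- c:\windows\system32\drivers\febirb.sys
"""

FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
SERVICE = re.compile(r"^[RS]\d \S+;[^;]*;(.+?) \[")
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\S+) (\S{8}) (.+)$")
DEFANGED_HOST = re.compile(r"^hxxps?://([^/]+)", re.IGNORECASE)


def firefox_prefs(text):
    """Map Firefox pref name -> value from the 'FF - prefs.js:' lines."""
    return {m.group(1): m.group(2).strip()
            for m in map(FF_PREF.match, text.splitlines()) if m}


def registered_driver_files(text):
    """Lower-cased image paths of every R*/S* service or driver entry."""
    return {m.group(1).lower()
            for m in map(SERVICE.match, text.splitlines()) if m}


def created_files(text):
    """(size, attributes, lower-cased path) for each 'Created Last 30' line."""
    out = []
    for m in filter(None, map(CREATED.match, text.splitlines())):
        size = int(m.group(1)) if m.group(1).isdigit() else None
        out.append((size, m.group(2), m.group(3).lower()))
    return out


def triage(text):
    """Return (severity, description) findings for the log text."""
    findings = []
    prefs = firefox_prefs(text)

    # A manual proxy on the loopback address means a local process sits in
    # the path of every Firefox request; it is the usual cause of redirects.
    if prefs.get("network.proxy.type") == "1":
        host = prefs.get("network.proxy.http", "")
        try:
            loopback = ip_address(host).is_loopback
        except ValueError:
            loopback = False
        if loopback:
            findings.append(("HIGH", "Firefox manual HTTP proxy is %s:%s (local interception of browser traffic)"
                             % (host, prefs.get("network.proxy.http_port", "?"))))

    # Address-bar searches go to keyword.URL; its host should match the chosen engine.
    engine = prefs.get("browser.search.selectedEngine", "").lower()
    m = DEFANGED_HOST.match(prefs.get("keyword.URL", ""))
    if engine and m and engine not in m.group(1).lower():
        findings.append(("MEDIUM", "address-bar search sent to %s while the selected engine is %s"
                         % (m.group(1), engine)))

    if re.search(r"^mPolicies-system: EnableLUA = 0\b", text, re.MULTILINE):
        findings.append(("MEDIUM", "EnableLUA = 0: UAC is off, admin-account processes run with a full token"))

    orphans = [l for l in text.splitlines() if l.startswith(("BHO:", "TB:")) and l.endswith("- No File")]
    if orphans:
        findings.append(("LOW", "%d BHO/toolbar entries point at a missing file (No File)" % len(orphans)))

    drivers = registered_driver_files(text)
    for size, attrs, path in created_files(text):
        # DDS attribute column: 'h' marks a hidden file.
        if path.endswith(".tmp") and "h" in attrs and size == 0 and "\\system32\\" in path:
            findings.append(("MEDIUM", "hidden zero-byte temp file in system32: " + path))
        if path.endswith(".sys") and "\\drivers\\" in path and path not in drivers:
            findings.append(("MEDIUM", "new driver with no service entry in this log: " + path))
    return findings


if __name__ == "__main__":
    for severity, description in triage(SAMPLE_DDS):
        print("%-6s %s" % (severity, description))
```

Run against the sample it prints six findings, led by the loopback proxy on port 53798; mbamswissarmy.sys is not reported because the SERVICES / DRIVERS section registers it, while febirb.sys is created in the same folder with no such entry. The driver cross-check only knows what the log shows, so a driver loaded by a service DDS did not list would still be flagged and needs a look at the file itself.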

Just to give an update, I followed the advice of some other posts on this forum and I believe I am in good shape. After a fresh reboot, I have run a couple malware and virus scanners and they come up clean. IE and firefox are working great.

Thanks for making this forum such a useful place.


Warning: possible TDL3 rootkit infection !


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    (screenshot: TDSSKillermain.png)
  • If an infected file is detected, the default action will be Cure, click on Continue.
    (screenshot: TDSSKillerMal-1.png)
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    (screenshot: TDSSKillerSuspicious.png)
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    (screenshot: TDSSKillerCompleted.png)
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.

Also please describe how your computer behaves at the moment.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
