Jump to content

Google results redirect in all browser - iexplore.exe running under svchost

Recommended Posts

Google search results are being redirected to random sites in IE, Chrome and FF. IE window closes periodically too.

SysInternals Process Explorer shows an iexplore.exe running under the [svchost -k DcomLaunch] process, with a command line of [C:\Program Files\Internet Explorer\iexplore.exe -Embedded]. If I kill this IE it restarts after a while.

MBAM is reporting svchost.exe being blocked from accessing potentially malicious web sites on and several times a day.

MBAM, Spybot S&D, SUPERAntiSpyware, Symantec Endpoint Protection scans all report nothing found (except a few tracking cookies - usually to doubleclick)

Here's the DDS log:


DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by Administrator at 12:22:28 on 2011-10-27

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3061.2172 [GMT 1:00]


AV: PC Cleaners *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}


============== Running Processes ===============


C:\WINDOWS\system32\svchost.exe -k DcomLaunch


C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe



C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe



C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe


C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe



C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


C:\Program Files\Internet Explorer\IEXPLORE.EXE


============== Pseudo HJT Report ===============


uStart Page = hxxp://server

uDefault_Page_URL = hxxp://server

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://server/Reports_SQLEXPRESS/Reserved.ReportViewerWebControl.axd?ReportSession=bfuvwc555aozov45ffjwlv45&ControlID=ae2ec9e224b749a5adffa4420ba11dfa&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab&Arch=X86

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260281083779

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: DhcpNameServer =

TCP: Interfaces\{373F4763-7CB4-498B-8666-823DAF98251C} : DhcpNameServer =

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL


================= FIREFOX ===================


FF - ProfilePath - c:\documents and settings\administrator.schofields\application data\mozilla\firefox\profiles\5v9dopcf.default\

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll


============= SERVICES / DRIVERS ===============


R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-8-11 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-8-11 108392]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-29 366152]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-7-28 576024]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-10-26 439632]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-8-11 1839776]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-29 22216]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111026.025\NAVENG.SYS [2011-10-27 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111026.025\NAVEX15.SYS [2011-10-27 1576312]


=============== Created Last 30 ================


2011-10-27 07:54:35 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{9250e94f-f447-4c4d-a05a-2d57b3e84a4c}\offreg.dll

2011-10-26 19:51:08 -------- d-----w- C:\ComboFix

2011-10-26 18:51:44 -------- d-sha-r- C:\cmdcons

2011-10-26 18:44:40 98816 ----a-w- c:\windows\sed.exe

2011-10-26 18:44:40 518144 ----a-w- c:\windows\SWREG.exe

2011-10-26 18:44:40 256000 ----a-w- c:\windows\PEV.exe

2011-10-26 18:44:40 208896 ----a-w- c:\windows\MBR.exe

2011-10-26 17:44:14 -------- d-----w- c:\documents and settings\administrator.schofields\local settings\application data\Adobe

2011-10-26 15:16:42 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro

2011-10-26 15:06:32 -------- d-----w- c:\program files\WinPcap

2011-10-26 14:08:23 -------- d-----w- c:\windows\pss

2011-10-26 14:03:37 388096 ----a-r- c:\documents and settings\administrator.schofields\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-10-26 14:03:36 -------- d-----w- c:\program files\Trend Micro

2011-10-26 11:51:37 -------- d-----w- c:\documents and settings\administrator.schofields\application data\SUPERAntiSpyware.com

2011-10-26 11:51:02 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-10-26 11:51:02 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-10-26 11:45:47 -------- d-----w- c:\documents and settings\administrator.schofields\application data\Malwarebytes

2011-10-26 11:44:24 -------- d-----w- c:\documents and settings\administrator.schofields\local settings\application data\Mozilla

2011-10-26 11:25:10 -------- d-----w- c:\documents and settings\all users\application data\Ask

2011-10-26 11:18:10 -------- d-sh--w- c:\documents and settings\administrator.schofields\PrivacIE

2011-10-26 11:18:00 293888 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HP1006S.DLL

2011-10-25 12:42:15 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{9250e94f-f447-4c4d-a05a-2d57b3e84a4c}\mpengine.dll

2011-10-13 10:42:32 -------- d-----w- c:\documents and settings\all users\application data\PC1Data

2011-10-10 14:02:05 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-10-10 14:02:05 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-09-29 15:27:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-29 15:27:49 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-09-29 15:27:49 472808 ----a-w- c:\windows\system32\deployJava1.dll


==================== Find3M ====================


2011-10-21 07:44:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-13 10:42:18 5356304 ----a-w- c:\windows\uninst.exe

2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-11 10:44:46 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-08-11 10:44:46 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-08-11 09:34:06 87408 ----a-w- c:\windows\system32\FwsVpn.dll

2011-08-11 09:34:06 625032 ----a-w- c:\windows\system32\SymNeti.dll

2011-08-11 09:34:06 242056 ----a-w- c:\windows\system32\SymRedir.dll

2011-08-11 09:34:06 107888 ----a-w- c:\windows\system32\SymVPN.dll

2011-08-11 09:34:04 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

2011-08-11 09:34:04 320944 ----a-w- c:\windows\system32\drivers\srtspl.sys

2011-08-11 09:34:04 284720 ----a-w- c:\windows\system32\drivers\srtsp.sys

2011-08-11 09:33:58 39856 ----a-w- c:\windows\system32\drivers\symids.sys

2011-08-11 09:33:58 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys

2011-08-11 09:33:58 35120 ----a-w- c:\windows\system32\drivers\symndis.sys

2011-08-11 09:33:58 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys

2011-08-11 09:33:58 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys

2011-08-11 09:33:58 145968 ----a-w- c:\windows\system32\drivers\symfw.sys

2011-08-11 09:33:58 12720 ----a-w- c:\windows\system32\drivers\symdns.sys


============= FINISH: 12:28:29.37 ===============

Forgot to attach the DDS Attach.txt...


Link to post
Share on other sites


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step


Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

please post the contents of that log TDSSKiller log.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.