
Thread: Another Case Of Google Redirects

    So I have run into the problem of having my Google search results redirect to spam sites. I did run Spybot and got rid of the stuff it detected, as well as running HijackThis and destroying items in the log that I could identify as not my legit software.

    Here's the DDS log:
    .
    DDS (Ver_2011-08-26.01) - FAT32x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.2.0
    Run by Joshua at 10:46:43 on 2012-03-30
    .
    ============== Running Processes ===============
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page =
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    uStart Page = hxxp://www.yahoo.com/
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uSearchAssistant =
    mSearchAssistant =
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
    TB: {37153479-1976-43C3-A1EE-557513977B64} - No File
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    TB: {9565115D-C7D6-46D3-BD63-B67B481A4368} - No File
    TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
    TB: VShareToolBar: {7ac3e13b-3bca-4158-b330-f66dbb03c1b5} - c:\program files\vshare.tv plugin\BarLcher.dll
    uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\joshua.northorphq.003\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
    uRun: [RemoteCenter] c:\program files\creative\sblive\remotecenter\rc\Rcman.exe
    uRun: [Steam] "d:\games\sierra\valve\Steam.exe" -silent
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [NeroFilterCheck] c:\windows.0\system32\NeroCheck.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector10\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector10" updatewithcreateonce "software\cyberlink\powerdirector\10.0"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows.0\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    StartupFolder: c:\docume~1\joshua~1.003\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
    StartupFolder: c:\docume~1\joshua~1.003\startm~1\programs\startup\mlbtvn~1.lnk - c:\documents and settings\joshua.northorphq.003\local settings\application data\autobahn\mlb-nexdef-autobahn.exe
    StartupFolder: c:\docume~1\joshua~1.003\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    mPolicies-explorer: <NO NAME> =
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    Trusted Zone: the506.com
    Trusted Zone: the506.com\www
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
    DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
    DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
    DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://download.pplive.com/config/pplite/pluginsetup.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15118/CTPID.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{15766AB2-C498-49C2-9079-1FE40F8D06C2} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{42DE0B09-5D7A-4D4F-AB53-0DD93B767FCC} : DhcpNameServer = 192.168.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} -
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.0\system32\WPDShServiceObj.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows.0\system32\rundll32.exe c:\windows.0\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\joshua.northorphq.003\application data\mozilla\firefox\profiles\zj8xy7h1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - MyStart Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com//?loc=ff_address_bar&a=DidCEEIT1u&search=
    FF - plugin: c:\documents and settings\joshua.northorphq.003\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPGetRt.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - plugin: c:\program files\tabletplugins\npWacomTabletPlugin.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extentions.y2layers.installId - 4029fc6c-7641-4e23-9d01-58092114d645
    FF - user.js: extentions.y2layers.defaultEnableAppsList - PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,SanitySwitch,PageRage,PageRageGlobal,
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    2012-03-29 15:40:52 -------- d-----w- c:\documents and settings\all users.windows.0\application data\Spybot - Search & Destroy
    2012-03-14 13:29:57 -------- d-----w- c:\program files\common files\ODBC
    2012-03-13 03:41:47 -------- d-----w- c:\windows.0\Performance
    2012-03-13 03:41:39 -------- d-----w- c:\documents and settings\joshua.northorphq.003\local settings\application data\Microsoft Corporation
    2012-03-13 03:41:21 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
    2012-03-09 15:35:14 -------- d-----w- c:\documents and settings\joshua.northorphq.003\application data\Boilsoft
    2012-03-09 15:35:12 -------- d-----w- c:\program files\Boilsoft
    2012-03-01 08:25:37 876864 ------w- c:\windows.0\system32\nvhdagenco3220103.dll
    2012-03-01 08:25:37 27968 ----a-w- c:\windows.0\system32\nvhdap32.dll
    2012-03-01 08:25:37 123712 ----a-w- c:\windows.0\system32\drivers\nvhda32.sys
    2012-03-01 07:56:28 -------- d-----w- c:\program files\common files\Creative Labs Shared
    2012-03-01 07:25:39 -------- d-----w- c:\windows.0\system32\Lang
    2012-03-01 07:24:52 17488 ----a-w- c:\windows.0\gdrv.sys
    2012-03-01 07:19:59 2815592 ----a-w- c:\windows.0\ALCWZRD.EXE
    2012-03-01 07:19:58 285288 ----a-w- c:\windows.0\system32\ALSNDMGR.CPL
    2012-03-01 07:19:58 1691480 ----a-w- c:\windows.0\system32\drivers\Ambfilt.sys
    2012-03-01 07:19:57 -------- d-----w- c:\program files\Realtek
    2012-03-01 07:19:50 1284712 ------r- c:\windows.0\RtlExUpd.dll
    2012-03-01 07:18:47 53248 ----a-r- c:\windows.0\system32\CSVer.dll
    2012-03-01 07:17:21 -------- d--h--w- c:\documents and settings\all users.windows.0\application data\{8533ADFA-85F0-4dc1-946A-2A0BA58E78E3}
    2012-03-01 07:17:17 -------- d-----w- c:\documents and settings\joshua.northorphq.003\application data\Splashtop
    2012-03-01 07:16:16 -------- d-----w- c:\program files\Gigabyte
    2012-03-01 07:14:57 20608 ----a-w- c:\windows.0\system32\drivers\usbuhci.sys
    2012-03-01 07:14:57 20608 ----a-w- c:\windows.0\system32\dllcache\usbuhci.sys
    2012-03-01 07:13:17 207400 ----a-r- c:\windows.0\GSetup.exe
    .
    ==================== Find3M ====================
    .
    2012-03-13 15:28:42 294008 ----a-w- c:\windows.0\system32\nvdrsdb1.bin
    2012-03-13 15:28:42 1 ----a-w- c:\windows.0\system32\nvdrssel.bin
    2012-03-13 15:28:38 294008 ----a-w- c:\windows.0\system32\nvdrsdb0.bin
    2012-03-08 20:41:26 230808 ----a-r- c:\windows.0\system32\cpnprt2.cid
    2012-03-01 07:55:40 445016 ----a-w- c:\windows.0\system32\wrap_oal.dll
    2012-03-01 07:55:40 109144 ----a-w- c:\windows.0\system32\OpenAL32.dll
    2012-02-29 23:58:00 881984 ----a-w- c:\windows.0\system32\nvgenco32.dll
    2012-02-29 23:58:00 65536 ----a-w- c:\windows.0\system32\OpenCL.dll
    2012-02-29 23:58:00 5918720 ----a-w- c:\windows.0\system32\nvcuda.dll
    2012-02-29 23:58:00 4309760 ----a-w- c:\windows.0\system32\nv4_disp.dll
    2012-02-29 23:58:00 2522944 ----a-w- c:\windows.0\system32\nvcuvid.dll
    2012-02-29 23:58:00 2437440 ----a-w- c:\windows.0\system32\nvcuvenc.dll
    2012-02-29 23:58:00 2291712 ----a-w- c:\windows.0\system32\nvapi.dll
    2012-02-29 23:58:00 18624512 ----a-w- c:\windows.0\system32\nvoglnt.dll
    2012-02-29 23:58:00 17534976 ----a-w- c:\windows.0\system32\nvcompiler.dll
    2012-02-29 23:58:00 13417632 ----a-w- c:\windows.0\system32\drivers\nv4_mini.sys
    2012-02-29 23:58:00 1000256 ----a-w- c:\windows.0\system32\nvdispco32.dll
    2012-02-29 20:30:32 54272 ----a-w- c:\windows.0\system32\nvwddi.dll
    2012-02-29 20:30:26 15494464 ----a-w- c:\windows.0\system32\nvcpl.dll
    2012-02-29 20:30:26 143680 ----a-w- c:\windows.0\system32\nvcolor.exe
    2012-02-29 20:30:24 164160 ----a-w- c:\windows.0\system32\nvsvc32.exe
    2012-02-29 20:30:24 108352 ----a-w- c:\windows.0\system32\nvmctray.dll
    2012-02-22 14:39:10 141312 ----a-w- c:\windows.0\system32\javacpl.cpl
    2012-02-22 14:39:08 637848 ----a-w- c:\windows.0\system32\npdeployJava1.dll
    2012-02-22 14:39:08 567184 ----a-w- c:\windows.0\system32\deployJava1.dll
    2012-02-20 13:54:24 414368 ----a-w- c:\windows.0\system32\FlashPlayerCPLApp.cpl
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows.0\system32\win32k.sys
    2012-01-31 15:12:38 4423680 ----a-w- c:\windows.0\system32\SET1A.tmp
    2012-01-11 18:06:48 3072 ------w- c:\windows.0\system32\iacenc.dll
    2012-01-09 16:20:26 139784 ----a-w- c:\windows.0\system32\drivers\rdpwd.sys
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Maxtor_6L300R0 rev.BAH41E00 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A87149F]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a878740]; MOV EAX, [0x8a8788b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A93EAB8]
    3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000070[0x8A902F18]
    5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A980940]
    \Driver\atapi[0x8A901BB8] -> IRP_MJ_CREATE -> 0x8A87149F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A8712C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 10:48:26.19 ===============

    Edit: Hopefully this helps anyone else running into this problem.
    Forum sticky.

    • Note that all instructions given are customized for that member's personal computer only, the tools used may cause damage if run on a machine with different specs/infections. Please do not take fixes given to another user and apply to your own machine.
    • If someone posts instructions in their own topic, "this worked for me", it will be removed, possibly without notice. Just so you know.
    http://forums.spybot.info/showthread.php?t=288
    Last edited by tashi; 2012-03-30 at 18:41. Reason: Second post removed.