Address bar search going to look-up-results.com instead of Google



kcmal
2008-02-14, 18:46
On reboot, after Windows starts with the desktop background showing but before the desktop icons are shown/loaded, I get:

RUNDLL
Error loading C:\windows\system32\iernonce.dll
The specified process could not be found

I think this was caused by VundoFix. This is the log:


VundoFix V6.7.8

Checking Java version...

Scan started at 8:51:28 PM 2/11/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...


My reason for running VundoFix is that I am redirected to http://wwww2.look-up-results.com whenever I use the address bar in both Firefox and IE to search for a known site such as yahoo, digg, reddit. Google is supposed to be my default search. If I just use the word yahoo, digg, etc., I get redirected. If I use the word yahoo.com, digg.com, I go to the correct site. I use Firefox most and only use IE if forced to.

Can't get Windows Updates. After it starts its prep I get an error 0x8007007F. Can't get the Kaspersky online scan to load its program. All this seems to be ActiveX problems. Ran McAfee complete virus scan; it's clean. Spybot S&D was clean except for 1 tracking cookie. Ad-Aware was clean. McAfee Stinger was clean.

The redirect only happens on my dialup connection, only on this laptop. My desktop PC is not affected on the same dialup connection. Also not redirected if I leech off my neighbor's WiFi.


Also ran ComboFix. Here is a part of its log. Will post the complete log on request.

ComboFix 08-02-13.2 - Mike Lindow 2008-02-12 16:29:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -6:00]
Running from: C:\Documents and Settings\Mike Lindow\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.dj+|C̛v+@J:NGD_DQ{zGD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|C̛vad S-1-5-18 `HT4?? 6VwoQZCDHMiC:\WINDOWS\SoftwareDistribution\Download\5a61c35c8b16af02e0d6ee9539eece21\WindowsXP-KB946627-x86-ENU.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 15:15 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\iernonce.dl_
2008-02-11 22:13 . 2008-02-11 22:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 20:51 . 2008-02-11 20:51 <DIR> d-------- C:\VundoFix Backups
2008-02-11 12:33 . 2008-02-11 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-11 12:10 . 2008-02-11 12:26 <DIR> d-------- C:\fixwareout
2008-02-04 14:34 . 2008-02-04 14:34 335 --a------ C:\WINDOWS\mozregistry.dat
2008-02-02 13:12 . 2008-02-04 11:53 <DIR> d-------- C:\Jobs
2008-02-01 12:18 . 2008-02-01 12:18 <DIR> d-------- C:\Documents and Settings\Mike Lindow\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 22:32 4,978,720 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-12 22:24 59,180 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-12 04:47 --------- d-----w C:\Program Files\directx
2008-02-12 00:41 --------- d-----w C:\Program Files\DAP
2008-02-12 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 22:59 --------- d-----w C:\Program Files\Spybot
2008-02-02 13:44 27,614 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_02_01_19_22_37_full.dmp.zip
2008-01-27 04:46 --------- d-----w C:\Documents and Settings\Mike Lindow\Application Data\uTorrent
2008-01-18 16:57 --------- d-----w C:\Program Files\McAfee
2008-01-16 01:03 --------- d-----w C:\Program Files\Procomm Plus
2008-01-01 20:03 --------- d-----w C:\Program Files\Java
2008-01-01 19:49 --------- d-----w C:\Program Files\Common Files\Java
2007-12-30 19:32 --------- d-----w C:\Program Files\Microsoft GIF Animator
2007-12-30 19:32 --------- d-----w C:\Program Files\IrfanView
2007-09-24 05:51 14,724 ----a-w C:\Program Files\GPS UtilityTrkLog070924_05.txt
2007-09-22 00:02 3,440 ----a-w C:\Program Files\GPS UtilityTrkLog070922_00.txt
2007-09-21 23:59 7,346 ----a-w C:\Program Files\GPS UtilityTrkLog070921_23.txt
2007-09-20 19:30 2,138 ----a-w C:\Program Files\GPS UtilityTrkLog070920_19.txt
2007-09-16 18:23 441 ----a-w C:\Program Files\GPS UtilityTrkLog070916_18.txt
.


Here is the complete HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:49 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\CPal\CPBrWtch.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\McAfee\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\McAfee\VsStat.exe
C:\Program Files\McAfee\Vshwin32.exe
C:\Program Files\McAfee\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=dticon006&c=1c02&lc=0409
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\VSCShellExtension.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [Cookie Pal] "C:\Program Files\CPal\CPBrWtch.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189205193863
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E6657C-3624-4E1D-95BD-216046450BD2}: NameServer = 64.136.173.5 64.136.164.77
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\Avsynmgr.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6555 bytes