View Full Version : Google Searches Redirecting to Random Websites



Nikodemos
2011-07-09, 20:30
Title says it all. I've run Spybot, Malware Bytes and CCleaner (before I saw the sticky where registry cleaners are not recommended) with no results. Backed up my registry with ERUNT (post CCleaner).

Here's my DDS:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Cheryl Barnett at 13:17:43 on 2011-07-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1360 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080513
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearch Bar = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KodakShareButtonApp] c:\program files\kodak\kodak share button app\Listener.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{046F5A84-095B-4052-90AE-997CA7F3D0EC} : DhcpNameServer = 68.87.68.166 68.87.74.166
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKslc5ffd174;MpKslc5ffd174;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{90621709-4faa-4a71-8da4-1b36c6bbc27c}\MpKslc5ffd174.sys [2011-7-9 28752]
R2 MSSQL$SOSHOME309;SQL Server (SOSHOME309);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-5-13 105984]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Cam3820;Cam3820 PC Camera Driver;c:\windows\system32\drivers\cam3820a.sys [2009-7-8 308096]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-9 39984]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-09 18:10:16 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{90621709-4faa-4a71-8da4-1b36c6bbc27c}\MpKslc5ffd174.sys
2011-07-09 16:01:33 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-09 16:01:26 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-09 16:01:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-09 14:43:11 -------- d-----w- c:\documents and settings\cheryl barnett.mine\application data\HpUpdate
2011-07-09 05:52:37 -------- d-----w- c:\documents and settings\cheryl barnett.mine\local settings\application data\Apple Computer
2011-07-09 05:48:00 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{90621709-4faa-4a71-8da4-1b36c6bbc27c}\mpengine.dll
2011-07-09 05:47:47 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-09 05:47:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-09 05:47:35 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-07-09 05:44:40 -------- d-----w- c:\documents and settings\cheryl barnett.mine\local settings\application data\Temp
2011-07-09 05:39:01 -------- d-----w- c:\program files\Microsoft Security Client
2011-07-09 05:34:01 -------- d-----w- c:\program files\Microsoft
2011-07-09 05:33:43 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-07-09 05:33:16 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2011-07-09 05:33:05 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-07-09 05:29:11 74520 ----a-w- c:\program files\common files\windows live\.cache\2201c3961cc3df9\DSETUP.dll
2011-07-09 05:29:11 484632 ----a-w- c:\program files\common files\windows live\.cache\2201c3961cc3df9\DXSETUP.exe
2011-07-09 05:29:11 1670936 ----a-w- c:\program files\common files\windows live\.cache\2201c3961cc3df9\dsetup32.dll
2011-07-09 05:28:08 1013800 ----a-w- c:\program files\common files\windows live\.cache\fc3de4001cc3df8\WindowsXP-KB954708-x86-ENU.exe
2011-07-09 05:22:22 -------- d-----w- c:\documents and settings\cheryl barnett.mine\application data\PriceGong
2011-07-09 05:22:03 -------- d-sh--w- c:\documents and settings\cheryl barnett.mine\IECompatCache
2011-07-09 05:08:45 -------- d-----w- c:\documents and settings\cheryl barnett.mine\application data\Windows Search
2011-07-09 05:01:33 -------- d-----w- c:\documents and settings\cheryl barnett.mine\application data\Malwarebytes
2011-07-09 04:47:14 -------- d-----w- c:\documents and settings\cheryl barnett.mine\local settings\application data\Conduit
2011-07-09 04:47:10 -------- d-sh--w- c:\documents and settings\cheryl barnett.mine\PrivacIE
2011-07-09 04:47:09 -------- d-----w- c:\documents and settings\cheryl barnett.mine\local settings\application data\Yahoo
2011-07-09 04:39:04 -------- d-sh--w- c:\documents and settings\cheryl barnett.mine\IETldCache
2011-07-08 23:52:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-06 14:05:52 674284 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-14 22:17:33 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-16 21:10:16 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2011-04-16 21:10:16 249856 ----a-w- c:\windows\system32\pdfmona.dll
.
============= FINISH: 13:24:44.28 ===============

Nikodemos
2011-07-10, 04:54
Saw that the user here (http://forums.spybot.info/showthread.php?t=63201) was having the same problems I am. In the hopes of being proactive, I went ahead and followed the same first steps he was given. Any help received will be much appreciated. The logs are attached.

Thanks.

tashi
2011-07-10, 08:19
Hello Nikodemos,

Saw that the user here (http://forums.spybot.info/showthread.php?t=63201) was having the same problems I am. In the hopes of being proactive, I went ahead and followed the same first steps he was given. Any help received will be much appreciated. The logs are attached.

Thanks.

FYI:

Note that all instructions given are customized for that member's personal computer only, the tools used may cause damage if run on a machine with different specs/infections. Please do not take fixes given to another user and apply to your own machine.
Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count; they look for topics with a 0 response. "BEFORE You POST" (Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

:lip:

Please start a new topic with the DDS logs and provide a link back to this one. :)