Thread: Search Engine Redirect Virus w/ Google

  1. #1
    Member
    Join Date
    Jun 2007
    Posts
    54

    Search Engine Redirect Virus w/ Google

    Hi,

    I've recently gotten a possible virus where I search something on Google, click on a link, and then get redirected to another website that is not relevant to what I wanted. The virus has gotten serious, where I now have to be in SAFE MODE to be able to use the internet because it has totally cut me off when it's in normal mode.

    Thanks!


    DDS Log (not sure if correct since I did it in Safe Mode):

    .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Run by User at 21:20:09 on 2012-01-01
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.766 [GMT -8:00]
    .
    AV: Trend Micro Titanium Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.searchqu.com/406
    BHO: {1252b80d-9470-4041-839c-c4551fdb1a1d} - c:\documents and settings\user\local settings\application data\ServiceSys32.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
    BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~4\datamngr\toolbar\searchqudtx.dll
    BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~4\datamngr\toolbar\searchqudtx.dll
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [Policies Update] rundll32 "c:\documents and settings\user\local settings\application data\adobe\adobeupdate\Adobeup.dll",DllRegisterServer
    uRun: [DisplayBackupBackup] rundll32.exe "c:\documents and settings\all users\application data\DisplayBackupBackup.dll",DllRegisterServer
    uRun: [GNU Update] rundll32 "c:\documents and settings\user\local settings\application data\temp\tempupdate\Tempup.dll",DllRegisterServer
    uRun: [Privacy Protection] c:\documents and settings\all users\application data\privacy.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
    mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    TCP: DhcpNameServer = 68.87.76.182 68.87.78.134
    TCP: Interfaces\{6C8BC5C1-AACB-4CE1-962C-FC33BB5BFF43} : DhcpNameServer = 68.87.76.182 68.87.78.134
    Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
    Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
    AppInit_DLLs:
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\od56xxqk.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&appid=119&systemid=406&sr=0&q=
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    S2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-8-17 188272]
    S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-8-17 64080]
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    2011-11-08 05:09:17 842752 ----a-w- c:\documents and settings\all users\application data\privacy.exe
    2011-11-07 00:14:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-11-06 06:13:31 0 ---ha-w- c:\documents and settings\user\jecownkgxo.tmp
    2011-10-29 06:50:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-29 06:49:49 339968 ----a-w- c:\documents and settings\all users\application data\DisplayBackupBackup.dll
    .
    ============= FINISH: 21:20:31.39 ===============
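As an added triage example (not part of the poster's log, of DDS, or of the helper's instructions), the Python below runs two checks over lines copied from the report above: autorun and BHO entries that load a DLL or EXE from a user-writable directory (the rundll32 ...,DllRegisterServer loaders and privacy.exe), and start-page or search settings that point to a host other than the engine the user expects. The expected-host list is an assumption made for the example.

```python
import re

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and Firefox
# sections posted above, so the checks run offline on the poster's own data.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.searchqu.com/406
BHO: {1252b80d-9470-4041-839c-c4551fdb1a1d} - c:\documents and settings\user\local settings\application data\ServiceSys32.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Policies Update] rundll32 "c:\documents and settings\user\local settings\application data\adobe\adobeupdate\Adobeup.dll",DllRegisterServer
uRun: [Privacy Protection] c:\documents and settings\all users\application data\privacy.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&appid=119&systemid=406&sr=0&q=
"""

# Directories a limited XP user can write to; vendor autoruns normally live in
# program files or system32, so a loader sitting here is the classic tell.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Drive-letter path ending in .dll/.exe, stopping at a closing quote or comma.
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)
# Hosts the user is assumed to expect (the poster says Google is intended).
EXPECTED_SEARCH_HOSTS = ("google.", "bing.", "yahoo.")

def triage(log_text):
    """Return (indicator, reason) pairs worth a helper's attention."""
    findings = []
    for line in log_text.splitlines():
        low = line.strip().lower()
        if low.startswith(("urun:", "mrun:", "bho:", "tb:")):
            for path in PATH_RE.findall(line):
                if any(d in path.lower() for d in USER_WRITABLE):
                    reason = "autorun from user-writable path"
                    if "dllregisterserver" in low:
                        # rundll32 <dll>,DllRegisterServer is a common disguise for a DLL loader
                        reason += " via rundll32 DllRegisterServer"
                    findings.append((path, reason))
        elif any(k in low for k in ("start page", "keyword.url", "homepage")):
            target = line.split(" - ")[-1] if " - " in line else line.split("=", 1)[-1]
            host = re.sub(r"^h(?:xx|tt)ps?://", "", target.strip()).split("/")[0]
            if not any(h in host for h in EXPECTED_SEARCH_HOSTS):
                findings.append((host, "search/homepage setting points to unexpected host"))
    return findings

if __name__ == "__main__":
    for indicator, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {indicator}")
```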

  2. #2
    Malware Team-Emeritus
    Join Date
    May 2010
    Posts
    212

    Hello.

    My nickname is vict0r and I will help you with the malware issues on your computer.

    Please read the following information carefully.

    IMPORTANT: Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

    To make cleaning this machine easier:

    • Continue to respond to this thread until I tell you that the logs are clean!
    • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
    • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
    • Please follow all instructions in the order posted.
    • If you have any questions or do not understand instructions, please ask before continuing.
    • Please reply to this thread. Do not start a new topic.
    • Your security program(s) may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


    I am currently reviewing your log and will return, as soon as possible, with further instructions.

    Meanwhile please answer this question:
    Do you have another computer/device to access the internet?

  3. #3
    Member
    Join Date
    Jun 2007
    Posts
    54

    Yes, I do have another computer that can access the internet.

    Thanks for helping me out vict0r!

  4. #4
    Malware Team-Emeritus
    Join Date
    May 2010
    Posts
    212

    Please run the scans below and post the logs. Please use one reply per log.

    CKScanner

    Please download CKScanner ... Save it to your desktop.
    This program should only be run once!
    Make sure that CKScanner.exe is saved directly on your desktop before running the application!

    1. Double-click on the CKScanner.exe icon... then click the Search For Files button.
    2. When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
      A text file will be created on your desktop named "ckfiles.txt"
    3. Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
    4. Please copy/paste the contents of ckfiles.txt in your next reply.



    Scan with WVCheck:

    Please download WVCheck and save it to the desktop.

    • Double click on WVCheck.exe and follow the prompts.
    • The scan may take some time depending on the Hard-Drive size.
    • Please post the contents of the notepad file WVCheck_1436_dd-mm-yyyy that can be located on the desktop.


    Remember to post:
    • CKScanner log.
    • WVCheck log.

  5. #5
    Member
    Join Date
    Jun 2007
    Posts
    54

    Should I be posting the logs in the infected computer on SAFE MODE?

  6. #6
    Malware Team-Emeritus
    Join Date
    May 2010
    Posts
    212

    Yes, please. Start the computer in safe mode with networking and access this topic to download the programs. Do not use a USB stick or similar to transfer files to your existing computer.
