Redirecting when using a search engine

November 4, 2010 at 07:02:52
Specs: Windows Vista
I've been having issues when I do a search in Google or any other search engine. When I click on site I'm taken to a junk site that has nothing to do with what I searched. I've done some research and discovered it's related to a virus that came in via Java. I've removed all old versions of Java and updated to the latest version. I think this has solved the virus issue but I'm still having problems with the search. I ran a hijack this scan and have a log, but I don't know what to do from there. Any help would be great. The log is below. Thanks.

edited by moderator: remove un-requested log


See More: Redirecting when using a search engine

Report •


#1
November 4, 2010 at 08:24:52
So after doing more research the majority of people who had this issue were told to run ComboFix. Which I did. Below is the log that popped up after it was done.

ComboFix 10-11-03.03 - ktimothy 11/04/2010 10:12:59.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3318.1568 [GMT -4:00]
Running from: c:\users\ktimothy.FRONTIER-CLE\Downloads\ComboFix.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *disabled* (Outdated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\ktimothy.FRONTIER-CLE\g2mdlhlpx.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
D:\Autorun.inf

c:\windows\explorer.exe . . . is infected!!

Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-04 to 2010-11-04 )))))))))))))))))))))))))))))))
.

2010-11-04 14:33 . 2010-11-04 14:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-04 14:33 . 2010-11-04 14:33 -------- d-----w- c:\users\ngross\AppData\Local\temp
2010-11-04 14:33 . 2010-11-04 14:33 -------- d-----w- c:\users\ktimothy\AppData\Local\temp
2010-11-04 14:33 . 2010-11-04 14:33 -------- d-----w- c:\users\amyers\AppData\Local\temp
2010-11-04 13:49 . 2010-11-04 13:49 388096 ----a-r- c:\users\ktimothy.FRONTIER-CLE\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-04 13:49 . 2010-11-04 13:49 -------- d-----w- c:\program files\Trend Micro
2010-11-04 11:25 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1CE4AE44-873D-4B4A-A595-50E4B93BFF57}\mpengine.dll
2010-11-01 14:35 . 2010-11-01 14:35 -------- d-----w- c:\program files\Common Files\Java
2010-10-15 14:42 . 2010-11-01 14:33 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-15 14:42 . 2010-11-01 14:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-15 12:40 . 2010-08-10 15:02 274432 ----a-w- c:\windows\system32\schannel.dll
2010-10-15 12:39 . 2010-09-06 16:24 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-15 12:39 . 2010-09-06 14:13 303616 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-15 12:39 . 2010-09-06 14:12 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-15 12:39 . 2010-09-06 14:12 101888 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-15 12:39 . 2010-09-06 16:23 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-15 12:38 . 2010-09-10 16:35 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-15 12:38 . 2010-09-10 16:37 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-15 12:38 . 2010-06-28 16:15 1315840 ----a-w- c:\windows\system32\ole32.dll
2010-10-15 12:38 . 2010-06-28 14:31 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2010-10-14 20:38 . 2010-10-14 20:38 1409 ----a-w- c:\windows\QTFont.for
2010-10-11 20:11 . 2010-10-11 20:11 -------- d-----w- c:\users\ktimothy.FRONTIER-CLE\AppData\Roaming\Malwarebytes
2010-10-11 20:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 20:11 . 2010-10-11 20:11 -------- d-----w- c:\programdata\Malwarebytes
2010-10-11 20:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 20:11 . 2010-10-11 20:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-11 15:16 . 2010-10-19 15:41 222080 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 13:32 . 2010-09-15 12:24 126464 ----a-w- c:\windows\system32\spoolsv.exe
.

------- Sigcheck -------

[7] 2009-04-11 . D07D4C3038F3578FFCE1C0237F2A1253 . 2926592 . . [6.0.6000.16386] . . c:\windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[-] 2008-10-29 . 57CDCDF73AEB441655AF5BABBA6F5F37 . 2927104 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-02-04 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2008-02-04 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[7] 2006-11-02 . FD8C53FB002217F6F888BCF6F5D7084D . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

[-] 2008-01-19 . A3ABDD85A532E09728D452E64A1B32E6 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-19 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[7] 2006-11-02 . D4385B03E8CCCEE6F0EE249F827C1F3E . 95744 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\457\g2mstart.exe" [2010-08-24 39816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-08 4227072]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-12-04 330776]
"SetRefresh"="c:\program files\HP\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-23 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2007-04-30 73728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-17 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\ktimothy.FRONTIER-CLE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-7-1 110592]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-7-1 110592]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 gupdate1c996dc7fcf1ea0;Google Update Service (gupdate1c996dc7fcf1ea0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2006-12-04 535064]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-09-21 112688]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 00:03]

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 00:03]

2009-06-07 c:\windows\Tasks\Norton Security Scan for ktimothy.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 08:18]

2010-11-04 c:\windows\Tasks\User_Feed_Synchronization-{DB808F90-3517-4A5E-9AE9-EDDC151284A9}.job
- c:\windows\system32\msfeedssync.exe [2010-10-15 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: fleetseek.com\www
Trusted Zone: frontieradjusters.com\fbisystem
TCP: {1FF6A05F-B878-4D39-900F-9F5916FE5745} = 67.225.200.60,67.225.200.22,208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\ktimothy.FRONTIER-CLE\AppData\Roaming\Mozilla\Firefox\Profiles\7m7l1by4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\ktimothy.FRONTIER-CLE\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(712)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'Explorer.exe'(4900)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Citrix\GoToMeeting\457\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\457\g2mlauncher.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-11-04 11:20:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-04 15:19

Pre-Run: 5,491,961,856 bytes free
Post-Run: 8,522,350,592 bytes free

- - End Of File - - AE749CE92E61E4E20AD8B7C582F649D7


Report •
Related Solutions


Ask Question