Search Engine Redirecting

Dell / Dim4400...
March 25, 2010 at 15:14:49
Specs: Microsoft Windows XP Home Edition, 1.794 GHz / 1023 MB
To jabuck:
I am having the same problem as sick23's post of 15Mar. I am currently trying to run through the same process as you offered. Malware scan is running now. I will run reports and post as you instructed for sick23. (Sorry about the previous post hijacking - didn't realize it was a no-no.)


#1
March 25, 2010 at 15:51:43
exeHelper by Raktor
Build 20091220
Run at 18:50:30 on 03/25/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#2
March 25, 2010 at 15:54:40
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as JANICE on 03/25/2010 at 18:54:03.


Processes terminated by Rkill or while it was running:


C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\JANICE\Desktop\rkill.pif


Rkill completed on 03/25/2010 at 18:54:08.


#3
March 25, 2010 at 16:57:43
Malwarebytes' Anti-Malware 1.44
Database version: 3914
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/25/2010 7:56:52 PM
mbam-log-2010-03-25 (19-56-52).txt

Scan type: Quick Scan
Objects scanned: 187741
Time elapsed: 21 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4
March 25, 2010 at 17:23:30
ComboFix 10-03-25.04 - JANICE 03/25/2010 20:05:04.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.580 [GMT -4:00]
Running from: c:\documents and settings\JANICE\Desktop\Combo-Fix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-25 22:35 . 2010-03-25 22:35 104 ----a-w- c:\windows\system32\SBRC.dat
2010-03-25 22:07 . 2010-03-25 22:07 195584 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-78b141b2-n\WMINative.dll
2010-03-25 21:57 . 2010-03-25 21:57 -------- d-----w- c:\program files\Common Files\Java
2010-03-25 21:55 . 2010-03-25 21:55 -------- d-----w- c:\program files\Java
2010-03-25 21:52 . 2010-03-25 21:54 -------- dc-h--w- c:\windows\ie8
2010-03-19 00:44 . 2010-03-19 00:45 -------- d-----w- c:\windows\system32\NtmsData
2010-03-17 02:02 . 2010-03-17 02:02 3584 ----a-r- c:\documents and settings\JANICE\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-03-17 02:02 . 2010-03-17 02:02 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-03-17 02:02 . 2010-03-17 02:02 -------- d-----w- c:\program files\MSECACHE
2010-03-17 00:41 . 2010-03-17 00:41 388096 ----a-r- c:\documents and settings\JANICE\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-17 00:41 . 2010-03-17 00:41 -------- d-----w- c:\program files\TrendMicro
2010-03-15 22:14 . 2010-03-15 22:14 -------- d-----w- c:\program files\DIFX
2010-03-13 15:45 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 04:09 . 2010-03-09 04:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-09 04:09 . 2010-03-09 04:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-08 14:39 . 2010-03-08 14:39 -------- d-----w- c:\windows\Sun
2010-03-08 02:56 . 2010-03-08 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Weskysoft
2010-03-08 02:42 . 2010-03-17 00:10 -------- d-----w- c:\program files\Optimizer Tool
2010-03-07 01:40 . 2004-08-04 07:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-03-07 00:42 . 2004-08-04 07:56 11325 ------w- c:\windows\system32\drivers\vchnt5.dll
2010-03-07 00:41 . 2006-05-19 12:59 94720 ----a-w- c:\windows\system32\dllcache\iphlpapi.dll
2010-03-06 22:36 . 2010-03-13 22:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-06 20:10 . 2010-03-06 20:10 -------- d-----w- c:\documents and settings\JANICE\Application Data\Malwarebytes
2010-03-06 20:10 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-06 20:10 . 2010-03-25 23:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-06 20:10 . 2010-03-06 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-06 20:10 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-06 19:19 . 2010-03-06 19:19 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-06 19:18 . 2010-03-06 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-06 16:36 . 2010-03-06 16:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-06 02:18 . 2010-03-06 02:18 348160 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75714f6a-n\msvcr71.dll
2010-03-06 02:18 . 2010-03-06 02:18 503808 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75714f6a-n\msvcp71.dll
2010-03-06 02:18 . 2010-03-06 02:18 499712 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75714f6a-n\jmc.dll
2010-03-06 02:18 . 2010-03-06 02:18 61440 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6950817b-n\decora-sse.dll
2010-03-06 02:18 . 2010-03-06 02:18 12800 ----a-w- c:\documents and settings\JANICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6950817b-n\decora-d3d.dll
2010-03-06 02:18 . 2010-03-25 21:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 00:27 . 2010-03-05 00:31 73449472 ----a-w- C:\VIPRERescue5746.exe
2010-03-04 23:47 . 2010-03-04 23:47 -------- d-----w- c:\program files\easy gadget
2010-03-04 03:10 . 2010-03-16 21:46 0 ----a-w- c:\windows\Jbuvakuc.bin
2010-03-04 03:10 . 2010-03-17 02:12 120 ----a-w- c:\windows\Pherocohuvilitac.dat
2010-03-04 03:10 . 2010-03-04 03:10 -------- d-----w- c:\documents and settings\JANICE\Local Settings\Application Data\{B4BD0BE9-7A3A-4FB6-BC80-4D614C9262D8}
2010-03-03 22:59 . 2010-03-03 22:59 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-03-03 22:59 . 2010-03-03 22:59 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-03-03 22:59 . 2010-03-03 22:59 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-03-03 22:59 . 2010-03-03 22:59 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-03-03 15:36 . 2010-03-16 02:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-03 13:58 . 2002-02-06 13:53 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-03-03 13:58 . 2010-03-19 03:15 -------- d-----w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 00:05 . 2007-02-24 17:13 -------- d-----w- c:\program files\TaxCut06
2010-03-18 23:07 . 2002-09-01 22:32 92200 ----a-w- c:\documents and settings\JANICE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 01:07 . 2004-02-14 18:47 -------- d-----w- c:\program files\Design Science
2010-03-17 00:52 . 2007-11-06 23:55 -------- d-----w- c:\documents and settings\JANICE\Application Data\MSNInstaller
2010-03-10 22:17 . 2002-02-09 02:17 -------- d-----w- c:\documents and settings\JANICE\Application Data\MSN6
2010-03-09 00:59 . 2005-10-25 18:50 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2010-03-09 00:45 . 2005-10-25 18:58 50 ----a-w- c:\windows\system32\BRIDF04A.dat
2010-03-08 03:33 . 2010-03-08 03:33 237568 ----a-w- c:\documents and settings\LocalService\NTUSER.DAT.tmp
2010-03-08 03:33 . 2010-03-08 03:33 237568 ----a-w- c:\documents and settings\NetworkService\NTUSER.DAT.tmp
2010-03-07 01:56 . 2002-02-06 13:48 87018 ----a-w- c:\windows\system32\drivers\IdeChnDr.sys
2010-03-06 19:23 . 2002-02-16 20:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-06 01:38 . 2002-02-06 13:46 -------- d-----w- c:\program files\Dell
2010-03-05 00:30 . 2005-08-10 00:09 -------- d-----w- c:\program files\Dell Support
2010-02-14 19:00 . 2010-02-14 18:59 18205512 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026401dupd.exe
2010-02-14 18:58 . 2008-03-07 23:38 -------- d-----w- c:\documents and settings\JANICE\Application Data\TaxCut
2010-02-14 18:57 . 2010-02-14 18:55 -------- d-----w- c:\program files\HRBlock2009
2010-02-14 18:53 . 2008-03-07 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-14 18:52 . 2009-08-15 21:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-14 18:51 . 2010-03-17 03:33 38784 ----a-w- c:\documents and settings\Administrator.MOM\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-14 18:51 . 2009-08-15 21:02 38784 ----a-w- c:\documents and settings\JANICE\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-04 22:02 . 2010-01-04 22:02 27984 ----a-w- c:\windows\system32\sbbd.exe
2009-12-31 16:14 . 2010-03-07 00:41 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2002-04-14 14:56 . 2002-04-13 16:26 427 ----a-w- c:\program files\SSLresp.txt
2002-04-13 16:26 . 2002-04-13 16:28 7331 ----a-w- c:\program files\198F6271.taf
2002-03-23 20:16 . 2002-03-23 20:14 8462 ----a-w- c:\program files\measuredImportReport.log
2002-03-23 20:16 . 2002-03-23 20:14 2534 ----a-w- c:\program files\measuredWizard.log
2002-03-22 02:26 . 2002-03-22 02:25 285762 ----a-w- c:\program files\TaxCut_2001_Florida_InstallerB.exe
2002-02-16 20:00 . 2002-02-16 20:00 8981440 ----a-w- c:\program files\ar505enu.exe
2002-01-14 16:13 . 2002-03-22 02:00 128590 ------w- c:\program files\removetc.exe
2001-05-24 17:59 . 2002-03-22 02:00 162304 ------w- c:\program files\rmtc.exe
2002-03-22 02:24 . 2002-03-22 02:24 98304 ----a-w- c:\program files\internet explorer\plugins\IEHelper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-01-04 959824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SetDefPrt"="c:\program files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2001-10-09 200704]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-06-15 254022]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SBRegRebootCleaner"="c:\program files\Sunbelt Software\VIPRE\SBRC.exe" [2010-01-04 197968]

c:\documents and settings\JANICE\Start Menu\Programs\Startup\
easy gadget.lnk - c:\program files\easy gadget\easy gadget.exe [2010-3-4 95232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRealMode"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SBBD.exe /d \Device\HarddiskVolume2\Program Files\Sunbelt Software\VIPRE\Definitions

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Linksys\\LogViewer\\LogViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 sbaphd;sbaphd;c:\windows\SYSTEM32\DRIVERS\sbaphd.sys [1/18/2010 11:11 AM 13360]
R1 sbtis;sbtis;c:\windows\SYSTEM32\DRIVERS\sbtis.sys [11/17/2008 12:32 AM 202928]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [1/4/2010 6:02 PM 1012080]
R2 sbapifs;sbapifs;c:\windows\SYSTEM32\DRIVERS\sbapifs.sys [1/18/2010 11:13 AM 69936]
R3 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [10/13/2009 9:22 AM 95024]
.
Contents of the 'Scheduled Tasks' folder

2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-03-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2002-02-09 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-09-14 07:56]

2002-02-09 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-09-14 07:56]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 20:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1004)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-25 20:21:00
ComboFix-quarantined-files.txt 2010-03-26 00:20
ComboFix2.txt 2010-03-19 04:10

Pre-Run: 11,170,336,768 bytes free
Post-Run: 11,169,816,576 bytes free

- - End Of File - - 1EA6335F03CD94F4B43D26FDA6E47BDA


#5
March 25, 2010 at 19:14:15
Another no no is posting these logs without a request from a helper.

And it is a bad idea to run Combofix without being requested to, especially if the request comes from someone who does not know how to even begin to help you repair your computer if the program fails...this tool can render the computer useless.

You can run a quick search for the name of the poster suggesting that you run a repair program on your computer and find out all you need to know.

And if you decide to run those repair programs on your own abilities, then that is where you are...on your own.


#6
March 25, 2010 at 19:55:42
jabuck -
OK - it's obvious I need help. I just followed the steps you gave to sick23 because you seem to know what you're doing (and you're a gold member). What would you suggest next for me? Can you tell if I'm still infected based on my logs?

#7
March 27, 2010 at 09:41:44
jabuck - where are you? You are obviously the master here. Just so you know - I did not do what tech99 suggested - I'm waiting on word from you only.
