Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Search engine returns are being redirected--google/yahoo/etc

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Search engine returns are being redirected--google/yahoo/etc

Unread postby lando2000 » March 25th, 2009, 7:57 pm

Hello, here is the hijakthis log for my dell laptop. Please let me know if you see what my problem might be. I'm running Norton Security Check as virus protection.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:53 PM, on 3/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Landon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Landon\LOCALS~1\Temp\Rar$EX00.687\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Landon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13169442-30B8-49D0-8111-D22774EC3396}: NameServer = 85.255.112.115,85.255.112.205
O17 - HKLM\System\CCS\Services\Tcpip\..\{C655D90E-7233-4618-9F40-A3165C251FA6}: NameServer = 85.255.112.115,85.255.112.205
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.115,85.255.112.205
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.115,85.255.112.205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.115,85.255.112.205
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - PCTEL - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10794 bytes
lando2000
Active Member
 
Posts: 14
Joined: March 25th, 2009, 7:47 pm
Advertisement
Register to Remove

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby dan12 » March 26th, 2009, 4:34 am

welcome to malwareremoval forums

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note! that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby lando2000 » March 26th, 2009, 7:38 pm

Dan,

Thanks so much for your assistance. Here is the app log as requested:


2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
AppCore
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AV
Avid DVD by Sonic
Avid FX
Avid Media Composer
Avid Pro Tools® LE 6.5.2
Avid® 3D 1.6
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
Bonjour
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
ccCommon
Critical Update for Windows Media Player 11 (KB959772)
Dell Touchpad
Digidesign Shared Plug-Ins
DVD Architect Pro 5.0
DVD Solution
getPlus(R) for Adobe
Google Talk Plugin
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
iTunes
Java 2 Runtime Environment Standard Edition v1.3.0_02
Java(TM) 6 Update 11
Java(TM) 6 Update 7
Laptop Integrated Webcam Driver (1.04.01.1011)
Lexmark X74-X75
LG ODD Auto Firmware Update
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
MetaSyncManager
MetaSyncPublisher
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSRedist
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Multimedia Launcher
Nero OEM
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
PACE System Files
QuickTime
Roxio Media Manager
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Sentinel System Driver 5.42.1 (32-bit)
SigmaTel Audio
Skype™ 4.0
Sorenson Squeeze 4.5
SPBBC 32bit
Sprint SmartView
TomTom HOME 2.5.2.60
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB925720)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC_MergeModuleToMSI
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Yahoo! SiteBuilder
lando2000
Active Member
 
Posts: 14
Joined: March 25th, 2009, 7:47 pm

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby dan12 » March 27th, 2009, 3:45 pm

Highjackthis.exe needs a permanant folder of it's own in order to create backups
Create a folder on the desktop, right click on the desktop, select new folder,and name it HJT Now locate C:\DOCUME~1\Landon\LOCALS~1\Temp\Rar$EX00.687\HijackThis.exe

copy and paste it into the new folder ( HJT ) you created on the desktop.
Do this before you continue.



: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt


Post the report and a fresh HJT log
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby lando2000 » March 28th, 2009, 1:21 am

Ok, so slight problem. I downloaded and installed the malwarebytes program, but when I double-click the icon, it doesn't open. I tried re-installing it, and checked the box to "run" the program when finished, and still, nothing happened.

Any ideas?
lando2000
Active Member
 
Posts: 14
Joined: March 25th, 2009, 7:47 pm

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby dan12 » March 28th, 2009, 4:02 pm

Please download and try running this: randmbam.exe

It will try to create random names and shortcuts for MBAM if you have it installed already. If this does not work we will try something else.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby lando2000 » March 29th, 2009, 12:00 am

Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

3/28/2009 8:59:32 PM
mbam-log-2009-03-28 (20-59-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 156592
Time elapsed: 33 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{13169442-30b8-49d0-8111-d22774ec3396}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c655d90e-7233-4618-9f40-a3165c251fa6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{13169442-30b8-49d0-8111-d22774ec3396}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c655d90e-7233-4618-9f40-a3165c251fa6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{13169442-30b8-49d0-8111-d22774ec3396}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{c655d90e-7233-4618-9f40-a3165c251fa6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
lando2000
Active Member
 
Posts: 14
Joined: March 25th, 2009, 7:47 pm

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby dan12 » March 29th, 2009, 3:52 am

    Please create a BOOTLOG
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows

    If you're already running inside Windows you can enable it the following way.
  • Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • If the file is over about 150 lines or so then DELETE the C:\Windows\ntbtlog.txt file and restart the computer and post the NEW one it creates.
  • Note: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Adminsitrator
  • The tab is called BOOT on Vista. Then choose Boot log


RootRepeal - Rootkit Detector
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it more easy to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

Post the logs
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby lando2000 » March 29th, 2009, 5:50 am

Service Pack 2 3 29 2009 02:40:17.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver compbatt.sys
Loaded driver \WINDOWS\System32\DRIVERS\BATTC.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver DigiFi~1.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver TPkd.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\System32\DRIVERS\processr.sys
Loaded driver \SystemRoot\System32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\System32\DRIVERS\bcmwl5.sys
Loaded driver \SystemRoot\System32\drivers\swmsflt.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\drivers\gearaspiwdm.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\SynTP.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\System32\DRIVERS\sdbus.sys
Loaded driver \SystemRoot\System32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\System32\DRIVERS\wmiacpi.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\Drivers\RootMdm.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\pctnullport.sys
Loaded driver \SystemRoot\system32\DRIVERS\RimSerial.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\NWADIenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\drivers\sthda.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \systemroot\system32\drivers\gaopdxwmdbymsnswwkthxxnkjppbvdvymggwqp.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMREDRV.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMDNS.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMNDIS.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMFW.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMIDS.SYS
Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20090311.001\SymIDSCo.sys
Loaded driver \SystemRoot\System32\Drivers\SYMTDI.SYS
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\Drivers\SRTSPX.SYS
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\OEM02Dev.sys
Loaded driver \SystemRoot\system32\DRIVERS\OEM02Vfx.sys
Loaded driver \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Loaded driver \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Loaded driver \SystemRoot\System32\Drivers\Aspi32.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Did not load driver \SystemRoot\System32\Drivers\Parport.SYS
Loaded driver \SystemRoot\System32\Drivers\SENTINEL.SYS
Did not load driver \SystemRoot\System32\DRIVERS\avidXPserial.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090328.003\NAVEX15.SYS
Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090328.003\NAVENG.SYS
Did not load driver \SystemRoot\System32\Drivers\SRTSPX.SYS
Loaded driver \SystemRoot\System32\Drivers\SRTSP.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
lando2000
Active Member
 
Posts: 14
Joined: March 25th, 2009, 7:47 pm

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby dan12 » March 29th, 2009, 6:02 am

Can I see the other report also :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby lando2000 » March 29th, 2009, 7:06 am

Sorry, here's the other:

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/03/29 03:52
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAEA3C000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F9000 Size: 8192 File Visible: No
Status: -

Name: gaopdxwmdbymsnswwkthxxnkjppbvdvymggwqp.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxwmdbymsnswwkthxxnkjppbvdvymggwqp.sys
Address: 0xAEE89000 Size: 94208 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAADC6000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gaopdxcounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gaopdxjyymoteppfmqxxdtmwxnsvdxsurubxmk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gaopdxwmdbymsnswwkthxxnkjppbvdvymggwqp.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Landon\Local Settings\Apps\2.0\Q3ZRM9HP.7OO\0YXHXE46.DMH\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Landon\Local Settings\Apps\2.0\Q3ZRM9HP.7OO\0YXHXE46.DMH\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x82e5a180

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x82e59e38

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x82cfc190

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x82babc70

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaed99020

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x82cae3f0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x82d1c568

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaed992a0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaed99800

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f077c8

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x82eaf3a8

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x82e5bda0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x82d1bb48

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x82b96878

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x82c810f0

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x82fa15c0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x82bb21a8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x82c5ae70

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x82e58430

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x82c31580

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaed99a50

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x825f81e8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x82c5a438

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x82c811c8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x82c5ac38

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x82c5b2b8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x82ef8860

Stealth Objects
-------------------
Object: Hidden Module [Name: gaopdxjyymoteppfmqxxdtmwxnsvdxsurubxmk.dll]
Process: iexplore.exe (PID: 2076) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: gaopdxjyymoteppfmqxxdtmwxnsvdxsurubxmk.dll]
Process: iexplore.exe (PID: 2996) Address: 0x10000000 Size: 49152

Hidden Services
-------------------
Service Name: gaopdxserv.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxwmdbymsnswwkthxxnkjppbvdvymggwqp.sys
lando2000
Active Member
 
Posts: 14
Joined: March 25th, 2009, 7:47 pm

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby dan12 » March 29th, 2009, 12:02 pm

Create a NEW folder on your Desktop named: BadFiles


Start Root Repeal and click on the Drivers tab and then click the Scan button.
Then right click on this file: gaopdxwmdbymsnswwkthxxnkjppbvdvymggwqp.sys and select Dump File
This will bring up a Dump to file dialog box. Browse or select your Desktop where you created the BadFiles folder.
Then type in the name gaopdxwmdbymsnswwkthxxnkjppbvdvymggwqp.sys and save it in that folder.
You can quit Root Repeal now.

Then zip up that file and upload it to: uploads.malwarebytes.org

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista


Start Root Repeal again and click on the Drivers tab and then click the Scan button.
Then right click on this file: gaopdxwmdbymsnswwkthxxnkjppbvdvymggwqp.sys Next right mouse click on it and select *wipe file* option only then immediately reboot the computer.

Now scan with malwarebytes again quick scan

Post the report
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby lando2000 » March 29th, 2009, 3:56 pm

I tried to save the file after I clicked on "dump file" but when I go to that file folder, there's nothing in it. I set my folder options to show hidden files and it's still not there, and when I click on the "Badfiles" folder properties, it says there are no files in it, and that it is 0 bytes.

I will hold off on completing the remainder of your instructions until I receive word from you on what the next step is.

Thanks.

Landon
lando2000
Active Member
 
Posts: 14
Joined: March 25th, 2009, 7:47 pm

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby lando2000 » March 29th, 2009, 4:02 pm

Ok, so I tried another idea and put the prefix "delete_" in front and it appeared. When I deleted the prefix, it dissappeared again, so I had to leave it on. I will upload this, but I wanted you to be aware of what I did.

Landon
lando2000
Active Member
 
Posts: 14
Joined: March 25th, 2009, 7:47 pm

Re: Search engine returns are being redirected--google/yahoo/etc

Unread postby lando2000 » March 29th, 2009, 5:05 pm

Here's the new log:

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

3/29/2009 2:03:50 PM
mbam-log-2009-03-29 (14-03-39).txt

Scan type: Quick Scan
Objects scanned: 73033
Time elapsed: 53 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> No action taken.
lando2000
Active Member
 
Posts: 14
Joined: March 25th, 2009, 7:47 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 309 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware