Inactive [Closed] Search Engines redirect to 404s

Status
Not open for further replies.

idrizmiftari

Helping a computer illiterate friend recover his PC from viruses. At first it wouldn't load Windows, but I ran a battery of removers and now the only issue is that all search engines cannot be accessed. What is strange is that if I physically disconnect the line and reconnect, I can access them; however, resetting through ipconfig doesn't work.

I ran Malwarebytes, Spybot, adware, NOD32, AVG, HijackThis and ComboFix. Also scanned with RKUnhooker but got too afraid to touch anything. Unfortunately, time is not with me. I have logs of HijackThis and ComboFix; I forgot to take logs of the others. ComboFix stated that the AVG scanner is present even though I uninstalled it and used AppRemover, and it still shows the alert; however, it seemed like it ran fine. I will be heading off to work but will be back in 9 hours. Thank you tremendously in advance for your time and patience.

[HJT log removed by Broni]

**************************
COMBOFIX***********
**************************
ComboFix 11-09-15.05 - LT BABY 09/16/2011 11:15:39.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1635 [GMT -4:00]
Running from: c:\documents and settings\LT BABY\Desktop\lobster.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-08-16 to 2011-09-16 )))))))))))))))))))))))))))))))
.
.
2011-09-16 05:09 . 2011-09-16 05:09 388096 ----a-r- c:\documents and settings\LT BABY\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-16 05:09 . 2011-09-16 05:09 -------- d-----w- c:\program files\Trend Micro
2011-09-15 15:16 . 2011-07-19 09:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-15 05:44 . 2011-09-15 05:44 -------- d-----r- c:\program files\Skype
2011-09-15 05:15 . 2011-09-15 05:15 -------- d-----w- c:\program files\iPod
2011-09-15 05:12 . 2011-09-15 05:12 -------- d-----w- c:\program files\Bonjour
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-09-15 05:11 . 2011-09-15 05:12 -------- d-----w- c:\program files\QuickTime
2011-09-15 05:07 . 2011-09-15 05:07 -------- d-----w- c:\program files\Lavasoft
2011-09-14 14:28 . 2011-09-14 14:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-14 14:26 . 2011-09-15 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-09-11 22:46 . 2011-09-14 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-09-11 22:06 . 2011-09-14 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-09-11 21:55 . 2011-09-11 21:55 -------- d-----w- c:\windows\system32\winrm
2011-09-11 21:55 . 2011-09-11 21:55 -------- d-----w- c:\windows\system32\GroupPolicy
2011-09-11 21:55 . 2011-09-11 21:55 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-09-11 17:32 . 2011-09-11 17:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-11 17:32 . 2011-09-11 17:32 -------- d-----w- c:\documents and settings\LT BABY\Application Data\AVG2012
2011-09-11 17:30 . 2011-09-11 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-09-11 17:28 . 2011-09-11 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-11 05:51 . 2011-09-11 05:51 -------- d-----w- c:\documents and settings\LT BABY\Application Data\Sakura
2011-09-11 04:45 . 2011-09-11 04:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-11 04:10 . 2011-09-11 04:10 -------- d-----w- c:\documents and settings\LT BABY\Local Settings\Application Data\ESET
2011-09-11 03:59 . 2011-09-11 03:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-09-11 03:04 . 2011-09-11 03:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-11 01:33 . 2011-09-11 05:55 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2011-09-11 01:32 . 2011-09-11 01:32 -------- d-----w- c:\documents and settings\LT BABY\Application Data\Malwarebytes
2011-09-11 01:32 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-11 01:32 . 2011-09-11 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-11 01:32 . 2011-09-11 01:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-11 01:32 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 01:04 . 2011-09-11 01:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-08 21:57 . 2011-09-11 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\mJ21101PpGeC21101
2011-09-05 20:24 . 2011-09-11 00:25 -------- d-----w- c:\documents and settings\LT BABY\Local Settings\Application Data\Conduit
2011-09-05 20:24 . 2011-09-05 20:25 -------- d-----w- c:\documents and settings\LT BABY\Application Data\GetRightToGo
2011-09-05 01:37 . 2011-09-05 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
2011-09-03 13:59 . 2011-09-03 13:59 -------- d-----w- c:\documents and settings\LT BABY\Application Data\Unity
2011-09-03 10:17 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-03 04:55 . 2011-09-03 04:55 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2011-09-03 04:51 . 2011-09-03 04:51 -------- d-----w- c:\documents and settings\LT BABY\Local Settings\Application Data\Unity
2011-09-03 04:38 . 2011-09-03 04:38 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc5AC.tmp
2011-08-26 22:21 . 2011-08-26 22:21 42392 ----a-w- c:\windows\system32\xfcodec.dll
2011-08-18 14:46 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-18 14:46 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-08-11 21:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-19 06:40 . 2008-11-02 04:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-15 13:29 . 2004-08-11 21:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2004-08-11 21:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2004-08-11 21:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-11 21:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-11 21:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-11 21:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-11 21:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-03 06:01 . 2011-09-15 13:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-16_05.31.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-16 15:08 . 2011-09-16 15:08 16384 c:\windows\Temp\Perflib_Perfdata_1e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzIyNDAyMDA5LVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1796&mid=5188a9f4d2a647d1a4bad153e62412d6-f43308e76f07837a7ea13e9f5929462580b6ee3d" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 02:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2004-02-19 09:23 61440 ----a-w- c:\dell\bldbubg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-07-21 20:48 98304 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-09-11 08:40 218032 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 08:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-08-19 05:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-05-01 12:07 843776 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 5:00 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
IE: &AIM Toolbar Search
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://www.intranet.farmingdale.edu:8080/av/symantec/xp/webinst.cab
FF - ProfilePath - c:\documents and settings\LT BABY\Application Data\Mozilla\Firefox\Profiles\jgxkomdb.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-16 11:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3044)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-16 11:26:37
ComboFix-quarantined-files.txt 2011-09-16 15:26
ComboFix2.txt 2011-09-16 05:34
.
Pre-Run: 29,371,850,752 bytes free
Post-Run: 29,359,345,664 bytes free
.
- - End Of File - - 07ED3CEAB329DFC30CC24B6AC14DB852
 
Welcome aboard


Please complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================================================

Never run Combofix on your own!
 