[Closed] Search Engines redirect to 404s

Inactive
By idrizmiftari
Sep 16, 2011
Topic Status:
Not open for further replies.
  1. Helping a computer-illiterate friend recover his PC from viruses. At first it wouldn't load Windows, but I ran a battery of removers and now the only issue is that no search engine can be accessed. What is strange is that if I physically disconnect the line and reconnect, I can access them; however, resetting through ipconfig doesn't work.

    I ran Malwarebytes, Spybot, Ad-Aware, NOD32, AVG, HijackThis and ComboFix. I also scanned with RKUnhooker but got too afraid to touch anything. Unfortunately time is not with me; I have logs of HijackThis and ComboFix, but I forgot to take logs of the others. ComboFix stated that the AVG scanner is present even though I uninstalled it and used AppRemover; it still shows the alert, but it seemed to run fine. I will be heading off to work but will be back in 9 hours. Thank you tremendously in advance for your time and patience.

    [HJT log removed by Broni]

    **************************
    COMBOFIX***********
    **************************
    ComboFix 11-09-15.05 - LT BABY 09/16/2011 11:15:39.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1635 [GMT -4:00]
    Running from: c:\documents and settings\LT BABY\Desktop\lobster.exe
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-16 to 2011-09-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-16 05:09 . 2011-09-16 05:09 388096 ----a-r- c:\documents and settings\LT BABY\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-09-16 05:09 . 2011-09-16 05:09 -------- d-----w- c:\program files\Trend Micro
    2011-09-15 15:16 . 2011-07-19 09:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-15 05:44 . 2011-09-15 05:44 -------- d-----r- c:\program files\Skype
    2011-09-15 05:15 . 2011-09-15 05:15 -------- d-----w- c:\program files\iPod
    2011-09-15 05:12 . 2011-09-15 05:12 -------- d-----w- c:\program files\Bonjour
    2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2011-09-15 05:11 . 2011-09-15 05:12 -------- d-----w- c:\program files\QuickTime
    2011-09-15 05:07 . 2011-09-15 05:07 -------- d-----w- c:\program files\Lavasoft
    2011-09-14 14:28 . 2011-09-14 14:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-09-14 14:26 . 2011-09-15 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2011-09-11 22:46 . 2011-09-14 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-09-11 22:06 . 2011-09-14 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-09-11 21:55 . 2011-09-11 21:55 -------- d-----w- c:\windows\system32\winrm
    2011-09-11 21:55 . 2011-09-11 21:55 -------- d-----w- c:\windows\system32\GroupPolicy
    2011-09-11 21:55 . 2011-09-11 21:55 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
    2011-09-11 17:32 . 2011-09-11 17:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-09-11 17:32 . 2011-09-11 17:32 -------- d-----w- c:\documents and settings\LT BABY\Application Data\AVG2012
    2011-09-11 17:30 . 2011-09-11 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
    2011-09-11 17:28 . 2011-09-11 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-09-11 05:51 . 2011-09-11 05:51 -------- d-----w- c:\documents and settings\LT BABY\Application Data\Sakura
    2011-09-11 04:45 . 2011-09-11 04:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-11 04:10 . 2011-09-11 04:10 -------- d-----w- c:\documents and settings\LT BABY\Local Settings\Application Data\ESET
    2011-09-11 03:59 . 2011-09-11 03:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
    2011-09-11 03:04 . 2011-09-11 03:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-09-11 01:33 . 2011-09-11 05:55 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
    2011-09-11 01:32 . 2011-09-11 01:32 -------- d-----w- c:\documents and settings\LT BABY\Application Data\Malwarebytes
    2011-09-11 01:32 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-09-11 01:32 . 2011-09-11 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-11 01:32 . 2011-09-11 01:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-11 01:32 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-11 01:04 . 2011-09-11 01:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-09-08 21:57 . 2011-09-11 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\mJ21101PpGeC21101
    2011-09-05 20:24 . 2011-09-11 00:25 -------- d-----w- c:\documents and settings\LT BABY\Local Settings\Application Data\Conduit
    2011-09-05 20:24 . 2011-09-05 20:25 -------- d-----w- c:\documents and settings\LT BABY\Application Data\GetRightToGo
    2011-09-05 01:37 . 2011-09-05 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
    2011-09-03 13:59 . 2011-09-03 13:59 -------- d-----w- c:\documents and settings\LT BABY\Application Data\Unity
    2011-09-03 10:17 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
    2011-09-03 04:55 . 2011-09-03 04:55 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
    2011-09-03 04:51 . 2011-09-03 04:51 -------- d-----w- c:\documents and settings\LT BABY\Local Settings\Application Data\Unity
    2011-09-03 04:38 . 2011-09-03 04:38 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc5AC.tmp
    2011-08-26 22:21 . 2011-08-26 22:21 42392 ----a-w- c:\windows\system32\xfcodec.dll
    2011-08-18 14:46 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-18 14:46 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2004-08-11 21:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-19 06:40 . 2008-11-02 04:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-15 13:29 . 2004-08-11 21:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-07-08 14:02 . 2004-08-11 21:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-06-24 14:10 . 2004-08-11 21:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-11 21:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2004-08-11 21:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-11 21:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-11 21:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-09-03 06:01 . 2011-09-15 13:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-09-16_05.31.40 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-09-16 15:08 . 2011-09-16 15:08 16384 c:\windows\Temp\Perflib_Perfdata_1e4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzIyNDAyMDA5LVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1796&mid=5188a9f4d2a647d1a4bad153e62412d6-f43308e76f07837a7ea13e9f5929462580b6ee3d" [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2007-05-11 02:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
    2004-02-19 09:23 61440 ----a-w- c:\dell\bldbubg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-07-21 20:48 98304 ----a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2006-09-11 08:40 218032 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2006-09-11 08:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-08-19 05:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2006-08-17 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2006-05-01 12:07 843776 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 5:00 PM 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
    .
    .
    ------- Supplementary Scan -------
    .
    mSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    IE: &AIM Toolbar Search
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
    DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://www.intranet.farmingdale.edu:8080/av/symantec/xp/webinst.cab
    FF - ProfilePath - c:\documents and settings\LT BABY\Application Data\Mozilla\Firefox\Profiles\jgxkomdb.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: network.proxy.type - 0
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-16 11:24
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
    .
    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user != kernel MBR !!!
    sectors 156249998 (+255): user != kernel
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3044)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-09-16 11:26:37
    ComboFix-quarantined-files.txt 2011-09-16 15:26
    ComboFix2.txt 2011-09-16 05:34
    .
    Pre-Run: 29,371,850,752 bytes free
    Post-Run: 29,359,345,664 bytes free
    .
    - - End Of File - - 07ED3CEAB329DFC30CC24B6AC14DB852
  2. Broni

    Broni (Malware Annihilator)

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    Never run Combofix on your own!