Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

User Tag List

google searches redirected and unwanted new browser windows opening

This is a discussion on google searches redirected and unwanted new browser windows opening within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hello there, My daughter's laptop was recently infected by AV Security Suite. Our computers are on the same network and


 
 
Thread Tools Search this Thread
Old 06-11-2010, 06:46 PM   #1
Registered Member
 
Join Date: Jun 2010
Posts: 2
OS: vista



Hello there,

My daughter's laptop was recently infected by AV Security Suite. Our computers are on the same network and even though we haven't shared files, my browser is now hijacked as well. I ran the GMER scan but it wouldn't let me tick all of the subheadings you requested in your preparation guide. I saved the initial startup scan as requested. Here are the DDS and GMER logs:


DDS (Ver_10-03-17.01) - NTFSX64
Run by Eileen at 16:40:39.42 on Tue 06/08/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8180.5991 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files (x86)\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files (x86)\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Lexmark 7600 Series\lxdwMsdMon.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\OfficeGuardianV2N\Reminder\SacReminder.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe
C:\Program Files (x86)\Dell Remote Access\ezi_ra.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\AERTSr64.exe
C:\ProgramData\OfficeGuardianV2N\UACProxy.exe
c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe
C:\Windows\system32\lxbkcoms.exe
C:\Windows\system32\spool\DRIVERS\x64\3\lxdwserv.exe
C:\Windows\system32\lxdwcoms.exe
c:\PROGRA~2\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe
C:\Program Files (x86)\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\ProgramData\OfficeGuardianV2N\Reminder\SacNetAgent.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~2\McAfee\MSC\mcmscsvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Windows Live\Toolbar\wltuser.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10e.exe
C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~2\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Eileen\Desktop\gmer\gmer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Eileen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files (x86)\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~2\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files (x86)\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files (x86)\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files (x86)\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files (x86)\lexmark toolbar\toolband.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
uRun: [SacReminderHDDV2N] c:\programdata\officeguardianv2n\reminder\SacReminder.exe
mRun: [mcagent_exe] "c:\program files (x86)\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Dell DataSafe Online] "c:\program files (x86)\dell datasafe online\DataSafeOnline.exe" /m
mRun: [Microsoft Default Manager] "c:\program files (x86)\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Lexmark 7600 Series] "c:\program files (x86)\lexmark 7600 series\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
StartupFolder: c:\users\eileen\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\dellre~1.lnk - c:\windows\installer\{f66a31d9-7831-4fba-ba02-c411c0047cc5}\NewShortcut10_F66A31D978314FBABA02C411C0047CC5.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~2\mcafee\msk\MSKAPB~1.DLL
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO-X64: scriptproxy - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [RtHDVCpl] RAVCpl64.exe
mRun-x64: [Skytel] Skytel.exe
mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe
mRun-x64: [(Default)]
mRun-x64: [Dell DataSafe Online] "c:\program files (x86)\dell datasafe online\DataSafeOnline.exe" /m
mRun-x64: [lxbkbmgr.exe] "c:\program files (x86)\lexmark x1100 series\lxbkbmgr.exe"
mRun-x64: [lxdwmon.exe] "c:\program files (x86)\lexmark 7600 series\lxdwmon.exe"
mRun-x64: [lxdwamon] "c:\program files (x86)\lexmark 7600 series\lxdwamon.exe"

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2009-3-10 53488]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-10 308296]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe [2009-3-10 86016]
R2 CFUACProxy_officeguardianv2n;CFUACProxy_officeguardianv2n;c:\programdata\officeguardianv2n\UACProxy.exe [2010-3-29 83848]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\x64\3\lxdwserv.exe [2008-5-16 33960]
R2 McProxy;McAfee Proxy Service;c:\progra~2\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-10 155456]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\officeguardianv2n\reminder\SacNetAgent.exe [2010-3-29 140168]
R3 McSysmon;McAfee SystemGuards;c:\progra~2\mcafee\viruss~1\mcsysmon.exe [2009-3-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-10 102472]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-10 49480]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-12-2 89920]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-10 40904]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-06-04 22:14:17 0 d-----w- c:\windows\pss
2010-06-04 21:49:51 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-05-26 02:14:01 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-05-26 02:14:01 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-12 00:47:37 974848 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-12 00:47:36 738816 ----a-w- c:\windows\syswow64\inetcomm.dll

==================== Find3M ====================

2010-05-12 15:21:16 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-04-12 21:29:27 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-04-12 21:29:26 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-04-12 21:29:25 145184 ----a-w- c:\windows\syswow64\java.exe
2010-04-12 21:29:19 411368 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-04-05 23:33:31 6466 ----a-w- c:\users\eileen\appdata\roaming\wklnhst.dat
2009-12-15 04:11:02 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-15 04:11:02 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-15 04:11:01 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-15 04:11:01 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-26 19:28:24 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-12-26 19:28:24 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-12-26 19:28:24 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-12-26 19:28:24 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-03-23 04:38:40 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-03-10 07:42:47 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 16:40:53.37 ===============

You will find the other logs attached. We have a dell pc with windows vista and do not have access to a boot cd.


Thanks in advance,

eoboyle
Attached Files
File Type: zip Attach.zip (2.1 KB, 17 views)
eoboyle is offline  
Sponsored Links
Advertisement
 
Old 06-15-2010, 01:02 PM   #2
Registered Member
 
Join Date: Jun 2010
Posts: 2
OS: vista



Nevermind! We seem to have resolved the issue. Resetting the router and securing the wireless network fixed the problem. I'll open a new thread if the problem occurs again.

Thanks anyway!
eoboyle is offline  
Old 06-15-2010, 08:50 PM   #3
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Thanks for letting us know, eoboyle. Take care.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 03:56 PM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts