Browser Search Results Hijacked, Other problems

[AGB]

Since the last 2 days, I have problems on my Window XP computer. It began when I noticed while browsing, that 2-3 sites popped by (redirects) with odd server names or ip addresses. I realized right away that there was some problem and tried to find out more. I noticed a T.EXE in c:\ drive and removed it. when I got the free TrendMicro anti-virus scanning done, it came back with a problem file called 0U949.sys in the System32\drives folder. It would not go away even after anti-virus cleaning. It would pop back right in. After a 'Safe Boot' of Windows, I was able to get rid of it. I do not have that scan log, but the detailed info from trendmicro site lead to webpage which also mentioned TROJ_AGENT.ISZZ as the trojan name and instructions included how to check and correct specific registry entries, which I verified and found them to be okay in first place.

However, over the next few hours, it became clear that this was more thant a simple malware problem. Next day, I Tried different anti-virus, etc and got some 'removals' done. Those results are placed here. However, there is still some serious problem.

The best consisten indicator of the problem is that the browser search results from Google, Bing etc using IE, Firefox, Chrome, all get hijacked and redirected to different weird websites the second time I come around. The first click on the search results seem to work okay, but an additional browser window/tab is also launched with some unknown site trying to load. Then things get messy for subsequent browsing.

Also I have consistently noticed that the computer slows down to a crawl after some time during all this work I am trying to do to fix the problem.

Placed further below two logs from anti-virus, spy-bot

As per the instructions on your website, I ran the DDS.SCR and attached the zIP file containing the log.


I then tried to run the GMER program, Attempted that serveral times in the last 24 hours, but could not get it to complete succesfully. Initialy 2-3 attmepts the computer slowed down to a crawl and stopped responding during the full scan. Next 2-3 times, it rebooted after progressing much futher into complete scan. The last unsuccessful attempt it ran for 5-6 hours and when I returned, I realized that the PC had rebooted and gone to standby mode (s configured). So I am not able to ge the log for GMER. Note that the last 2-3 attempts where using GMER program with a randomly named file.  I will try again, but not sure if it will finally complete.


I appreciate your help!!

LOG contents

=============================================


Fraud.ActiveSecurity: [SBI $D4BA6A8C] Settings (Registry value, nothing done)
  HKEY_USERS\S-1-5-21-602162358-1993962763-682003330-1004\Software\eee0bd2f-ff2e-46ef-83fb-d4fda84462a3


--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-07-08 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-10-08 Includes\Adware.sbi (*)
2010-01-12 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-01-12 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-01-12 Includes\HijackersC.sbi (*)
2009-12-15 Includes\Keyloggers.sbi (*)
2010-01-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-12-30 Includes\Malware.sbi (*)
2010-01-12 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2010-01-12 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-01-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-11-03 Includes\Spyware.sbi (*)
2010-01-12 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-12-08 Includes\Trojans.sbi (*)
2010-01-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



==========================================================
"Scan ""Scan whole computer"" was finished."
"Infections";"12";"12";"0"
"Information";"1"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Friday, January 22, 2010, 6:48:41 PM"
"Scan finished:";"Friday, January 22, 2010, 9:55:01 PM (3 hour(s) 6 minute(s) 19 second(s))"
"Total object scanned:";"626504"
"User who launched the scan:";"Administrator"

"Infections"
"File";"Infection";"Result"
"C:\Documents and Settings\GTB\Local Settings\Temp\mmzF.tmp\KillTi.exe";"Trojan horse Generic12.BUXN";"Moved to Virus Vault"
"C:\Documents and Settings\GTB\Local Settings\Temp\mmz2A.tmp\KillTi.exe";"Trojan horse Generic12.BUXN";"Moved to Virus Vault"
"C:\Documents and Settings\GTB\Local Settings\Temp\mmz14.tmp\KillTi.exe";"Trojan horse Generic12.BUXN";"Moved to Virus Vault"
"C:\Documents and Settings\GTB\Local Settings\Temp\mmz11.tmp\KillTi.exe";"Trojan horse Generic12.BUXN";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\VMGMO1DX\kids[1].htm";"Virus found Exploit";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\VMGMO1DX\Beg_Sound_M[1].htm";"Virus found Exploit";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\QVLL241E\z002102801r0409J0b000601R0143fdeeX76086a53Y3d5bf217Z03007f3530dP000501080[1]";"Trojan horse Vundo.JZ";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\OAS2QPIJ\FlowerM[1].htm";"Virus found Exploit";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\C5BC9ZC3\z002102318801r0409J0b000601R0143fdeeX76086a5fY3d5bf217Z03007f350[1]";"Trojan horse Vundo.JZ";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Local Settings\Temporary Internet Files\Content.IE5\65I1XS7J\matrubhasha_com[1].htm";"Virus found Exploit";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Application Data\Malware Defense\uninstall.exe";"Trojan horse Generic16.BXI";"Moved to Virus Vault"
"C:\Documents and Settings\DAB\Application Data\Malware Defense\mdext.dll";"Trojan horse Downloader.Zlob.AQLT";"Moved to Virus Vault"

"Information"
"File";"Information";"Result"
"C:\Program Files\Pinnacle\Studio 8\OEM\hhupd.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""

=====================================================

[Derek]

Delete any existing version of ComboFix you have sitting on your desktop

Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note:  It is important that it is saved directly to your desktop  and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Very Important! Temporarily disable your anti-virus and  anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
• Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  
• Remember to re enable the protection again after combofix has finished
  

--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running

Double click on combofix.exe & follow the prompts.

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you. 
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. 

[Would you do all this for nothing?]

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the paypal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount no matter how small is gratefully accepted and needed to ensure we keep the Rescue Centre running

To donate via paypal when the button doesn't appear or the link doesn't work: just go to www.paypal.com or your country's paypal log in page and chose send money and use help@thehedgehog.co.uk as recipient email address and select other service as the option. then follow prompts

[Information]

  
  Information
   Security & Protection Blog
   Prevention
   Using Autoruns
     System Restore
  Rss feeds
     Microsoft at Home
     MSRC
     Malware blog

Take the Kaspersky Challenge: See what your current antivirus is missing. Our free online virus scanner is a great way to find out if you have any viruses or spyware on your machine without having to uninstall your current antivirus software or install a new one.

Kaspersky Online Scanner

Most importantly, you can see what viruses your current antivirus software let slip through! Now works with ANY Java enabled browser