MalwareRemoval.com forum

Google Redirection

Post by ericiii » January 30th, 2009, 8:42 pm

When I perform a Google search, the results are listed, but the results bring me to incorrect websites. When hovering over a result link, the following websites are listed: hxxp://206.161.121.115 and hxxp://216.195.52.100. I have tried to remove it with Malwarebytes, SuperAntispyware, and some other programs that were recommended on other boards. I have 2 logs for you - HJT and ComboFix.

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37, on 2009-01-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PVSW\Bin\W3dbsmgr.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust Antivirus\realmon.exe" -s
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 1962450637
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1962445062
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/ ... 586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = industries.local
O17 - HKLM\Software\..\Telephony: DomainName = industries.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{8167E0FB-CCE4-4BE0-8226-4C8B8E5FA78F}: NameServer = 192.168.100.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = industries.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6348 bytes

******************************
******************************
******************************
ComboFix:
ComboFix 09-01-21.04 - ron 2009-01-30 18:22:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1519.941 [GMT -6:00]
Running from: c:\temp\ComboFix.exe
AV: eTrust ITM *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-30 17:53 . 2009-01-30 17:54 3,048,418 -ra------ c:\temp\ComboFix.exe
2009-01-30 17:23 . 2009-01-30 17:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-30 17:22 . 2009-01-30 17:22 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-30 17:22 . 2009-01-30 17:22 <DIR> d-------- c:\documents and settings\ron\Application Data\SUPERAntiSpyware.com
2009-01-30 17:21 . 2009-01-30 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-30 17:15 . 2009-01-30 17:21 5,966,368 --a------ c:\temp\SUPERAntiSpyware.exe
2009-01-30 16:25 . 2009-01-30 16:25 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-30 16:24 . 2009-01-30 16:24 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-30 16:24 . 2009-01-30 16:24 <DIR> d-------- c:\program files\MSBuild
2009-01-30 16:23 . 2009-01-30 16:24 <DIR> d-------- C:\33e582246e9ab4ba9c24788d
2009-01-30 16:23 . 2008-07-06 06:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-01-30 16:23 . 2008-07-06 06:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-30 16:23 . 2008-07-06 04:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-30 16:23 . 2008-07-06 06:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-01-30 16:23 . 2008-07-06 06:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-30 16:23 . 2008-07-06 06:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-01-30 16:23 . 2008-07-06 06:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-30 16:22 . 2009-01-30 16:38 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-30 14:43 . 2009-01-30 14:45 1,886,800 --a------ c:\temp\install_flash_player_10_active_x.exe
2009-01-30 14:33 . 2009-01-30 14:33 <DIR> d-------- c:\windows\Sun
2009-01-30 14:33 . 2009-01-30 14:33 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-30 14:29 . 2009-01-30 14:28 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-30 14:29 . 2009-01-30 14:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\program files\Java
2009-01-30 14:14 . 2009-01-30 14:14 <DIR> d-------- c:\program files\CCleaner
2009-01-30 14:12 . 2009-01-30 14:14 3,171,208 --a------ c:\temp\ccsetup216.exe
2009-01-30 13:50 . 2009-01-30 13:50 50,688 --a------ c:\temp\ATF-Cleaner.exe
2009-01-30 13:34 . 2009-01-30 13:34 532,480 --a------ c:\temp\cwshredder.exe
2009-01-30 11:45 . 2009-01-30 11:45 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 11:45 . 2009-01-30 11:45 <DIR> d-------- c:\documents and settings\ron\Application Data\Malwarebytes
2009-01-30 11:45 . 2009-01-30 11:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-30 11:45 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 11:45 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-30 11:44 . 2009-01-30 11:44 2,737,808 --a------ c:\temp\mbam-setup.exe
2009-01-30 10:10 . 2009-01-30 10:12 <DIR> d-------- c:\temp\Delete
2009-01-28 08:25 . 2009-01-28 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\SageInstalls
2009-01-28 08:25 . 2009-01-28 08:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sage
2009-01-28 08:25 . 2007-10-08 06:19 1,843,200 --a------ c:\windows\system32\acXMLParser.dll
2009-01-28 08:24 . 2009-01-28 08:25 <DIR> d-------- c:\program files\Common Files\Sage
2009-01-28 08:24 . 2009-01-28 08:24 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2009-01-28 08:24 . 2007-10-08 13:30 3,518,464 --a------ c:\windows\system32\cdintf300.dll
2009-01-28 08:24 . 2007-03-13 19:28 1,265,716 --------- c:\windows\system32\cxlib-1-6.dll
2009-01-28 08:24 . 2007-03-13 19:28 1,249,334 --------- c:\windows\system32\cxlibw-1-6.dll
2009-01-28 08:24 . 2007-12-13 19:23 901,768 --------- c:\windows\system32\pvxodbc.dll
2009-01-28 08:24 . 2007-12-13 19:23 262,792 --------- c:\windows\system32\pvxio.dll
2009-01-27 14:21 . 2009-01-27 14:21 1,071 --a------ c:\windows\AWMODEM.INF
2009-01-27 14:19 . 2004-08-04 06:00 132,608 --a--c--- c:\windows\system32\dllcache\fxsclntr.dll
2009-01-27 14:19 . 2004-08-04 06:00 111,104 --a--c--- c:\windows\system32\dllcache\fxscfgwz.dll
2009-01-27 14:19 . 2004-08-04 06:00 31,744 --a--c--- c:\windows\system32\dllcache\fxsroute.dll
2009-01-27 14:19 . 2004-08-04 06:00 11,264 --a--c--- c:\windows\system32\dllcache\fxssend.exe
2009-01-27 14:18 . 2008-04-14 00:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-01-27 14:18 . 2008-04-14 00:15 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-01-27 14:18 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2009-01-27 14:18 . 2008-04-14 05:41 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-01-27 14:18 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-01-27 14:18 . 2008-04-14 00:09 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-01-14 13:52 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-01-14 13:11 . 2008-10-16 14:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-14 13:11 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-14 13:11 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-14 13:11 . 2008-10-16 14:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-14 13:11 . 2008-10-16 14:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-14 13:11 . 2008-10-16 14:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-14 13:11 . 2008-10-16 14:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-14 13:11 . 2008-10-16 14:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-14 13:11 . 2008-10-16 07:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-10 06:38 . 2008-10-23 06:36 286,720 -----c--- c:\windows\system32\dllcache\gdi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 14:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"Realtime Monitor"="c:\program files\CA\eTrust Antivirus\realmon.exe" [2005-12-10 274432]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\Bin\W3dbsmgr.exe [2004-10-05 105472]
Ulead Photo Express 4.0 SE Calendar Checker .lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2008-10-27 69632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3317183837-1499861873-4127397810-1114\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3317183837-1499861873-4127397810-1117\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3317183837-1499861873-4127397810-1119\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=
"c:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe"=
"c:\\PVSW\\Bin\\W3dbsmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2006-09-05 26304]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV
*NewlyCreated* - SASENUM
*NewlyCreated* - SASKUTIL
*Deregistered* - m_qxckcrvkag
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = 127.0.0.1
TCP: {8167E0FB-CCE4-4BE0-8226-4C8B8E5FA78F} = 192.168.100.4
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 18:25:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\m_qxckcrvkag]
"ImagePath"="\??\c:\program files\Common Files\System\m_qxckcrvkag32.dll"
.
Completion time: 2009-01-30 18:28:10
ComboFix-quarantined-files.txt 2009-01-31 00:28:07

Pre-Run: 16,494,628,352 bytes free
Post-Run: 16,693,411,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

195 --- E O F --- 2009-01-30 12:26:24
Last edited by ndmmxiaomayi on February 25th, 2009, 9:37 am, edited 3 times in total.
Reason: Disabled links
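The logs above are what the helpers read by hand. As an added example (not a MalwareRemoval.com tool, and not what anyone in this thread ran), here is a small Python triage script that parses a few lines copied from the two logs and lists the entries a helper would want to verify first: the Winsock LSP entry, the configured DNS server, the Security Center notification switches, the firewall state and globally open ports, and the service whose ImagePath points at a DLL under Common Files\System. Which registry keys count as interesting, the "random-looking service name" heuristic, and the finding wording are this example's own assumptions; the script ranks what to check and does not decide what is malware.

```python
"""Triage helper for HijackThis / ComboFix log excerpts.

Added example for this thread, not a MalwareRemoval.com tool.  The choice of
interesting keys and the random-name heuristic are assumptions of this example.
"""
import ipaddress
import re

# Lines copied from the two logs in the first post (raw strings keep the
# Windows backslashes intact).
HJT_EXCERPT = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8167E0FB-CCE4-4BE0-8226-4C8B8E5FA78F}: NameServer = 192.168.100.4
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
*Deregistered* - m_qxckcrvkag
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\m_qxckcrvkag]
"ImagePath"="\??\c:\program files\Common Files\System\m_qxckcrvkag32.dll"
"""

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

def parse_hjt(text):
    """Return [(kind, body)] for HijackThis entry lines such as 'O10 - ...'."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def parse_combofix_reg(text):
    """Return ({key: {value_name: data}}, [deregistered service names])."""
    keys, deregistered, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # key paths compared case-insensitively
            keys.setdefault(current, {})
        elif line.startswith("*Deregistered* - "):
            deregistered.append(line.split(" - ", 1)[1])
        elif current is not None:
            m = REG_VALUE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("value").strip().strip('"')
    return keys, deregistered

def looks_random(name):
    """Assumed heuristic: 8+ letters with under 20% vowels reads like a generated name."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2

def triage(hjt_text, combofix_text):
    """Return human-readable findings, in log order, for a helper to verify."""
    findings = []
    for kind, body in parse_hjt(hjt_text):
        if kind == "O10":                          # LSP chain: a classic hijack point
            findings.append("HJT O10: verify Winsock LSP: " + body)
        elif kind == "O17":                        # DNS settings can drive redirect symptoms
            m = re.search(r"NameServer = (\S+)", body)
            if m:
                try:
                    private = ipaddress.ip_address(m.group(1)).is_private
                except ValueError:
                    private = False                # not an IP literal: treat as worth a look
                if not private:
                    findings.append("HJT O17: DNS server outside private ranges: " + m.group(1))
    keys, deregistered = parse_combofix_reg(combofix_text)
    for key, values in keys.items():
        if key.endswith("security center"):
            for name, data in values.items():
                if name.endswith("DisableNotify") and data.endswith("1"):
                    findings.append(f"Security Center: {name} set (warnings suppressed)")
        if key.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append("Windows Firewall: disabled for the standard profile")
        if key.endswith("globallyopenports\\list"):
            for port in values:
                findings.append(f"Windows Firewall: port {port} globally open")
        m = re.search(r"\\services\\([^\\]+)$", key)
        if m and "ImagePath" in values:           # a service whose image is a DLL, or oddly named
            svc, image = m.group(1), values["ImagePath"]
            if looks_random(svc) or image.lower().endswith(".dll"):
                findings.append(f"Service {svc}: suspicious ImagePath {image}")
    for svc in deregistered:
        findings.append(f"ComboFix deregistered service: {svc}")
    return findings

if __name__ == "__main__":
    for finding in triage(HJT_EXCERPT, COMBOFIX_EXCERPT):
        print(finding)
```

Run as-is, it prints seven findings for the excerpts: the LSP entry, the two suppressed Security Center warnings, the disabled firewall, the open 3389/TCP port, the m_qxckcrvkag service with its DLL ImagePath, and the deregistered service. The 192.168.100.4 name server is private and is not reported, which matches the rest of the log (a domain-joined machine with a local DNS server).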

Re: Google Redirection

Post by John B. » February 26th, 2009, 11:51 am

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

These rules are to make my voluntary work more comfortable:
  • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • Please reply to this thread. Do not start a new topic.
  • Also, don't post logs as attachments. Other helpers like to view the logs as well, and opening a lot of attachments is irritating. They can also contain malware.

Finally, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open The Misc Tool Section button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic.

Regards,
John.

Re: Google Redirection

Post by ericiii » February 26th, 2009, 2:45 pm

Thanks for your help John. I upgraded the client's antivirus from eTrust to Symantec Endpoint Security v11, and the new AV software caught the trojan immediately. Please close this thread. Thank you.

Re: Google Redirection

Post by Gary R » February 26th, 2009, 7:02 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.