
Both IE and Firefox redirecting Google links


Post by croat » April 7th, 2010, 8:27 am

Hi folks,

Seems like my laptop got hit by some nasty crap that's redirecting both IE and Firefox to spam sites. I forgot which site I went to, but my anti-virus lit up big time but said it deleted them all. However, now what happens is that when I do a search in Google for something and then click on a link from the search results, it redirects me somewhere else.

I ran Malwarebytes Anti-Malware and it found one infection, which got deleted.
I also ran an antivirus scan and it didn't find anything.
Ran GMER, it didn't find anything.

Here are the logs from ComboFix and HijackThis.
Thanks

EDIT: It wouldn't let me post here from my laptop, and I had to go to another PC.

ComboFix:

ComboFix 10-04-05.06 - mxfilipo 04/06/2010 14:01:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.707 [GMT -3:00]
Running from: c:\documents and settings\mxfilipo\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1203752577-1241443622-2225589205-500
c:\recycler\S-1-5-21-1862811806-3962937336-1497286466-500
c:\recycler\S-1-5-21-572454927-3277439761-1653462319-500
c:\recycler\S-1-5-21-72185382-2121258603-1256799619-500
c:\recycler\S-1-5-21-839522115-412668190-725345543-500
c:\windows\Downloaded Program Files\x64
c:\windows\Downloaded Program Files\x64\racodec.ax
c:\windows\Downloaded Program Files\x86
c:\windows\Downloaded Program Files\x86\racodec.ax

.
((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-03-12 19:18 . 2010-03-12 19:18 162656 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2010-03-12 19:18 . 2010-03-12 19:18 474032 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.MFC_8.0.50727.762.exe
2010-03-12 19:18 . 2010-03-12 19:18 292704 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 13:00 . 2009-06-10 01:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 12:28 . 2008-12-17 14:10 -------- d-----w- c:\documents and settings\mxfilipo\Application Data\LogMeIn Rescue
2010-04-06 11:50 . 2009-05-23 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 19:11 . 2009-07-17 17:47 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 03:46 . 2009-05-23 00:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 03:45 . 2009-05-23 00:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 19:18 . 2008-08-26 19:59 -------- d-----w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks
2010-03-12 19:18 . 2008-08-26 19:59 37464 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Setup\uninstall.exe
2010-03-01 20:17 . 2008-08-28 23:43 -------- d-----w- c:\documents and settings\mxfilipo\Application Data\Skype
2010-03-01 20:07 . 2008-08-28 23:45 -------- d-----w- c:\documents and settings\mxfilipo\Application Data\skypePM
2010-03-01 12:55 . 2009-07-30 14:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-23 18:33 . 2010-02-23 18:32 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-02-19 00:27 . 2010-02-19 00:27 183680 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\uninstall.exe
2010-02-19 00:27 . 2010-02-19 00:27 87408 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsCboxBroker.exe
2010-02-19 00:27 . 2010-02-19 00:27 79216 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsCboxServiceDll.dll
2010-02-19 00:27 . 2010-02-19 00:27 701808 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsCboxUI.exe
2010-02-19 00:26 . 2010-02-19 00:26 14336 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\isPowerUser.dll
2010-02-19 00:19 . 2010-02-19 00:19 18944 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsWinClientResource_FR.dll
2010-02-19 00:19 . 2010-02-19 00:19 18944 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsWinClientResource_DE.dll
2010-02-19 00:19 . 2010-02-19 00:19 16896 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsWinClientResource_KO.dll
2010-02-19 00:19 . 2010-02-19 00:19 16384 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsWinClientResource_ZH_CN.dll
2010-02-19 00:19 . 2010-02-19 00:19 16384 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsWinClientResource_ZH.dll
2010-02-19 00:19 . 2010-02-19 00:19 18432 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsWinClientResource_ES.dll
2010-02-19 00:19 . 2010-02-19 00:19 16896 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\dsWinClientResource_JA.dll
2010-02-19 00:07 . 2010-02-19 00:07 17408 ----a-w- c:\documents and settings\mxfilipo\Application Data\Juniper Networks\Secure Meeting 6.5.0\psapi.dll
2010-01-19 14:53 . 2010-01-19 14:54 36030 ----a-w- C:\Audit Trail.zip
2010-01-19 14:10 . 2010-01-19 14:11 22479950 ----a-w- C:\Jan 19 RDC crash.zip
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2009-03-06 7086080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-20 339968]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-839522115-1801674531-2895\Scripts\Logon\0\0]
"Script"=logonCC.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-839522115-1801674531-2895\Scripts\Logon\1\0]
"Script"=setcomputerdescription.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2008-12-17 18:36 50520 ----a-w- c:\documents and settings\mxfilipo\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\mxfilipo\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [1/23/2009 4:51 AM 64480]
R2 i2050QoSSvc;Nortel IP Softphone 2050 QoS;c:\program files\Nortel\IP Softphone 2050\i2050QosSvc.exe [7/31/2007 5:25 PM 94208]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [6/2/2008 11:19 AM 11113]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 1:26 PM 80384]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [9/2/2004 9:30 AM 32640]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [6/2/2008 11:19 AM 790528]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [6/2/2008 11:19 AM 149952]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KXDDAPOG
*NewlyCreated* - MFERKDK
*Deregistered* - kxddapog
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = https://voffice.innovatia.net
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: aliant.ca\sslvpn.bell
Trusted Zone: aliant.icn\connexion
Trusted Zone: cara.com\access
Trusted Zone: imageshack.us\toolbar
Trusted Zone: innovatia.net\voffice
Trusted Zone: innovccma
Trusted Zone: youtube.com\www
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxps://centra.nortel.com/SiteRoots/mai ... aterAx.cab
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue-enterprise ... ontrol.cab
DPF: {44BD92DB-D8A8-43A8-8900-DD73310A59EB} - hxxp://innovccma/common/controls/todg8.cab
DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} - hxxps://access.cara.com/nortel_cacheable/iewiper.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://rja-secureaccess.rjf.com/dana-c ... Client.cab
FF - ProfilePath - c:\documents and settings\mxfilipo\Application Data\Mozilla\Firefox\Profiles\e3t0kt7v.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 14:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89A07AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbfc3
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72d27b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577ffe
ParseProcedure -> ntkrnlpa.exe @ 0x80576c60
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577ffe
ParseProcedure -> ntkrnlpa.exe @ 0x80576c60
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf71f0ba0
PacketIndicateHandler -> NDIS.sys @ 0xf71dfa0b
SendHandler -> NDIS.sys @ 0xf71f3b31
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1644)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1704)
c:\program files\Juniper Networks\Secure Application Manager\samnsp.dll
.
Completion time: 2010-04-06 14:13:07
ComboFix-quarantined-files.txt 2010-04-06 17:13

Pre-Run: 1,162,801,152 bytes free
Post-Run: 4,266,475,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C5888718EFCCF445825745FBEEBF08CF





HijackThis:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:38:04 PM, on 4/6/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\ClarifyCRM12_Oracle\ClarifyClient\clarify.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\telnet.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Nortel\IP Softphone 2050\i2050.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://voffice.innovatia.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O1 - Hosts: 198.206.164.1 clarifyattach.ca.nortel.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: DctmWDKBho Class - {B6D89134-E693-4D2A-882A-7C0844674AF2} - C:\Progra~1\Arbortext\Editor\adapters\DctmWDKocx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://connexion.aliant.icn
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: http://*.innovccma
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - https://centra.nortel.com/SiteRoots/...aUpdaterAx.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue-enterpr...cueControl.cab
O16 - DPF: {44BD92DB-D8A8-43A8-8900-DD73310A59EB} (True OLE DBGrid 8 Control) - http://innovccma/common/controls/todg8.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://bogus.ssemc.com/XTSAC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1268080842642
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://bogus.ssemc.com/msrdp.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://access.cara.com/nortel_cacheable/iewiper.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://sslvpn.bell.aliant.ca/dana-c...erSetupSP1.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://rja-secureaccess.rjf.com/dan...etupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = STJH.INNOVATIA.INC
O17 - HKLM\Software\..\Telephony: DomainName = STJH.INNOVATIA.INC
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F634A61-21AD-4773-999A-352231B2A5FB}: NameServer = 142.134.135.20,142.134.135.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = STJH.INNOVATIA.INC
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = STJH.INNOVATIA.INC
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Nortel IP Softphone 2050 QoS (i2050QoSSvc) - Nortel - C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
croat
Active Member
 
Posts: 2
Joined: April 6th, 2010, 1:29 pm

Re: Both IE and Firefox redirecting Google links

Post by croat » April 9th, 2010, 11:20 am

Anyone?

TIA
croat

Re: Both IE and Firefox redirecting Google links

Post by NonSuch » April 9th, 2010, 2:06 pm

We're sorry, but it is necessary to close your topic because you have replied to it prior to receiving a response from a helper.

Due to adding on to your topic with your second post, it is highly unlikely that you would have received a response. Our helpers are looking for topics with zero responses. When you post replies to your own topic, it no longer has zero responses, and so it appears that you have received help when, in fact, you have not.

If you still require help, please open a new thread in the Malware Removal forum and wait for assistance. Please do not attempt self fixes, or run additional programs until requested to do so by a helper. Your helper will ask for additional logs as needed. DO NOT reply to your own topic until you have received a response from a helper.

Be patient. There are others who have been waiting longer than you, so do not expect an immediate reply. If your situation is emergent and you do not feel that you can wait for help, then your best option may be to take your computer into a trusted local shop rather than wait for help on a free, volunteer supported, online forum.
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
