Google Search Results Diverted[INACTIVE]

[rakeshca]

I'm at my wit's end... Please help.

Result pages from Google(and other search engines are) rewritten so that a click is redirected to some ad page. Access to some sites is also blocked (e.g. typing to besttechie.net gives the unable to connect message). The problem pesists both with Firefox 3.0.1 as well as IE7.

I'm using dynamic DNS and there is no proxy. Below are examples of rewritten URLs,HJT log, as well as Melwarebytes' log. I have also tried Adaware and Windows Defender, but they find no malware. (Note the ending on redirected URL is 711.691.111.46, which seems to be an IP address in Kobe Japan per http://www.geobytes.com/ipLocator.htm.)

Examples of Redirected URLs

http://go.google.com/?u=XhLpB9B6kwMxWShkHT...F711.691.111.46

http://go.google.com/?u=QJ5CW2FgfFClmN60C5...F711.691.111.46

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:17:23 PM, on 8/30/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\IT Connection Manager\SRUserService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe

C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe

C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe

C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe

C:\Program Files\Toshiba\TAudEffect\TAudEff.exe

C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE

C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Toshiba\TapButton\TapButt.exe

C:\Program Files\Microsoft Office Communicator\Communicator.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

D:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://msw/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = itgproxy.redmond.corp.microsoft.com:80

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe

O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe

O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe

O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"

O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\Toshiba\TAudEffect\TAudEff.exe /run

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

MALWAREBYTES' LOG

Malwarebytes' Anti-Malware 1.24

Database version: 1012

Windows 5.1.2600 Service Pack 3

3:12:15 PM 8/30/2008

mbam-log-8-30-2008 (15-12-15).txt

Scan type: Full Scan (C:\|)

Objects scanned: 95244

Time elapsed: 22 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[sarahw]

Hi,

Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.

Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.

These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.

[sarahw]

1.

Updating Java and Clearing Cache

1. Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
   
2. It will say "Java Plug-in" under the icon.
   Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
   
3. If you are unable to update you can manually update by going here:http://www.java.com/en/download/manual.jsp
   

[*]After the reboot, go back into the Control Panel and double-click the Java Icon.

[*]Under Temporary Internet Files, click the Delete Files button.

[*]There are three options in the window to clear the cache - Leave ALL 3 Checked

• Downloaded Applets
  Downloaded Applications
  Other Files
  

[*]Click OK on Delete Temporary Files Window

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

[*]Click OK to leave the Java Control Panel.

2.

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).

Click Scan.

When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad.

Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.

Click the Logs tab.

Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply post the Malwarebytes' Anti-Malware log.

3.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
  
• Double-click on dss.exe and follow the prompts.
  
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.