Google results are redirected

[Jorsoft]

I picked up a nasty the other day. Spybot removed it and Malwarebytes gave me a clean scan but my Google results are still being redirected. My HJT log is attach, can anybody take a look?

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:36 PM, on 5/17/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C}

- C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-

4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -

C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} -

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} -

C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -

C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-

Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"

/background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe

/detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe

oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe

/detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program

Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2

\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49}

- C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1

\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -

http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DF0E777-07A1-4C4B-A767-944D0A63579B}:

NameServer = 192.168.2.1
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1

\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program

Files\AVG\AVG9\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common

Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. -

C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program

Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program

Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program

Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd -

C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare -

C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program

Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware -

C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common

Files\Steam\SteamService.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program

Files\TeamViewer\Version5\TeamViewer_Service.exe

--
End of file - 7157 bytes

 

[Osiris]

Can you san with hijackthis 2.4 and make sure the entries are all screwed up like below, makes it hard to read.

 

[Jorsoft]

I assume you mean 2.0.4 as it is the latest...log file attached

 

[Osiris]

Copy this to notepad and close IE

Remove

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

Then run Combofix and post its log.

Then you need to update to IE8 and install all the Windows Updates after that,

Then you may want to clean up some garbage by running ccleaner and cleanup.

 

[Jorsoft]

Attached.
​

 

[Osiris]

I cant seem to open that file, says its corrupt.

 

[S0ULphIRE]

I think it was just your download, looks fine to me.

 

[Osiris]

Hmmm....Not sure what happend but I was able to open with Winrar.

Anyways looks like you had a bad infection, a rootkit. Combofix fixed it

Make sure system restore is disabled, reboot and then run it again, need to see if it returns after you reboot.