
Clicking on Google search results redirects me to bogus search sites

Clicking on Google search results redirects me to bogus search sites such as thefreedictionary.com, tradedoubler.com, abc search, starware search and wordsea.com, but only for any three search results I click on. After I click on a fourth search result I am able to view the linked document correctly. Below is the log file generated by HijackThis.

Can anyone help? Thanks in advance.

**********

Logfile of HijackThis v1.99.1
Scan saved at 11:49:21 AM, on 5/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\naqbc.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\naqbc.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\naqbc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\naqbc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\naqbc.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\naqbc.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\naqbc.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O2 - BHO: Class - {477C3A3C-BD56-B783-B784-F0E35C51A6A8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\1.tmp
O4 - HKLM\..\Run: [utsgmon] barint.exe
O4 - HKLM\..\Run: [uio] zxc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{0917FB17-8CD3-4177-B5CF-FCEE42027306}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF849D47-897A-481B-8E9D-86F9CECBF9A6}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CS2\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
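The entries the helpers single out in this thread (IE search pages pointing at a res:// resource inside a DLL, Run entries launching a .tmp file or a bare filename, BHOs and services whose file is gone, and O17 NameServer values pointing at public DNS servers) can be triaged mechanically. The script below is an added example, not part of the original thread or of HijackThis; it runs a few heuristics over constructed sample lines in HJT v1.99 log format modelled on the log above (the `{PLACEHOLDER-GUID}` adapter id is invented).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format, modelled on the entries in
# this thread. It is not a real log; {PLACEHOLDER-GUID} is an invented adapter id.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\naqbc.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\1.tmp
O4 - HKLM\..\Run: [uio] zxc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 192.168.1.1
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


@dataclass
class Finding:
    section: str
    severity: str  # "fix" = stale or almost certainly hostile; "review" = confirm first
    reason: str
    line: str


def _run_target(cmd: str) -> str:
    """Return the executable part of an O4 command, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def check_line(line: str):
    """Apply the thread's heuristics to one HJT line; None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1") and "= res://" in body:
        # IE search/start page served from a resource inside a DLL: search hijacker pattern
        return Finding(section, "fix", "IE search page points at res:// inside a DLL", line)
    if section == "R3" and "URLSearchHook is missing" in body:
        return Finding(section, "review", "default URLSearchHook removed", line)
    if section in ("O2", "O3") and body.endswith("(no file)"):
        return Finding(section, "fix", "BHO/toolbar CLSID registered but its file is gone", line)
    if section == "O4":
        rm = RUN_RE.match(body)
        if rm:
            target = _run_target(rm.group("cmd"))
            if target.lower().endswith(".tmp"):
                return Finding(section, "fix", "Run entry launches a .tmp file", line)
            if "\\" not in target:
                # Bare filename resolved via PATH; OEM tools (tp4mon.exe) do this too, so confirm
                return Finding(section, "review", "Run entry with bare filename " + target, line)
    if section == "O17":
        nm = NS_RE.search(body)
        if nm:
            # DNS servers outside private ranges: compare against what the ISP/router really hands out
            public = [s for s in nm.group("servers").split(",")
                      if not ipaddress.ip_address(s).is_private]
            if public:
                return Finding(section, "review", "NameServer set to public IPs: " + ",".join(public), line)
    if section == "O23" and body.endswith("(file missing)"):
        return Finding(section, "fix", "service points at a missing binary", line)
    return None


def triage(log_text: str):
    """Run check_line over a whole log and keep only the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

The private-range test is only a first cut: ISP resolvers are public too, so an O17 hit means "compare with the DHCP-assigned servers", not "delete".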

Comments

  • Crunchie, Mandurah, Western Australia. Member
    edited May 2006
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe


    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.
    Once the desktop loads please do the following:

    ==

    Download CWShredder 2.19 from here.

    Download 'SpSeHjfix' to the desktop and then
    right click a blank part of the desktop and select new folder, call it spfix
    unzip the file into that folder.

    Disconnect from the net and Close ALL OPEN PROGRAMS.
    Run 'SpSeHjfix'. and click on "Start Disinfection".
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder.

    If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

    Run the shredder and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    Reboot.

    ==

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    ===============

    Download AboutBuster 6.0:

    http://www.besttechie.net/tools/AboutBuster.zip
    http://www.malwarebytes.org/AboutBuster.zip

    Once downloaded, unzip it, and put the folder on your desktop.

    Reboot into safe mode following the instructions here.

    Start AboutBuster and click Begin Removal.

    Click yes to close down any Internet Explorer windows.

    When the scan is done, click Ok.

    You can then exit the program.

    Run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

    Save the logfile from the scan.
    Restart your computer in normal mode.

    Download CCleaner and install, then run it.
    1. Uncheck "Cookies" under "Internet Explorer".
    2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
    3. Close when finished.

    Post a fresh HJT log and the log that was created by 'SpSeHjfix' as well as the log from the Ewido scan and the text log (report.txt) from FixWareout please.
  • edited May 2006
    I have to install all that stuff??? Is there a simpler solution?
  • Crunchie, Mandurah, Western Australia. Member
    edited May 2006
    Reformat :D
  • edited May 2006
    OK. All done. Here are the logs you requested in order of execution. Some of the entries in the new HJT log still look suspicious, especially the last three O4 and the O17s. Should I wipe them out?

    **********

    FixWareout log


    Fixwareout ver 1.003
    Last edited 04/26/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\inlmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmlni.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is lagitamate

    »»»»» Search by size and names...
    * csr.exe C:\WINNT\System32\CSAWG.EXE

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINNT\SYSTEM32\CSAWG.EXE 51,281 2006-04-21
    C:\WINNT\SYSTEM32\DMLNI.EXE 44,130 2003-06-19

    **********

    SpSeHjfix log



    (5/1/06 9:24:04 PM) SPSeHjFix started v1.1.2
    (5/1/06 9:24:04 PM) OS: Win2000 Service Pack 4 (5.0.2195)
    (5/1/06 9:24:04 PM) Language: english
    (5/1/06 9:24:04 PM) Win-Path: C:\WINNT
    (5/1/06 9:24:04 PM) System-Path: C:\WINNT\system32
    (5/1/06 9:24:04 PM) Temp-Path: C:\DOCUME~1\MARIOM~1\LOCALS~1\Temp\
    (5/1/06 9:24:23 PM) Disinfection started
    (5/1/06 9:24:23 PM) Bad-Dll(IEP): c:\winnt\system32\naqbc.dll
    (5/1/06 9:24:23 PM) UBF: 4 - UBB: 1 - UBR: 7
    (5/1/06 9:24:23 PM) UBF: 4 - UBB: 1 - UBR: 7
    (5/1/06 9:24:23 PM) Bad IE-pages:
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\winnt\system32\naqbc.dll/sp.html#93256
    deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\winnt\system32\naqbc.dll/sp.html#93256
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\winnt\system32\naqbc.dll/sp.html#93256
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    (5/1/06 9:24:23 PM) Stealth-String not found
    (5/1/06 9:24:24 PM) No locked Files to delete. End without Reboot
    (5/1/06 9:24:45 PM) Disinfection started
    (5/1/06 9:24:45 PM) Bad-Dll(IEP): c:\winnt\system32\naqbc.dll
    (5/1/06 9:24:45 PM) UBF: 4 - UBB: 1 - UBR: 7
    (5/1/06 9:24:45 PM) UBF: 4 - UBB: 1 - UBR: 7
    (5/1/06 9:24:45 PM) Bad IE-pages: (none)
    (5/1/06 9:24:45 PM) Stealth-String not found
    (5/1/06 9:24:45 PM) No locked Files to delete. End without Reboot

    **********

    Ewido log

    ewido anti-malware - Scan report

    + Created on: 3:55:17 AM, 5/2/2006
    + Report-Checksum: B35E33C1

    + Scan result:

    HKLM\SOFTWARE\Classes\AdAgent.AdvertisementAgent -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.AdvertisementAgent\CLSID -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.AdvertisementAgent.1 -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.BannerListItem -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.BannerListItem\CLSID -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.BannerListItem.1 -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.CompositeItem -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.CompositeItem\CLSID -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.CompositeItem.1 -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.SpotListItem -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.SpotListItem\CLSID -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\AdAgent.SpotListItem.1 -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring -> Adware.NaviPromo : Cleaned with backup
    HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring\CLSID -> Adware.NaviPromo : Cleaned with backup
    HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring.1 -> Adware.NaviPromo : Cleaned with backup
    HKLM\SOFTWARE\Classes\RMActiveX.RMPlayer -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\RMActiveX.RMPlayer\CLSID -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\RMActiveX.RMPlayer\CurVer -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Classes\RMActiveX.RMPlayer.1 -> Adware.HiWire : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access -> Dialer.Generic : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE -> Adware.HiWire : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE\Gate -> Adware.HiWire : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE\Hiwire -> Adware.HiWire : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE\MEDIAMANAGER -> Adware.HiWire : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE\MEDIAMANAGER\HISTORY -> Adware.HiWire : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE\MEDIAMANAGER\REPORT -> Adware.HiWire : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE\Registration -> Adware.HiWire : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE\wztafm -> Adware.HiWire : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE\wztafm\Gate -> Adware.HiWire : Cleaned with backup
    HKU\S-1-5-21-1004336348-152049171-1202660629-1006\Software\HIWIRE\wztafm\Registration -> Adware.HiWire : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@counter.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@ehg-espn.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\mariomarcostorres\Cookies\mariomarcostorres@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\WINNT\system32\ceuninstall.exe -> Dialer.Generic : Cleaned with backup
    C:\WINNT\system32\csawg.exe -> Downloader.Agent.uj : Cleaned with backup
    C:\WINNT\system32\dmlni.exe -> Trojan.Pakes : Cleaned with backup
    C:\WINNT\system32\EGDACCESS_1055.dll -> Dialer.InstantAccess : Cleaned with backup
    C:\WINNT\system32\LiveService_9.dll -> Dialer.InstantAccess : Cleaned with backup
    C:\WINNT\system32\msklive.dll -> Logger.Mslagent : Cleaned with backup
    C:\WINNT\system32\nethv32.dll -> Dialer.EGroup.a : Cleaned with backup
    C:\WINNT\system32\netslv32.dll -> Dialer.EGroup.a : Cleaned with backup
    C:\WINNT\system32\svcsysnet32.dll -> Dialer.EGroup.p : Cleaned with backup


    ::Report End
    **********

    HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 4:16:23 AM, on 5/2/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Malware Removal Tools\ewido anti-malware\ewidoctrl.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\tp4mon.exe
    C:\Program Files\Malware Removal Tools\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {477C3A3C-BD56-B783-B784-F0E35C51A6A8} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
    O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINNT\TPPALDR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Services] C:\WINNT\system32\1.tmp
    O4 - HKLM\..\Run: [utsgmon] barint.exe
    O4 - HKLM\..\Run: [uio] zxc.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0917FB17-8CD3-4177-B5CF-FCEE42027306}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AF849D47-897A-481B-8E9D-86F9CECBF9A6}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CS1\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CS2\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Malware Removal Tools\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Malware Removal Tools\ewido anti-malware\ewidoguard.exe
    O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
  • Crunchie, Mandurah, Western Australia. Member
    edited May 2006
    Please go to Jotti's and have these files scanned. Post the results back here.

    C:\WINNT\SYSTEM32\CSAWG.EXE
    C:\WINNT\SYSTEM32\DMLNI.EXE


    ==

    Can you please do the following.

    ===============

    Scan with HiJackThis, then check(tick) the following, if present:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {477C3A3C-BD56-B783-B784-F0E35C51A6A8} - (no file)

    O4 - HKLM\..\Run: [Services] C:\WINNT\system32\1.tmp
    O4 - HKLM\..\Run: [utsgmon] barint.exe
    O4 - HKLM\..\Run: [uio] zxc.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0917FB17-8CD3-4177-B5CF-FCEE42027306}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AF849D47-897A-481B-8E9D-86F9CECBF9A6}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CS1\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114
    O17 - HKLM\System\CS2\Services\Tcpip\..\{04DBCF53-ABD8-4952-80CF-12DA550D1F4B}: NameServer = 85.255.115.42,85.255.112.114

    O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    files...

    C:\WINNT\system32\1.tmp
    C:\WINNT\system32\wpa.exe

    Search for...

    barint.exe
    zxc.exe

    ...using "Start | Search...".

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
  • edited May 2006
    Done. The hijacking of Google's search results seems to have gone away and my browser seems to be responding much better when I click on links. I will continue to monitor throughout the evening. Thanks.

    Here are the results you requested.

    **********

    Scan of C:\WINNT\SYSTEM32\CSAWG.EXE

    File: csawg.exe
    Status: INFECTED/MALWARE
    MD5 6312309e52f7ee7eab28745471b74edb
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found Win32:Agent-IU
    AVG Antivirus Found nothing
    BitDefender Found Trojan.Downloader.FFZ
    ClamAV Found Trojan.Downloader.Agent-262
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found a variant of Win32/Small.FB
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found Trojan.DownLoader.4316

    **********

    Scan of C:\WINNT\SYSTEM32\DMLNI.EXE

    File: dmlni.exe
    Status: INFECTED/MALWARE
    MD5 7b56ea8394a40e9f72f39e3ae031e611
    Packers detected: -
    Scanner results
    AntiVir Found Heuristic/Trojan.Downloader (probable variant)
    ArcaVir Found nothing
    Avast Found Win32:Small-EK
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found a variant of Win32/Small.FB
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found Trojan-Downloader.Win32.Small.bwx

    **********

    HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 6:49:41 PM, on 5/2/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Malware Removal Tools\ewido anti-malware\ewidoctrl.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\tp4mon.exe
    C:\Program Files\Malware Removal Tools\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
    O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINNT\TPPALDR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Malware Removal Tools\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Malware Removal Tools\ewido anti-malware\ewidoguard.exe
    O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
  • Crunchie, Mandurah, Western Australia. Member
    edited May 2006
    Ok. Delete those two files manually then do the following please;

    Start>>Run and type regedit
    Press enter.
    Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Product Activation (wpa)

    If Windows Product Activation (wpa) exists, right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Windows Product Activation (wpa)

    If LEGACY_Windows Product Activation (wpa) exists then right click on it and choose delete from the menu.


    You then need to get yourself a decent firewall and anti-virus to help prevent this happening again.
    Check the links in my signature.