[birdsofprey02]

I've been working on my parent's computer for a few days trying to get rid of their hijacked browser. Searches (at least within yahoo and google) are being redirected to alternate keyword related sites.

I've ran the ATF cleaner, ran AVG anti-spyware, windows defender, etc. I have updated McAfee Enterprise 8.5 and ran that as well and found a few minor virus but all were deleted by McAfee. AVG found downloader.agent.kib but was able to delete that as well. I'm still having the browser redirect issues. Here is my HijackThis log... Any help would be greatly appreciated. I am using Windows XP with IE 7, all updates are current according to windowsupdate site.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:08 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\65ca1b7ac8fe8237eb48d1b7f5197751\update\update.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestbuy.msn.com/
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 4203 bytes

[Advertisements]

and here are the things in the HijackThis backups.... If this is useful...

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080405-173801-450 O20 - Winlogon Notify: faffdffbaadcccacfd - C:\WINDOWS\system32\faffdffbaadcccacfd.dll (file missing)
backup-20080405-173819-131 O17 - HKLM\System\CCS\Services\Tcpip\..\{20E5BF81-07CD-4F6B-922F-F406CAF48827}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-154 O17 - HKLM\System\CCS\Services\Tcpip\..\{C28F825E-D5F0-4027-AA92-0B8244A958B8}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-173 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-306 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-340 O17 - HKLM\System\CCS\Services\Tcpip\..\{6538334A-1E3D-4282-81B9-C0BFF469704F}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-352 O17 - HKLM\System\CCS\Services\Tcpip\..\{06ABA374-F48E-4AF5-8D6A-60C20B9B5EEB}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-505 O17 - HKLM\System\CS1\Services\Tcpip\..\{06ABA374-F48E-4AF5-8D6A-60C20B9B5EEB}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-734 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-980 O17 - HKLM\System\CS2\Services\Tcpip\..\{06ABA374-F48E-4AF5-8D6A-60C20B9B5EEB}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173838-999 O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080405-173851-234 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insignia-products.com/
backup-20080405-173851-243 O2 - BHO: Web Protection Module - {03C59006-FF31-11DC-A920-7C3956D89593} - C:\WINDOWS\system32\kwpm.dll
backup-20080405-173851-726 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestbuy.msn.com/
backup-20080405-173851-968 O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
backup-20080405-173914-159 O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
backup-20080405-173914-494 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
backup-20080405-173915-126 O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangoc...d84c831d43d35df
backup-20080405-173915-493 O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
backup-20080405-174053-115 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080405-174053-266 O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20080405-174053-273 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
backup-20080405-174053-356 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
backup-20080405-174053-386 O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080405-174054-414 O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://amer-ml24.am...om/iNotes6W.cab
backup-20080405-174106-634 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
backup-20080405-174106-754 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
backup-20080405-174151-637 O4 - HKUS\S-1-5-21-2911631459-3135379805-2528147993-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'anthony panichello')
backup-20080405-174151-838 O4 - HKUS\S-1-5-21-2911631459-3135379805-2528147993-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'anthony panichello')
backup-20080405-174405-201 O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
backup-20080405-174405-421 O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
backup-20080405-174405-504 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080405-174411-476 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
backup-20080405-174424-201 O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
backup-20080405-174424-379 O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
backup-20080406-154156-719 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080406-154208-909 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080406-154511-341 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080406-154522-383 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080406-170757-888 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

[birdsofprey02]

and here are the things in the HijackThis backups.... If this is useful...

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080405-173801-450 O20 - Winlogon Notify: faffdffbaadcccacfd - C:\WINDOWS\system32\faffdffbaadcccacfd.dll (file missing)
backup-20080405-173819-131 O17 - HKLM\System\CCS\Services\Tcpip\..\{20E5BF81-07CD-4F6B-922F-F406CAF48827}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-154 O17 - HKLM\System\CCS\Services\Tcpip\..\{C28F825E-D5F0-4027-AA92-0B8244A958B8}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-173 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-306 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-340 O17 - HKLM\System\CCS\Services\Tcpip\..\{6538334A-1E3D-4282-81B9-C0BFF469704F}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-352 O17 - HKLM\System\CCS\Services\Tcpip\..\{06ABA374-F48E-4AF5-8D6A-60C20B9B5EEB}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-505 O17 - HKLM\System\CS1\Services\Tcpip\..\{06ABA374-F48E-4AF5-8D6A-60C20B9B5EEB}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-734 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173819-980 O17 - HKLM\System\CS2\Services\Tcpip\..\{06ABA374-F48E-4AF5-8D6A-60C20B9B5EEB}: NameServer = 208.67.220.220,208.67.222.222
backup-20080405-173838-999 O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080405-173851-234 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insignia-products.com/
backup-20080405-173851-243 O2 - BHO: Web Protection Module - {03C59006-FF31-11DC-A920-7C3956D89593} - C:\WINDOWS\system32\kwpm.dll
backup-20080405-173851-726 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestbuy.msn.com/
backup-20080405-173851-968 O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
backup-20080405-173914-159 O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
backup-20080405-173914-494 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
backup-20080405-173915-126 O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangoc...d84c831d43d35df
backup-20080405-173915-493 O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
backup-20080405-174053-115 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080405-174053-266 O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20080405-174053-273 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
backup-20080405-174053-356 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
backup-20080405-174053-386 O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080405-174054-414 O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://amer-ml24.am...om/iNotes6W.cab
backup-20080405-174106-634 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
backup-20080405-174106-754 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
backup-20080405-174151-637 O4 - HKUS\S-1-5-21-2911631459-3135379805-2528147993-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'anthony panichello')
backup-20080405-174151-838 O4 - HKUS\S-1-5-21-2911631459-3135379805-2528147993-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'anthony panichello')
backup-20080405-174405-201 O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
backup-20080405-174405-421 O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
backup-20080405-174405-504 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080405-174411-476 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
backup-20080405-174424-201 O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
backup-20080405-174424-379 O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
backup-20080406-154156-719 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080406-154208-909 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080406-154511-341 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080406-154522-383 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080406-170757-888 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1