# Solved: Search Engine Redirect - Help!!



## anjwalker (May 5, 2007)

This seems like the best place to get some answers. This redirect problem started a couple days ago...I've figured out how to deal with it for the most part, but I would really like to fix it....I noticed a few other similar threads, but the fix always seems pretty customized.

Here is the latest Hijackthis log if anyone can help.

Thanks in advance.

I've also attached the file if that is any easier.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:29:44 PM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
G:\Programs\Mobipocket\readernotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\WinPortrait\floater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\Downloads\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ventura.craigslist.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [\\WALKERARC\EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P35 "\\WALKERARC\EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MoveMinutesQuickCheck] "c:\program files\moveminute\05091201\movemedia.exe" /boot
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] G:\Programs\Mobipocket\readernotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Programs\AdobeReader8\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = G:\Programs\AdobeReader8\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/Road...n/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Aaron\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9294206B-A9B2-4F73-938E-89F694F48101} (MoveMinute Browser Object) - http://xlonhcld.xlontech.net/100348/.../ldsdlprod.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://solutions3.webex.com/client/...ex/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\Program Files\Common Files\Repro Desk\PmProtocol.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FileSaver_Service - Unknown owner - C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 11633 bytes


----------



## anjwalker (May 5, 2007)

In reading some of the other threads this seems to be what is asked for next...the winpfind3.txt file....Hoping this will help save time.

Thanks.


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

*Run HJT again and put a check in the following:*

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)

*Close all applications and browser windows before you click "fix checked".*

What site are you getting redirected to?


----------



## anjwalker (May 5, 2007)

I've done what you said....

I'm getting redirected from Google or Yahoo search engines to completely random websites when I click on the search results that have little if nothing to do with the original search. Sometimes ebay.com, sometimes another search engine...it's completely random. If I click "back" and then click on the link again it will usually take me to the correct location.

Let me know what further info you need.

Thanks so much for your help.


----------



## anjwalker (May 5, 2007)

Here is the new file....


----------



## cybertech (Apr 16, 2002)

*Your Java is out of date.* Older versions have vulnerabilities that malware can use to infect your system.
*Please follow these steps to remove older version Java components and update.*

*Updating Java:* 

Download the latest version of *Java Runtime Environment (JRE) 6u1*. 
Scroll down to where it says "_Java Runtime Environment (JRE) 6u1 allows end-users to run Java applications_". 
Click the "*Download*" button to the right. 
Check the box that says: "*Accept*_ License Agreement_". 
The page will refresh. 
Click on the link to download _Windows Offline Installation_ with or without Multi-language and save to your desktop. 
Close any programs you may have running - especially your web browser. 
Go to *Start* > *Control Panel* double-click on *Add/Remove* programs and remove all older versions of Java. 
Check any item with Java Runtime Environment (JRE or J2SE) in the name. 
Click the *Remove* or *Change/Remove* button. 
Repeat as many times as necessary to remove each Java versions. 
Reboot your computer once all Java components are removed. 
Then from your desktop double-click on the download to install the newest version.

Please download *ATF Cleaner* by Atribune. 
*This program is for XP and Windows 2000 only*
 
Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt. 
Click *Exit* on the Main menu to close the program. 
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
_Please copy and paste the Scan Log results in your next reply *with a new hijackthis log*._

Click *Close* to exit the program.


----------



## anjwalker (May 5, 2007)

I followed your instructions, but while the SuperAntispyware was scanning this morning, at some point I got a blue error screen and I had to reboot. Not sure what caused it, but the screen indicated a hardware problem, which I've never come across before....My computer is at least three years old.

Before I run the SuperAntispyware again I thought I would post the HijackThis Log and see if you had any further advice.

Sorry for taking so long to respond, I had meetings all day yesterday and did not get a chance to scan last night. 

Thanks for your continued help.

The Java is now up to date and I ran the ATF Cleaner.


----------



## cybertech (Apr 16, 2002)

OK, I'll look at your log in a few minutes. I think the daily backups are running and I can't open it at this time...


----------



## cybertech (Apr 16, 2002)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:20:54 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
G:\Programs\Mobipocket\readernotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
G:\Programs\AdobeReader8\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
G:\Downloads\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ventura.craigslist.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [\\WALKERARC\EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P35 "\\WALKERARC\EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MoveMinutesQuickCheck] "c:\program files\moveminute\05091201\movemedia.exe" /boot
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] G:\Programs\Mobipocket\readernotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Programs\AdobeReader8\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = G:\Programs\AdobeReader8\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner/PestScan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Aaron\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9294206B-A9B2-4F73-938E-89F694F48101} (MoveMinute Browser Object) - http://xlonhcld.xlontech.net/100348/moveminute4/ldsdlprod.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://solutions3.webex.com/client/T24L/webex/ieatgpc.cab
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\Program Files\Common Files\Repro Desk\PmProtocol.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FileSaver_Service - Unknown owner - C:\Program Files\Energizer FileSaver\UPSMON_Service.Exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 11529 bytes


----------



## cybertech (Apr 16, 2002)

That is not looking too bad, a bit heavy on the startups. Are you still getting redirected in IE?


----------



## anjwalker (May 5, 2007)

Not quite sure how it's fixed, because when I tested it last night I was still having the problem. Even my first search this morning got redirected....then I started to take a sampling of random searches and they all worked. I restarted the computer and tried again and everything seems to be working fine. Hopefully that will be the end of it. 

I appreciate your help. You mentioned I'm a little heavy on the Start-ups...what can I do to trim this down, it seems like everytime I install a new program it wants to be part of the startup....my computer used to be up and running in less than 15 seconds...now it takes a few minutes.

Thanks again.


----------



## cybertech (Apr 16, 2002)

You can check out programs here: http://www.bleepingcomputer.com/startups/NeroCheck.exe-3619.html to see if you need them running on startup.
This link will open to NeroFilterCheck which is an example of one that is not required.

When you have a full list together run msconfig to disable them from startup.

Click Start - Run, type in MSCONFIG, then click OK - "Startup" tab. Remove the checkmark from:

Click Apply - OK afterwards, then reboot. When the SCU window appears during reboot, ignore the message. Place a checkmark in the window, then click OK.


----------



## anjwalker (May 5, 2007)

Well, that didn't last long....this morning the google was working fine, now I'm right back to having every link redirected to some meaningless web page....stay tuned....I will repost my latest HijackThis file...


----------



## anjwalker (May 5, 2007)

Here is the HijackThis log and a winpfind3.txt file....keeping fingers crossed that there is a solution out there somewhere.


----------



## cybertech (Apr 16, 2002)

Run *Panda ActiveScan* *here*

*Post the results from ActiveScan.*


----------



## anjwalker (May 5, 2007)

Here you go...


----------



## cybertech (Apr 16, 2002)

Click on the link below to download CWshredder.
http://www.intermute.com/spysubtract/cwshredder_download.html

Run the program and let it do it's thing. Make sure to click on *"Fix"* and not scan only.

Run SUPERAntiSpyware again and see if you can get it to finish this time.


----------



## anjwalker (May 5, 2007)

Ran the CWShredder....

And I was able to get Super AntiSpyware to run a complete scan...

Here is the log.

Just checked Google and sites are still being redirected.


----------



## cybertech (Apr 16, 2002)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/11/2007 at 03:40 PM

Application Version : 3.7.1018

Core Rules Database Version : 3228
Trace Rules Database Version: 1239

Scan type : Complete Scan
Total Scan Time : 01:10:12

Memory items scanned : 450
Memory threats detected : 0
Registry items scanned : 6959
Registry threats detected : 0
File items scanned : 54125
File threats detected : 13

Adware.Tracking Cookie
C:\Documents and Settings\Daddy\Cookies\[email protected][2].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][2].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt
C:\Documents and Settings\Daddy\Cookies\[email protected][1].txt


----------



## cybertech (Apr 16, 2002)

Open IE, go to Tools, Internet Options, Privacy, Advanced, click in the box "Override automatic cookie handling", First-party Cookies select Prompt, Third-party cookies select Block. When those cookies try to install click block.

Download the *HostsXpert 3.8 - Hosts File Manager*.

Unzip HostsXpert 3.8 - Hosts File Manager to a convenient folder such as *C:\HostsXpert*
Click *HostsXpert.exe * to Run HostsXpert 3.8 - Hosts File Manager from its new home
Click *"Make Hosts Writable?" * in the upper right corner (If available).
Click *Restore Microsoft's Hosts file * and then click OK.
Click the *X* to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ventura.craigslist.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

*Close all applications and browser windows before you click "fix checked".*

Go to Internet Options, Programs
Click the *"Reset Web Settings" * Button to reset your home and search pages.


----------



## anjwalker (May 5, 2007)

I changed the IE Settings, I ran HJThis again as instructed. 

Let me know if you would like a new HJThis file...

Here is an example of what is happening....

If I search my name the first link that comes up is an NFL Player with the same name. 

When I click on the top Google Search Link the first time I get directed to Reebok.com
If I click back and click on the same link again, It takes me to an ebay listing,
If I click back again and click on teh same link for a third time, it will take me to the correct NFL web page with the players bio.

I also ran a random search for carrots and the first Google link was a Wikipedia site....when I click on it it directs me to btcar.com, which appears to be a bogus ad site for random crap.

If I click back enough times eventually it will take me to the right site, but the first one is always redirected...I can even see IE hesitate while loading and then steer the click elsewhere somehow....

There has to be a solution to this....would reinstalling IE or my Microsoft programs do anything or is this Malware some how encoded deeper into my system then that?

Thanks again for your continued help...


----------



## cybertech (Apr 16, 2002)

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites: 
http://downloads.subratam.org/Fixwareout.exe 
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. 
The fix will begin; follow the prompts. 
You will be asked to reboot your computer; please do so. 
Your system may take longer than usual to load; this is normal.

Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step .

*CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. If you are sure you do not need a specific DNS address here, you may proceed.*


Double-click the *Network Connections* icon
Right-click the *Local Area Connection icon* and select *Properties*.
Hilight *Internet Protocol (TCP/IP)* and click the *Properties* button.
Be sure *Obtain DNS server address automatically* is selected. 
*OK* your way out.

Go to Start > Run and type in *cmd*

Click OK.
This will open a command prompt.
Type the following line in the command window:

*ipconfig /flushdns*

Hit Enter
Exit the command window

Now restart your machine. Post the report.txt and a new Hijackthis log.


----------



## anjwalker (May 5, 2007)

Here is the Report.txt and HijackThis Log....

I checked The Google Search function before running HijackThis and it's working fine....I also just checked again just before making this post and so far so good.

I will give it 24 hours and check again after a fresh restart.

Thanks so much for your help.

Keeping my fingers crossed....


----------



## anjwalker (May 5, 2007)

Oh...forgot to mention...when I ran the ipconfig/flushdns I received the following error message:

Could Not Flush the DNS Resolver Cache: Function Failed During Execution


----------



## cybertech (Apr 16, 2002)

Looks good. Let me know if you have any problems.

It's a good idea to Flush your System Restore after removing malware:


 On the Desktop, right-click My Computer. 
 Click Properties. 
 Click the System Restore tab. 
 Check Turn off System Restore. 
 Click Apply, and then click OK. 
 Restart the computer. 

To create a new restore point: 

On the Desktop, right-click My Computer. 
 Click Properties. 
 Click the System Restore tab. 
 Check Turn on System Restore. 
 Click Apply, and then click OK.


----------



## anjwalker (May 5, 2007)

Thanks CyberTech for all your help....problem solved!!!


----------



## cybertech (Apr 16, 2002)

You're welcome!


----------

