Search engines (google, yahoo etc.) redirect - possible malware, Dont know how to remove?

[alexmndz]

Hello,

I would appreciate you guys if you can take a look at this logs from malwarebytes and hijackthis. I keep scanning with malware bytes and keep getting the same infections after removing and restarting.

Thanks for all your help.

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:16:38 PM, on 11/9/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\SmcGui.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\zulema.SANCHEZOG\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getavplusnow.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 64.86.16.97 google.ae

O1 - Hosts: 64.86.16.97 google.as

O1 - Hosts: 64.86.16.97 google.at

O1 - Hosts: 64.86.16.97 google.az

O1 - Hosts: 64.86.16.97 google.ba

O1 - Hosts: 64.86.16.97 google.be

O1 - Hosts: 64.86.16.97 google.bg

O1 - Hosts: 64.86.16.97 google.bs

O1 - Hosts: 64.86.16.97 google.ca

O1 - Hosts: 64.86.16.97 google.cd

O1 - Hosts: 64.86.16.97 google.com.gh

O1 - Hosts: 64.86.16.97 google.com.hk

O1 - Hosts: 64.86.16.97 google.com.jm

O1 - Hosts: 64.86.16.97 google.com.mx

O1 - Hosts: 64.86.16.97 google.com.my

O1 - Hosts: 64.86.16.97 google.com.na

O1 - Hosts: 64.86.16.97 google.com.nf

O1 - Hosts: 64.86.16.97 google.com.ng

O1 - Hosts: 64.86.16.97 google.ch

O1 - Hosts: 64.86.16.97 google.com.np

O1 - Hosts: 64.86.16.97 google.com.pr

O1 - Hosts: 64.86.16.97 google.com.qa

O1 - Hosts: 64.86.16.97 google.com.sg

O1 - Hosts: 64.86.16.97 google.com.tj

O1 - Hosts: 64.86.16.97 google.com.tw

O1 - Hosts: 64.86.16.97 google.dj

O1 - Hosts: 64.86.16.97 google.de

O1 - Hosts: 64.86.16.97 google.dk

O1 - Hosts: 64.86.16.97 google.dm

O1 - Hosts: 64.86.16.97 google.ee

O1 - Hosts: 64.86.16.97 google.fi

O1 - Hosts: 64.86.16.97 google.fm

O1 - Hosts: 64.86.16.97 google.fr

O1 - Hosts: 64.86.16.97 google.ge

O1 - Hosts: 64.86.16.97 google.gg

O1 - Hosts: 64.86.16.97 google.gm

O1 - Hosts: 64.86.16.97 google.gr

O1 - Hosts: 64.86.16.97 google.ht

O1 - Hosts: 64.86.16.97 google.ie

O1 - Hosts: 64.86.16.97 google.im

O1 - Hosts: 64.86.16.97 google.in

O1 - Hosts: 64.86.16.97 google.it

O1 - Hosts: 64.86.16.97 google.ki

O1 - Hosts: 64.86.16.97 google.la

O1 - Hosts: 64.86.16.97 google.li

O1 - Hosts: 64.86.16.97 google.lv

O1 - Hosts: 64.86.16.97 google.ma

O1 - Hosts: 64.86.16.97 google.ms

O1 - Hosts: 64.86.16.97 google.mu

O1 - Hosts: 64.86.16.97 google.mw

O1 - Hosts: 64.86.16.97 google.nl

O1 - Hosts: 64.86.16.97 google.no

O1 - Hosts: 64.86.16.97 google.nr

O1 - Hosts: 64.86.16.97 google.nu

O1 - Hosts: 64.86.16.97 google.pl

O1 - Hosts: 64.86.16.97 google.pn

O1 - Hosts: 64.86.16.97 google.pt

O1 - Hosts: 64.86.16.97 google.ro

O1 - Hosts: 64.86.16.97 google.ru

O1 - Hosts: 64.86.16.97 google.rw

O1 - Hosts: 64.86.16.97 google.sc

O1 - Hosts: 64.86.16.97 google.se

O1 - Hosts: 64.86.16.97 google.sh

O1 - Hosts: 64.86.16.97 google.si

O1 - Hosts: 64.86.16.97 google.sm

O1 - Hosts: 64.86.16.97 google.sn

O1 - Hosts: 64.86.16.97 google.st

O1 - Hosts: 64.86.16.97 google.tl

O1 - Hosts: 64.86.16.97 google.tm

O1 - Hosts: 64.86.16.97 google.tt

O1 - Hosts: 64.86.16.97 google.us

O1 - Hosts: 64.86.16.97 google.vu

O1 - Hosts: 64.86.16.97 google.ws

O1 - Hosts: 64.86.16.97 google.co.ck

O1 - Hosts: 64.86.16.97 google.co.id

O1 - Hosts: 64.86.16.97 google.co.il

O1 - Hosts: 64.86.16.97 google.co.in

O1 - Hosts: 64.86.16.97 google.co.jp

O1 - Hosts: 64.86.16.97 google.co.kr

O1 - Hosts: 64.86.16.97 google.co.ls

O1 - Hosts: 64.86.16.97 google.co.ma

O1 - Hosts: 64.86.16.97 google.co.nz

O1 - Hosts: 64.86.16.97 google.co.tz

O1 - Hosts: 64.86.16.97 google.co.ug

O1 - Hosts: 64.86.16.97 google.co.uk

O1 - Hosts: 64.86.16.97 google.co.za

O1 - Hosts: 64.86.16.97 google.co.zm

O1 - Hosts: 64.86.16.97 google.com

O1 - Hosts: 64.86.16.97 google.com.af

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sanchezog.com

O17 - HKLM\Software\..\Telephony: DomainName = sanchezog.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sanchezog.com

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe (file missing)

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 8718 bytes

-----------------------------------------

mbam log

Malwarebytes' Anti-Malware 1.41

Database version: 3133

Windows 5.1.2600 Service Pack 3 (Safe Mode)

11/9/2009 1:54:39 PM

mbam-log-2009-11-09 (13-54-39).txt

Scan type: Full Scan (C:\|)

Objects scanned: 185593

Time elapsed: 41 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)