Another google redirect virus

[ttt03]

Computer running slow and being redirected to random websites when clicking links on google search result page. Tried numbers of tools but

got no luck so far. TIA.

Running on Windows XP SP 3 and IE7

Here's the log files from MBAM (with latest udpate) and HijackThis 2.0.4

----------------------------------------------------------------------------------

MBAM logs

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4121

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

5/20/2010 3:45:50 PM

mbam-log-2010-05-20 (15-45-50).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 219127

Time elapsed: 20 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urlvjyoc (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urlvjyoc (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----------------------------------------------------------------------------------

HT logs

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 3:36:41 PM, on 5/20/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\lotus\notes\nslsvice.exe

C:\Program Files\Novell\CASA\bin\micasad.exe

C:\lotus\notes\nsl.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\CmgShieldSvc.exe

C:\WINDOWS\system32\EMSService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe

C:\WINDOWS\system32\spoolsv.exe

c:\windows\drivers\e6400\stacsv.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Connected\AgentSrv.EXE

C:\Program Files\Courion Corporation\Courion Client Manager\CourClientSvr.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\cpsyssrv.exe

C:\lotus\notes\ntmulti.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\ABC\Licenser\i386\clientnt.exe

C:\Siaudit2\QPDiscovery.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\IDT\WDM\sttray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\WINDOWS\system32\iprntctl.exe

C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\System32\CMGShieldUI.exe

C:\WINDOWS\system32\EmsServiceHelper.exe

C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe

C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe

C:\Program Files\Connected\CBSysTray.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Lotus\Notes\NLNOTES.EXE

C:\Lotus\Notes\ntaskldr.EXE

C:\Documents and Settings\TTu1\Local Settings\Temporary Internet Files\Content.IE5\IFQTWRUZ\windows-kb890830-v3.7[1].exe

c:\6db68166d79cbe990bbfb20adcaf\mrtstub.exe

C:\WINDOWS\system32\MRT.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\TTu1\Local Settings\Temp\jkos-TTu1\binaries\ScanningProcess.exe

C:\Documents and Settings\TTu1\Local Settings\Temp\jkos-TTu1\binaries\ScanningProcess.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\TTu1\Desktop\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://online/

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O4 - HKLM\..\Run: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON

O4 - HKLM\..\Run: [Google Pinyin 2 Autoupdater] "C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe"

O4 - HKLM\..\Run: [NVHotkey] RUNDLL32.EXE nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE c:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe

O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe

O4 - HKLM\..\Run: [ZenNotifyIcon] C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe

O4 - HKLM\..\Run: [ZENWorksUserDaemon] C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe

O4 - HKLM\..\Run: [NalView] C:\Program Files\Novell\ZENworks\bin\nalview.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [urlvjyoc] C:\Documents and Settings\TTu1\Local Settings\Application Data\gvrctdcsf\sgmxeldtssd.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [urlvjyoc] C:\Documents and Settings\TTu1\Local Settings\Application Data\gvrctdcsf\sgmxeldtssd.exe

O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe

O4 - Global Startup: SSH Tectia Broker.lnk = C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll

O9 - Extra button: IEWatch Professional - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll

O9 - Extra 'Tools' menuitem: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: (no name) - {EF3CEDAA-71DE-494f-A700-9648BD0F0BA9} - C:\Program Files\ieHTTPHeaders\ieHTTPTrace.dll

O9 - Extra 'Tools' menuitem: Display ieHTTPHeaders... - {EF3CEDAA-71DE-494f-A700-9648BD0F0BA9} - C:\Program Files\ieHTTPHeaders\ieHTTPTrace.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.harvardpilgrim.org

O15 - Trusted Zone: *.hphc.org

O16 - DPF: {6C64B50D-0472-4CD6-9312-644BEF37D4E6} (CourLocal2 Class) - https://aim.hphc.org/AIM/Courion/AccessOpti...S/CourLocal.CAB

O16 - DPF: {7663D970-69AA-40EB-9B59-6C4F02DE264D} (CourLocal Class) - https://aim-dev.hphc.org/AIM/Courion/Access...S/CourLocal.CAB

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://btconferencing.webex.com/client/T27...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG

O17 - HKLM\Software\..\Telephony: DomainName = EHEALTH.HPHC.ORG

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EHEALTH.HPHC.ORG

O20 - Winlogon Notify: CMGShieldNP - CmgShieldNP.dll (file missing)

O20 - Winlogon Notify: LCredMgr - C:\Program Files\Novell\CASA\bin\lcredmgr.dll

O20 - Winlogon Notify: nzrNotifier - nzrNotifier.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: ABC Client Monitor - ABC Enterprise Systems Ltd. - C:\WINDOWS\ABC\Licenser\i386\clientnt.exe

O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: CMG Shield (CMGShield) - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe

O23 - Service: CourClientSvr - Courion Corporation - C:\Program Files\Courion Corporation\Courion Client Manager\CourClientSvr.exe

O23 - Service: Credential Vault Host Control Service - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

O23 - Service: Credential Vault Host Storage - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\lotus\notes\nslsvice.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: Monitor System - Unknown owner - C:\WINDOWS\system32\cpsyssrv.exe

O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe

O23 - Service: Novell Identity Store - Novell, Inc - C:\Program Files\Novell\CASA\bin\micasad.exe

O23 - Service: Novell ZENworks Agent Service - Novell, Inc. - C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Novell ZENworks Remote Management powered by VNC (nzwinvnc) - Novell, Inc. - C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe

O23 - Service: QP: Discovery Agent - PS'SOFT - C:\Siaudit2\QPDiscovery.exe

O23 - Service: QP: Discovery Update Agent - Unknown owner - C:\Siaudit2\QPDUpdateService.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\windows\drivers\e6400\stacsv.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

O23 - Service: Novell ZENworks Pre Agent (ZENPreAgent) - Unknown owner - C:\WINDOWS\novell\zenworks\bin\ZENPreAgent.exe

--

End of file - 12277 bytes

[Firefox]

Hello ttt03,

Please read the following so that you can begin the cleaning process:

We don't work on Malware removal in the general forums.

Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless its been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

If you are a corporate customer please send an email to corporate-support@malwarebytes.org. (NOTE: An order number is required for corporate support.)

Also, when replying, please use the "ADD REPLY" button or erase what the person you are replying to said, as this makes the forum easier to read.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Thank you