#1
Member (8 bit)
Join Date: May 1999
Location: Quincy, Ca.
Posts: 210
I am having a problem with a computer at my work place. When I use Google, Yahoo or any search engine for that matter, the search comes up as usual, but when I click on a link I am redirected to seemingly random websites. I installed Malwarebytes, AdAwareAE, SuperAntiSpyware and Hijackthis. Malwarebytes would not even run... AdAwareAE and Superantispyware found nothing. I then booted into Safe Mode and Malwarebytes would still not run, AdAwareAE found nothing and Superantispyware would not run. I also tried running Microsoft Malicious Software Removal Tool but it would not run either. Symantec Corporate AntiVirus is installed on the computer and after a complete scan found nothing. This is driving me crazy...
Can anybody help please? I have a Hijackthis log, but have never submitted one before. I might need some help doing so. Thanks
#2
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,188
Read the sticky and post the log.
#3
Staff
Premium Member
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,559
Jim, are you allowed to get serious with the machines at work, or do you have tech support? In other words, can you pull the hard drive out and slave it to another machine?
http://forum.pcmech.com/showthread.php?t=204049
__________________
Niwa no niwa ni wa, niwa no niwatori wa niwaka ni wani o tabeta.
#4
Member (8 bit)
Join Date: May 1999
Location: Quincy, Ca.
Posts: 210
The Hijackthis log
Here is the log that I created today. Hope I am doing this right...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:49 PM, on 4/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\mysql\bin\mysqld-nt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\srvany.exe
C:\Program Files\OnviSource\OnviCenter\OnviRecordingService.exe
c:\program files\onvisource\onvicenter\onvidataservice.exe
C:\Program Files\Promise\WebPAM\jetty\extra\win32\Wrapper.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Promise\WebPAM\_jvm\bin\java.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\CyberTech\Parrot DSC\DSC_server.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pnfecc.com/dispatch.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fa5db0ff56e748a:8080/promise
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: bginfo.lnk = C:\Program Files\bginfo\Bginfo.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1224273780453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1224273831359
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEDE563A-B23C-4A1A-9D77-7B2088A5038B}: NameServer = 166.5.92.24,166.5.92.206
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DigiVoice Cybertech Maintenance Service - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - c:\mysql\bin\mysqld-nt.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: OnviCord Recording Service - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: OnviCenter Data Service (OnviDataService) - OnviSource, Inc. - c:\program files\onvisource\onvicenter\onvidataservice.exe
O23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6517 bytes
#5
Member (8 bit)
Join Date: May 1999
Location: Quincy, Ca.
Posts: 210
Quote:
#6
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,188
I would recommend you discuss the possibility of reimaging the workstation with the tech support folks.
#7
Member (8 bit)
Join Date: May 1999
Location: Quincy, Ca.
Posts: 210
I take it that nothing stood out on the Hijack log? This is a mirrored RAID setup with important recordings on it. I have no problem with reimaging as long as I can save the recordings. Would doing a Windows Restore work? Should I turn off Windows Restore before scanning?
Basically, any other options?
#8
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,188
Discuss that with your tech support - it's dangerous for us to advise you when there's special stuff on the machine. Before doing anything drastic, I would make SURE I had a good external backup of that important data.
#9
Member (8 bit)
Join Date: May 1999
Location: Quincy, Ca.
Posts: 210
Alright, an update and a fix...
After exhausting searches on the subject, I found the culprit "gaopdxcounter" and the fix... I copied mbam.exe, renamed it to xxx.exe and put it in the same directory as mbam.exe (Malwarebytes). I then started Malwarebytes by using the xxx.exe executable. Malwarebytes opened. I then updated the program and ran a full scan. It found C:\Windows\System32\gaupdxcounter. After the scan and fix I started Superantispyware by using a tool on their website (Runsas.exe). This opened up the program and I was able to update it and run a full scan. It found and removed files from the same trojan. After rebooting I was able to finally run MRT (Windows Malicious Software Removal Tool). It found 3 instances of "Alureon" which it fixed. I rebooted and ran all the scans in Safe Mode just to make sure... Nothing was found. After booting into normal Windows I found that I was unable to connect to the Internet. After further review I found that I had to add the DNS server numbers in Network Connections (TCP/IP). For some reason they were deleted. After doing that I had internet and everything worked as it should. The real trick was getting Malwarebytes, Superantispyware and MRT to run. With the Malwarebytes trick and the download from Superantispyware, I was able to finally scan and fix. Hope this will help somebody else with similar problems.
Last edited by jimhannon; 05-01-2009 at 03:00 PM.
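Added here as an example (not code from the thread, from HijackThis or from any of the tools named in it): a small Python triage script for the log format shown in post #4. It groups entries by their section code and pulls out the lines a reviewer would want to check first, including the O17 DNS server entries that post #9 ended up re-entering by hand after the cleanup. The sample entries are a constructed subset of the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the log in post #4,
# one per line, in the shape HijackThis writes them.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pnfecc.com/dispatch.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEDE563A-B23C-4A1A-9D77-7B2088A5038B}: NameServer = 166.5.92.24,166.5.92.206
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DigiVoice Cybertech Maintenance Service - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
-- End of file - 6517 bytes
"""

# Every entry is "<code> - <body>"; codes are R0-R3, F0-F3 and O1-O24.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")

# The stock XP value for the system.ini UserInit line, lower-cased for comparison.
DEFAULT_USERINIT = r"reg:system.ini: userinit=c:\windows\system32\userinit.exe"


def parse_hjt(text):
    """Group HijackThis entries by section code, e.g. {'O23': [...], ...}."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group("code")].append(m.group("body"))
    return dict(sections)


def triage(sections):
    """Return (reason, entry) pairs for the lines a reviewer should check first."""
    findings = []
    for body in sections.get("F2", []):
        # UserInit is a well-known persistence point; anything beyond the default stands out.
        if body.lower().rstrip(",") != DEFAULT_USERINIT:
            findings.append(("non-default UserInit", body))
    for body in sections.get("O17", []):
        # Static DNS servers: list them so they can be checked against what the network should use.
        servers = body.split("NameServer = ", 1)[-1].split(",")
        findings.append(("DNS servers to confirm", ", ".join(s.strip() for s in servers)))
    for body in sections.get("O20", []):
        findings.append(("DLL loaded by Winlogon at logon", body))
    for body in sections.get("O23", []):
        # srvany.exe wraps arbitrary programs as services and carries no vendor name.
        if "Unknown owner" in body:
            findings.append(("service with unknown owner", body))
    return findings
```

Run it against a full log and the findings list is the short set of lines to look up before anything else; everything else in the log is still available from the parsed sections.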
#10
Guest
Posts: n/a
Thanks for the feedback, that's good info.
#11
Staff
Premium Member
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,559
Well done Jim, good find, good fix.