please help...hijacker redirect from google searches

Hi...
I have followed steps 1-7 as I was supposed to in "READ & RUN ME FIRST Before Asking for Support ". While all steps were somewhat helpful, and very informative, I am still getting a redirecting hijacker on Google's first couple of search returns. Attatched are pandasoft scan report, the activescan report, and the hijack this report. Any help you can give will be appreciated.

-ntaglioli

 

Hello and welcome to Major Geeks.

Empty the Norton Antivirus Quarintine folder.
Empty the Norton Protected Recycle Bin.

Scan with HijackThis and fix the following:

Download
- Pocket Killbox
- ExplorerXP

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.

Follow the directions for Running Ewido Security Suite and Running WinPfind by OldTimer.

Post the Ewido and WinPFind logs and a fresh HijackThis log.

 

Appreciate your help!
Here are the attatchments you requested...

 

Uninstall UnSpyPC if it exists.

Reboot to Safe mode.

Open REGEDIT navigate to the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"UnSpyPC" = "%ProgramFiles%\UnSpyPC\UnSpyPC.exe" <---- Delete this Key

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-4734-477F-8257-27CD04F88779} <---- Delete this Key
HKEY_CURRENT_USER\Software\UnSpyPC <---- Delete this Key
HKEY_LOCAL_MACHINE\Software\UnSpyPC <---- Delete this Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC <---- Delete this Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UnSpyPC <---- Delete this Key

Reboot to Normal Mode.

Download Blacklight Beta from here:
http://www.f-secure.com/blacklight/try.shtml

• Hit I accept. It will take you to download page.
• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please post the contents of the log.

 

Thanks for your help, here is the attatchment you requested...

 

You have some elements of a RootKit lurking on your system.

Do the following:

Just in case anything strange is lurking in the run keys, run this batch script.

Download to your Desktop
- getrunkey.zip

Extract getrunkey.bat from the zip file and run getrunkey.bat by double clicking on it. This will create a file named c:\runkeys.txt.

Post runkeys.txt as an attachment.

After I examine the contents of runkeys.txt I'll post back with a fix.

 

thanks for the info...here is the attatchment you requested

 

Boot to Safe Mode.

Open Regedit; navigate to HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run; locate dmwnf.exe <<------ Delete it.

Exit Regedit.

Open Windows Explorer; navigate to and delete the following:

REBOOT to Normal Mode.

How is your computer running?

 

Thanks for the help...computer/surfing speed is fine,(I keep my startup and services to a minimum) however, I am still getting redirected from the correct pages in my google searches. I have not noticed a problem any where else.

I also didn't find "dmwnf.exe" when using regedit from extention...
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run;

Also didn't find any of the following in explorer...
C:\WINDOWS\system32\csjue.exe
C:\WINDOWS\system32\dmwnf.exe
C:\WINDOWS\system32\favset.exe
C:\WINDOWS\system32\filesafer23.exe

Hope this helps

 

Follow the directions for Running Spy Sweeper.

Post the SpySweeper log and a fresh HijackThis log.

 

I ran Spysweeper and deleted the selected files, but I think spysweeper deleted my internet explorer. I can't run IE at all now, and iexplore.exe doesn't exist in its internet explorer directory. Its not in SpySweeper's quarantine, or the recycle bin. Is there a way to get IE on my cpu without having an internet browser, or buying it? Any help is appreciated. I will post the spysweeper log file and HJT file as soon as I get a browser.

 

Oh...I'll be checking the page remotely, so please reply asap

 

Reinstall Service Pack 2. If you don't have a CD it is available form Microsoft as a standalone installer.

http://www.microsoft.com/downloads/...be-3b8e-4f30-8245-9e368d3cdb5a&displaylang=en

 

Got the browser back. Here are the files...

 

Download FixWareout by Lonny and save it to your Desktop.

• Please locate your download of FixWareout and INSTALL it.
• Be sure that Run fixit is checked.
• Click Finish to begin the fix.
• Follow the prompts and Reboot when asked to do so.
• Upon Reboot, follow the prompts and HijackThis should open.

NOTHING TO FIX. CLOSE HIJACKTHIS.
​

Download Blacklight Beta from here: http://www.f-secure.com/blacklight/try.shtml

• Hit I accept. It will take you to download page.
• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please post contents of log.

 

here are the contents of both scans

 

Boot to Safe Mode.

Open Windows Explorer and delete the following:

C:\WINDOWS\SYSTEM32\CSYQJ.EXE
C:\WINDOWS\SYSTEM32\DMQBN.EXE

REBOOT

Run FixWareout again and post the log. Post a fresh HijackThis log.

 

here they are...

 

Your logs are clean.

Disable System Restore and then enable System Restore. This will flush all your restore points and create a new clean one for your system.

System Restore
How to Protect yourself from malware!

Safe surfing.