Google keeps redirecting to webhp

#1 shashankk


Posted 06 July 2011 - 08:31 PM

My computer keeps redirecting to google/webhp once I try to access a google link. I used steps 6-9 on the following link:



Please help me understand the next steps I should be following. I have attached the attach.txt and ark.txt on this post. Here is a copy of the DDS.txt log:

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by eermer at 18:14:17 on 2011-07-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2987.2329 [GMT -7:00]
AV: eTrust ITM *Disabled/Outdated* {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
AV: System Smart Security *Enabled/Updated* {95B100EA-BB77-4A4F-ACED-25C6B76B5AFC}
FW: System Smart Security *Enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
c:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Lumension\LEMSSAgent\LMAgent.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Panasonic\OPDOFF\opdoffsv.exe
C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Documents and Settings\All Users\Application Data\Rpcnet\Bin\rpcld.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Lumension\Patch Agent\GravitixService.exe
C:\Program Files\Panasonic\WSwitch\WSwitch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\SecureWave\Sanctuary\Client\RTNotify.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Panasonic\CHGBMODE\ChgBmode.exe
C:\Program Files\Panasonic\OPDOFF\opdoff.exe
C:\Program Files\Panasonic\PPopup\ppopup.exe
C:\Program Files\Panasonic\WheelPad\Touchpad.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Lumension\Patch Agent\pddm.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://jclportal/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://jclportal/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://panasonic.net/pavc/toughbook/site_info/global_link.html
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://jclportal/index.php?init
uInternet Settings,ProxyOverride = 172.16.*.*;jclportal;jclportal2;jclportal.jclnt.jcl.com;jclportal2.jclnt.jcl.com;jclnet;jclnet.jclnt.jcl.com;jclnet2;jclnet2.jclnt.jcl.com;jclapp5;jclapp5.jclnt.jcl.com;jclpsoft*;jclpsoft*.jclnt.jcl.com;<local>;ftp://ftp2.mortenson.com;jcl.resourcescheduler.net;jclwde.wde.jcl.com;
uInternet Settings,ProxyServer =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [WSwitch] c:\program files\panasonic\wswitch\WSwitch.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [setfan] "c:\program files\panasonic\setfan\setfan.exe" /resetting
mRun: [Panasonic Hotkey Manager] c:\program files\panasonic\hotkey appendix\HKEYAPP.EXE
mRun: [PCinfo] c:\program files\panasonic\pcinfo\PcInfoUt.exe
mRun: [PRunOnce] c:\util\prunonce\PRunOnce.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
mRun: [rtnotify] c:\program files\securewave\sanctuary\client\RTNotify.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\econom~1.lnk - c:\program files\panasonic\chgbmode\ChgBmode.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\optica~1.lnk - c:\program files\panasonic\opdoff\opdoff.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pcinfo~1.lnk - c:\program files\panasonic\ppopup\ppopup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMAsst.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\touchp~1.lnk - c:\program files\panasonic\wheelpad\Touchpad.exe
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://rjjclhn.jcl.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer =
TCP: Interfaces\{B6CA1273-4111-4178-BB52-FD7CC55EF04E} : DhcpNameServer =
Notify: igfxcui - igfxdev.dll
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe
Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: www.google.com
Hosts: www.google.com
Hosts: www.google.com.au
Hosts: www.google.com.au
Hosts: www.google.be
Note: multiple HOSTS entries found. Please refer to Attach.txt
============= SERVICES / DRIVERS ===============
R1 EPS;EPS;c:\windows\system32\drivers\eps.sys [2010-8-10 127856]
R2 ETMService;Intel® Dynamic Power Performance Management Service Application;c:\windows\system32\etmservice.exe [2008-9-26 223768]
R2 LEMSS Agent;LEMSS Agent;c:\program files\lumension\lemssagent\LMAgent.exe [2010-6-16 261960]
R2 OPDOFFSV;Panasonic Opdoff Utility;c:\program files\panasonic\opdoff\opdoffsv.exe [2008-9-26 206480]
R2 PcInfoPi;Panasonic PC Information Viewer Service 2;c:\program files\panasonic\pcinfo\PcInfoPi.exe [2008-9-26 54632]
R2 PcInfoSV;Panasonic PC Information Viewer;c:\program files\panasonic\pcinfo\PCInfoSV.exe [2008-9-26 189800]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe --> c:\documents and settings\all users\application data\rpcnet\bin\rpcld.exe [?]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-25 244368]
R3 EtmCpu;EtmCpu;c:\windows\system32\drivers\EtmDevCpu.sys [2008-9-26 25088]
R3 EtmDevGen;EtmDevGen;c:\windows\system32\drivers\EtmDevGen.sys [2008-9-26 18944]
R3 EtmDrvMgr;EtmDrvMgr;c:\windows\system32\drivers\EtmDrvMgr.sys [2008-9-26 46592]
R3 EtmFan;EtmFan;c:\windows\system32\drivers\EtmDevFan.sys [2008-9-26 11264]
R3 EtmGmchMem;EtmGmchMem;c:\windows\system32\drivers\EtmDevGmch.sys [2008-9-26 98304]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-9-25 41216]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-25 110080]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [2008-9-25 47976]
R3 Patch Agent;Patch Agent;c:\program files\lumension\patch agent\GravitixService.exe [2010-11-1 95584]
S0 sk;Sanctuary Kernel;c:\windows\system32\drivers\sk.sys --> c:\windows\system32\drivers\sk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S2 scomc;Sanctuary Command and Control;c:\program files\securewave\sanctuary\client\scomc.exe [2007-8-28 1619192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 sk-ndis;SK-NDIS;c:\windows\system32\drivers\sk_ndis.sys [2007-8-29 16896]
=============== Created Last 30 ================
2011-07-01 03:31:27 -------- d-sh--w- c:\documents and settings\all users\application data\SSVJIAS
2011-07-01 03:30:30 -------- d-sh--w- c:\documents and settings\all users\application data\f6f949
2011-06-17 23:38:43 0 ---ha-w- c:\documents and settings\eermer\local settings\application data\BIT11.tmp
2011-06-09 23:21:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
==================== Find3M ====================
2011-07-06 21:26:33 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-07-06 21:26:31 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-06-14 16:51:46 58288 ------w- c:\windows\system32\rpcnet.exe
2011-04-20 20:44:21 17408 ----a-w- c:\windows\system32\rpcnetp.dll
============= FINISH: 18:15:11.10 ===============

Attached Files
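The DDS excerpt above reports two findings that together explain the redirect: several `IFEO:` entries whose "Debugger" value is `svchost.exe` (so launching the named security tool silently runs svchost instead), and non-default `Hosts:` entries for Google domains. The following triage script is an added example, not part of the thread or of the DDS tool: it parses a constructed excerpt in the same `Pseudo HJT Report` line format and pulls out exactly those two indicator classes for a responder to review.

```python
import re

# Constructed DDS-style excerpt modelled on the thread's log (not the poster's file).
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============
uStart Page = hxxp://jclportal/
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: www.google.com
Hosts: www.google.com
Hosts: www.google.com.au
Note: multiple HOSTS entries found. Please refer to Attach.txt
"""

# "IFEO: <image name> - <debugger>"  /  "Hosts: <entry>" as DDS prints them.
IFEO_LINE = re.compile(r"^IFEO:\s+(?P<image>.+?)\s+-\s+(?P<debugger>\S+)\s*$")
HOSTS_LINE = re.compile(r"^Hosts:\s+(?P<host>.+?)\s*$")

# A legitimate IFEO "Debugger" value points at a real debugger (ntsd.exe,
# windbg.exe, vsjitdebugger.exe). These system binaries are never one; an
# IFEO entry naming them only serves to neutralise the listed program.
NOT_A_DEBUGGER = {"svchost.exe", "explorer.exe", "rundll32.exe"}


def triage_dds(text):
    """Return the IFEO redirections and hosts-file overrides a DDS log reports.

    DDS only prints Hosts: lines for entries beyond the default localhost
    mapping, so every one of them is worth a look; IFEO lines are flagged
    only when the debugger target is a known non-debugger.
    """
    hijacked, hosts = [], []
    for line in text.splitlines():
        m = IFEO_LINE.match(line)
        if m:
            if m.group("debugger").lower() in NOT_A_DEBUGGER:
                hijacked.append((m.group("image"), m.group("debugger")))
            continue
        m = HOSTS_LINE.match(line)
        if m:
            hosts.append(m.group("host").lower())
    return {
        "ifeo_hijacks": hijacked,
        "hosts_overrides": sorted(set(hosts)),
        # DDS truncates long IFEO/HOSTS lists and defers to Attach.txt.
        "truncated": "Please refer to Attach.txt" in text,
    }


if __name__ == "__main__":
    for key, value in triage_dds(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

When `truncated` is true the full IFEO and HOSTS lists live in Attach.txt, which is why the helper in post #2 asks for that file as well.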

#2 CatByte


  • Malware Response Team

Posted 09 July 2011 - 12:41 PM


Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

#3 CatByte


  • Malware Response Team

Posted 15 July 2011 - 04:41 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

