Re-Direct Spyware

I'm also experiencing the same problem, and tried different Spyware/MalWare removal tools with no success.

I found two malicious files using "Silent Runners ":

1) HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"dmqfg.exe" = "C:\WINDOWS\system32\dmqfg.exe" [null data]

2) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "cssci.exe" [null data]

Even in safe mode I couldn't find the files in my machine and, couldn't see the entries in registry using RegEdit. Also, the name of files are changing on each system boot.

How can I get rid of this MalWare?

Thank you
Kambiz



P.S. Here is the complete result of Silent Runners.

"Silent Runners.vbs ", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++} "


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = " "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" [ "Skype Technologies S.A."]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [ "Google Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"D-Link AirPlus XtremeG" = "C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [ "D-Link"]
"WZCSLDR2" = " "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" " [ "Alpha Networks Inc."]
"ccApp" = " "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" " [ "Symantec Corporation"]
"Babylon Client" = "C:\Program Files\Babylon\Babylon.exe -AutoStart" [ "Babylon Ltd."]
"dmqfg.exe" = "C:\WINDOWS\system32\dmqfg.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express "
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class "
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" [ "Adobe Systems Incorporated"]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "*n" (unwritable string)
-> {HKLM...CLSID} = "bho2gr Class "
\InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" [ "Headlight Software, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper "
-> {HKLM...CLSID} = "CNavExtBho Class "
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper "
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" [ "Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler "
-> {HKLM...CLSID} = "Microsoft Office Outlook "
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler "
-> {HKLM...CLSID} = "Outlook File Icon Extension "
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
-> {HKLM...CLSID} = "RealOne Player Context Menu Class "
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
-> {HKLM...CLSID} = "WinRAR "
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band "
-> {HKLM...CLSID} = "History Band "
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "cssci.exe" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
-> {HKLM...CLSID} = "PDF Shell Extension "
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} "
-> {HKLM...CLSID} = "IEContextMenu Class "
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
-> {HKLM...CLSID} = "WinRAR "
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
-> {HKLM...CLSID} = "WinRAR "
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} "
-> {HKLM...CLSID} = "IEContextMenu Class "
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
-> {HKLM...CLSID} = "WinRAR "
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

HKLM\Software\Classes\.hta\ = (key not found)


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSaveSettings" = (REG_BINARY) hex:00 00 00 00
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}

"NoActiveDesktop" = (REG_BINARY) hex:00 00 00 00
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Disable Active Desktop}

"ClearRecentDocsOnExit" = (REG_BINARY) hex:01 00 00 00
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Leila\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]


Startup items in "Leila" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" [ "Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [ "Adobe Systems Incorporated"]
"GetRight - Tray Icon" -> shortcut to: "C:\Program Files\GetRight\getright.exe" [ "Headlight Software, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Run Full System Scan - Leila" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /TASK: "C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca" " [ "Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 33
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F} "
-> {HKLM...CLSID} = "&Google "
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" [ "Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{C4069E3A-68F1-403E-B40E-20066696354B} "
-> {HKLM...CLSID} = "Norton AntiVirus "
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F} "
-> {HKLM...CLSID} = "&Google "
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" [ "Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus "
-> {HKLM...CLSID} = "Norton AntiVirus "
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [ "Symantec Corporation"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google "
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" [ "Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research "
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research "


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, " "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" " [ "Symantec Corporation"]
IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" { "C:\WINDOWS\System32\6to4svc.dll" [MS]}
Machine Debug Manager, MDM, " "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" " [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, " "C:\Program Files\Norton AntiVirus\navapsvc.exe" " [ "Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, " "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" " [ "Symantec Corporation"]
Norton Protection Center Service, NSCService, " "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE" " [ "Symantec Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" [ "HP"]
SPBBCSvc, SPBBCSvc, " "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" " [ "Symantec Corporation"]
Symantec Core LC, Symantec Core LC, " "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" " [ "Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, " "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" " [ "Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, " "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" " [ "Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, " "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" " [ "Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt12\Driver = "hpzlnt12.dll" [ "HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 211 seconds)

 

Hello and welcome to WindowsBBS Forums.

I've moved your post to its own thread, so we don't get confused.

We need you to post your own HijackThis! log file before we proeecd with any other tools.

Please install as instructed below.

HiJackThis v:1.99.1zip.
DL the zip file to your desktop, then create a new folder on your C drive, called 'HJT' or 'HijackThis'. Then unzip the files to the new folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.

Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log and Post that log onto this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order.

 

I could get rid of the problem.

Anyway, thank you for your help and support in this forum.

Good luck!

 

Due to resolution or the lack of feedback this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.