[Inactive]Redirects me to iPad winner page from Google search

[newbiehitwithmalware]

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:03:10 PM, on 12/26/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\CA\eTrustITM\Realmon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Users\deep_halani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE
C:\Users\deep_halani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\deep_halani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\deep_halani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\deep_halani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\deep_halani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\deep_halani\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sparsh/v1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://puneparkweb/pune.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: SmART AssySt IE Addon - {9C975C50-C50F-4f28-A90B-5050FA5AA152} - mscoree.dll (file missing)
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\deep_halani\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [winWIRpl] rundll32.exe "C:\Users\deep_halani\AppData\Local\DesktopMain32\winWIRpl.dll",fxWeblog BluetoothMapPath
O4 - HKCU\..\Run: [chromium] C:\Users\deep_halani\AppData\Local\Google\Chrome\Application\chrome.exe --no-startup-window
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O15 - Trusted Zone: *.iscls1apps
O15 - Trusted Zone: *.iscls2apps
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} (Certificates Class) - http://testdirector:8080/qcbin/capicom.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} (Cisco NAC Web Agent Control) - https://dc3naccasvpn.limitedbrands.com/auth/taweb.cab
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://dc3naccasvpn.limitedbrands.com/auth/CCALogin.CAB
O16 - DPF: {FCADE536-93F5-4577-80A3-E7C32FAC4C7D} (Loader Class v5) - http://testdirector.limited.brands.com:8080/qcbin/Spider10.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ad.infosys.com,hsd1.ca.comcast.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ad.infosys.com,hsd1.ca.comcast.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ad.infosys.com,hsd1.ca.comcast.net
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: Intel(R) PROSet Monitoring Service - Intel Corporation - C:\Windows\system32\IProsetMonitor.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect Windows 7\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect Windows 7\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect Windows 7\iPassPeriodicUpdateService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: SMS Task Sequence Agent (smstsmgr) - Unknown owner - C:\Windows\system32\CCM\TSManager.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

--
End of file - 9787 bytes

[Hoov]

Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem.Also tell me any other problems you are having, no matter how small or long you have been dealing with them.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

Third, follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go.

Fourth, Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Fifth, if we start this fix, I need you to stick with me until the end. Just because your computer is running better does not mean it is fixed.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your harddrive.

One last thing, I need you to tell me if this computer belongs to a school or to a company or orginization of some kind. If it does, please let me know. Also tell me if there is an IT department responsible for this computer.

Now onto trying to fix your computer.


Please run ccleaner to remove temporary files from your system, and to improve the scanning time of the other scans we may be running. Then please run Malwarebytes' Anti-Malware to check for malware. Both sets of instructions are below

1.Download and scan with CCleaner
When you get to the website, there is a dark grey box on the left side with two tabs along the top. Inside this Dark Grey box is a light grey box. Below that light grey box is where the download links are at. The pay amount is for paid support.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

• Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab: 

• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

[newbiehitwithmalware]

Hi Hoov,

Thanks for the help.

The computer I am using here (and the one hit with malware) is my work computer.

Per your instructions, I've first run CCleaner and have done all the cleanup as advised.

I have also run lwarebytes Anti-Malware and the log information is as below:
Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.29.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Deep_Halani :: BLRKEC44073L [administrator]

Protection: Enabled

12/29/2011 5:53:31 PM
mbam-log-2011-12-29 (17-53-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207847
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Awaiting further inputs on the next steps.

Thanks!

[Hoov]

Open a command prompt (all programs > Accessories > Command Prompt) and type in
Ipconfig /all > ipconfig.txt and then hit enter. Then type in ipconfig.txt to open notepad with the log. Copy it and paste it in to your next response.

[newbiehitwithmalware]

Windows IP Configuration

   Host Name . . . . . . . . . . . . : BLRKEC44073L
   Primary Dns Suffix  . . . . . . . : ad.infosys.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ad.infosys.com
                                       hsd1.ca.comcast.net

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Fast Ethernet
   Physical Address. . . . . . . . . : 00-1D-09-40-53-BE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
   Physical Address. . . . . . . . . : 00-1F-3C-7C-29-53
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.2.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, December 30, 2011 8:15:16 AM
   Lease Expires . . . . . . . . . . : Monday, February 05, 2148 3:14:44 PM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.2.1
                                       209.18.47.61
                                       209.18.47.62
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Check Point Virtual Network Adapter For SecureClient
   Physical Address. . . . . . . . . : 54-95-CD-FD-32-0D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{F7752A6D-E0C1-4D30-9FB8-F59EDE6F8EFB}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{21E12EEC-6B85-4A2E-866C-CB9F29E5A1AA}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D0C27BF0-B360-4A49-B6F9-12F398C27FB0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.Belkin:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

[Hoov]

Go to the control panel and then to System Properties then click on Computer Name then click on change, then click on more. Then you need to delete the entry ad.infosys.com and click OK. Once you have done that, reboot the computer and run ipconfig again just as you did before and repost the log.

Unless you have put that entry in there for a reason.

[newbiehitwithmalware]

That entry is an authentic entry made by the IT org.

[Hoov]

Is this a corporate computer?

[Hoov]

This thread is being closed due to inactivity. If you need it reopened send me a PM. This applies to the originator only. Anyone else please start a new thread.