Google and Yahoo Search Results Being Redirected

Status
Not open for further replies.
Hello all. Can someone please help me? I have a user that is having the same symptoms as others on this forum with their "Google and Yahoo Search Results Being Redirected".
I am at my wits' end and need help. I am acting as the intermediary between this person and this forum. He has a Windows XP SP3 laptop. He clicked on what I believe was a fake anti-virus alert and now he says he is getting all kinds of pop-ups and is being redirected. He has McAfee VirusScan Enterprise 8.5i anti-virus installed and I had him install and run MalwareBytes. MalwareBytes seems to have cleaned everything but the browser hijack.
Any help you could provide would be greatly appreciated. I have had him complete the 8 step preliminary removal guide and I am attaching his log files below for HiJackThis and MalwareBytes.
 

Attachments

  • hijackthis.log (13.5 KB)
  • mbam-log-2010-07-14 (10-44-49).txt (1.3 KB)
I'll start you off and then request that you ask the person you are helping to post here directly. It's really tough to do 'middle person' malware cleaning.

The host files have been hijacked, so they can be removed. But we have different programs we use for preliminary removal.

Please reopen HijackThis to 'do system scan only'. Check each of the following if present:

O1 - Hosts: 84.16.244.15 www.google.com
O1 - Hosts: 84.16.244.15 us.search.yahoo.com
O1 - Hosts: 84.16.244.15 uk.search.yahoo.com
O1 - Hosts: 84.16.244.15 search.yahoo.com
O1 - Hosts: 84.16.244.15 www.google.com.br
O1 - Hosts: 84.16.244.15 www.google.it
O1 - Hosts: 84.16.244.15 www.google.es
O1 - Hosts: 84.16.244.15 www.google.co.jp
O1 - Hosts: 84.16.244.15 www.google.com.mx
O1 - Hosts: 84.16.244.15 www.google.ca
O1 - Hosts: 84.16.244.15 www.google.com.au
O1 - Hosts: 84.16.244.15 www.google.nl
O1 - Hosts: 84.16.244.15 www.google.co.za
O1 - Hosts: 84.16.244.15 www.google.be
O1 - Hosts: 84.16.244.15 www.google.gr
O1 - Hosts: 84.16.244.15 www.google.at
O1 - Hosts: 84.16.244.15 www.google.se
O1 - Hosts: 84.16.244.15 www.google.ch
O1 - Hosts: 84.16.244.15 www.google.pt
O1 - Hosts: 84.16.244.15 www.google.dk
O1 - Hosts: 84.16.244.15 www.google.fi
O1 - Hosts: 84.16.244.15 www.google.ie
O1 - Hosts: 84.16.244.15 www.google.no
O1 - Hosts: 84.16.244.15 www.google.de
O1 - Hosts: 84.16.244.15 www.google.fr
O1 - Hosts: 84.16.244.15 www.google.co.uk
O1 - Hosts: 84.16.244.15 www.bing.com
O4 - HKUS\S-1-5-18\..\Run: [urjbjfip] C:\Documents and Settings\NetworkService\Local Settings\Application Data\sfsdvqvod\usogycvtssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [urjbjfip] C:\Documents and Settings\NetworkService\Local Settings\Application Data\sfsdvqvod\usogycvtssd.exe (User 'Default user')


Close all Windows except HijackThis and click on "Fix Checked."

This domain/server will have to be identified: richmond.amfautomation.int. There are numerous entries for it and I can't identify it.

That's about as far as I can go. This will not remove all of the malware.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
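The O1 pattern called out in the reply above (competing search engines all pinned to one non-local address in the hosts file) can be checked automatically against a HijackThis log. The following is an added example, not part of the original post or of HijackThis itself; the function names, the `SEARCH_BRANDS` set and the `ads.example.test` line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format; the 84.16.244.15 lines are
# copied from the post above, the ads.example.test line is made up.
SAMPLE_LOG = """\
O1 - Hosts: 84.16.244.15 www.google.com
O1 - Hosts: 84.16.244.15 search.yahoo.com
O1 - Hosts: 84.16.244.15 www.bing.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ads.example.test
"""

O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
SEARCH_BRANDS = {"google", "yahoo", "bing"}  # assumption: brands to watch

def parse_o1(log_text):
    """Group every O1 (hosts file) entry in the log as {ip: {hostnames}}."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = O1_LINE.match(line.strip())
        if m:
            by_ip[m.group(1)].add(m.group(2).lower())
    return by_ip

def is_local_sink(ip):
    """Loopback or null-route targets are blocklist entries, not redirects."""
    return ip.startswith("127.") or ip in ("0.0.0.0", "::1")

def find_search_redirects(log_text):
    """Return (ip, hosts, brands) for non-local IPs overriding search hosts."""
    findings = []
    for ip, hosts in sorted(parse_o1(log_text).items()):
        if is_local_sink(ip):
            continue
        # Match on whole DNS labels so "notgoogle.example" is not flagged.
        hits = sorted(h for h in hosts if SEARCH_BRANDS & set(h.split(".")))
        if hits:
            brands = sorted({b for h in hits
                             for b in SEARCH_BRANDS & set(h.split("."))})
            findings.append((ip, hits, brands))
    return findings

if __name__ == "__main__":
    for ip, hits, brands in find_search_redirects(SAMPLE_LOG):
        # Unrelated brands sharing one address is the strongest signal.
        level = "HIGH" if len(brands) > 1 else "REVIEW"
        print(f"[{level}] {ip} overrides {len(hits)} search hosts "
              f"({', '.join(brands)})")
```
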
 
Thank you for your assistance. I am contacting the user now to join this forum and do what you ask him to do.
Also, the domain richmond.amfautomation.int listed in the HiJackThis log is our internal FQDN, so I do not think that is of any concern.
 
Good. That will be easier on all of us! Okay about the domain - I just have to verify.
 