Browser keeps being redirected

Every time I use a search engine, get the results and select the link I want, my browser gets redirected to some random page. I close the redirected window (multiple times), select the link again and get the page I want. I have tried McAfee Enterprise VirusScan and AntiSpyware 8.5.0i, Spybot Search and Destroy, SpywareBlaster, CA Spyware and Ad-Aware, and they all say my computer is clean. Any help would be greatly appreciated. This web address displays prior to my being redirected: www.directrdr.com

WinXp Pro SP3 (All patches up to date)
McAfee Enterprise VirusScan and AntiSpyware 8.5.0i
Windows Firewall

I've attached the HijackThis logfile.

[attachment deleted by admin]

Hi,

I think you can fix these entries:

      C:\WINDOWS\system32\scanner.exe
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://hsslvpn.honeywell.com/dana-na/auth/url_default/welcome.cgi
O1 - Hosts: 127.0.1.11 MD61IS100.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.30 MD61NTVMTS109.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.30 MD61NTVMTS109.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.23 MD61NTVMTS101.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.23 MD61NTVMTS101.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.16 uswebmail.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.27 MD61NTVMTS103.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.27 MD61NTVMTS103.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.10.15 AeroAtlas.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.13 uspop.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.22 imap.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.20 AZ18NT288.Honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.10.13 MD61NTVMTS200.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.10.13 MD61NTVMTS200.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.26 MD61NTVMTS102.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.26 MD61NTVMTS102.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.28 MD61NTVMTS104.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.28 MD61NTVMTS104.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.32 webmail.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.10.11 clmar002.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.25 dicitrix1.global.ds.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.25 dicitrix1.global.ds.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.29 MD61NTVMTS201.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.29 MD61NTVMTS201.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.21 pop.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.19 AZ18NT287.Honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.24 MD61NTVMTS100.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.24 MD61NTVMTS100.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.12 smtp.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.10 dmweb.allied.com			Must be fixed! 
O1 - Hosts: 127.0.1.31 MD61NTVMTS105.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.1.31 MD61NTVMTS105.ad.honeywell-tsi.com			Must be fixed! 
O1 - Hosts: 127.0.10.18 AZ18IS101.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.1.14 usimap.honeywell.com			Must be fixed! 
O1 - Hosts: 127.0.10.12 az18nt004.honeywell.com			Must be fixed!
O4 - HKLM\..\RunOnce: [DeleteScanner] C:\WINDOWS\system32\DeleteOcx.cmd
O18 - Filter hijack: text/html - {b794481b-9442-4949-af20-8b9a73789b81} - C:\WINDOWS\system32\mst120.dll

Please fix those and post a new HijackThis log. Also post whether you're still redirected or not.

best regards,
eXPerience
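The O1 entries above map a long list of corporate hostnames to 127.0.1.x addresses. Whether such lines are a hijack or a VPN artefact can only be decided against a list of domains you expect to see overridden (the next reply confirms these are the poster's employer's), and the same parser catches the two patterns a redirector usually leaves in a hosts file: a name you do not own pointed at a foreign IP, or a vendor/update site sinkholed to loopback. The script below is an added example, not part of this thread or of HijackThis; the sample hosts text is constructed (two entries copied from the log above, the example.com/example.net lines invented), and the trusted-suffix list is an assumption the reader supplies for their own environment.

```python
import ipaddress
from collections import Counter

# Names that legitimately appear in every hosts file and are never a finding.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample modelled on the log in this thread (two lines copied from it,
# the example.com / example.net lines invented for the demonstration).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.1.11      MD61IS100.ad.honeywell-tsi.com
127.0.1.30      MD61NTVMTS109.ad.honeywell-tsi.com
127.0.1.30      MD61NTVMTS109.ad.honeywell-tsi.com
203.0.113.10    www.example.com          # constructed: name pointed at a foreign IP
127.0.0.1       updates.example.net      # constructed: update site sinkholed
"""

# Assumption: suffixes the owner of this machine expects to see overridden by the VPN client.
TRUSTED_SUFFIXES = ("honeywell.com", "honeywell-tsi.com")


def parse_hosts(text):
    """Return (line_no, ip_address, hostname) tuples; comments and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address in the first column: ignore, not a hosts entry
        for name in fields[1:]:
            entries.append((line_no, ip, name.lower()))
    return entries


def classify(ip, name, trusted_suffixes):
    """local: stock entry; expected: a domain you override on purpose;
    sinkhole: a foreign name sent to loopback/0.0.0.0 (blocks it, e.g. AV updates);
    redirect: a foreign name sent somewhere else (classic hijack)."""
    if name in LOCAL_NAMES:
        return "local"
    if any(name == s or name.endswith("." + s) for s in trusted_suffixes):
        return "expected"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"
    return "redirect"


def audit_hosts(text, trusted_suffixes=()):
    trusted = tuple(s.lower().lstrip(".") for s in trusted_suffixes)
    findings = [
        {"line": n, "ip": str(ip), "name": name, "verdict": classify(ip, name, trusted)}
        for n, ip, name in parse_hosts(text)
    ]
    # Exact duplicate lines are harmless but worth reporting: they show the file was
    # appended to more than once (here, by the VPN client's hosts-rewriting step).
    counts = Counter((f["ip"], f["name"]) for f in findings)
    duplicates = sorted(key for key, c in counts.items() if c > 1)
    return {"findings": findings, "duplicates": duplicates}


def suspicious(text, trusted_suffixes=()):
    """Only the entries a responder needs to look at."""
    return [f for f in audit_hosts(text, trusted_suffixes)["findings"]
            if f["verdict"] in ("sinkhole", "redirect")]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_HOSTS, TRUSTED_SUFFIXES):
        print(f"line {f['line']}: {f['ip']:<15} {f['name']:<35} {f['verdict']}")
    print("duplicates:", audit_hosts(SAMPLE_HOSTS, TRUSTED_SUFFIXES)["duplicates"])
```

Run against the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) with an empty trusted list first: everything that is not "local" is then something somebody added, and the corporate suffixes can be whitelisted once they are explained.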

Thanks for the quick response. The hosts listed are the company I work for... Honeywell... Those have always been listed in my hosts file. Were there any others that jumped out at you that I should correct? Thanks in advance.

Also unplug your router for about 10 seconds, then plug it back in. This will reset your router.

If you're being redirected:
1) check your network connections (probably the network adapter) and look at the DNS server address. Is it normal?

O4 - HKLM\..\RunOnce: [RestoreHostsFile] cscript "D:\\Documents and Settings\\All Users\\Application Data\Juniper Networks\restore.vbs"
Does your work use Juniper Networks?

I ask this because when I searched for "Juniper Networks\restore.vbs" in Yahoo search, it had nothing nice to say about it.

http://search.yahoo.com/search;_ylt=A0geutd2TBVLJ5AA7hJXNyoA?p=Juniper+Networks\restore.vbs"&fr2=sb-top&fr=yfp-t-701&sao=0

Honeywell in the Netherlands? If so, is everything all right?

Please try What to do if you’re infected - eXPerience Rev.3.
After you are finished, please provide us with the a-squared and HijackThis logs and the name(s) of the found virus(es).
This will give us the information we need to help you further, if needed.

eXPerience

I'm pretty sure Honeywell is worldwide... 144,000-plus employees. We do use Juniper for our web VPN site. I'm using wireless and DNS is set to auto config.

About to try the "What to do if you're infected - eXPerience Rev.3" and post the results.

I've attached the latest HijackThis log and a couple of a-squared logs... not sure if I posted the a2 logs correctly. Also, a couple of Trojans were listed. I've also included the Malwarebytes Anti-Malware log...

Trojan.Agent/Gen; Trojan.Agent/Gen-Nullo[Short]; Trojan.Hugipon; and Adware.Tracking Cookie... these have all been quarantined.

Again, thanks for your help with this matter…

[attachment deleted by admin]

Hi,

If you quarantined the files with MBAM, I suggest you only fix this one:
O18 - Filter hijack: text/html - {b794481b-9442-4949-af20-8b9a73789b81} - C:\WINDOWS\system32\mst120.dll

Is your browser still redirected?

eXp

Unfortunately, yes. I'm still being redirected when I use any search engine. Along with directrdr.com, I'm getting pop-ups with the URL http://¦/ ; not sure what to make of this. I followed your suggestion and tried correcting:

O18 - Filter hijack: text/html - {b794481b-9442-4949-af20-8b9a73789b81} - C:\WINDOWS\system32\mst120.dll

When I select the "Fix checked" option in HijackThis, it does not remove it... nor can I locate this file anywhere in the specified directory.

This smells like a rootkit.

Please scan with GMER and RootRepeal

http://www.gmer.net/

And see what turns up…

Here's the log from GMER... I'm running RootRepeal at the moment and will post my findings when it's completed. Thanks for the help...

[attachment deleted by admin]

Looks like your atapi.sys is infected.

Can you compare this c:\windows\system32\atapi.sys with the version in c:\windows\ServicePackFiles\i386\atapi.sys?

You can also use this tool to check the file's signature.

They appear to be different... one is from MS and the other is unknown... Is this something I can delete or replace by simply copying the one from the ServicePackFiles directory over the one in the system32\drivers directory?

There wasn't an atapi.sys file in the system32 directory... it was in the drivers directory.

I think you can try in Safe Mode, or else you need a boot and/or rescue CD...

Can you upload that file to www.virustotal.com and post the result URL here?

www.virustotal.com/analisis/86137e6e1d84db6421b0030dbcccfc6448400e8b403dbf52f48f521c5f4b11cf-1259864126#

Well, I would try to replace the file with the "backup"; however, I'm not sure if it will get "reinfected" again after boot... but it's worth a try.
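One way to do the comparison asked for above, as an added example that is not from the thread or from any of the tools it mentions: hash both copies, confirm each is a well-formed PE image and read the COFF link timestamp (a driver patched on disk keeps the original timestamp while its hash changes; a wholesale replacement usually changes both), and build the VirusTotal lookup URL for the hash so the result can be posted without uploading. The two Windows paths are the ones named in the thread; the minimal PE images built by make_fake_pe() and used in demo() are constructed test data, not real atapi.sys contents.

```python
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

# Paths named in the thread; they only exist on the affected XP machine.
CANDIDATE_PATH = r"C:\WINDOWS\system32\drivers\atapi.sys"
REFERENCE_PATH = r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys"


def pe_info(data):
    """Parse just enough of a PE image to report machine type and link timestamp.
    Returns None when the bytes are not a well-formed PE (wrong magic, truncated)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, n_sections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "machine": machine,        # 0x14C = i386, what a 32-bit XP driver should say
        "sections": n_sections,
        "timestamp": timestamp,    # COFF TimeDateStamp, seconds since 1970 UTC
        "linked": datetime.fromtimestamp(timestamp, timezone.utc)
                          .strftime("%Y-%m-%d %H:%M:%S UTC"),
    }


def describe(data):
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "size": len(data),
        "sha256": sha256,
        "pe": pe_info(data),
        "virustotal": "https://www.virustotal.com/gui/file/" + sha256,
    }


def compare_bytes(candidate, reference):
    c, r = describe(candidate), describe(reference)
    return {"match": c["sha256"] == r["sha256"], "candidate": c, "reference": r}


def compare_drivers(candidate_path=CANDIDATE_PATH, reference_path=REFERENCE_PATH):
    with open(candidate_path, "rb") as f:
        candidate = f.read()
    with open(reference_path, "rb") as f:
        reference = f.read()
    return compare_bytes(candidate, reference)


def make_fake_pe(timestamp, payload, machine=0x14C):
    """Build a minimal constructed PE image (DOS stub + COFF header) for offline use only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> right after the stub
    coff = b"PE\0\0" + struct.pack("<HHI", machine, 3, timestamp) + bytes(12)
    return bytes(dos) + coff + payload


def demo():
    """Constructed scenario: a clean reference copy and a copy patched in place
    (same header and timestamp, different code bytes), written to temp files."""
    reference = make_fake_pe(0x48025AB0, b"\x90" * 64)
    candidate = make_fake_pe(0x48025AB0, b"\x90" * 48 + b"\xCC" * 16)
    with tempfile.TemporaryDirectory() as d:
        cpath = os.path.join(d, "atapi.sys")
        rpath = os.path.join(d, "atapi.ref.sys")
        with open(cpath, "wb") as f:
            f.write(candidate)
        with open(rpath, "wb") as f:
            f.write(reference)
        return compare_drivers(cpath, rpath)


if __name__ == "__main__":
    result = demo()
    for label in ("candidate", "reference"):
        info = result[label]
        print(f"{label}: {info['size']} bytes sha256={info['sha256'][:16]}... "
              f"linked={info['pe']['linked'] if info['pe'] else 'not a PE'}")
    print("identical:", result["match"])
    print("lookup:", result["candidate"]["virustotal"])
```

The hash comparison is the real test; the PE header is there to catch the case where the "different" file is not a driver at all (truncated, or a dropper's payload) and to show whether the attacker kept the original link timestamp. If the copies differ, replacing the file from ServicePackFiles is only worth anything from outside the running system (Safe Mode at minimum, a rescue CD for a driver-level rootkit, as the reply above says), and the hash should be rechecked after the next boot.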

Reports from RootRepeal…

[attachment deleted by admin]

From McAfee Rootkit Detective

[attachment deleted by admin]