Antivirus sites blocked and Google hijacked

Dell Vostro 1500 1700, inspiron 1520 152...
February 24, 2011 at 12:25:31
Specs: Windows Vista XP Home SP3, x86 1.6 Ghz / 3 Gb

Having a nightmare.

All my google searches are being hijacked and sent to

I cannot navigate to any antivirus site - getting 440 errors on etc

It's like all my internet queries (from IE and Chrome) are going via some sort of proxy server

Any help appreciated

February 24, 2011 at 13:34:52
You have to fool the virus & go where the virus doesn't expect you to go. Download mbam-setup.exe from one of the sites on the following page:
Install, update & run it.

How do you know when a politician is lying? His mouth is moving.

February 24, 2011 at 15:43:55

I downloaded and installed MalwareBytes and ran it through several times in safe mode until I got clean results from both quick and full scans - rebooting whenever prompted to do so.

But now in normal mode, when running it I always get one hit that is persistent ... as per the following logs...
Malwarebytes' Anti-Malware

Database version: 5870

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

24/02/2011 23:25:11
mbam-log-2011-02-24 (23-25-11).txt

Scan type: Quick scan
Objects scanned: 137918
Time elapsed: 2 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\config\systemprofile\start menu\programs\startup\mgksnfhg.exe (Trojan.Agent) -> Delete on reboot.

and HiJackThis...
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:26:54, on 24/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\easgdcxp\mgksnfhg.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

End of file - 4955 bytes

February 24, 2011 at 22:33:12
It's not a known Trojan, and there is no info on the web at all? Did you reboot Malwarebytes and rescan to see if it was removed?
Download and run TDSSkiller next. From this link:

Run HJT again and check the following file.
F2 - Reg: system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\easgdcxp\mgksnfhg.exe,

Run Malwarebytes in safe mode, let it remove what it finds.

Next we need to check your DNS settings
Start- Control Panel- Network and Internet Connections- Connections (tab)- LAN Settings
1) uncheck Proxy Server if its checked already.
2) Make sure the Automatically Detect Settings is checked also.

You need to check your Host file for any problems. You will need to unhide Hidden Files first then do the following.

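The two checks in the reply above (the extra program appended to the Winlogon UserInit value that HijackThis reports as an F2 line, and a tampered hosts file) can be scripted so they are repeatable on the next infected box. The following is an added example, not code from the thread or from any of the tools mentioned in it. It parses the F2 line out of an HJT log, lists everything in UserInit other than the stock userinit.exe, and flags hosts-file entries that name search or antivirus domains (a stock hosts file never mentions them, whether they point at loopback to block the site or at another address to redirect it). The domain list, the sample log line and the sample hosts file are all constructed for the example; the 192.0.2.10 address is a documentation-range address, not a real redirect target.

```python
"""Triage helpers for a Windows XP-era browser hijack: UserInit persistence and hosts-file tampering."""
import re
from typing import List, Optional, Tuple

# Domains a hijacker typically blocks or redirects. Assumed list for the example; extend as needed.
WATCHED_DOMAINS = (
    "google.com",
    "malwarebytes.org",
    "avg.com",
    "kaspersky.com",
    "symantec.com",
    "mcafee.com",
)

# Constructed sample hosts file (not the poster's file). Loopback entries block a site,
# a foreign address redirects it; both are hijacks when the name is a watched domain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       avg.com
192.0.2.10      www.google.com   # documentation address, stands in for an attacker IP
"""

# Constructed HJT fragment modelled on the F2 line in the thread.
SAMPLE_HJT = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page =
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\easgdcxp\\mgksnfhg.exe,
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
"""

_F2_RE = re.compile(r"^F2\s*-\s*REG:\s*system\.ini:\s*UserInit=(.*)$", re.IGNORECASE)


def userinit_from_hjt(log_text: str) -> Optional[str]:
    """Return the UserInit value from a HijackThis log's F2 line, or None if absent."""
    for line in log_text.splitlines():
        m = _F2_RE.match(line.strip())
        if m:
            return m.group(1).strip()
    return None


def audit_userinit(value: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Return every UserInit entry that is not the stock userinit.exe.

    Winlogon runs each comma-separated entry at logon, so anything extra here is persistence.
    """
    expected = (system_root + r"\system32\userinit.exe").lower()
    suspicious = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() != expected:
            suspicious.append(entry)
    return suspicious


def audit_hosts(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs for hosts entries that name a watched domain."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            host = name.lower()
            if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
                findings.append((host, address))
    return findings


if __name__ == "__main__":
    value = userinit_from_hjt(SAMPLE_HJT)
    print("UserInit:", value)
    for extra in audit_userinit(value or ""):
        print("  extra UserInit entry:", extra)
    for host, address in audit_hosts(SAMPLE_HOSTS):
        kind = "blocked" if address in ("127.0.0.1", "::1", "0.0.0.0") else "redirected"
        print(f"  hosts: {host} -> {address} ({kind})")
```

On a live XP machine the real inputs are the saved HJT log and C:\WINDOWS\system32\drivers\etc\hosts; the hosts file is often set hidden or read-only by the malware, which is why the reply says to unhide hidden files first. A clean hosts file normally contains only the localhost line.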
February 25, 2011 at 06:16:23
Search for mgksnfhg.exe in the registry & delete it from there.

How do you know when a politician is lying? His mouth is moving.

February 25, 2011 at 08:30:32
Thanks for all the help.

Finally got it sorted.

Solution was to take the drive out and put it in an external reader on another machine, then run Malwarebytes and AVG against it, which found hundreds of problems and cleaned them all.

Machine is now back together and running normally.

Thanks again.

February 25, 2011 at 14:56:47
Glad to hear it. I really like those external readers.

How do you know when a politician is lying? His mouth is moving.