Browser Redirect & Admin Access Problem

April 29, 2010 at 11:31:48
Specs: Windows XP Pro 2002 sp3, Dell Inspiron 537 Pentium(R) Dual-Core E5400 2.70 GHz 1.96 GB RAM
I'm trying to fix the family computer. It seemed to have an XP Defender-like virus. I scanned the computer with Spybot & AVG, and it came up clean even though there was an obvious popup with the typical XP Defender screen and behavior. So I did a system restore to the earliest restore point.

But then things got weirder. The defender screen was gone. Everything seemed fine except when we tried to use the web, the browser started going to all sorts of sites we didn't input, even NAUGHTY sites (you know what I mean). This is BAD because we have kids in the house :(

I have scanned with:

AVG 9 - clean
AdAware Free - just cookies, deleted
Bazooka - Clean
Spybot - Clean
Malwarebytes - Clean
Spyware Doctor - just cookies (can't delete, don't own paid version)

Tried to install Windows Defender and got error
"The system administrator has set policies to prevent this installation"

I scanned a HijackThis file and according to the analyze tool I used on a website, nothing seemed a red flag (although a couple of items that are real Windows files could be fake. I can't tell. So I didn't touch them.)

I went to just reinstall Windows. But then it asked for my Administrator password. We never set up an administrator password. We set up the PC with 1 user with Admin access and 1 disabled Guest account. So no reinstall.

Doesn't matter anyway because, as I discovered, the Windows Product Key on the PC is for Windows 7. The PC came with 2 disks, Windows XP and Windows 7. My family prefers not to have Windows 7 on the computer. It came with XP installed and that's what we wanted to keep.

Windows update returns: Internet Explorer cannot display the webpage
Although most other webpages load just fine.

Some things I noticed too. When the browsers redirect, sometimes it gets stuck on what seems to be the redirect page. This page is hosted (it seems) from

Another thing I noticed was the presence of the element qing.ico in some of the source code of the redirect pages.

This is affecting Opera, Firefox and IE8
It redirects when we search and click a link
The search results seem bogus sometimes too.

Again, everything comes up pretty darn clean.

Please advise.


April 29, 2010 at 11:57:12
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:28 PM, on 4/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Paul Shunamon\Desktop\6225\HitmanPro35.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\DELL\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\DELL\DellDock\DellDock.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - C:\Program Files\Common Files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner - C:\Program Files\McAfee\MSK\MskSrver.exe (file missing)

End of file - 6225 bytes


April 29, 2010 at 12:02:58
Hitman Pro 3.5.5 found in
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\


and within a subfolder


I tried it with trial version. I deleted and quarantined what was suggested. If it doesn't work I'll post.


April 29, 2010 at 12:11:52
When I started up, the Hitman Pro scan was clean. Immediately after, AVG said it caught Opera (which was opening in another window) opening this:

Then next I did
So I tried to stop Dell Dock (which is giving errors) as well as

An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes.

I do not know why this happens because when Windows loads in regular mode, there is no select user screen. This is the only account on the computer.

When I start in safe mode, there IS an Administrator account and I do not know the password. One was never set up. No idea how that account got there.

next thing
So I opened IE to look up the error message from MS config and in the browser I get:

Danger: AVG Active Surf-Shield has detected active threats on this page and has blocked access for your protection. 
The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.

Name: Rogue scanner (type 1056)


May 4, 2010 at 12:40:45
Hi, could you reply if this has been resolved as yet? I too have had this problem for more than a week now, and have been noticing it appearing in more and more Google searches from other people too... I'm not willing to reformat my hard drive and would rather solve it with a virus killer!
