Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 02-19-2009, 10:45 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: XP Media Center SP3


Unable to install Spybot, etc to combat Google Redirect Virus

Everything started with (I think) me accidentally downloading or clicking on AntiVirus 2009 when a pop-up started showing up "warning me of a virus on my computer". I stopped going further when it prompted me to purchase this "antivirus software"; however, I had already gone too far and couldn't access the internet anymore unless I paid for this software.

I then followed a lot of instructions to combat the virus and was able to remove some files, which finally got rid of the pop-up. I am now able to access the internet; however, I am still experiencing the problems listed below.

I'm using a Dell XPS DXPO51 with Windows XP Media Center Edition SP3. The browser I usually use is IE 7.0.5730.11, but both my Firefox 3.0.4 and Safari 3.1 give me the same issues listed below.


1. Google / search engine redirect – clicking on links in Google takes you to a different page or no page at all, with an "IE cannot display the webpage" message. Websites that appear: www.findstuff.com, clearas.com, abcjmp.com (and then redirected somewhere else like primosearch.com).


2. Some websites don't work when you enter their URL in the address bar – i.e. "www.techsupportforum.com" and almost all tech support websites (Lavasoft, McAfee, etc.). I get the error message "Internet Explorer cannot display the webpage", as if I weren't connected to the internet.

3. Cannot install suggested software downloads - I keep getting the hourglass for about 5 seconds and then nothing. When I tried to install Spybot, the installation was interrupted in the middle with a message saying connection lost or something, but the same copy of the installation exe works fine on the laptop I'm using to post to this forum.

I could not even run gmer.exe as recommended by Ried's "New Thread Instructions"!!! (hourglass for a few seconds, then nothing happens), so I was only able to copy and paste the DDS.txt and attach the ATTACH.zip without the ARK.txt.

Below is my DDS.txt content. PLEASE HELP ME!!! THANK YOU IN ADVANCE!!!


DDS (Ver_09-02-01.01) - NTFSx86
Run by Janet You at 0:02:57.22 on Fri 02/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.562 [GMT -5:00]

AV: avast! antivirus 4.8.1229 [VPS 080923-0] *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\AirPort\APDiskAgent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Janet You\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [APDiskAgent] "c:\program files\airport\APDiskAgent.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\mclsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/24.16/uploader2.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {A9612E0F-4E33-4256-992C-59F64729C59E} - hxxps://synergy.deloitte.com/SpellChecker.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-15 78416]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-15 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-15 147640]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-11-2 126976]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-10-25 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-11-2 122368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-15 250040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-11-15 348344]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-11-23 114464]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-10-25 245760]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-11 18:30 17,012 a------- c:\program files\common files\ujiqetowip.bin
2008-11-11 18:30 15,721 a------- c:\docume~1\janety~1\applic~1\bihytasad.pif
2008-11-11 18:30 14,590 a------- c:\program files\common files\sazihuqico.vbs
2008-11-11 18:30 11,100 a------- c:\program files\common files\motinuxena.bin
2005-10-31 22:00 56 ---shr-- c:\windows\system32\45EA99FAA7.sys
2005-10-31 22:00 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-11-14 19:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111420081115\index.dat

============= FINISH: 0:04:30.00 ===============
Attached Files
File Type: zip Attach_Youjito.zip (2.8 KB, 2 views)
Youjito is offline  
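An added example, not part of this thread and not from the DDS tool: a small Python triage script that reads Find3M lines of the shape shown in the log above and flags the two things an analyst looks at first, several files written in the same minute with generated-looking names, and files carrying both the hidden and system attributes. The sample input is copied from the log in this post; the vowel/consonant alternation heuristic and its thresholds are my own assumptions, and the output is a review list, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: Find3M lines copied from the DDS log posted in this thread.
SAMPLE_FIND3M = r"""
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-11 18:30 17,012 a------- c:\program files\common files\ujiqetowip.bin
2008-11-11 18:30 15,721 a------- c:\docume~1\janety~1\applic~1\bihytasad.pif
2008-11-11 18:30 14,590 a------- c:\program files\common files\sazihuqico.vbs
2008-11-11 18:30 11,100 a------- c:\program files\common files\motinuxena.bin
2005-10-31 22:00 56 ---shr-- c:\windows\system32\45EA99FAA7.sys
2005-10-31 22:00 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-11-14 19:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111420081115\index.dat
"""

# Column layout: <date> <time> <size> <8 attribute flags> <path>; the path may contain spaces.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+([a-z-]{8})\s+(.+)$")
VOWELS = set("aeiou")


def parse_find3m(text):
    """Turn Find3M lines into dicts; lines that do not fit the column layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        name = path.rsplit("\\", 1)[-1]
        stem, sep, ext = name.rpartition(".")
        if not sep:  # file name without an extension
            stem, ext = name, ""
        entries.append({"stamp": stamp, "size": int(size.replace(",", "")),
                        "attrs": attrs, "path": path, "stem": stem, "ext": ext.lower()})
    return entries


def looks_random(stem):
    """Heuristic (my assumption, not a DDS rule) for generated file names: a long,
    all-lowercase alphabetic stem whose letters alternate vowel/consonant almost
    perfectly, as in ujiqetowip or sazihuqico. Real words break the pattern more often."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    pairs = list(zip(stem, stem[1:]))
    alternating = sum((a in VOWELS) != (b in VOWELS) for a, b in pairs)
    return alternating / len(pairs) >= 0.75


def find_clusters(entries, min_size=3):
    """Groups of files written in the same minute whose names mostly look generated;
    a dropper unpacking several payloads at once leaves exactly this footprint."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["stamp"]].append(e)
    clusters = []
    for stamp, group in sorted(by_minute.items()):
        generated = [e for e in group if looks_random(e["stem"])]
        if len(group) >= min_size and 2 * len(generated) >= len(group):
            clusters.append({"stamp": stamp, "paths": [e["path"] for e in group]})
    return clusters


def hidden_system_files(entries):
    """Files carrying both the hidden (h) and system (s) attribute. Legitimate software
    (licensing data, IE history) does this too, so this is a review list, not a verdict."""
    return [e["path"] for e in entries if "s" in e["attrs"] and "h" in e["attrs"]]


def triage(text):
    entries = parse_find3m(text)
    return {"random_name_clusters": find_clusters(entries),
            "hidden_system_files": hidden_system_files(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_FIND3M)
    for cluster in report["random_name_clusters"]:
        print(f"{cluster['stamp']}: {len(cluster['paths'])} files written in the same minute")
        for path in cluster["paths"]:
            print("   ", path)
    print("hidden+system files to review:", *report["hidden_system_files"], sep="\n    ")
```

Run on the sample, the only cluster is the four files stamped 2008-11-11 18:30, which is what the helper later targets with the CFScript; the hidden+system list also picks up IE's own history index.dat, which is why that list is for a human to read rather than for automatic action.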

Old 02-19-2009, 11:49 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Unable to install Spybot, etc to combat Google Redirect Virus

Hello

The first thing that needs to be addressed is the 2 Anti Virus programs that you have installed and running on the system - Avast and McAfee. It's never a good idea to have more than 1 installed at a given time. More than 1 Anti Virus will cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only 1 and uninstall the other via Add/Remove Programs in the Control Panel.

After you've accomplished that....


Let's try to get gmer to run for us. Download this tool from here

Place it next to gmer.exe. Close any open browsers and programs, then double click sgmer.com.
  • If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.





  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 02-23-2009, 08:33 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: XP Media Center SP3


Re: Unable to install Spybot, etc to combat Google Redirect Virus

Hi Reid,

I have uninstalled Avast and Ad-Aware and followed your instructions and downloaded sGmer.com. However, when I click on it (placed next to gmer.exe), it takes me to the Mozilla Firefox browser and it says "Page not found".

The address in the URL is "file:///C:/Documents and Settings/Janet You/Desktop/sGmer.com.html".

Nothing else is happening. Is this right?
Youjito is offline  
Old 02-23-2009, 08:41 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Unable to install Spybot, etc to combat Google Redirect Virus

Try this instead.

Open Notepad and copy/paste the contents in the code box below, into Notepad.

Quote:
@copy /y gmer.exe gamer.exe
@Start gamer.exe -protect
Save this as fix.bat and choose "Save type as - All Files".
It should look like this:

Place the batch next to gmer & double click to launch it.
Ried is offline  
Old 02-24-2009, 06:01 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: XP Media Center SP3


Re: Unable to install Spybot, etc to combat Google Redirect Virus

It worked!! I have attached the ARK.txt to this reply.

Also just fyi, my McAfee expired a while ago so it hasn't really worked since then. So you don't actually need it during this process, right?

THANK YOU!

Youjito
Attached Files
File Type: txt ARK.txt (10.0 KB, 3 views)
Youjito is offline  
Old 02-24-2009, 06:51 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Unable to install Spybot, etc to combat Google Redirect Virus

Good work, Youjito.

Now let's go after it. Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3







* IMPORTANT - Save Combo-Fix.exe to your Desktop

--------------------------------------------------------------------

Please proceed as follows:
  • Disable your AntiVirus and AntiSpyware applications or they will interfere with ComboFix.

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Ried is offline  
Old 02-25-2009, 06:17 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: XP Media Center SP3


Re: Unable to install Spybot, etc to combat Google Redirect Virus

Ok it worked. Please see attached.

Thanks again!

ComboFix 09-02-25.02 - Janet You 2009-02-25 2035.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.691 [GMT -5:00]
Running from: c:\documents and settings\Janet You\Desktop\Combo-Fix.exe
FW: McAfee Personal Firewall Plus *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 01:04 --------- d-----w c:\program files\McAfee.com
2009-02-24 03:27 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-24 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-24 03:22 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-17 02:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-11-11 23:30 17,012 ----a-w c:\program files\Common Files\ujiqetowip.bin
2008-11-11 23:30 15,721 ----a-w c:\documents and settings\Janet You\Application Data\bihytasad.pif
2008-11-11 23:30 14,590 ----a-w c:\program files\Common Files\sazihuqico.vbs
2008-11-11 23:30 11,100 ----a-w c:\program files\Common Files\motinuxena.bin
2005-11-01 03:00 56 --sh--r c:\windows\system32\45EA99FAA7.sys
2005-11-01 03:00 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-11-15 00:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111420081115\index.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-11-13 21:46:00 c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe

----a-w 344,064 2005-08-06 02:05:00 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 81,920 2005-06-10 15:44:02 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 249,856 2005-06-10 15:44:02 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

----a-w 53,248 2005-02-23 21:19:56 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 460,784 2007-03-15 15:09:36 c:\program files\DellSupport\bak\DSAgnt.exe

----a-w 3,739,648 2007-01-01 21:22:02 c:\program files\Google\Google Talk\bak\googletalk.exe

----a-w 68,856 2007-06-22 03:15:55 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 63,024 2007-09-21 14:38:04 c:\program files\iLike\1.1.26\bak\ilikesidebar.exe

----a-w 139,264 2005-06-17 12:56:14 c:\program files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe

----a-w 267,048 2008-01-15 08:22:56 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 289,576 2008-10-01 23:57:12 c:\program files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-09-25 05:11:35 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 303,104 2005-09-22 23:29:08 c:\program files\McAfee.com\Agent\bak\mcagent.exe

----a-w 212,992 2006-01-11 17:05:42 c:\program files\McAfee.com\Agent\bak\mcupdate.exe

----a-w 296,488 2006-03-30 18:31:24 c:\program files\McAfee.com\MPS\bak\mscifapp.exe

----a-w 1,005,096 2005-11-11 22:00:56 c:\program files\McAfee.com\Personal Firewall\bak\MpfTray.exe

----a-w 1,694,208 2004-10-13 16:24:37 c:\program files\Messenger\bak\msmsgs.exe
------w 1,695,232 2008-04-14 00:12:28 c:\program files\Messenger\msmsgs.exe

----a-w 385,024 2008-01-10 20:27:36 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-09-06 20:09:14 c:\program files\QuickTime\QTTask.exe

----a-w 26,112 2005-10-25 16:00:08 c:\program files\Real\RealPlayer\bak\RealPlay.exe

----a-w 59,392 2004-08-10 09:04:42 c:\windows\ehome\bak\ehtray.exe

----a-w 15,360 2004-08-10 10:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 c:\windows\system32\ctfmon.exe

----a-w 127,035 2004-12-06 06:05:00 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APDiskAgent"="c:\program files\AirPort\APDiskAgent.exe" [2007-01-15 409600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-18 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-25 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 2297856]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\program files\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-03-27 167808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\AirPortSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\mclsp.dll
DPF: {A9612E0F-4E33-4256-992C-59F64729C59E} - hxxps://synergy.deloitte.com/SpellChecker.CAB
FF - ProfilePath - c:\documents and settings\Janet You\Application Data\Mozilla\Firefox\Profiles\pv0fh175.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 20:08:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(888)
c:\windows\system32\mclsp.dll
c:\windows\system32\SPORDER.dll
c:\windows\system32\mclsphlr\gdlsphlr.dll
c:\windows\system32\McRtl32.dll
.
Completion time: 2009-02-25 20:09:57
ComboFix-quarantined-files.txt 2009-02-26 01:09:54
ComboFix2.txt 2009-02-26 01:00:00

Pre-Run: 63,658,594,304 bytes free
Post-Run: 63,641,391,104 bytes free

148 --- E O F --- 2009-02-20 05:52:15
Attached Files
File Type: txt ComboFix.txt (9.9 KB, 2 views)

Last edited by Ried; 02-25-2009 at 06:20 PM.
Youjito is offline  
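An added example, not from this thread and not from ComboFix: a Python reader for the REGEDIT4 "Reg Loading Points" fragment in the log above that flags the settings which silence or switch off the operating system's own protections (Security Center alerts, per-product monitoring, the standard-profile Windows Firewall). The sample is constructed from the keys in this post's log plus one harmless entry for contrast; FirewallDisableNotify is not in this log but is the sibling Security Center value for firewall alerts. Third-party suites such as McAfee set some of these values legitimately when they take over monitoring, so each hit is something to confirm with the user, not proof of malware.

```python
import re

# Constructed sample: the security-relevant keys from the REGEDIT4 "Reg Loading Points"
# fragment in the ComboFix log posted above, plus one harmless entry for contrast.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
DEC_HEX_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")  # ComboFix's "1 (0x1)" spelling

# Security Center values that, set to 1, stop the OS from warning the user.
# FirewallDisableNotify is the third sibling; it does not occur in this log.
SECURITY_CENTER_NOTIFY = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def parse_value(raw):
    """Normalise the value spellings seen in the log: dword:HEX, 'N (0xN)', "string".
    Anything else (for example the '"" [N/A]' form) is kept verbatim."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = DEC_HEX_RE.match(raw)
    if m:
        return int(m.group(1))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw or None


def parse_reg(text):
    """Minimal REGEDIT4 reader: {lower-cased key path: {value name: value}}."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            reg[key][m.group(1)] = parse_value(m.group(2))
    return reg


def weak_settings(reg):
    """(key, value name, explanation) for each setting that silences or switches off a
    built-in protection. Third-party suites set some of these legitimately when they take
    over monitoring, so every hit is a question for the analyst, not proof of malware."""
    findings = []
    for key, values in reg.items():
        if key.endswith("microsoft\\security center"):
            for name in SECURITY_CENTER_NOTIFY:
                if values.get(name) == 1:
                    findings.append((key, name, "Security Center alert suppressed"))
        if "security center\\monitoring\\" in key and values.get("DisableMonitoring") == 1:
            findings.append((key, "DisableMonitoring", "Security Center stopped monitoring this product"))
        if key.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append((key, "EnableFirewall", "Windows Firewall turned off for the standard profile"))
    return findings


if __name__ == "__main__":
    for key, name, why in weak_settings(parse_reg(SAMPLE_REG)):
        print(f"{why}: [{key}] {name}")
```

On this sample the script reports four findings; in the thread the user had McAfee installed with an expired subscription, which is the kind of context that decides whether "EnableFirewall = 0" with "DisableMonitoring = 1" is a suite doing its job or a protection that was knocked out.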
Old 02-25-2009, 06:25 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Unable to install Spybot, etc to combat Google Redirect Virus

Thanks. I'd like to see the report from the first run.

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix2.txt

A report should pop open for you. Please attach that to your next reply.
Ried is offline  
Old 02-26-2009, 05:54 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: XP Media Center SP3


Re: Unable to install Spybot, etc to combat Google Redirect Virus

Here it is. I couldn't find it because McAfee did something with it, then I had to remove my McAfee VirusScan altogether in order to get the second report.

Thanks!
Attached Files
File Type: txt ComboFix2.txt (11.4 KB, 1 views)
Youjito is offline  
Old 02-26-2009, 06:46 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Unable to install Spybot, etc to combat Google Redirect Virus

Thank you.

Let's continue. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/348060-unable-install-spybot-etc-combat-google-redirect-virus-post1991600.html#post1991600

Collect::
c:\Program Files\Common Files\sazihuqico.vbs

File::
c:\Program Files\Common Files\ujiqetowip.bin
c:\documents and settings\Janet You\Application Data\bihytasad.pif
c:\Program Files\Common Files\motinuxena.bin

Folder::
c:\documents and settings\All Users\Application Data\Dell\TransferAgent\bak
c:\program files\ATI Technologies\ATI Control Panel\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\CyberLink\PowerDVD\bak
c:\program files\DellSupport\bak
c:\program files\Google\Google Talk\bak
c:\program files\Google\GoogleToolbarNotifier\bak
c:\program files\iLike\1.1.26\bak
c:\program files\Intel\Intel Matrix Storage Manager\bak
c:\program files\iTunes\bak
c:\program files\McAfee.com\Agent\bak
c:\program files\McAfee.com\MPS\bak
c:\program files\McAfee.com\Personal Firewall\bak
c:\program files\Messenger\bak
c:\program files\QuickTime\bak
c:\program files\Real\RealPlayer\bak
c:\windows\ehome\bak
c:\windows\system32\bak
c:\windows\system32\dla\bak

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
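Before a CFScript like the one in the post above is dragged onto ComboFix.exe, a practitioner wants two things the instructions do not give: a sanity check on what the script targets, and a record (hashes, directory listings) of what is about to be deleted, so that anything later found to have been legitimate can still be identified. The Python below is an added example written for this thread; it is not code from the forum, from Ried, or from ComboFix. It parses the Collect::/File::/Folder:: directives (the directive meanings are ComboFix's documented CFScript syntax; the post itself only states that Collect:: captures files for analysis), drops duplicate entries such as the repeated InstallShield line in the posted script, refuses whole-system folders as Folder:: targets using a deny list that is this example's own assumption, and hashes every file target still present. It runs against a disk tree constructed in a temporary directory; the paths it creates and their contents are assumptions for the demo, not findings from the poster's machine.

```python
"""Pre-flight a ComboFix CFScript before dragging it onto ComboFix.exe. Added
example for this thread, not the forum's or ComboFix's code. Directive meanings
follow CFScript syntax (Collect:: captures for analysis, File::/Folder:: delete);
the deny list, sample tree and file contents below are constructed assumptions."""
import hashlib
import os
import re
import tempfile

# Excerpt of the script posted above, keeping its duplicated InstallShield line.
SAMPLE_SCRIPT = r"""http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/348060-unable-install-spybot-etc-combat-google-redirect-virus-post1991600.html#post1991600

Collect::
c:\Program Files\Common Files\sazihuqico.vbs

File::
c:\Program Files\Common Files\ujiqetowip.bin
c:\documents and settings\Janet You\Application Data\bihytasad.pif

Folder::
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\windows\system32\bak
"""
DIRECTIVE_RE = re.compile(r"^(\w+)::$")
ABS_WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\.+")
# Folders that must never be a Folder:: target (assumed deny list, not a ComboFix rule).
PROTECTED_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32",
                  "c:\\program files", "c:\\documents and settings"}

def parse_cfscript(text):
    """Return {directive: [unique paths, in order]}; a path before any directive is an error."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("http://", "https://")):
            continue  # blank line, or the thread URL that helpers put on top
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("path before any directive: %r" % line)
        elif line not in sections[current]:
            sections[current].append(line)
    return sections

def check_targets(sections):
    """List entries a reviewer should question before running the script."""
    problems = []
    for directive, paths in sections.items():
        for p in paths:
            if not ABS_WIN_PATH_RE.match(p):
                problems.append("%s: not an absolute drive path: %s" % (directive, p))
            if directive == "Folder" and p.lower().rstrip("\\") in PROTECTED_DIRS:
                problems.append("Folder: refuses to target a system root: %s" % p)
    return problems

def to_local(win_path, root):  # map 'c:\dir\file' onto <root>/dir/file for any OS
    return os.path.join(root, win_path[3:].replace("\\", os.sep))

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def inventory(sections, root):
    """Hash File::/Collect:: targets and list Folder:: contents before ComboFix
    removes them; targets that are already gone are recorded, not skipped."""
    report = {}
    for directive in ("Collect", "File"):
        for p in sections.get(directive, []):
            local = to_local(p, root)
            present = os.path.isfile(local)
            report[p] = {"directive": directive, "exists": present,
                         "sha256": sha256_file(local) if present else None}
    for p in sections.get("Folder", []):
        local = to_local(p, root)
        names = sorted(os.listdir(local)) if os.path.isdir(local) else None
        report[p] = {"directive": "Folder", "exists": names is not None, "contents": names}
    return report

def build_sample_tree(root):
    """Constructed stand-in for the infected disk: .bin target holds b"abc", system32\\bak one placeholder."""
    files = {r"c:\Program Files\Common Files\ujiqetowip.bin": b"abc",
             r"c:\windows\system32\bak\placeholder.bin": b""}
    for win, data in files.items():
        local = to_local(win, root)
        os.makedirs(os.path.dirname(local), exist_ok=True)
        with open(local, "wb") as f:
            f.write(data)

def run_demo():
    """Parse, check and inventory the sample script against a throwaway tree."""
    sections = parse_cfscript(SAMPLE_SCRIPT)
    problems = check_targets(sections)
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = inventory(sections, root)
    return sections, problems, report
```

Calling run_demo() returns the parsed sections, an empty problem list for the posted excerpt, and a report in which the .bin file carries its SHA-256, the .vbs and .pif entries are marked absent, and system32\bak lists its one placeholder. On the real machine you would skip build_sample_tree and call inventory(sections, "C:\\") instead, then keep the report next to the ComboFix log: if a File:: or Folder:: entry later turns out to have been a legitimate component, the hash tells you exactly what was removed.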
Old 02-27-2009, 04:42 PM   #11 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus

Bad news. I was able to run the ComboFix / CFScript and attached the log.

However, I wasn't able to run the online Kaspersky scan. I attached the error message that I received after I clicked "Accept" to the agreement and the program wouldn't download.

Sorry.
Attached Images
File Type: jpg KasperSky Error.jpg (463.5 KB, 4 views)
Attached Files
File Type: txt ComboFix_log.txt (10.5 KB, 2 views)
Youjito is offline  
Old 02-27-2009, 05:38 PM   #12 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus

No worries, launch Internet Explorer>Tools>Manage Add-Ons>Enable or Disable Add-ons.

Make sure Java Plug-in is 'checked'. Restart IE and try the online scan again.
Ried is offline  
Old 03-02-2009, 09:10 PM   #13 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus

Followed your procedure and got it to download!! However still no luck, got this attached error message now after the program downloaded and installed I think?

Why won't it update? How should I proceed?

Thank you again. =(
Attached Images
File Type: jpg KasperSky Error 2.jpg (228.1 KB, 1 views)
Youjito is offline  
Old 03-02-2009, 09:18 PM   #14 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus

Let's just try another scanner.

Perform an online scan with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.
Ried is offline  
Old 03-02-2009, 09:39 PM   #15 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus

Just fyi, it's working and scanning now. Fingers crossed!
Youjito is offline  
Old 03-02-2009, 09:44 PM   #16 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus



Ried is offline  
Old 03-02-2009, 10:00 PM   #17 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus

wow do you have an icon for everything?? How about super excited but anxious at the same time?? It's only scanned 26% so far in 30min. You think it'll take more than two hours?
Youjito is offline  
Old 03-02-2009, 10:08 PM   #18 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus

How about this one...

Sure, it could take up to 2 hours to complete the scan. It all depends on how many files you have on your hard drive. It will improve the scanning time if you close all programs and walk away from the computer to let it do its thing.
Ried is offline  
Old 03-02-2009, 10:20 PM   #19 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus

haha pretty close! I'm not actually using the infected computer. I'm using my macbook to post on here. I can't even get to this site from my PC! I have to transfer files back and forth using a jumpdrive.

Ok I might have to post the log tomorrow morning then. Good night and Thanks!

Last edited by Youjito; 03-02-2009 at 10:30 PM.
Youjito is offline  
Old 03-02-2009, 10:43 PM   #20 (permalink)

Re: Unable to install Spybot, etc to combat Google Redirect Virus

actually it all of a sudden finished scanning!! I have disinfected it and attached the log from ActiveScan here.

I'll talk to you tomorrow. Hope this will be able to help you determine what's wrong with my PC!

Thank you.
Attached Files
File Type: txt ActiveScan.txt (16.6 KB, 1 views)
Youjito is offline  
 


All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum