Infected Google Redirect Virus

I have the google redirect virus on my computer. When I select something I've searched in Google it sends me to fake websites. I have run Malwarebytes and superantispyware and nether has fixed it. A friend from school sent me here. I have had the redirect virus on my computer for about a month not know how to fix it and I don't have the xp reformat discs for my computer. Now I also have a virus called scvhost.exe that captures my cpu usage and maxes it out.

I tried running the dds.scr program but it only opens a text file with a language in it I cant read. Not sure what to do there.

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
• Please Do not Attach logs or put in code boxes.
• Tell me about any problems that have occurred during the fix.
• Tell me of any other symptoms you may be having as these can help also.
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

• Please download DeFogger to your desktop.
  
  Double click DeFogger to run the tool.
  
• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.






**NOTE**
In your case for DDS use link 2 or 3 please
**NOTE**


Download DDS:

• Please download DDS by sUBs from one of the links below and save it to your desktop:
  
  
  Download DDS and save it to your desktop
  
  Link1
  Link2
  Link3
  
  Please disable any anti-malware program that will block scripts from running before running DDS.
  
  
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    
  • DDS.txt
  • Attach.txt
• A window will open instructing you save & post the logs
• Save the logs to a convenient place such as your desktop
• Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

• Please Download Rootkit Unhooker Save it to your desktop.
• Now double-click on RKUnhookerLE.exe to run it.
• Click the Report tab, then click Scan.
• Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
• Wait till the scanner has finished and then click File, Save Report.
• Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".


information and logs:

• In your next post I need the following
  
  
• .logs from DDS
• log from RKUnHooker
• let me know of any problems you may have had

Gringo

Hello

three day bump

It has been Three days since my last post.

• do you still need help with this?
• do you need more time?
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Gringo,

Sorry for not replying sooner. Yes, I still need your help, thank you.
During the week I was waiting to hear back from someone I didn't listen and went and reinstalled the operating system back to factory setting with the built in reset feature I learned my computer had. Unfortunately this wasn't enough, it did wipe my c drive clean and cleaned off a lot of crap but the google redirect virus is still there. So I ran superantispyware, malwarebytes, and combofix again, then I ran the downloads you suggested, defrogger, dds, and and RKunhookerLE. Again, dds did not run but just open a text file of a language I couldn't read. The computer just recognizes the file as an autocad script but doesn't execute anything. Not sure what to do about this.
I have attached a new combo fix log, and the RKunhooker report.

Thanks again for your help.

Hello

For DDS use link 2 or 3

Link2
Link3



Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:

@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0

Save this as router.bat Choose to Save type as - All Files and where to save - Desktop - then close the Notepad file.

It should look like this: <--XP
Double-click on router.bat to run it. it will open notepad when done please post back the results


gringo

the dds results are attached.

Hello
.

I want you to go to this web site and pick the router that you have - https://store.opendns.com/setup/router/

Follow the instructions to change the DNS setting to the ones they have listed


I still need the DDS report please


Gringo

I followed the instructions for my router.

Here is my DDS report.
Attached is the zipped attach file.


DDS (Ver_10-12-12.02) - FAT32x86
Run by a user at 13:59:34.05 on Sat 01/29/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262.734 [GMT -5:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
SVCHOST.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
SVCHOST.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\a user\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\auser~1\applic~1\mozilla\firefox\profiles\r4hvxeho.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-25 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [2004-8-30 6784]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-25 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-25 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-25 61960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-26 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-26 20952]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [2004-8-30 16000]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]

=============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2011-01-29 03:06:15 -------- d-sh--w- C:\Recycled
2011-01-27 03:23:32 -------- d-sha-r- C:\cmdcons
2011-01-27 03:11:49 98816 ----a-w- c:\windows\sed.exe
2011-01-27 03:11:49 89088 ----a-w- c:\windows\MBR.exe
2011-01-27 03:11:49 256512 ----a-w- c:\windows\PEV.exe
2011-01-27 03:11:49 161792 ----a-w- c:\windows\SWREG.exe
2011-01-27 02:58:32 -------- d-----w- c:\docume~1\auser~1\applic~1\Avira
2011-01-27 02:51:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-27 02:50:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-27 02:50:51 -------- d-----w- c:\docume~1\auser~1\applic~1\SUPERAntiSpyware.com
2011-01-27 02:50:28 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-01-27 02:45:24 -------- d-----w- c:\docume~1\auser~1\applic~1\Malwarebytes
2011-01-27 02:45:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-27 02:44:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-27 02:44:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-27 02:44:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-27 02:25:54 -------- d-----w- c:\program files\MSECache
2011-01-27 01:58:45 -------- d-----w- c:\docume~1\auser~1\locals~1\applic~1\Google
2011-01-27 01:58:23 -------- d-----w- c:\docume~1\auser~1\locals~1\applic~1\Deployment
2011-01-26 20:15:19 -------- d-----w- c:\docume~1\auser~1\locals~1\applic~1\Temp
2011-01-26 19:38:37 -------- d-----w- c:\docume~1\auser~1\locals~1\applic~1\Adobe
2011-01-26 17:09:27 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-01-26 17:05:14 -------- d-----w- c:\program files\common files\Autodesk Shared
2011-01-26 17:05:14 -------- d-----w- c:\program files\AutoCAD 2010
2011-01-26 17:05:14 -------- d-----w- c:\docume~1\auser~1\locals~1\applic~1\Autodesk
2011-01-26 17:05:14 -------- d-----w- c:\docume~1\auser~1\applic~1\Autodesk
2011-01-26 17:04:35 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2011-01-26 17:04:35 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2011-01-26 17:04:30 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2011-01-26 17:04:08 -------- d-----w- c:\windows\Logs
2011-01-26 17:02:31 -------- d-----w- c:\windows\system32\XPSViewer
2011-01-26 17:01:23 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-01-26 17:01:02 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-01-26 17:01:02 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-01-26 17:01:02 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-01-26 17:01:02 117760 ------w- c:\windows\system32\prntvpt.dll
2011-01-26 17:01:01 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-01-26 17:01:01 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-01-26 17:01:01 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-01-26 17:01:01 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-01-26 17:01:01 -------- d-----w- C:\6986dbc250cfe2b0eb3f
2011-01-26 16:46:41 -------- d-----w- c:\program files\PowerISO
2011-01-26 03:44:00 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2011-01-25 22:04:21 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-25 22:04:20 -------- d-----w- c:\program files\Avira
2011-01-25 22:04:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-01-25 22:03:00 -------- d-----w- C:\V
2011-01-25 22:02:19 25840 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2011-01-25 22:02:19 24816 ----a-w- c:\windows\system32\mdimon.dll
2011-01-25 22:01:32 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-01-25 22:00:24 -------- d-----w- c:\windows\SHELLNEW
2011-01-25 21:44:53 -------- d-----w- c:\windows\system32\scripting
2011-01-25 21:44:53 -------- d-----w- c:\windows\l2schemas
2011-01-25 21:44:52 -------- d-----w- c:\windows\system32\en
2011-01-25 21:44:52 -------- d-----w- c:\windows\system32\bits
2011-01-25 21:39:34 -------- d-----w- c:\windows\network diagnostic
2011-01-25 21:26:48 -------- d-sh--w- c:\documents and settings\a user\PrivacIE
2011-01-25 21:26:10 135168 ----a-w- c:\windows\system32\igfxres.dll
2011-01-25 21:10:47 -------- d-sh--w- c:\documents and settings\a user\IETldCache
2011-01-25 21:07:48 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2011-01-25 21:07:48 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2011-01-25 21:05:43 -------- d-----w- c:\program files\SystemRequirementsLab
2011-01-25 21:01:21 -------- d-----w- c:\windows\ie8updates
2011-01-25 21:01:11 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-25 21:01:11 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-25 21:01:11 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-25 21:01:11 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-25 21:01:11 1991680 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-01-25 21:01:11 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-01-25 21:01:09 11080704 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-01-25 20:59:37 -------- d--h--w- c:\windows\ie8
2011-01-25 20:50:07 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-25 20:49:40 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-01-25 20:48:58 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-01-25 20:48:58 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-01-25 20:48:32 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-01-25 20:38:44 -------- d-----w- c:\windows\ServicePackFiles
2011-01-25 20:29:56 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-01-25 20:29:56 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-01-25 20:29:55 357248 ------w- c:\windows\system32\dllcache\srv.sys
2011-01-25 20:29:02 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-01-25 20:28:53 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-01-25 20:28:35 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-01-25 20:27:18 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2011-01-25 20:27:18 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2011-01-25 20:27:18 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2011-01-25 20:27:18 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2011-01-25 20:27:18 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2011-01-25 20:27:18 110592 ------w- c:\windows\system32\dllcache\services.exe
2011-01-25 20:27:17 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2011-01-25 20:27:17 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2011-01-25 20:27:17 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-01-25 20:27:16 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-01-25 20:27:16 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-01-25 20:24:02 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-01-25 20:23:53 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-01-25 20:23:43 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-01-25 20:22:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-01-25 20:22:53 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2011-01-25 20:19:00 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-01-25 20:19:00 -------- d-----w- c:\windows\system32\PreInstall
2011-01-25 20:18:58 -------- d--h--w- c:\windows\$hf_mig$
2011-01-25 20:17:10 -------- d-sh--w- c:\documents and settings\a user\UserData
2011-01-25 17:05:58 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-01-25 17:03:24 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-01-25 17:03:20 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-01-25 17:03:18 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-01-25 17:03:14 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-01-25 17:03:09 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:36 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8025GAS rev.KA023A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89512555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x895187b0]; MOV EAX, [0x8951882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x89543AB8]
3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000007d[0x894DC1C0]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x894DBD98]
\Driver\atapi[0x89538178] -> IRP_MJ_CREATE -> 0x89512555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8025GAS_______________________KA023A__#5&166915ea&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8951239B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:01:53.33 ===============

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
• Log from Combofix
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Gringo!!

Thank you so much!! I guess your done because google is not redirecting me and the malwarebytes program isn't stopping an outgoing malicious program every 10 seconds. I'm now going to use firefox from now on instead of internet explorer. If you have any recommendations on free anti virus software, please let me know.

Attached is the zipped file of the combofix log.

Thank you again!!

TFC(Temp File Cleaner):

• Please download TFC to your desktop,
• Save any unsaved work. TFC will close all open application windows.
• Double-click TFC.exe to run the program.
• If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

• I would like you to rerun MBAM
  
• Double-click mbam icon
• go to the update tab at the top
• click on check for updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
• If you accidently close it, the log file is saved here and will be named like this:
• C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

• Go Here to download HijackThis Installer
• Save HijackThis Installer to your desktop.
• Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

• In your next post I need the following
  
  
• Log From MBAM
• report from Hijackthis
• let me know of any problems you may have had
• How is the computer doing now?

Gringo

Gringo,

Pasted are both Malwarbytes log and Hijackthis log. I had no problems computer seems to be running good.



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5639

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/30/2011 10:22:24 AM
mbam-log-2011-01-30 (10-22-24).txt

Scan type: Quick scan
Objects scanned: 153825
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:30:17 AM, on 1/30/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 5077 bytes

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

• Run HijackThis
• Click on the Scan button
• Put a check beside all of the items listed below (if present):
  
  
  • O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.
  
  NOTE**You can research each of those lines >here< and see if you want to keep them or not
  just copy the name between the brakets and paste into the search space
  O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• click on the ESET Online Scanner button
• Tick the box next to YES, I accept the Terms of Use.
  
  • Click Start
• When asked, allow the activex control to install
  
  • Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options
  Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• copy and paste the results here in this topic
• you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

Here are the results of ESET online scanner.
Also, I have attached a screen shot of my C drive, can I delete any of this stuff?


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=afb32d7d2279354e917b29638983a683
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-01-30 07:54:05
# local_time=2011-01-30 02:54:05 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 0 32003544 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=74259
# found=0
# cleaned=0
# scan_time=3463

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

• To re-enable your Emulation drivers, double click DeFogger to run the tool.
  
• The application window will appear
• Click the Re-enable button to re-enable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

• turn off all active protection software
• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
• please copy and past the following into the box ComboFix /Uninstall and click OK.
• Note the space between the X and the /Uninstall, it needs to be there.
• 

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

• Double-click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.
• If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:

• Go to Start > All Programs > Accessories > System Tools > System Restore
• Select Create a restore point, and Ok it.
• Next, go to Start > Run and type in cleanmgr
• choose your root drive (normally C:)
• after it calculates how much space you will save it will open up a new window
• Select the More options tab at the top of the window
• Choose the option to clean up system restore and OK it.
• go back to the disk clean up tab
• put a checkmark in all - except compress old files (leave this unchecked)
• click Ok then click yes

This will remove all restore points except the new one you just created and clean unneeded files


:Make your Internet Explorer more secure:

• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
• Change the Download unsigned ActiveX controls to Disable
• Change the Initialise and script ActiveX controls not marked as safe to Disable
• Change the Installation of desktop items to Prompt
• Change the Launching programs and files in an IFRAME to Prompt
• When all these settings have been made, click on the OK button.
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

• WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  
• Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  
• Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Gringo