# I keep getting redirected to other sites when I click on links in Google Searches



## AllenUK (Oct 31, 2010)

Hello everyone.
For the past couple of weeks every time I do a Google Search and click on a link, I get redirected to other sites, sites like dating sites, comparison sites or search engine sites. I have attempted to find any viruses or adware/malware/spyware on my laptop using Microsoft Security Essentials and Malwarebytes anti malware tool but all to no avail.

After searching around I noticed I was not alone in this situation and most people who have been able to solve it have used a program called HiJackThis and then someone points out affected files or something. I'm a computer newbie.

Here is my HiJackThis file log.

```
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:01:14 PM, on 31/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\vVX6000.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\system32\igfxext.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Games\Game Data\Guild Wars\Gw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Paul\Desktop\HJT\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.philips.com/pc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Messenger Plus Live UK Toolbar - {77f40091-495b-4c46-9068-2b24c4133157} - C:\Program Files\Messenger_Plus_Live_UK\tbMess.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Messenger Plus Live UK Toolbar - {77f40091-495b-4c46-9068-2b24c4133157} - C:\Program Files\Messenger_Plus_Live_UK\tbMess.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Messenger Plus Live UK Toolbar - {77f40091-495b-4c46-9068-2b24c4133157} - C:\Program Files\Messenger_Plus_Live_UK\tbMess.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca80218f1f4ac5) (gupdate1ca80218f1f4ac5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

--
End of file - 11046 bytes
```

I really don't know what I'm looking for so can someone help me? Thank you in advance.


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:

Please download MBRCheck.exe to your desktop.

Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press *N* then press *Enter* twice.
If nothing unusual is found just press *Enter*.
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

*NEXT*

Please download *DDS* from either of these links

*LINK 1* 
*LINK 2*

and save it to your *desktop.*

Disable any script blocking protection
Double click *dds.pif* to run the tool.
When done, two *DDS.txt's* will open.
Save both reports to your *desktop.*
---------------------------------------------------
*Please include the contents of the following in your next reply:*

*DDS.txt*
*Attach.txt*.

*NEXT*

Download *GMER Rootkit Scanner* from *here* (http://www.gmer.net/download.php) to your desktop. It will be a randomly named executable.

Double click the exe file.
If it gives you a warning about rootkit activity and asks if you want to run a scan, click on *NO*, then use the following settings for a more complete scan.

In the right panel, you will see several boxes that have been checked. Ensure the following are *unchecked*:
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the *[Save..]* button, and in the File name area, type in *"Gmer.txt"* or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in reply.

_**Caution**: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries._


----------



## AllenUK (Oct 31, 2010)

Hi, thank you for your help in this matter.

I have followed the steps you set and have attached 3 files (all .txt)

These files include MBRCheck.txt, DDS.txt and GMER.txt

Thank you so far!


----------



## CatByte (Feb 24, 2009)

Hi,

Please do the following:

Download *ComboFix* from either of these locations:
*Link 1*
*Link 2*


VERY IMPORTANT !!! Save ComboFix.exe to your *Desktop*

*IMPORTANT* - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

Double click on *ComboFix.exe* & follow the prompts.
As part of its process, *ComboFix will check to see if the Microsoft Windows Recovery Console* is installed. With malware infections being as they are today, it's *strongly recommended* to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
*Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.*
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
*Click on Yes*, to continue scanning for malware.
When finished, it shall produce a log for you. *Please include the C:\ComboFix.txt in your next reply.*
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

*Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now*


----------



## AllenUK (Oct 31, 2010)

Hi,

I downloaded ComboFix and saved it to my desktop as instructed, but when I double click on it, it does nothing. I have also tried running it in compatibility mode for Windows Service Pack 2 but it doesn't seem to do anything.

Any ideas?


----------



## CatByte (Feb 24, 2009)

Hi

Delete the copy that you have on your desktop > download a fresh copy but rename it to *svchost.exe* before saving it.

Now try it. If it still won't run, boot into safe mode and run it from safe mode.

To Enter Safemode 

Go to *Start> Shut off your Computer> Restart*
As the computer starts to boot-up, Tap the *F8 KEY* repeatedly,
this will bring up a *menu.*
Use the *Up and Down Arrow Keys* to scroll up to *Safemode*
Then press the *Enter Key* on your Keyboard 
go into your usual account


----------



## AllenUK (Oct 31, 2010)

I tried renaming it svchost.exe after re-downloading it, and it still doesn't work. Even when I go into Safe Mode, sometimes it just will show the green bar then disappear, other times it will come up with the terms and conditions then disappear.

Is there any way you can tell me if there are any suspicious processes running on my laptop from the data I have sent already? I have seen other cases online where people have been told of suspicious processes running from using HiJackThis. So far, all of the reports I have seen, after closing processes that were seen as suspicious, have said that the redirecting no longer happened.

Sorry if I appear like I'm questioning your knowledge, I am very grateful for your help, but you must understand how annoying this is.


----------



## CatByte (Feb 24, 2009)

Hi,

I do believe you are infected with a hidden rootkit so you won't see any suspicious processes running.

The fact that the infection is shutting down the tool I am trying to use is an indication of that.

We have other options:

Please run the following tool

Note: If "cure" is not presented as an option, then choose "skip" - do not choose "delete" or "quarantine"

Please download TDSSKiller.zip
Extract it to your desktop
Double click *TDSSKiller.exe*
Press *Start Scan*
Only if *Malicious* objects are found then ensure *Cure* is selected
Then click *Continue* > *Reboot now*

Copy and paste the log in your next reply
_A copy of the log will be saved automatically to the root of the drive (typically C:\)_


*NEXT*


Download *OTL* and save it to your desktop.
Double click on the icon to run it.
Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top, make sure *Standard output* is selected.
Under the *Extra Registry* section, check *Use SafeList*
Download the following file *scan.txt* to your *Desktop*. *Click here to download it*. You may need to right click on it and select "Save"
Double click inside the Custom Scan box at the bottom
A window will appear saying *"Click Ok to load a custom scan from a file or Cancel to cancel"*
Click the Ok button and navigate to the file *scan.txt* which we just saved to your desktop
Select scan.txt and click Open. Writing will now appear under the Custom Scan box
Click the *Run Scan* button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (*Edit->Select All, Edit->Copy*) the contents of these files, one at a time and post them in your topic


----------



## AllenUK (Oct 31, 2010)

Sorry, but OTL.txt won't upload, even if I just copy and paste its contents. I don't know why.


----------



## AllenUK (Oct 31, 2010)

Won't upload...


----------



## CatByte (Feb 24, 2009)

see if you can zip it up and attach it.

Give ComboFix another try as well; it may run now that TDSSKiller has removed one of the problems.


----------



## AllenUK (Oct 31, 2010)

The OTL.txt file is 9,210KB big, when compressed to a .zip folder it is still 674KB, which exceeds the 500KB limit on attachment uploads.


----------



## AllenUK (Oct 31, 2010)

I tried to use ComboFix again, the program ran successfully until it was creating the log file, at this point a blue screen appeared telling me Windows was shutting down for protection or something. And it mentioned something about Dumping Physical Memory?


----------



## CatByte (Feb 24, 2009)

Did you reboot the machine? That occurs sometimes when a certain type of infection is on board.
ComboFix should continue after a reboot and produce a log.

See if one was created at C:\ComboFix.txt

As for the unbelievably large OTL log (I've never seen one that big, I'm almost afraid to look at it lol)

please upload it to Mediafire and post the sharing link.


----------



## AllenUK (Oct 31, 2010)

http://www.mediafire.com/?radovk7qq4ak4ko

This is the OTL.zip file. I don't understand why it is so big. It doesn't have that much text in it!


----------



## AllenUK (Oct 31, 2010)

ComboFix did not produce a .txt file anywhere; I have even searched through the contents of my C drive and it's not there. Also, since using this program, my computer has suddenly got loads of folders and .sys files in it, such as bootmgr, hiberfil.sys, pagefile.sys, and other folders such as Boot, which all have the normal folder icon except for the fact they are faded. Almost see-through even.


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:

Run *OTL.exe*

Copy/paste the following text written *inside of the code box* into the *Custom Scans/Fixes* box located at the bottom of OTL


```
:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKCU..\Run: [fsm]  File not found
O33 - MountPoints2\{4feab841-b2c3-11dd-85c3-001b24ac7e38}\Shell - "" = AutoRun
O33 - MountPoints2\{4feab841-b2c3-11dd-85c3-001b24ac7e38}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^svshosts.exe.lnk - C:\Windows\WINDOWS\svshosts.exe - File not found
MsConfig - StartUpReg: svshosts - hkey= - key= - C:\Windows\WINDOWS\svshosts.exe File not found
[2010/10/29 19:18:14 | 000,017,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\vruqribw.sys
[2010/10/29 16:47:16 | 000,017,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\yzgyfjih.sys
[2010/10/28 19:09:52 | 000,017,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\rxdxrqpn.sys
[2010/10/30 12:27:39 | 000,017,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\wcauogpy.sys

:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
Then post the OTL log
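
The fix above targets three things a reader may want to recognise in their own OTL output: startup entries whose target no longer exists, a startup target named to imitate a Windows binary (svshosts.exe next to the real svchost.exe), and four differently named drivers of identical size that all claim to come from Microsoft. As an added example (not OTL's or CatByte's code), the Python triage script below applies those same three judgements to OTL-style lines; its sample input reuses the lines from the fix plus two constructed benign driver lines (kbdclass.sys and hidclass.sys, with made-up sizes).

```python
"""Triage helper for OTL-style log lines (added example, not OTL's own code).

Encodes three judgements from the fix above: startup entries whose target is
"File not found", targets named to imitate a Windows binary (svshosts.exe vs
svchost.exe), and differently named drivers sharing one exact size and company.
"""
import re
from collections import defaultdict

# Constructed sample: the lines from the fix above plus two benign driver lines
# (kbdclass.sys / hidclass.sys) whose sizes are made up for this demo.
SAMPLE_LOG = r'''
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKCU..\Run: [fsm]  File not found
O33 - MountPoints2\{4feab841-b2c3-11dd-85c3-001b24ac7e38}\Shell - "" = AutoRun
O33 - MountPoints2\{4feab841-b2c3-11dd-85c3-001b24ac7e38}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^svshosts.exe.lnk - C:\Windows\WINDOWS\svshosts.exe - File not found
MsConfig - StartUpReg: svshosts - hkey= - key= - C:\Windows\WINDOWS\svshosts.exe File not found
[2010/10/29 19:18:14 | 000,017,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\vruqribw.sys
[2010/10/29 16:47:16 | 000,017,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\yzgyfjih.sys
[2010/10/28 19:09:52 | 000,017,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\rxdxrqpn.sys
[2010/10/30 12:27:39 | 000,017,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\wcauogpy.sys
[2010/10/30 12:00:00 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\kbdclass.sys
[2010/10/30 12:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\hidclass.sys
'''

# OTL file line: [date time | size | attrs | C/M] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>[^|]+) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+) \| (?P<flag>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# Startup / autorun entries that OTL could not resolve to an existing file
STARTUP_RE = re.compile(r"^(?P<kind>O4|O33|MsConfig) - (?P<body>.+?)(?: --)? File not found$")
EXE_RE = re.compile(r"[A-Za-z]:\\.*?\.exe\b", re.IGNORECASE)
DRIVER_DIR = "\\system32\\drivers\\"
SYSTEM_NAMES = ("svchost", "explorer", "lsass", "csrss", "winlogon", "services")


def edit_distance(a, b):
    """Levenshtein distance; inputs are short names, so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe_path):
    """Name of the Windows binary a startup target imitates (1-2 edits away), else None."""
    base = exe_path.rsplit("\\", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".exe") else base
    for name in SYSTEM_NAMES:
        if 0 < edit_distance(stem, name) <= 2:
            return name
    return None


def triage(log_text, min_cluster=2):
    """Return a list of (kind, detail) findings for the OTL lines in log_text."""
    findings = []
    clusters = defaultdict(set)  # (size, company) -> set of driver paths
    for line in log_text.splitlines():
        line = line.strip()
        m = STARTUP_RE.match(line)
        if m:
            body = m.group("body").rstrip(" -")
            findings.append(("orphaned startup entry", body))
            for exe in EXE_RE.findall(body):
                name = lookalike_of(exe)
                if name:
                    findings.append(("lookalike of %s.exe" % name, exe))
            continue
        m = FILE_RE.match(line)
        if m and DRIVER_DIR in m.group("path").lower():
            clusters[(m.group("size"), m.group("company"))].add(m.group("path"))
    # Several distinct driver names with one exact size and one company string
    for (size, company), paths in clusters.items():
        if len(paths) >= min_cluster:
            detail = "%d drivers of %s bytes claiming '%s': %s" % (
                len(paths), size, company, ", ".join(sorted(paths)))
            findings.append(("cloned driver set", detail))
    return findings
```

Running `triage(SAMPLE_LOG)` reports the four orphaned entries, the two svshosts.exe lookalikes and the single cluster of four 17,976-byte drivers, while the two constructed benign drivers are left alone.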


----------



## AllenUK (Oct 31, 2010)

I ran OTL.exe and it produced the log, I'm just curious to know if the massive OTL.txt I sent you before means problems for me? 

The attached OTL2.txt is the log produced by running the fix in OTL.


----------



## CatByte (Feb 24, 2009)

Hi

No, most of those files were junk, temporary internet files etc. They have been cleaned out now.

Please give ComboFix another try now.

Please download a fresh copy - rename it to *explorer.exe*

Make sure all your security programs are disabled and all other programs closed.

Start it with the following command:

Go to *Start* > *Run* > *copy/paste* the following single line command in the runbox & click *OK*

*"%userprofile%\desktop\explorer.exe" /killall*


----------



## AllenUK (Oct 31, 2010)

Here is the ComboFix.txt file. This was in my C:/ComboFix/ folder.


----------



## CatByte (Feb 24, 2009)

Hi,

Please do the following:

Please download *Malwarebytes' Anti-Malware*

Double Click *mbam-setup.exe* to install the application.
Make sure a *checkmark* is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click *Finish.*
If an update is found, it will download and install the latest version.
Once the program has loaded, select *"Perform Quick Scan"*, then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that everything is checked, and click *Remove Selected*. <-- very important
When disinfection is completed, a *log* will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


*NEXT*

Using Internet Explorer or Firefox, visit *Kaspersky On-line Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions. 
*2.* To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan
*3.* Click *Run* at the Security prompt. 
The program will then begin downloading and installing and will also update the database. 
Please be patient as this can take several minutes. 

Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan. 
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. 
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined. 
Click *View scan report* at the bottom.

Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply.


----------



## AllenUK (Oct 31, 2010)

I tried to run Kaspersky but it takes far too long to scan; in 1 hour it had completed only 9% of its scan. My computer is not on for more than 5 hours at a time, so this scan cannot be completed.


----------



## CatByte (Feb 24, 2009)

Hi

Try this scanner instead:

Go *here* to run an online scanner from *ESET.*

*Note:* You will need to use *Internet explorer* for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, allow the ActiveX control to install
Click *Start*
Make sure that the option *Remove found threats* is unticked and the *Scan Archives* option is ticked.
Click on Advanced Settings, ensure the options *Scan for potentially unwanted applications*, *Scan for potentially unsafe applications*, and *Enable Anti-Stealth Technology* are ticked.
Click *Scan*
Wait for the scan to finish
Use *notepad* to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.


----------



## AllenUK (Oct 31, 2010)

Hi,
Just to let you know the issue has now stopped. Thank you for all of your help! The rootkit found by TDSSKiller must have been the issue.

Thank you again!


----------



## CatByte (Feb 24, 2009)

Hi

It would be good to finish completely.

If you could complete the ESET scan to make certain there are no leftover infected files, then we can clean up the tools used.


----------

