Google redirects

[Nogs]

I have had exactly same problem, have run OTL scan, here are my logs attached:

Extras.Txt

OTL.Txt

[kahdah]

Hello Nogs

Welcome to Malwarebytes.

=====================

Please download Rootkit Unhooker and save it to your desktop.

• Double-click RKUnhookerLE.exe to run it.
  
• Click the Report tab, then click Scan
  
• Check Drivers, Stealth Code, Files, and Code Hooks
  
• Uncheck the rest, then click OK
  
• When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  
• Wait till the scanner has finished then go File > Save Report
  
• Save the report somewhere you can find it, typically your desktop. Click Close
  
• Copy the entire contents of the report and paste it in your next reply.
  

Note - You may get this warning it is ok, just ignore it."Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

[Nogs]

The RkU scan comes up with a box saying 'Getting list of files and directories (C:\)' and then does nothing.

[Nogs]

Worked in end, report attached!

Report.txt

[kahdah]

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
  
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[Nogs]

Hi TDDS and Combofix logs attached

Combo_fix_log.txt

TDSSKiller.2.4.3.0_29.09.2010_09.03.54_log.txt

[kahdah]

Are these something you recognize:

Search.vbs that is in the startup folder.

c:\program files\-dcch$v < this has no info about it.

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

• Click on the update tab then click on Check for updates.
  
• If an update is found, it will download and install the latest version.
  
• Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

* Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
  
• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activex control to install
  
• Click Start
  
• Check next options: Remove found threats and Scan unwanted applications.
  
• Click Scan
  
• Wait for the scan to finish
  
• Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

[Nogs]

Malware bytes log as follows:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4715

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

29/09/2010 13:38:32

mbam-log-2010-09-29 (13-38-32).txt

Scan type: Quick scan

Objects scanned: 235200

Time elapsed: 22 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Nogs]

ESET log as follows:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=c9f52b02b58e7344a7daebfb40fd071f

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-09-29 02:26:16

# local_time=2010-09-29 03:26:16 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=8192 67108863 100 0 133 133 0 0

# scanned=106517

# found=3

# cleaned=3

# scan_time=6156

C:\Documents and Settings\andy.dickens\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-4e264eba Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP991\A0202236.dll a variant of Win32/Kryptik.GUI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP991\A0202237.dll a variant of Win32/Kryptik.GUI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

[kahdah]

Looks good how are things running?

• Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Under the Standard Registry box change it to All.
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open one notepad window. OTL.Txt a This is saved in the same location as OTL.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.
    

[Nogs]

Slight problem - Symantec Endpoint protection is now malfunctioning saying "Your protection definitions may be damaged or you product installation may be corrupt" - any ideas?

[kahdah]

Hi seems like it is an issue with Symantec software.

See if this log sheds any light on it.

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\liveupdate.log

IF it is large you can attach the log here form me to look over.

[Nogs]

I got Symantec running thanks but I think the problem might have been caused by running OTL - I did disable virus protection and firewall before running as instructed but still got a message saying it wasnt disabled, I thought it must be an error so ignored it - perhaps not a good idea!

[kahdah]

It wasn't from OTL it only scans the system doesn't do anything to the system.

Either way go ahead and run OTL with the instructions in my previous post and post the log please.

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!