newguy

Google Redirect - McAfee/MBAM won't scan


Start > Control Panel > User Accounts.

I know this infection also disables permissions but I'm not sure if it does it on all users.


The user account I've been using is listed as the "computer administrator". Do I still need to add another account?


Yes, create a new one. Use your name if you want.

Then restart and use the new user


OK, created new account and signed on to it. Cannot connect from this account either.


Let's see another ipconfig /all

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter

ipconfig /all


OK, here it is:

C:\Documents and Settings\Temp>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DELL

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 5:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-13-20-07-E5-7A

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : Friday, October 28, 2011 8:22:01 PM

Lease Expires . . . . . . . . . . : Saturday, October 29, 2011 3:54:12 PM


That all looks OK to me.

Let's try this one:

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

netsh winsock reset catalog (hit enter)

netsh int ipv4 reset reset.log (hit enter)

netsh int ipv6 reset reset.log (hit enter)

exit and reboot


netsh winsock reset catalog --> OK

netsh int ipv4 reset reset.log --> "The following command was not found: int ipv4 reset reset.log"

netsh int ipv6 reset reset.log --> IPv6 is not installed

Rebooted. Still no connection.


My last idea for tonight:

open Add/Remove Programs in Control Panel

- select 'Set Program Access and Defaults'

- select Windows and 'OK'

Windows will run through its little routine

I'll check back tomorrow


Open Administrative Tools by clicking the Start button, clicking Control Panel, clicking System and Maintenance, and then clicking Administrative Tools.

Look under services:

Computer Browser

DHCP Client

DNS Client

Network Connections

Network Location Awareness

Remote Procedure Call (RPC)

Server

TCP/IP Netbios helper

Wireless Zero Configuration (XP wireless configurations only)

WLAN AutoConfig (Vista wireless configurations only)

Workstation

All of these services should be started, and their startup type should be automatic (or perhaps manual).

If a service is not running, open its properties and check the dependencies. Check each of the dependencies and see which one is preventing the service from running.


I was really hoping we could find what is causing this.

You wouldn't believe how many topics we have like this and how many are listed at other sites as well.

Open regedit and try this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe <--This is the key that needs to be deleted

Exit regedit and reboot


Couldn't find iexplorer.exe at that location.

I was thinking of trying a repair install of windows. Not sure if that would replace all windows files or just missing ones.

Do you know if anyone has had any luck with that?


Before I do that I would like to back up some files just in case things don't go well (mostly photos and music). Is there a way that I can be sure that all traces of the virus are gone, or do we already know that? I was thinking of going back to the setup where I had the infected drive set up as a second drive and then scanning it for viruses. I have seen advice to others to do some sort of online scan (ESET?) after their machines were clean. Is this better than MBAM and can I scan a drive other than a boot drive with this utility?

Sorry, with all this trouble I'm just a little paranoid about the virus coming back or spreading it to other machines.

I don't blame you.

Good idea about the online scan.

Here's a couple I use.

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.

-------------------------------------------------

Please download Dr.Web CureIt . Save it to your desktop:

  • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply
  • Close Dr.Web Cureit.
    Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.


OK, not sure if I'll get time to do this today, but I'll post back as soon as I can.

When I do post back should I include the eset log?

Thanks again.


Yes, please ;)


OK, ran ESET scan and then DrWeb on the infected drive.

When I reinstall the drive as the master I will try to connect again. If that still doesn't work I'm going to try a repair install of windows.

Here are the logs:

ESET:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=b2d7cb054082f7408986174842b4c745

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-10-30 04:03:42

# local_time=2011-10-30 12:03:42 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=3073 16777189 80 71 0 1876377 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=8786

# found=0

# cleaned=0

# scan_time=265

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=b2d7cb054082f7408986174842b4c745

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-10-30 05:05:34

# local_time=2011-10-30 01:05:34 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=3073 16777213 80 71 0 1876952 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=94222

# found=3

# cleaned=3

# scan_time=3402

F:\Documents and Settings\Rachel\My Documents\Downloads\SoftonicDownloader_for_free-youtube-to-ipod-converter.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP747\A0120781.ini a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

F:\System Volume Information\_restore{345677B9-23C9-45E2-8095-FDFA5CEF3EBA}\RP6\A0001021.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

DrWeb:

dds.scr;F:\Documents and Settings\User.D6WZS771\Desktop;Trojan.MulDrop3.6866;Incurable.Moved.;

dds.scr;F:\Documents and Settings\User.D6WZS771\Desktop\M;Trojan.MulDrop3.6866;Incurable.Moved.;

A0122430.rbf;F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP753;Probably DLOADER.Trojan;Moved.;

A0122436.rbf;F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP753;Probably DLOADER.Trojan;Moved.;

A0126423.exe;F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP756;Trojan.NtRootKit.6725;Deleted.;

A0001023.scr;F:\System Volume Information\_restore{345677B9-23C9-45E2-8095-FDFA5CEF3EBA}\RP7;Trojan.MulDrop3.6866;Incurable.Moved.;

A0001024.scr;F:\System Volume Information\_restore{345677B9-23C9-45E2-8095-FDFA5CEF3EBA}\RP7;Trojan.MulDrop3.6866;Incurable.Moved.;


System Volume Information\_restore

You'd only need to worry about those if you used the restore point where they're located.

When you have that drive back as master:

XP

Reset System Restore Points

  • Click Start > Help and Support
  • Click Start | Run and type Cleanmgr
  • Select (C:) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section
  • Click on ->Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close Help and Support Center.

This will remove all previous restore points except the newly created one.

Reboot your machine to record the changes you have made.

This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware or changes in the Restore settings.

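The reply above says detections under System Volume Information\_restore only matter if that restore point is used. As an added example (not part of the thread and not a Dr.Web tool), this parses the Dr.Web report rows posted earlier and separates detections in live folders from those inside System Restore points; the field order file;folder;threat;action; is assumed from those rows, and the function names are hypothetical.

```python
import csv
import io
import re
from collections import defaultdict

# The seven Dr.Web rows posted in the thread, unchanged: file;folder;threat;action;
REPORT = r"""dds.scr;F:\Documents and Settings\User.D6WZS771\Desktop;Trojan.MulDrop3.6866;Incurable.Moved.;
dds.scr;F:\Documents and Settings\User.D6WZS771\Desktop\M;Trojan.MulDrop3.6866;Incurable.Moved.;
A0122430.rbf;F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP753;Probably DLOADER.Trojan;Moved.;
A0122436.rbf;F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP753;Probably DLOADER.Trojan;Moved.;
A0126423.exe;F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP756;Trojan.NtRootKit.6725;Deleted.;
A0001023.scr;F:\System Volume Information\_restore{345677B9-23C9-45E2-8095-FDFA5CEF3EBA}\RP7;Trojan.MulDrop3.6866;Incurable.Moved.;
A0001024.scr;F:\System Volume Information\_restore{345677B9-23C9-45E2-8095-FDFA5CEF3EBA}\RP7;Trojan.MulDrop3.6866;Incurable.Moved.;
"""

# XP System Restore store layout: ...\_restore{GUID}\RPnnn
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore(\{[0-9A-F-]+\})\\(RP\d+)", re.IGNORECASE)

def parse_report(text):
    """Return one dict per detection row; blank or short rows are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter=";"):
        if len(rec) < 4:
            continue
        name, folder, threat, action = (field.strip() for field in rec[:4])
        m = RESTORE_RE.search(folder)
        rows.append({
            "path": folder.rstrip("\\") + "\\" + name,
            "threat": threat,
            "action": action.rstrip("."),
            # "{GUID}\RPnnn" for restore-point copies, None for live folders
            "restore_point": m.group(1) + "\\" + m.group(2) if m else None,
        })
    return rows

def triage(rows):
    """Split rows into live-folder detections and threats per restore point."""
    live = [r for r in rows if r["restore_point"] is None]
    by_point = defaultdict(list)
    for r in rows:
        if r["restore_point"]:
            by_point[r["restore_point"]].append(r["threat"])
    return live, dict(by_point)

if __name__ == "__main__":
    live, by_point = triage(parse_report(REPORT))
    for r in live:
        print("LIVE   ", r["path"], r["threat"], r["action"])
    for point, threats in sorted(by_point.items()):
        print("RESTORE", point, sorted(set(threats)))
```
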

Finally got around to doing the repair install of Windows.

Connectivity is back!!!

I can connect with Firefox but IE returns this error: "The requested lookup key was not found in any active activation context"

Since the repair install I'm back to IE6. Maybe I'll see if I can update via Microsoft Updates and see what happens.

This topic is now closed to further replies.
