google redirect problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chronicv420, May 16, 2011.

  1. chronicv420

    chronicv420 Private E-2

    I've done what was said in the "read and run me" guide and the "fixing google redirection/hijacking problems" guide, and nothing worked; I still have the issue. MBAM found nothing, and neither did SUPERAntiSpyware. It only seems to be happening in Firefox. In IE and Google Chrome I don't have the redirecting issue. Thanks in advance if someone can help.
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!
    *Not quite - you didn't attach the requested C:\MGlogs.zip.

    We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:

    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.
    Now download and save the installer for the current version of FireFox, but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:
    Now reinstall FireFox from the file previously downloaded.
    Then import your bookmarks file. (similar process to exporting).

    Please attach the C:\MGlogs.zip and answer this: "Is FireFox working okay now?"

    dr.m
     
  3. chronicv420

    chronicv420 Private E-2

    Sorry, it didn't have the zip log the first time I ran MGtools. I still have the issue of redirecting, even after doing what you asked. Here are the logs you asked for.

    I also got an error message while running MGtools.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Bring up Device Manager by right-clicking My Computer and selecting Properties. Then click the Hardware tab and then select Device Manager.

    Look under the System Devices section. Do you see something like [cmz vmkd] or [cmz vmkd] Virtual Bus?

    If you find a match to what I said to look for, then right-click on it and select Disable (do not select Delete at this time).

    Did you see anything like that?
     
  5. chronicv420

    chronicv420 Private E-2

    No, nothing like that is there.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use Add/Remove Programs to uninstall:
    Messenger Plus! 5

    Now, use Windows Explorer to find and delete:
    C:\ProgramData\AVG10
    C:\Windows\1226A4C56F274C4EAE372B5512DE125A.TMP

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your Desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it (Note: if using Vista or Win7, don't double-click; use right-click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. chronicv420

    chronicv420 Private E-2

    It wouldn't allow it to. It said it's not a registry script and I can only import binary registry files from within the Registry Editor.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you do this:
    Be sure the "Save as" type is set to "all files" ??
     
  9. chronicv420

    chronicv420 Private E-2

    Yes, of course.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va001]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7EB441B5-39E5-43FB-9087-56BCDC83CA67}]
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{00121B5A-4A42-4DAA-A9ED-A8675DCB2443}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it (Note: if using Vista or Win7, don't double-click; use right-click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  11. chronicv420

    chronicv420 Private E-2

    Okay, here are the attachments you asked for. I'm still having my Google redirect issue, and while doing the MGtools scan thing, I got this error: "the ordinal 1108 could not be located in the dynamic link library WSOCK32.dll."
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you re run TDSSKiller and attach the log please?
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  14. chronicv420

    chronicv420 Private E-2

    Here are the logs you asked for. GMER didn't give me a log; when I saved it, it came out blank, but it said "gmer hasn't found any system modification".
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Scan With RKUnHooker
    • Please download Rootkit Unhooker and save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • * This can take a while. Please be patient. *
    • Save the report somewhere where you can find it. Click Close.
    • Copy the entire contents of this log into your next reply.
    • This log can be lengthy; you may have to post it in separate replies.
    • Note: You may get the following warning. It is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

    Run this too, attach results from each.

    Using Radix To Detect Rootkits
     
  16. chronicv420

    chronicv420 Private E-2

    I can't use Radix on my computer. It said it only works for 32-bit, and I have a 64-bit. The site you provided for RKUnhooker wouldn't connect.

     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I want you to try a new tool:

    http://www.geekstogo.com/forum/files/download/413-roguekiller/


    * Download RogueKiller to the desktop (use the link above)
    * Close all the running processes
    * Under Vista/Seven, right-click -> Run as Administrator
    * Otherwise just double-click on RogueKiller.exe
    * When prompted, type 1 (SCAN) and then Enter
    * A report should open; attach the log to your next reply. (RKreport can also be found next to the executable.)
    * If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
    * Attach the log.
     
  18. chronicv420

    chronicv420 Private E-2

    Here's the log for RogueKiller.
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Trying very hard to find at least one tool which will reveal the malware so we can target it.

    1. When in Device Manager (under System Devices), have you checked "View" and "Show hidden devices"? Does anything like [cmz vmkd] or [cmz vmkd] Virtual Bus or similar show?

    2. Boot into safe mode and run TDSSKiller yet again and attach the log.

    3. Download the MBR Rootkit Detector to your desktop.
    • Double-click mbr.exe and follow the prompts.
    • A black DOS window will quickly appear then disappear.
    • When mbr.exe is finished it will create a log on your desktop.
    • Copy and paste the contents of that log file into your next reply.

    4. Run this: Running Rootkit Revealer


    5. Then run this and attach the results.

    Using ESET's Online Scanner
     
  20. chronicv420

    chronicv420 Private E-2

    Do you want me to scan with RootkitRevealer and MBR Rootkit Detector in safe mode as well?
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, just TDSSK in safe mode, the rest can be run normally.
     
  22. chronicv420

    chronicv420 Private E-2

    I went to boot my computer in safe mode, and it wouldn't start up. Then I tried in normal mode, and it wouldn't start up. I fixed it by doing a system restore, so I can try again though if you want.

    However, RootkitRevealer showed the software and licence terms. I clicked "accept" and then it just disappeared, and I couldn't open it or scan or anything. Here's my log for MBR Rootkit Detector, and I'm doing my ESET scan now, so I'll attach that when it's done.
     

    Attached Files:

    • mbr.log
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Continue with ESET but I also want you to try something else afterwards.

    Download the file to your desktop

    Kaspersky Virus Removal Tool

    Run the program you have just downloaded to your desktop (it will be randomly named).

    First we will run a virus scan.
    • On the first tab select all elements down to Computer and then select start scan.
    • Once it has finished select report and post that.

    Do not close AVPTool or it will self-uninstall. If it does uninstall, then just rerun the setup file on your desktop.

    Now an analysis scan

    • Select the Manual Disinfection tab
    • Press the Gather System Information button
    • Once done Open the last report saved folder then attach the zip file to your next post.
    • The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
    Please attach that too.
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your problem is related to the [cmz vmkd] Kestrel is having you look for. Check other areas in Device Manager. For example, under the View menu selection, enable Show Hidden Devices. Then select Non-Plug and Play Drivers and see if it appears there.

    I can see other signs from this infection in the procdll.txt file which is part of MGtools. In it you will see the below hooked into many processes.

    \\.\globalroot\systemroot\syswow64\mswsock.dll

    Yours may be the second PC running x64 where I have seen this. And due to it being x64 (which really is harder to infect than previous systems), it is also more difficult to fix. Reinstall may be the only option. Also do note that this infection is also considered a backdoor infection, which is a high security risk and in many cases really means you need to reinstall from scratch anyway in order to ensure the security of your PC.
     
  25. chronicv420

    chronicv420 Private E-2

    Okay, I'll do this. I attached my ESET scan.

    I checked my Device Manager, and it wasn't there. How would I go about reinstalling from scratch if I don't have an installation CD? My computer has the option to restore to factory settings, but I don't think that will work. I don't do much on my computer, including using credit cards. It's just annoying being redirected on Google when I use Firefox or IE. It doesn't happen on Google Chrome or anything. I just want it gone.
     

    Attached Files:

  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would recommend that you back up your important files and data to a CD and then do a system recovery using the recovery partition. Offhand, I don't recall which F key to hit on start-up (it may be 0 for Toshiba or F9 for others).

    Having this type of infection will leave you very vulnerable for additional infections as well as data stealing.

    I highly recommend you do the restore to factory settings. Then once back up and running, with AV and AS software in place, you can create a restore disc.
     
  27. chronicv420

    chronicv420 Private E-2

    What does a restore disc do?
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What it says: it will restore your computer to whatever time you created it. This is a subject for the software forum. They can guide you in creating a backup disc in case your computer ever crashes. ;)
     
  29. chronicv420

    chronicv420 Private E-2

    Ah, makes sense. The Virus Removal Tool found a trojan in System32. consrv.dll? Backdoor.Win64.ZAccess.a
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Unfortunately, this is the main infection which we have no methods of removing:
    \\.\globalroot\systemroot\syswow64\mswsock.dll
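    The two indicators named in this thread (the mswsock.dll copy recorded under a \\.\globalroot\ path in many processes, and the consrv.dll in System32 that the Kaspersky tool flagged), plus the [cmz vmkd] device and the X6va001/X6va005 services from the CFScript, can be looked for from an elevated PowerShell prompt. This is an added example, not something from the thread or from the MajorGeeks tools; it assumes Windows 7 x64 or later with PowerShell 2.0 or newer, run as Administrator.

```powershell
# Added example (not from the thread or the MajorGeeks tools): read-only checks for the
# indicators this thread names. Run from an elevated PowerShell prompt; nothing is deleted.

function Find-GlobalrootModules {
    # Flags modules whose recorded path is in the \\.\globalroot\ device namespace, and any
    # mswsock.dll not loaded by its normal drive path from System32 or SysWOW64.
    # Note: 64-bit PowerShell only sees the 64-bit modules of 32-bit (WOW64) processes,
    # so run this from the 32-bit PowerShell too to cover the SysWOW64 copy.
    $sys32 = Join-Path $env:SystemRoot 'System32\mswsock.dll'
    $wow64 = Join-Path $env:SystemRoot 'SysWOW64\mswsock.dll'
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # access denied on some processes
        foreach ($m in $mods) {
            $path = $m.FileName
            $viaGlobalroot = $path -like '\\.\globalroot\*'
            $oddMswsock    = ($path -like '*\mswsock.dll') -and ($path -ne $sys32) -and ($path -ne $wow64)
            if ($viaGlobalroot -or $oddMswsock) {
                New-Object PSObject -Property @{ Process = $p.ProcessName; Id = $p.Id; Module = $path }
            }
        }
    }
}

function Find-ConsrvDll {
    # The thread reports C:\Windows\System32\consrv.dll detected as Backdoor.Win64.ZAccess.a.
    # Report whether the file exists and whether it carries a valid Authenticode signature.
    $path = Join-Path $env:SystemRoot 'System32\consrv.dll'
    if (-not (Test-Path $path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{ Path = $path; Signature = $sig.Status; Signer = $signer }
}

function Find-SuspectDrivers {
    # The "[cmz vmkd]" device the helpers asked about and the X6va001/X6va005 services the
    # CFScript removes are both service entries; check the driver list and the Services key.
    $drivers = Get-WmiObject Win32_SystemDriver |
        Where-Object { $_.Name -like '*vmkd*' -or $_.DisplayName -like '*vmkd*' -or $_.Name -like 'X6va*' } |
        ForEach-Object { $_.Name }
    $keys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -like 'X6va*' -or $_.PSChildName -like '*vmkd*' } |
        ForEach-Object { $_.PSChildName }
    @($drivers) + @($keys) | Sort-Object -Unique
}

'== Modules loaded through \\.\globalroot or from an odd mswsock.dll path =='
Find-GlobalrootModules | Format-Table Process, Id, Module -AutoSize
'== consrv.dll in System32 =='
Find-ConsrvDll
'== Driver/service entries matching vmkd or X6va* =='
Find-SuspectDrivers
```

    A kernel-mode rootkit can hide exactly these entries from user-mode checks, which is why the scanners in this thread came back clean and the helpers fell back to a factory restore; a clean result here is not proof the machine is clean.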
     
  31. chronicv420

    chronicv420 Private E-2

    It asked me if I wanted to remove it, and I did, and now my computer won't load.
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then you have no other choice but to try to restore to factory settings. :(
     
  33. chronicv420

    chronicv420 Private E-2

    I'm in System Recovery now, but I was wondering: if I do a system restore, would the virus be removed?
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You would have to go back to a point before the malware got on your system. The only way to check that would be to again run MGtools for us to check your logs.
     
  35. chronicv420

    chronicv420 Private E-2

    Ah, I see. I tried that before; it was the first thing I did, and it wouldn't even let my computer do a system restore. Ah well, looks like I'm bringing my computer to factory settings. This will get rid of my virus?
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, that should get rid of any infections you have. First thing to do after restoring is to download and install your protection software. You may wish to read this:
    How to Protect yourself from malware!
     
  37. chronicv420

    chronicv420 Private E-2

    Okay, good. I did all that stuff that the thread you linked me to said to do. I always checked my computer for malware, did daily scans, etc. But anyway, if this doesn't get rid of the virus, what do I do?
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's not get ahead of ourselves. Do a system restore to as far back as you feel is necessary and then download MGtools again and run the exe. Then attach the new C:\MGLogs.zip for me to check the logs.
     
    Last edited: May 24, 2011
  39. chronicv420

    chronicv420 Private E-2

    I can't. My computer doesn't save restores for a long period of time. I can only go back as far as the 22nd, and it was there since the 14th-15th.
     
  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then you may be stuck with only having the option to do the restore to factory settings.
     
  41. chronicv420

    chronicv420 Private E-2

    OK, thanks for your guys' help. I'll just do that.
     
  42. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. Sorry there was no easy fix.
     
