Help with IE redirect

Discussion in 'Malware Help (A Specialist Will Reply)' started by tdsmoonchild, Jan 31, 2007.

  1. tdsmoonchild

    tdsmoonchild Private E-2

    Search results often get redirected to consumer sites or other search engines.
     
  2. tdsmoonchild

    tdsmoonchild Private E-2

    here are the logs
     


  3. tdsmoonchild

    tdsmoonchild Private E-2

    Here are the rest
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with a few comments. It appears that CCleaner was not run as per the Read and Run Instructions.
    It would appear as though you downloaded the Panda program rather than running the online scan. It needs to be removed as you have Norton installed.

    It also looks as though you downloaded Service Pack 2 from a warez P2P site ...the files are infected.
    Having CounterSpy remove them may make the download impossible to uninstall.

    So the first suggestion would be a system restore to before that installation.

    Party Poker, MyWebSearch and Titan Poker have brought in some nasties.

    You did not update your Java.
    You should uninstall:
    J2SE Runtime Environment 5.0 Update 10
    and Install:
    J2SE Runtime Environment 6 as directed in the Read and Run First.
    These files need to be deleted:
    c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
    C:\Program Files\??stem


    You also have a Wareout infection. HJT needs to remove these items.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk572KNUS
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe G
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{207DD189-AEC7-4BF9-8DAC-AF834EEA5548}: NameServer = 85.255.116.99,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7CFC2A9-FE3E-48DD-A9B3-937A833E417A}: NameServer = 85.255.116.99,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CCF816D0-DA2E-428D-84D1-5AAA0BCFC851}: NameServer = 85.255.116.99,85.255.112.152
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.152
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.152

    But I am loath to do anything until I know what action you wish to take regarding the SP2 installation.

    If it uninstalls properly or you do a system restore to before the download, please re-do the entire Read and Run Instructions.
     
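The O17 lines in the post above are the HijackThis view of the Tcpip `NameServer` registry values, and the same pair of external addresses is written into every interface GUID and into all three control sets (CCS, CS1, CS2). The script below is an added example, not part of the thread or of HijackThis: it parses O17 lines from a log, reports any hard-coded resolver outside an allowlist you supply (or, with no allowlist, any public address), and shows which control sets carry each server. The sample log is constructed from the O17 lines quoted above plus one benign router entry (192.168.1.1) added for contrast; the GUID on that line is made up.

```python
"""Flag hard-coded DNS servers in HijackThis O17 entries.

Added example, not part of the original thread or of HijackThis. The sample
log is constructed from the O17 lines quoted in the post above, plus one
benign entry (a 192.168.1.1 router address, made-up GUID) for contrast.
"""
import re
from ipaddress import ip_address

SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O17 - HKLM\System\CCS\Services\Tcpip\..\{207DD189-AEC7-4BF9-8DAC-AF834EEA5548}: NameServer = 85.255.116.99,85.255.112.152
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.99 85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# O17 is the HijackThis section for Tcpip NameServer values. Capture the
# control set (CCS = CurrentControlSet, CS1/CS2 = stored copies) and the
# scope (the global Parameters key or a per-interface GUID).
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<scope>[^:]+): "
    r"NameServer = (?P<servers>\S.*?)\s*$"
)


def parse_o17(log_text):
    """One dict per O17 line: control set, scope, list of server addresses."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        scope = m.group("scope")
        entries.append({
            "control_set": m.group("cs"),
            # per-interface keys appear as ..\{GUID}; keep just the GUID
            "scope": "global" if scope == "Parameters" else scope.rsplit("\\", 1)[-1],
            # HJT prints the servers comma- or space-separated depending on the key
            "servers": re.split(r"[,\s]+", m.group("servers").strip()),
        })
    return entries


def flag_rogue_dns(entries, trusted=frozenset()):
    """Entries that hard-code a DNS server the owner did not expect.

    `trusted` holds resolvers the user knowingly configured (router, ISP).
    Given an allowlist, anything outside it is reported. Without one, every
    public address is reported: a home PC on DHCP normally has no NameServer
    value written into the registry at all, so a public IP sitting there,
    repeated on every interface and control set, is the hijack signature.
    """
    flagged = []
    for e in entries:
        for s in e["servers"]:
            try:
                addr = ip_address(s)
            except ValueError:
                flagged.append(e)          # not an IP address at all: report it
                break
            bad = (s not in trusted) if trusted else (not addr.is_private)
            if bad:
                flagged.append(e)
                break
    return flagged


def server_footprint(entries):
    """Map each server to the control sets that carry it.

    A value removed only from CurrentControlSet can come back after a Last
    Known Good boot if a stored control set still holds it, so check all of
    them, as the HJT listing above does.
    """
    footprint = {}
    for e in entries:
        for s in e["servers"]:
            footprint.setdefault(s, set()).add(e["control_set"])
    return footprint


if __name__ == "__main__":
    parsed = parse_o17(SAMPLE_HJT_LOG)
    for e in flag_rogue_dns(parsed, trusted={"192.168.1.1"}):
        print("ROGUE", e["control_set"], e["scope"], ",".join(e["servers"]))
    for server, sets in sorted(server_footprint(parsed).items()):
        print("FOOTPRINT", server, sorted(sets))
```

Running it against a fresh HijackThis log after the adapter has been set back to "Obtain DNS server address automatically" should return no flagged entries; if the same servers reappear, the value is being re-written and the machine is not clean.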
  5. tdsmoonchild

    tdsmoonchild Private E-2

    I did run it but I don't have access to other user's accounts.


    Done...

    It was not SP2, it was an SP2 connection patcher so you can adjust the size of files it will allow to be downloaded over p2p networks....for really large files like programs or movies. It would not uninstall.

    I tried a system restore when I started having problems....kept getting error messages....would not restore.....kept trying to go further and further back but I couldn't restore to any previous restore point.

    Uninstalled party poker, couldn't find where to uninstall MyWebSearch and Titan Poker.

    Done....Java site told me I had the newest version when I checked it?????

    Couldn't find these anywhere.....I searched using the search for files and folders. I manually searched for them in windows explorer?????


    These weren't there next time I ran HJT....


    These were fixed in HJT.

    Good news is.....Not having the problem today! Something must have worked.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We may be hampered if you can't access other accounts. Some of the problems may exist on those accounts and they need to have the same procedures run on them also.

    Re-run CounterSpy and have it remove/quarantine everything it finds.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.



    Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

    http://downloads.subratam.org/Fixwareout.exe

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    * Run Fixwareout.
    * Click Next,
    * then Install,
    * make sure Run fixit is checked
    * and click Finish.
    * The fix will begin; follow the prompts.
    * You will be asked to reboot your computer; please do so.
    * Your system may take longer than usual to load; this is normal.

    When you run fixwareout, just follow the prompts, you will need to restart when prompted.

    After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.

    * Go into Control Panel -->Network Connections.
    * Right click on your connection
    * and click Properties.
    * On the Properties page, highlight Internet Protocol(TCP/IP)
    * Click Properties. This will bring up another page.
    * Select Obtain DNS Server Automatically.
    * Click the ok button. The page will close.
    * Press ok on the page in front of you.
    * Restart the computer.
    * Reconnect to the Internet using Internet Explorer.
    * Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt

    Attach the logs from the above procedures as well as:
    ShowNew
    HJT
     
  7. tdsmoonchild

    tdsmoonchild Private E-2

    Here are the new logs
     


  8. tdsmoonchild

    tdsmoonchild Private E-2

    Here are the others, and by the way, killbox let me clean temp files of all users on the system, no error message either, but I could not delete all those files. only this one:C:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run HJT and have it fix this item:

    O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

    Try to find this folder on your drive:

    "C:\Program Files\"
    STEM~1 Dec 6 2006 "??stem"

    Created on that date (right click the folder and choose properties).

    Don't do anything with it yet....just tell me what if anything is in it.
     
  10. tdsmoonchild

    tdsmoonchild Private E-2

    There is a folder in C:\Program Files called "system" modified on 12/06/2006. The folder is empty.
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You still show signs of a few problems. One of them is a PurityScan infection (which is indicated by the ??stem folder). The below tool usually helps make removal of this easier.
    1. Now Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
     
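The folder in the two posts above shows up three different ways: "??stem" in the HijackThis log, short name STEM~1 in the directory listing, and "system" in Explorer. One common explanation (an assumption here, the thread does not state the exact characters) is that the first characters of the name lie outside the ANSI code page, so a console prints them as '?' while Explorer draws them with whatever glyph the font has. The script below is an added example, not part of the thread: it spells out every non-ASCII code point in a directory name so nothing can hide, and flags names that fold to a trusted-looking word such as "system". The folder names it creates are constructed for the demo and are not the folder from the thread; the confusables table is a small hand-written sample, not the full Unicode list.

```python
"""Spot folder names that look like "system" but contain non-ASCII characters.

Added example, not part of the original thread. The names created below are
constructed for the demo and are not the folder from the thread.
"""
import os
import tempfile
import unicodedata

# Small confusables table (assumed, not exhaustive): Cyrillic letters that
# render like Latin ones in most fonts.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i",
})

# Names an attacker would want a folder to be mistaken for.
TRUSTED_LOOKING = ("system", "windows", "microsoft", "common files")


def describe_name(name):
    """Spell out every non-ASCII or non-printable code point so it cannot hide."""
    out = []
    for ch in name:
        if ord(ch) < 128 and ch.isprintable():
            out.append(ch)
        else:
            out.append("<U+%04X %s>" % (ord(ch), unicodedata.name(ch, "UNNAMED")))
    return "".join(out)


def classify_name(name):
    """None for plain printable ASCII, otherwise a reason string."""
    if all(ord(c) < 128 and c.isprintable() for c in name):
        return None
    # NFKC folds full-width and compatibility forms; the table folds Cyrillic.
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLES).lower()
    if folded in TRUSTED_LOOKING:
        return "lookalike of %r" % folded
    return "non-ASCII characters"


def suspicious_entries(root):
    """(name, reason, spelled-out form) for each flagged entry directly under root."""
    hits = []
    for entry in os.scandir(root):
        reason = classify_name(entry.name)
        if reason:
            hits.append((entry.name, reason, describe_name(entry.name)))
    return sorted(hits)


def build_demo_tree():
    """Constructed stand-in for a Program Files directory with one lookalike."""
    root = tempfile.mkdtemp(prefix="progfiles_")
    # "system" is plain ASCII; the third name uses Cyrillic U+0443 for the 'y'.
    for name in ("system", "Common Files", "s\u0443stem"):
        os.mkdir(os.path.join(root, name))
    return root


if __name__ == "__main__":
    for name, reason, spelled in suspicious_entries(build_demo_tree()):
        print(spelled, "->", reason)
```

The plain ASCII "system" folder is not reported, which matches the thread: the user found a folder that read "system" and could not tell it apart by eye. Spelling out the code points is what distinguishes a legitimate folder from one whose name merely displays the same way.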
  12. tdsmoonchild

    tdsmoonchild Private E-2

    combofix log
     


  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet ....That found what we were looking for.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  14. tdsmoonchild

    tdsmoonchild Private E-2

    Thanks for all the help!
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem..:)
     