AV Suite/Google Redirecting issue

Discussion in 'Malware Help (A Specialist Will Reply)' started by mzxrules, Jul 22, 2010.

  1. mzxrules

    mzxrules Private E-2

    A few days ago this computer was infected by AV Security Suite. My dad attempted to remove it, and it seemed that it was cleaned up for the most part, but we couldn't clear up an issue where search results from google would re-direct us.
     


  2. mzxrules

    mzxrules Private E-2

    thanks in advance/for the past help
     


  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, mzxrules.

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, mzxrules

    I strongly recommend that you clean up this account's Desktop immediately, leaving only shortcut links. [ C:\Documents and Settings\default\desktop ] Do not store downloads, exe files, iso files....etc on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

    You should increase your installed RAM to at least 1GB for properly running XP without experiencing system lags.
    *This doesn't belong in this directory: C:\Documents and Settings\default\My Documents\mbam-setup-1.46.exe
    Move it to "C:\Documents and Settings\default\My Documents\Downloads"

    Step 1:
    Important Notice: A new version of SUPERAntiSpyware has been released.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new "Complete scan" of your system. And attach this new log.

    Step 2:
    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v
    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    Step 3:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and continue on.
    Step 4:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Code:
    O2 - BHO: (no name) - @&497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - HA54162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
    O2 - BHO: (no name) - ˜A8ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    
    After clicking Fix, exit HJT

    Step 5:
    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 6:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 7:
    Now install the latest Sun Java Runtime Environment

    Step 8:
    Now go to this link MGTools and download the new version of MGtools....overwrite your previous MGtools.exe file with this one.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • TDSSKiller_log.txt
    • updated SASlog.txt

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
  5. mzxrules

    mzxrules Private E-2

    I wasn't able to run TDSSkiller with the line you gave me. I got an error saying

    Valid comand line parameters:

    -l <file_name> (path to log file)
    -qpath <folder_name> (path to quarantine folder)
    -qall (copy all objects to quarantine)
    -qsus (copy al suspicious objects to quarantine)
    -qmbr (copy al mbr to quarantine)

    So I clicked and ran it from the desktop

    The only malware issue I've been experiencing was that google links would re-direct whenever I clicked them. It might have been fixed during the cleaning process, but I haven't personally tried it.
     


  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Let's see if we can remove this stubborn file:

    Please download http://www.itxassociates.com/OT-Tools/OTM.exe by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\WINDOWS\rnapxs
     
    :Commands
    [EmptyTemp]
    [start explorer]
    [Reboot]
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt%21.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
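A dry-run parser for the OTM script format used in this post, added here as an illustration and not part of OTM or the original thread; it lets you preview what a script would do before the real tool runs. It assumes only the three section names shown above (:Processes stops the listed processes, :Files moves the listed paths to C:\_OTM\MovedFiles, :Commands runs the bracketed directives, as OTM is commonly documented) and embeds the posted script as a constructed sample:

```python
from collections import OrderedDict

# Constructed sample: the script text from the post above, verbatim.
SAMPLE_SCRIPT = """\
:Processes
explorer.exe

:Files
C:\\WINDOWS\\rnapxs

:Commands
[EmptyTemp]
[start explorer]
[Reboot]
"""

# Section names as posted; their meaning is assumed from OTM's common usage.
KNOWN_SECTIONS = ("Processes", "Files", "Commands")


def parse_otm_script(text):
    """Return an ordered {section: [entries]} map, ignoring blank lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:]
            if current not in KNOWN_SECTIONS:
                raise ValueError("unknown OTM section: " + current)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: " + line)
        else:
            sections[current].append(line)
    return sections


def preview_actions(sections):
    """Describe in plain English what the script would do if run."""
    actions = []
    for proc in sections.get("Processes", []):
        actions.append("stop process " + proc)
    for path in sections.get("Files", []):
        actions.append("move " + path + " to C:\\_OTM\\MovedFiles")
    for cmd in sections.get("Commands", []):
        actions.append("run directive " + cmd)
    return actions
```

Run `preview_actions(parse_otm_script(SAMPLE_SCRIPT))` to list the planned actions; an unknown section header or an entry before any header raises ValueError instead of being silently skipped.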
     
  7. mzxrules

    mzxrules Private E-2

    ok..
     


  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)

    Ok - that removed it.

    How is your machine running now?
     
  9. mzxrules

    mzxrules Private E-2

    Sorry for not replying sooner.

    Everything seems to be running much faster, and I don't seem to be having problems with google.

    There are two issues I'm having that I don't think are related to the initial problem. The first is that when the system boots up, I get an error along the lines of "Invalid Boot.ini, Booting from c:\windows". The other is that the volume icon doesn't seem to look right.

    But other than that, everything seems fine.
     


  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Make sure that your Folder Options is still set to
    • display system files, and also the option to display hidden files.

    Now do a search for BOOT.INI (it should be on C:\ and not in any folders). You can right click on it and choose 'open.' Now you can edit it. Below is the default example for boot.ini for XP.

    Save then close your edited file and re-boot your pc. *Tell me if you still get the error message.
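A small checker for the boot.ini edit the post describes, added here as an illustration and not part of the thread; it parses the [boot loader] and [operating systems] sections and flags the inconsistencies (missing section, default= pointing at no entry, non-numeric timeout, malformed ARC path) that produce an invalid-boot.ini complaint at startup. The embedded file is a constructed sample, not the default example the post refers to.

```python
import re

# ARC path syntax accepted on the left of each [operating systems] entry.
ARC_PATH = re.compile(
    r"^(?:multi\(\d+\)|scsi\(\d+\)|signature\([0-9A-Fa-f]+\))"
    r"disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+$")

# Constructed sample for testing; not the post's default boot.ini.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""


def parse_boot_ini(text):
    """Return {section: {key: value}}, skipping blanks and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_boot_ini(text):
    """Return a list of problems; an empty list means the file looks sane."""
    sections = parse_boot_ini(text)
    problems = ["missing [%s] section" % name
                for name in ("boot loader", "operating systems") if name not in sections]
    if problems:
        return problems
    loader, systems = sections["boot loader"], sections["operating systems"]
    default = loader.get("default")
    if default is None:
        problems.append("no default= line in [boot loader]")
    elif default not in systems:
        problems.append("default %r has no [operating systems] entry" % default)
    if not loader.get("timeout", "").isdigit():
        problems.append("timeout= is missing or not a number")
    problems.extend("malformed ARC path: %r" % arc
                    for arc in systems if not ARC_PATH.match(arc))
    return problems
```

Feed `check_boot_ini` the contents of C:\boot.ini (with hidden and system files shown, as the post says) and fix whatever it reports before rebooting.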
     
