Spyware won't go away

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Hopeless, Sep 7, 2004.

  1. Hopeless

    Hopeless Private E-2

    So basically I've tried everything I can to get rid of this spyware/adware/trojan. Here's my problem: something is adding 'erosearcher.com' links to my Internet Explorer favorites that I don't want, changes my homepage to http://s-redirect.com/?b=hc, and changes my searchpage. I've downloaded AdAware, Spybot S&D, Webroot's Spy Sweeper, Hijack This, CCleaner, Kill2Me, and CWShredder. Eventually I got it where AdAware and Spy Sweeper told me I had no spyware. When I thought I finally destroyed the programs, I restarted and BAM it happened again. If it helps, some programs I got rid of (or thought I got rid of?) were eZula, Peper Trojan, Wintools, and WildMedia.


    What do I do now?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

    And then post a HijackThis log as a .txt file attachment to your message.

    Update! Due to Hijack This logs destroying search engine and web site searches, we now ask you do not post your Hijack This log file unless requested by us. It is for advanced users, so if you do not understand how to use it, you do not need it ... yet. Instead, please tell us in your post what symptoms you are experiencing so we can try and resolve it that way. When, and if, we ask you to post your log file, please attach it as a file. To do this, save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close ... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Hopeless

    Hopeless Private E-2

    After running SpyBot Search and Destroy and AdAware, I came up with nothing again. In any case, here is my new Hijack This log.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the online scanners indicated in the READ ME FIRST thread too. Do that while I start to work on your log. You have some additional problems besides the redirects.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I beat you back. Forget the online scans for now and do the below.

    What have you disabled from running in startup using msconfig? I want to understand the reason for this next line:
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    Run HijackThis and put check marks on all the below lines and click FIX:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=hc
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=hc
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://s-redirect.com/?a=2&b=hc
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-redirect.com/?a=2&b=hc
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=hc
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=hc
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=hc

    I believe the below 4 items are part of your problems. Unless you recognize them to be something valid, follow the steps below too.
    Fix these too:
    O4 - HKCU\..\Run: [SP3264or] C:\WINDOWS\system32\SP3264or.exe
    O4 - HKCU\..\Run: [s-SPmsSPsy] C:\WINDOWS\system32\s-SPmsSPsy.exe
    O4 - HKCU\..\Run: [ms64or] C:\WINDOWS\system32\ms64or.exe
    O4 - HKCU\..\Run: [MBo4RfMtT] mcacatex.exe

    Now enable viewing of hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650
    Reboot in safe mode:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Use Windows Explorer to rename (we will just rename instead of deleting to make sure they are not something you need):
    C:\WINDOWS\system32\SP3264or.exe to SP3264or.ebad
    C:\WINDOWS\system32\s-SPmsSPsy.exe to s-SPmsSPsy.ebad
    C:\WINDOWS\system32\ms64or.exe to ms64or.ebad
    This next file may be in any one of three places: either C:\WINDOWS\system32 or C:\WINDOWS\system or C:\WINDOWS
    Also rename it:
    mcacatex.exe to mcacatex.ebad

    Now reboot in normal mode and tell me how things are working.
    Also post a new HJT log attachment to double check.
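    As an added example (not from the thread, and not part of HijackThis itself), a small Python triage script that applies the two checks used in the log review above: R0/R1 entries whose URL points at the hijacker's redirect domain, and O4 Run entries that launch either a bare filename (which Windows resolves through the search path, which is why mcacatex.exe could sit in several folders) or an unfamiliar executable in system32. The sample lines are constructed from the ones quoted in the thread; BAD_DOMAINS and KNOWN_GOOD_RUN are assumptions standing in for a real blocklist and allow-list.

```python
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis lines modelled on those quoted in the thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=hc
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://s-redirect.com/?a=2&b=hc
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O4 - HKCU\\..\\Run: [SP3264or] C:\\WINDOWS\\system32\\SP3264or.exe
O4 - HKCU\\..\\Run: [MBo4RfMtT] mcacatex.exe
O4 - HKCU\\..\\Run: [SpywareGuardPlus] C:\\WINDOWS\\system32\\winmm64.exe
"""

# Redirect domains the thread identifies as the hijacker's (assumption: a real
# tool would load these from a maintained blocklist rather than hard-code them).
BAD_DOMAINS = {"s-redirect.com", "erosearcher.com"}
# Run-key names the thread treats as legitimate (hypothetical allow-list).
KNOWN_GOOD_RUN = {"msconfig"}

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def flag_line(line):
    """Return a reason if this HJT line matches the hijack pattern, else None."""
    m = R_LINE.match(line)
    if m:
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host in BAD_DOMAINS:
            return f"IE {m.group('value').strip()} points at {host}"
        return None
    m = O4_LINE.match(line)
    if m:
        name = m.group("name")
        if name.lower() in KNOWN_GOOD_RUN:
            return None
        image = m.group("cmd").split(" ")[0]  # assumes no spaces in the path
        if "\\" not in image:
            # A bare filename is resolved via the search path, so the binary
            # can live in any of several folders, as the thread found.
            return f"Run entry [{name}] has no path: {image}"
        if "\\system32\\" in image.lower():
            return f"Run entry [{name}] launches {image} from system32"
    return None

def triage(log_text):
    """Map each flagged HJT line to the reason it was flagged."""
    return {ln: r for ln in log_text.splitlines() if (r := flag_line(ln))}
```

    Running triage(SAMPLE_LOG) flags the two redirect entries and the three suspect Run entries, and leaves the start page and the MSConfig line alone.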
     
  6. Hopeless

    Hopeless Private E-2

    Okay, I went into safe mode, but I was unable to find mcacatex.exe in any of the three locations. I found the other three files and changed them from .exe to .ebad. I restarted into normal mode again and the homepage/searchpage/favorites hijacker was still there. Here's a new HijackThis log (I already fixed the seven R1s that came back again). In the meantime, I'll go back and try to find it again.
     


  7. Hopeless

    Hopeless Private E-2

    Hey chaslang -

    I just ran the Trend Micro online virus scan and it said that C:\WINDOWS\system32\SP3264or.ebad.exe and C:\WINDOWS\system32\s-SPmsSPsy.ebad.exe were trojans. I'm gonna go into safe mode and delete them off the hard drive right now, and with a little bit of luck, I might eradicate this virus. I'll get back to you asap.

    BTW, thank you SO MUCH for all of your help.

    Let's go kick this thing in the rear ...
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's why I always ask everyone to run those scans but so many people still skip them.

    Try looking for mcacatex.exe in one of your sub-folders of C:\Documents and Settings
    It must be under one of the user IDs there someplace.

    I don't think this "SpywareGuardPlus" is a valid application. Did you install this? There is such a thing as SpywareGuard but not SpywareGuardPlus. I think we have to fix this too.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do this too:

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com (or whatever you want for a homepage, just tell me what you changed it to so I know what to expect). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Did some further checking (I thought I did work on a problem like this before) on SpywareGuardPlus, and it is definitely bad. It is the Trojan.Win32.Startpage.

    Bring up Task Manager by hitting CTRL-ALT-DEL and click Processes and end the winmm64.exe process.

    Then run HJT and fix the line:
    O4 - HKCU\..\Run: [SpywareGuardPlus] C:\WINDOWS\system32\winmm64.exe

    Now reboot in safe mode and delete:

    C:\WINDOWS\system32\winmm64.exe
     
  11. Hopeless

    Hopeless Private E-2

    SCORE! Everything is working so much better. I've been waiting for 30 minutes for something to hijack my homepage again or mess with my favorites, but it seems to be gone! This is so sweet! I deleted that SpywareGuardPlus program like you told me to. Before I speak too soon, I'm still not able to find mcacatex.exe anywhere. Hmmm ... But anyway, things are looking really great. I cannot express how thankful I am!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds pretty good. Let's try one more thing in an attempt to locate that file (mcacatex.exe)

    How to use the Windows XP search mechanism to look for hidden files:
    If you use Search, you need to do the following:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter mcacatex.exe
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button.
    Let me know if this finds anything. If not, it was probably cleaned up along the way with removing the other bad programs.
     
  13. Hopeless

    Hopeless Private E-2

    Okay, it found MCACATEX.EXE-0087EBE4.pf in C:\WINDOWS\Prefetch. I also see the programs I deleted earlier (like winmm64) in .pf form. Should I be concerned at all?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete all of them from Prefetch and empty your recycle bin too.
     
