Sudden Spyware Attack -- Please Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by arcueil_1, Apr 19, 2006.

  1. arcueil_1

    arcueil_1 Private E-2

    Hi. Last night, some malware entered my system from the Internet (I have no clue how). Symptoms: while using the net, I'm often getting redirected to crap sites like casinos, cheap buys and such, and just as often, I get the "Page Cannot be Displayed" page. I ran the following scans after turning System Restore off and showing all the hidden files (in Safe Mode, as Administrator):

    1) AntiVir (latest vdf, with program configuration practically maxed out for maximum depth of scan): negative.
    2) McAfee Avert Stinger: negative.
    3) Ad-Aware (latest definitions and maxed out settings): negative.
    4) Spybot -- Search & Destroy (latest everything): negative.
    5) CWShredder (Trend-Micro): negative.
    6) VX2 Cleaner: negative.
    7) Kill2Me: negative.

    I run Spyware Blaster and AV Guard at all times. Ditto for the firewall, which is the one on MS XP. My computer is a Toshiba L10 running XP in Simplified Chinese (totally updated), with 256 RAM and 1.6 Pentium M CPU.

    I'm still being redirected 20% of the time whenever I open a page, so... should I post a HijackThis log? If so, do I scan with HJT in Safe Mode the first time? Can't remember... Thanx.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member


    This should also cover our standard cleaning procedures, which are necessary for us to provide you support. There are also steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. arcueil_1

    arcueil_1 Private E-2

    Hi, Halo. I had already done all of that as per the instructions, with the exception of the two on-line scans, one of which came back negative and the other positive. The other seven programs came back negative, as I said in my first post. I had cleaned up with CCleaner but forgot to mention it. (I don't want to download CounterSpy because the program is a trial. I hope that's OK.)

    Bitdefender: negative. I enclosed the report as an attachment.
    Panda Active Scan: positive (two objects; couldn't remove). Ditto for the attachment.

    (The above two scans were done in normal mode because I can't get on-line in safe mode. The other scans were in safe mode, with the exception of HJT, which was in normal.)

    Just in case, I should point out that I first noticed the problem after uninstalling the Tor/TorCP/Privoxy package. (I installed the software -- perfectly legit stuff from what I can tell -- for only about 20 minutes to take a look at it and then performed a normal uninstall.) I didn't change any settings on my computer or on any of the three programs above, so I don't know how someone could get into the laptop, but you never know, I guess.

    I attached the HJT log as well.

    Thanx for the help.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have skipped step 0 of the READ ME and you have not run Windows Defender.

    Please complete these steps and then attach a new HJT log.

    If you are using the Windows XP firewall then you do not have a valid firewall and need to get a real one installed. See the below:

    How to Protect yourself from malware!
     
    Last edited: Apr 19, 2006
  5. arcueil_1

    arcueil_1 Private E-2

    Hi, Chaslang.

    I had gone over part of step 0 but forgot to check for programs via Add/Remove. Thank you for pointing that out. I went over the list with both Add/Remove and CCleaner and I found these listed in both:

    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

    I uninstalled both. Good call, Chaslang! (I had installed them only a few days ago to look at a simple 3D anatomical figure.)

    I can't use Windows Defender safely because the program seems to install in Chinese and I can barely read the language. I've been using XP in Chinese for many months now and I'm pretty used to it but new applications in Chinese, that's another story!

    The system is probably near clean now (I'm guessing), but the item inside system32 that Panda Scan had picked up is still there (I cleaned up and restarted before checking). The cookie that Panda picked up is not there anymore but may come back, if it's somehow related to the system32 object.

    I'm enclosing the new HJT log here.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cookies are not problems to be that concerned with. Many cookies are actually good and are useful to you. Cookies cannot be avoided unless you never surf.


    One item in your Panda log that does need to be deleted is the below:
    C:\WINDOWS\SYSTEM32\CSUninstall.exe

    Other than that and Viewpoint Manager, which you have now uninstalled, you are okay, but you do need to fix your level of protection. This is covered in the below (you definitely need a real firewall).


    How to Protect yourself from malware!
     
  7. arcueil_1

    arcueil_1 Private E-2

    Hi. C:\WINDOWS\SYSTEM32\CSUninstall.exe is not on the Add/Remove or CCleaner lists. I'm guessing that I have to remove it manually by sending it to the Recycle Bin and then dumping it out. Is this correct? Or should I use Delete Doctor instead? Something else?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I said delete. I did not say uninstall. Just run Windows Explorer, locate the file, right click on it and select Delete.
     
  9. arcueil_1

    arcueil_1 Private E-2

    Hi. Thank you for the help. I deleted the file in question. I also included a new HJT log, just in case. I know that you're very busy with more difficult problems to solve, so I want to thank you again. I'm sorry that I've not installed Windows Defender, but the language issue is a big problem. I'll try to get a better firewall, as suggested twice before.
     
  10. arcueil_1

    arcueil_1 Private E-2

    Forgot the log. Here:
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Deleting that file would have no impact on your HJT log (which is clean). Only Panda was detecting it.
     