Virus hijacking web browsers

Discussion in 'Malware Help (A Specialist Will Reply)' started by JohnEnt, Feb 16, 2009.

  1. JohnEnt

    JohnEnt Private E-2

    I hope you can help as I'm closing in on the sledge hammer and dynamite stage. A virus has infected our family computer (large household, teenagers and a number of adults) that hijacks any browser and redirects it to various search engines titled "findstuff.com" and "bestwebsearches.com", etc. Also keep getting a Google Update message regarding 'encountered a problem and needs to close'. I've followed the malware tutorial and followed most of the instructions with success. However, the virus wouldn't allow me to run either SuperAntiSpyware even though I changed the name (got the message that it encountered a problem and needs to close). I had the same trouble with Spybot. The only way I was able to get these programs on the computer was by loading them to a thumb drive on my laptop and copying them to the desktop machine. I can use Explorer and Firefox to go to most sites if I type in the URL, but the virus won't allow me to go to certain sites (like MajorGeek or pctools) or download virus updates from Symantec. I was able to run HijackThis and deleted all of the suspicious files identified by various parsing programs. Then I went on a tear and deleted many that weren't identified as bad, hoping to get lucky. Easily have 7 - 8 hours into this by now and am at my rope's end. Would, however, like to avoid taking the machine into the shop and having a new hard drive put in. Would greatly appreciate any help. John
     
  2. JohnEnt

    JohnEnt Private E-2

    Oops, here is the zipped file attachment. Couldn't figure another way to do it.
     
  3. JohnEnt

    JohnEnt Private E-2

    In researching why the uploads aren't showing up I've found that when MGtools runs the GetLogs9x.bat, I get a message that the bat file does not support my Windows OS version. I guess the best I can do is attach the most recent log from the HijackThis scan. Hope it can provide a clue.
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is advised that after completing the READ & RUN ME you also read this sticky:
    4. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  5. JohnEnt

    JohnEnt Private E-2

    Thanks for your reply. I admit to not being very intuitive w/ computers, but am pretty good about following directions. Followed the Read and Run Me First directions through program cleanup, basic maintenance, removal of duplicate antiviruses and firewalls, removal of files from quarantine, and uninstalled the old Java. I did run a recently installed version of UniBlue registry cleaner instead of ccleaner, because I couldn't download ccleaner. The next step is where I got hung up. I was able to get SuperAntiSpyware and SpyBot on to the computer by renaming them and loading from a thumbdrive first, but I was unable to get them to run. For SAS I get a 'Windows Installer Service could not be accessed' message, and for Spybot I get 'Server name or address could not be resolved'. Also got MGtools9x.exe onto the C drive, but in trying to run that got "Getlogs9x.Bat does not support your Windows version" message. By the way, redid this in Safe Mode but still no luck.
    I'm beginning to think there is no solution here and the virus has me licked. One last question though, does the HijackThis log attached above show anything suspect?
    Again, appreciate any help. My son's telling me to forget about it and move to Lennox.
    John
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You should not be running "MGtools9x.exe" as it's for Windows 98. You have WinXP so you should download MGTools.exe from the READ ME. Please read very carefully and follow instructions thoroughly, our guides explain everything.

    Also, try Safe Mode if you can't get the scans to run in normal mode. Finally, be sure you follow my previous instructions in RED.
     
  7. JohnEnt

    JohnEnt Private E-2

    bjgarrick,
    Yehaahh!!
    After reading the instructions much more carefully I found and disabled TDSSservisys. Then was able to run SAS, Spybot, Malwarebytes, Combofix, and the correct version of MGtools. Seems to have cleaned up the system (sure found a lot) and I can now surf without getting hijacked. Will send the log files if you feel they should be reviewed, but don't want to burden you any further if it's not necessary. Can't thank you enough. Beyond the (hopefully) clean computer I now feel a bit more confident about how to keep it that way. Thanks again. John
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, please attach all requested logs so we can confirm you're clean. I would be willing to bet there are a few leftovers.:)
     
  9. JohnEnt

    JohnEnt Private E-2

    Okay, here goes. First two attachments. Let's see what nasties are left.
    John
     

  10. JohnEnt

    JohnEnt Private E-2

    Here's the second set. Again, your help is greatly appreciated. I've become a huge advocate.
    John
     

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there

    bjgarrick is away at the moment so I have come to review your logs and I will get back to you with a set of instructions if you still need help.

    In the meantime whilst I do this, please update MBAM and SAS as you should always do before running scans with each, and attach the fresh logs they create.

    Also please do this:

    Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one. Ensure as bjgarrick said that you use the correct version for your OS -- XP

    Run the new MGtools.exe and attach the log from it

    Thanks
    Kestrel13!
     
    Last edited: Mar 15, 2009
