1. kasiahbug

    kasiahbug Private E-2

    I am new here- well, at least registered new. I am by no means stupid, but I am not as up to par with computers as I should be either. I followed every step in the Read Me First, but to no avail. I tried my very best to follow every direction as written, but I’m sure there may be things that I didn’t do correctly. My biggest issue is the Google Redirect- it’s really making my searching terrible. I also have Norton antivirus and it will not update. I will be uninstalling this and getting a different software once I figure out this issue and which would be best.

    I then followed the Vista Cleaning Procedure
    I was not able to run Combo FIX - It just sat on the first page saying it was going to start the scan. I left it overnight and nothing changed- there sat the initial blue page with a blinking cursor. Because of this, there is no log for Combo Fix.

    Please bear with me as I am not so savvy with the technical terms but will try hard to follow the directions given.
     

  2. kasiahbug

    kasiahbug Private E-2

    I tried to delete this thread, but not sure how--- so bumping till get this taken care of-
    I did all of the steps in the system restore but my husband didn't realize and added some back on --- he is banned until I get the virus out.
    In the meantime, I am going through the steps once again.
     
  3. kasiahbug

    kasiahbug Private E-2

    Okay, I finally ran everything and followed each detail the best I could- Combo fix still would not run past the initial screen stating it was going to do the scan. Here are the updated logs--
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are basically clean. Did you shut down ALL of Symantec before trying to run ComboFix? We need to get ComboFix to run as it may be the only thing that locates your problem. Try shutting down or uninstalling Symantec if it is necessary and then running ComboFix. Also you could try running ComboFix in safe mode too but you still need to shut down protection in safe boot mode.

    Did you accept the TrendMicro HijackThis license agreement when you ran MGtools? You needed to click the Accept button twice as stated. The log did not show in your MGlogs.zip file. And it does not show as being installed.


    Do you know what the below fairly new file and folder are from?
    Code:
    "C:\WINDOWS\System32\"
    olecli~1.dll  Nov 20 2009          12  "OLECLIT32.DLL"
    RSFX          Nov 15 2009              "RsFx"

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.


    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Users\Sew\AppData\Local\Temp
     
  5. kasiahbug

    kasiahbug Private E-2

    Got rid of most of the stuff on my desktop. I only recently started saving things there because of this virus- it just made things temporarily easier.
    I did have my Symantec closed when I tried ComboFix. I just uninstalled it and will try again.

    I reinstalled MGTools. I'm not sure why I didn't hit the accept- but here it is.

    And I don't know what the file and folder you mentioned are, but I have had this virus prior to those dates- I can delete whatever needs though.

    Deleted all files mentioned that I could-
    Thank you for your help, this is driving me crazy.
     

  6. kasiahbug

    kasiahbug Private E-2

    I was not able to run Combo fix- but was able to in safe mode-
    Here is the log
     

    Attached Files: log.txt (31.8 KB)
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We just have a little more to do.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
    O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

    After clicking Fix, exit HJT.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
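
Every entry chaslang asks to fix in post 7 points at a file that is no longer present. As an added example (not part of the thread, and not MajorGeeks' or HijackThis's own code), this parser picks such orphaned entries out of HijackThis-style log lines; the function names are hypothetical, and the sample lines are copied from the posts in this thread.

```python
import re

# Sample lines copied from the HijackThis output quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\Windows\system32\gigagetbho_v10.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
"""

# "<section> - <kind>: <rest>", e.g. "O2 - BHO: name - {CLSID} - target"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - ([^:]+): (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis prints when the registered file cannot be found.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entry(line):
    """Parse one log line into a dict, or return None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    # Split from the right so a name containing " - " stays in one piece.
    parts = rest.rsplit(" - ", 2)
    if len(parts) == 3:
        name, ident, target = parts
    else:  # e.g. O4 autorun lines carry no "name - id - target" triple
        name, ident, target = rest, "", rest
    clsid = CLSID.search(ident)
    return {
        "section": section,
        "kind": kind,
        "name": name,
        "clsid": clsid.group(0) if clsid else None,
        "target": target,
        "orphaned": any(marker in target for marker in ORPHAN_MARKERS),
    }


def orphaned_entries(log_text):
    """Return parsed entries whose backing file is reported as absent."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["orphaned"]]


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(e["section"], e["kind"], e["clsid"] or e["name"], "->", e["target"])
```

Entries that still resolve to a file on disk, such as the Gigaget BHO, are not flagged and need the kind of manual review shown in post 9.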
     
  8. kasiahbug

    kasiahbug Private E-2

    Here is the log-
    I am still being redirected in search tools on internet-
    Also,
    R3 - URLSearchHook: (no name) - {EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)

    was not in the scan, so I was not able to select it
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    With which browser? Is it in both Internet Explorer and with Firefox? Does it happen in safe boot mode too? Where are you being redirected to?

    What is the below used for?
    O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\Windows\system32\gigagetbho_v10.dll
    O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s


    Note that McAfee states that it could be a problem: http://www.siteadvisor.com/sites/topshareware.com/downloads/11006951/

    See if you can get ComboFix to run in normal boot mode. Shut down ALL Protection software before trying. This includes anything from Symantec and also Windows Defender.
     
  10. kasiahbug

    kasiahbug Private E-2

    I uninstalled Gigaget and tried searching in ie8 and Chrome and it seems to be just a Firefox thing as of now. I was able to run Combofix in regular mode too.
    Here is the log
     

    Attached Files: log.txt (30 KB)
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.



    Also please run an online scan with Kaspersky Online Scanner as instructed in the viewable process shown here. Attach the log.


    Are you still having redirect problems?
     
