Getting redirected when pressing a link on Google

[duyn]

So, I keep getting redirected everytime I press on a link after searching something up on Google. I've read other threads and I have scanned my computer with Malwarebyte Anti-Malware (mbam) and this is my log from after the scan (I am still being redirected from Google) :

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3960

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/6/2010 8:26:56 AM
mbam-log-2010-04-06 (08-26-56).txt

Scan type: Quick scan
Objects scanned: 115935
Time elapsed: 15 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Duy Ngo\Desktop\YOURUNINSTALLER2008KEYGEN.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Duy Ngo\Local Settings\Temp\scanroemxw.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.




-Please help, thanks.

 

[Bobbye]

Welcome to TechSpot, duyn. I'll help with the malware. There are more preliminary steps I'd like you to complete:
Please follow the steps HERE. You can skip Malwarebytes and go right on to Superantispyware, followed by HijackThis.

When you have finished, please paste the 2 logs into your next reply. I'll review them and decide on the next step.

 

[duyn]

Here is the two other files.

 

[Bobbye]

I am not sure, but I think the following is related to Pando:
O4 - Startup: ViiKiiDesktopPlugin.lnk = C:\Program Files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe

P2P or 'file sharing':
The Pando Media Booster is a product that is powered by the Pando P2P Networking Engine.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall PMB for the following reasons:

• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
• Malware writers use these program to include malicious content.
• Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
C:\Program Files\Pando Networks\Media Booster\PMB.exe.

I'd like you to follow up the preliminary scans with the following:
Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
  Important! Save the renamed download to your desktop.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  
• Double click on the setup file on the desktop to run
• If prompted to download and install the Recovery Console, please do so.
  (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
• If prompted to update, please allow.
• Click on Yes, to continue scanning for malware.
• When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

.
And then Run Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Pease attach the Combofix report and the Eset log in your next reply. There will be some entries in Combofix that I will need to move.

 

[duyn]

I cannot locate the Combofix log

edit: Nevermind, I found it.

 

[duyn]

Here are the Combo-Fix and ESET logs.

 

[Bobbye]

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\windows\xhunter1.sys
c:\windows\vtany.sys 
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\system32\GameMon.des -service
c:\windows\system32\XDva311.sys
c:\windows\system32\XDva327.sys
c:\windows\temp\themes.exe

Firefox::
Firefox-: Profile - c:\documents and settings\Duy Ngo\Application Data\Mozilla\Firefox\Profiles\n2f714t0.default\
Firefox-: plugin- c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll


Folder::
c:\windows\Internet Logs\xDB8.tmp
.
Registry::

Driver::
xhunter1
vtany
Viewpoint Manager Service
npggsvc
XDva311
XDva327

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

This was found by Eset: Trojan:Win32/Qhost.BI - it modifies the hosts file to redirect online banking sites to sites of the attacker's choice (possibly for phishing attempts). It modifies the hosts file periodically.

Download HostXpert
See image here: http://i28.photobuck...HostsXpert4.jpg

• Unzip HostsXpert to it's own folder.
• Run HostsXpert.exe
• Click: Make Writable? in the upper left corner.
• Click: Download
• Click: MVPs Hosts
• Click: Replace
• Click: OK
• Click: Make ReadOnly
• Close HostsXpert.

Courtesy spywareinfoforum

This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

 

[duyn]

On the HostXpert part, There is a button for "Make Readonly" not "Make Writable", after I run the HostXpert.exe what do i do if it's like this?

EDIT: Nevermind I found out. Thank you for you're help! If there are anymore problems, I'll reply back

 

[Bobbye]

I need to see the CFScript log and if the problems have been resolved, I'll have you remove the cleaning tools. I'd hate for you to come this far and not finish up!

 

[duyn]

Oh, ahahaa. Okay! There we go.

 

[duyn]

just now my zonealarm detected" Rootkit.Win32.TDSS.ap was found in C:\WINDOWS\system32\drivers\pciide.sys" and it keeps repairing it. I don't know what to do now.

 

[Bobbye]

Download TDSSKiller. Extract the zipped file to your desktop.

Go to Start ->Run. Type/Copy and Paste the following text into the prompt:

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v

• This will have the program write a detailed log
• The screen will resemble this black screen:

• If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
• After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list..
• You should get a screen like this:

• A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
• Follow the prompts and attach the report to your next reply.

========================================
I see new game-related entries in the Combofix report. Please don't do any new installing or uninstalling while I'm helping you unless I ask you to. Every time this is done, it adds entries and I have to check them out. Allowing me to work on a system that is static, with no new intentional additions or changes makes my job a whole lot easier.
2010-04-10 01:0 C:\Funmily
2010-04-09 02:14 c:\program files\Funmily

For instance: C:\WINDOWS\system32\drivers\pciide.sys is a process for Generic PCI IDE Bus Driver belongs to the software Microsoft Windows Operating System or PCIIde by Microsoft Corporation. ZoneAlarm is telling you that it is infected with a Rootkit. Could this have come from something that is a new download, or is a Rootkit already on the system infecting other drivers?