Hello,
I recently completed your 8 step virus removal. I had been having problems using Google search, so I did all the step and the logs are attached. Please let me know what you find.
Thanks,
Roger

Attached Files

	hijackthis.log (13.5 KB, 2 views)
	mbam-log-2009-11-19 (11-42-28).txt (25.2 KB, 4 views)
	SUPERAntiSpyware Scan Log - 11-19-2009 - 17-35-22.log (5.0 KB, 2 views)

Hello Roger

You will have better luck if you post your logs in the correct area.
Please review the Malware Forum, and also the stickies at the top here.

That said... I am not a mod, but
Welcome to

When I arrived, one of the Mods welcomed me with these helpful hints.

You should read how to post a new thread in this Guide.

Before posting you should read all the Posting Guidelines.

To access technical support you may go to the Forums.

Many users like to post system specs in their Profile.
System Specs are always helpful when you seek support, (see the first two suggestions).
And helpers may ask that you post some of your specs in your thread.

You can access many other online TechSpot guides Here.

Enjoy your Stay

Hi Roger, following B00kWyrm's excellent Welcome information is recommended.

We can get started on the malware. You have a considerable amount.

The Mbam log has No Action Taken on all the entries because you did not check the line in MBAM that says:
Make sure that everything is checked, and click Remove Selected.
Please update Mbam and attach new log in next reply.

SAS has a similar line. It does not appear you checked that either
Make sure everything found has a checkmark next to it,then press 'Next'.
so update SAS, check that line and rescan. Attach new log in next reply.

It appears you may be using a program called Error Nuker. This is a rogue program and I recommend that you uninstall it now.

Please rescan with HijackThis. Paste the new log into your next reply.

We will go from there.

NOTE: Do not use System Restore as the restore points have malware. I will have you remove them when the system is clean.

And a Comment: You are loading way too many processes on startup. All of these run in the background using system resources. Programs like the Fax, InstaVerse, Registration reminder service for WinDVD, TabletWorks, Second Copy, and a multitude of other processes, including almost everything on auto-updates do not need to be running all the time and can be started as needed from All Programs.

You need to get control of the Tracking Cookies:
Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)

Ok, thanks for your help! I followed your recommendations, and the new logs are attached.

Attached Files

	mbam-log-2009-11-23 (17-16-09).txt (864 Bytes, 2 views)
	SUPERAntiSpyware Scan Log - 11-23-2009 - 18-28-40.log (945 Bytes, 2 views)
	hijackthis.log (13.8 KB, 2 views)

Are you still getting the redirect?

Is the system slow? Why do you have the Fax, InstaVerse, TableWorks, Second Copy, MS Streets & Trips, Quick Books, SODCPreLoad (Related to Eclipse Used with IBM My Help) running in the background? Did you know that these don't need to start on boot and can be started manually when needed?

To remove Desktop entries:
O24 - Desktop Component 0: (no name) - http://www.machinerytrader.com/image...e/72647260.jpg
O24 - Desktop Component 1: (no name) - http://webmail.afo.net/data/openwebmail/images/webmailintro.gif>>>

Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> uncheck and delete everything you find in there (except for "My current home page")> Also remove the check mark from the the Lock Desktop Items box if it is checked> Apply> OK> Close.

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player:

To remove, find and remove Viewpoint Media Player

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

• Click on Start > Run and type: services.msc> OK
• Click the "Extended tab".
• Scroll down the list and find the service called "Viewpoint Manager Service"
• When you find the service, double-click on it.
• In the Properties Window > General Tab that opens, click the "Stop" button.
• From the drop-down menu next to "Startup Type", click on "Disabled".
• Now click "Apply", then "OK" and close any open windows.
• Click on Start > Settings > Control Panel >Add/Remove Programs
• Highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist: Open Windows Explorer> Programs:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

Empty the Recycle Bin

Are you still experiencing the redirects? Any other system problems?

Please run this online AV scan and attach log in next reply:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Rescan with HijackThis and paste the new log into new reply.

Thanks for your continued help. I do need the Fax and InstaVerse to run, but I think I've stopped everything else. Attached are the logs from ESET and HJT. I am still experiencing the redirects, if that's what it is. I can't seem to search anything from Google. Nothing else is wrong as far as I know.

Attached Files

	log.txt (2.0 KB, 2 views)
	hijackthis.log (10.6 KB, 1 views)

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  Code:

  :Processes	
  
  :Services
  
  :Reg
  
  :Files  
  C:\Documents and Settings\MATTHEW ZIMMERMAN\My Documents\Downloads\ScreenshotCaptorSetup.exe	
  C:\Program Files\Copy of WinFax\WFXDTI32.DLL	
  C:\Program Files\ScreenshotCaptor\DcKeyHk.dll	
  C:\Program Files\ScreenshotCaptor\DcMouseHk.dll	
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

• 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HijackThis and attach new log in addition to Combofix report and record of OTMoveIt Moved files..



You should seriously consider taking some of those processes off of startup.

Thanks again for your continued help. Following and attached are the logs. I actually removed the 4 files noted below as "not found" yesterday before I received your reply.


All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\Documents and Settings\MATTHEW ZIMMERMAN\My Documents\Downloads\ScreenshotCaptorSetup.exe not found.
File/Folder C:\Program Files\Copy of WinFax\WFXDTI32.DLL not found.
File/Folder C:\Program Files\ScreenshotCaptor\DcKeyHk.dll not found.
File/Folder C:\Program Files\ScreenshotCaptor\DcMouseHk.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 77234 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: MATTHEW ZIMMERMAN
->Temp folder emptied: 783711 bytes
->Temporary Internet Files folder emptied: 2247614 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 65840366 bytes
->Google Chrome cache emptied: 8711220 bytes
->Apple Safari cache emptied: 16619023 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 509763 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4218067 bytes
%systemroot%\System32 .tmp files removed: 12710417 bytes
Windows Temp folder emptied: 138139 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 498920 bytes

Total Files Cleaned = 107.28 mb


OTM by OldTimer - Version 3.1.2.0 log created on 12012009_064315

Files moved on Reboot...

Registry entries deleted on Reboot...

Attached Files

	hijackthis.log (10.2 KB, 2 views)
	ComboFix.txt (21.0 KB, 4 views)

Okay, looks good. But the comment "I'm still having the redirects, if that what it is" needs explanation. You didn't give indication of the problem at the beginning.

The logs look okay, so tell me exactly what the problem is- don't just say 'redirect'- that's too vague.

Ok, sorry for the lack of information. When I try to do a search using google or yahoo, the intended page will not load. It'll just sit there (in Firefox) with the little circle on the tab spinning and spinning, like it's trying to load, but never does. In IE, it does the same thing, but sometimes it will pop up saying "unable to connect, diagnose connection problems." I have another search engine called GoodSearch, which is powered by Yahoo, that works fine. That one had been acting up some, but since I got rid of alot of my malware, its been working again. So, I'm not sure it is a re-direct problem, it just doesn't load anything.

One more thing; I can load websites from links on other sites, or from my bookmarks, just not directly from the Google, Yahoo, or Bing search bars. Thanks.

Okay, then you have a connection or server problem likely due to a setting in IE. A Google redirect is caused by malware. When a search is input and a site is chosen, instead of the site coming up, the malware redirects to anyther site- nothing you'd want or ask for!

Type or copy and paste this into the address bar: http://www.techspot.com/vb/

Use Firefox, then IE. Does is load?

I'd like you to check this also: their is a mouse feature that I call the 'Flying Carpet'. What you describe- the fast spinning circle-sound like you might be engaging this feature. I'm on a laptop now but I think it's usually strated using the center wheel on a mouse. Open the Mouse in the Control Panel. There should be a Scroll tab> click on that and check the settings. Let me know what they are.

The page opened fine in both IE and Firefox when I pasted it in the top address bar and also in the Google search bar. I tried opening another website by typing the name in the address bar, and it worked fine. When I typed the same thing in the Google search bar, it didn't work. The settings under the scrolling tab for the mouse are as follows: Enable vertical scrolling - checked; Enable accelerated scrolling - checked; Enable horizontal scrolling with tilt wheel - checked.

You can't type a site URL in Googler Search> that' s to put a word or two to "search."

The only place you should be typing a URL is in the Address Bar.

The Google search box and the Address Bar are not interchangeable.

UNCHECK this: Enable accelerated scrolling > Apply> OK
That should solve the problem. It's why the bookmarks are opening> they open right in the Address bar, not the Google search.

Ok, I did that and it still does not work.

Ok, this is what happens. I will type a word or phrase like "does it work" in the Google or Yahoo search bar and hit enter or click on "Search". It will do nothing but sit there saying "loading" on the tab with the little "circle" spinning. This holds true for Firefox, IE, and Chrome. I've tried each one and waited a couple minutes, but nothing changes, not even an error page loading. I just installed Chrome this morning, and also uninstalled and re-installed Firefox and IE8. I installed Chrome before I uninstalled Firefox, and transferred all my bookmarks and settings from Firefox to Chrome, so maybe something didn't get deleted that should have by doing that, but why would that affect IE? I don't know what's goin on; I'm baffled. If I type the intended web address in the top address bar, it works fine in all 3 browsers.

Unless you have customized your mouse to show something different, you would normally see an hour glass while a site it loading.

You are not having a redirect. You have some kind of connection problem with search.

Are you using the Google Toolbar? If you are, uninstall it, then reinstall it.

This isn't a malware problem. If it continues, please go to the Windows Os forum and post there.

I did uninstall and re-install the Google toolbar. Nothing changed. I know what you mean by the hour glass, but that takes the place of the mouse pointer when a page loads, correct? The circle I'm talking about is on the tab of the web page itself, and also on the address bar. I'll post on the OS Forum. Thanks again for your help.

Now I know which 'circle' you mean. It has got to be from a setting in the browser- top right of the Address bar, right?