8 steps completed after antivirus 2009 infection and google redirect problems

BitTorrent is still on your machine:

Please reopen HijackThis to 'do system scan only'. Check each of the following if present:
All of these removals are optional. I recommend they all be removed. See Option 1 and 2 for reasons:

C:\Program Files\DNA\btdna.exe
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll>> See Option 1
R3 - URLSearchHook: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll>> See Option 1
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)>>See Option1
O2 - BHO: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O3 - Toolbar: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe">> See Option 2:

Option 1: Foistware: This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it.
1. Ask Toolbar: related to Ask.com Search Assistant. Known for putting adware on the system. I would recommend you uninstall it - decide after taking a look at this article:
http://www.benedelman.org/spyware/ask-toolbars/
2. IObitCom Toolbar: - a Conduit "Community Toolbar" - modifies the default IE URL search hook. Conduit toolbars are reputed to have a certain trackware functionality.

Option 2: P2P/File Sharing:
Bit Torrent>> previously discussed

Close HijackThis and click on "Fix Checked"

If you have decided to removal all of the optionals, finish removals as follows:

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Click on the Control Panel> Add/Remove Programs> highlight each of the following> Uninstall:
BitTorrent
AskPBar
IObitCom Toolbar

Using Windows Explorer: (Windows key + E):
Navigate to My Computer> Double click Local Drive (C)> find each of the following and do a right click> Delete on the folder:
C:\Programs\BitTorrent
C:\Program Files\AsksBar
C:\Program Files\IObit.com\unins000.exe
Close Windows Explorer

Did the DNS flush make any difference? That entry is gone.

I removed all the files you've suggested. I couldn't unistal Iobit Toolbar, when I tried this information came up: "could not open INSTALL.LOG file". I successfuly unistaled the Ask Bar and DNA but Bit Torrent folder was not there.

The DNS flush made a difference. Thanks for your help!

Few days ago I also experienced a 'blue screen error' followed by a system shutdown. Would that be caused by the malware I haed on my computer?

Okay, I noticed you have Advanced Care from IOBit. The Toolbar may be embedded in the program yourself. don't worry about that it..

As for the BSOD, I don't have enough information to troubleshoot that. did it happen once? What were you trying to do at the time? If the system running well otherwise? If it repeats, do this:

You will be looking for the Error hat corresponds to the time of the BDOD:

Start> Run> type in eventvwr

Do this on each the System and the Applications logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3] .Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow >
[5]. Paste here (Ctrl V)
[6].NOTES

• You can ignore Warnings and Information Events.
• If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
• You don't need to include the lines of code in the box below the Description, if any.
• Please do not copy the entire Event log.

Errors are time coded. Check the computer clock on BSOD.

I'd like you to run an online virus scan to make sure we haven't missed anything:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please include the Eset log in your next reply.

The error only happened once, and the system is running just fine.

Although I runned all of the spyware programs, I've still noticed that some of the sites (like amazon.com) still redirect me to ads from time to time. There is no record in the History of me going to these sites at all.

I've runned the ESET Online Scanner as advised and I'm attaching the log as requested.

amazon.com isn't redirecting you. Adware or spyware is doing it.

I'd like you to run one more malware cleaning program and rescan with HJT. If they're clean, I'll have you remove the cleaning tools- okay?

Download SDFix HERE and save it to your Desktop.

• Double click SDFix.exe and it will extract the files to %systemdrive%
  (Drive that contains the Windows Directory, typically C:\SDFix)
  
  Boot into Safe Mode
• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  
  Run SDFix
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
• Attach Report.txt back here

Follow with the HJT scan. Leave both logs on next reply.

I've tried to run SDFix but it didn't want to close after the restart. The removal process did not finish and there seems to be no hard drive activity. I've tried to run it twice, but the situation just repeated.The blue screen was still there when I restarted the computer.

SD Fix finally turned itself off. I've runned hijack this and checked the internet browser, but it still redirects to ads. I've also experienced some problems with firefox, which I use as my default browser: on few occasions it shutdown itself for no reason without displaying an error message.

Please uninstall SDFix and it's report in the SDFix folder as Report.txt

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
  Important! Save the renamed download to your desktop.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

• Double click on the setup file on the desktop to run
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
• When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
  
• Query- Recovery Console image
  
  
  
  
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
  
  
• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attach Combofix report to next reply.

Are you getting any specific type of ads?

I downloaded Combofix as suggested, but the program did not install. I've tried to install it twice but it only showed initiall progress window and then just stopped.

The ads are quite random: some sites are simply being redirected to a site with ads (page usually says 'add served by primavega' with a skip link that redirects to the site that I wanted) other sites are accompanied by pop-up ads.

Get a version of "Spybot Search and Destroy" and run it in safe mode. I had a similiar issue and it fixed it for me.

Follow my instructions to check the Event Viewer:

Start> Run> type in eventvwr

Do this on each the System and the Applications logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3] .Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow >
[5]. Paste here (Ctrl V)
[6].NOTES

• You can ignore Warnings and Information Events.
• If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
• You don't need to include the lines of code in the box below the Description, if any.
• Please do not copy the entire Event log.

Errors are time coded. You're looking for any errors that correspond to either the failed downl or run.

This is the only error I could find. There was no system errors corresponding to the time when I tried to run the app.


Event Type: Error
Event Source: Google Update
Event Category: None
Event ID: 20
Date: 07/02/2010
Time: 12:54:14
User: NT AUTHORITY\SYSTEM
Computer: NETBOOK
Description:
The description for Event ID ( 20 ) in Source ( Google Update ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Network Request Error.
Error: 0x80072ee7. Http status code: 0.
Url=https://tools.google.com/service/update2
Trying config: source=IE, direct connection.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=auto, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=IE, direct connection.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=auto, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7..

That error wouldn't make a difference. Try renaming the Combofix file, then run it.

I renamed the Combofix file during the first attempt. I tried to download it again and run it, but the result was the same.

I found today a program on the Add/Unistall list, it was called 'loudmo contextual': I didn't install it myself, and when googled it found warnings that it was an adware, so I unistalled it. During the process the program tried to download something, which i prevented and change my homepage to something else. I managed to get rid of it eventually, and the adds don't seem to appear anymore.

I still have a problem with the google redirect though: it redirects to different search sites, but when I try to go back, it shows the site that I initially wanted.

Since we don't know how long it's been on the system, some repeated scans are in order:

For LoudMo: Definitely marketing adware: http://forums.digitalpoint.com/showthread.php?t=1604846

Just seeing they promote trash like this: "Zango, formerly ePIPO, 180solutions and Hotbar, was a software company that provided users access to its partners' videos, games, tools and utilities in exchange for viewing targeted advertising placed on the system" would be enough to remove it.

Please update and rescan with Superantispyware.

Try Combofix again. Then rescan with HJT.

Leave new logs for SAS and HJT and Combofix report.

I've scanned with the Superantispyware, but it didn't find anything. Combofix still doesn't want to install. I'm attaching the log from HJT.

Not sure what you renamed it to, but you need to rename combofix specifically - Combo-Fix.exe

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1




--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.

• Please post the C:\ComboFix.txt along with a HijackThis log so Bobbye can continue cleaning the system.

Thank you Blind Dragon.

I haven't tried to run the combofix yet. I have another serious problem though. My computer dosen't want to start! While I was using it today an information came up about for the instalation of the automatic updates. I turned it off and waited for the instalation to start. A blue screen came up, informing me that there was an error and it dosen't want to start again. It keeps coming up with the information that the windows couldn't start propery and with options for going into a safe mode. When i try to run it from any of the options, a windows start up shows, it's going into blue screen for few seconds and tries to restart again; after that exactly the same thing happens.

The information on the blue screen is as follows:
"A problem has been detected and windows has been shut down to prevent the damage to your computer (...) check to be sure you have adequate disc space (...) or check with the manufacturer for driver updates. (...) Check with your hardware vendor for any BIOS updates etc.

Tachnical Information:
***STOP: 0x0000007E (0xC0000005, 0x8050D532, 0xF7A2E3B8, 0xf7A2E0B4). "

I think it may be connected to me trying to run Combofix few times, as I do not tend to switch off my computer and leave it to hibernate. I'm using a Samsung netbook.

I don't know what to do. Please help!

See [post=766270]How to recover your folders/files when Windows won’t boot[/post]

This may help to at least let you back up your data as you try to fix the other problems (and know you have a backup copy of your data should you decide it's best to reformat and reinstall)

HOWEVER, be careful when connecting the backup to another machine and trying to access it as it may also be infected with your current malware problem (and you don't want it to spread to a new machine)

Technical Information:
***STOP: 0x0000007E (0xC0000005, 0x8050D532, 0xF7A2E3B8, 0xf7A2E0B4)

Click to expand...

From Microsoft:

Causes:

• If this issue occurs after the first restart during Windows Setup or after Setup is complete, the computer might not have sufficient hard disk space to run Windows XP.
• The computer BIOS might be incompatible with Windows XP, or it might have to be updated.
  * The video adapter drivers might be incompatible with Windows XP.
• A device driver or a system service might be damaged.
• If the issue is associated with the Win32k.sys file, it might be caused by a third-party remote control

Click to expand...

Scroll down to this section: Advanced troubleshooting on the site for resolutions:
http://support.microsoft.com/kb/330182