Help - Redirect bug

[bmongold]

Symptoms:
- redirects links that I click on at google, yahoo, or any random site (IE6, IE7, and foxfire)
- redirects to other search engines, ads for insurance, antispyware, etc.
- blocks mcafee.com websites, and mcafee does not seem to be able to update itself
- no icons appear in notification area during bootup (including mcafee)
- I can open mcafee through the start menu - antivirus and firewall says it is on.

My system:
dell dimension 4600, Win XP Pro SP2, probably 5 yrs old, no issues before this

I installed a Startup Delayer to try to get my icons to show up - everything came back except mcafee.
I turned off several unnecessary startup items but the symptoms are still there.
I ran Spybot before the 8 steps - a few internet cookies were found and deleted.

8 Steps:
1) Antivirus - ran mcafee full scan for what's worth, nothing found
2) CCleaner - done
3) I disabled internet connection and turned off mcafee for steps 4 & 5. I uninstalled Azureus which I used occassionally to download tv shows.
4) Malwarebyte's - found a couple of items and cleaned. (Perfect optimizer was installed after the bug started.)
5) SuperAntiSpyware - nothing found
6) Java - I uninstalled old version and installed latest. But the java verify site isn't recognizing the new installation (?).
7) HiJackThis - done
8) Logs for Malwarebytes, SuperAntiSpyware, and HiJackThis are attached.

After completing these steps the symptoms are still there.

I really hope someone can help me. I'm trying to get more mileage out of this computer, maybe I can afford an upgrade next year.

Thank you!

 

[touch]

Hi bmongold

You have viewpoint on your computer ->

Viewpoint is considered foistware and is not needed on your computer.

Download and unzip to own folder on Desktop - http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip

Run ViewpointKiller.exe

Reboot.

ViewpointKiller 1.2 FinalViewpointKiller does exactly what it's name says: Kills Viewpoint Media Player. Viewpoint Media Player is an adware that displays bandwith eating popup ads in IE and on your desktop. It comes silently with an install of AIM and will be reinstalled by AIM if uninstalled.ViewpointKiller fixes all of that. It takes off Viewpoint Media Player once and for all.

Then please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drive/flash drive before running Combofix, if you have any


Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Attach that log in your next reply

 

[LookinAround]

Am curious.... Could you check and see if you can open a command prompt window? and/or registry editor? Or do these fail to open?

Start->Run, enter:
cmd for command prompt, or
regedit for registry editor

 

[bmongold]

Touch - I'll try this tonight when I get back home. thanks!

LookinAround - to answer your question, no I cannot open a command prompt or regedit. I forgot to mention this on my original post. When I try to, the Taskbar disappears for a moment and then reappears. No windows open.

 

[LookinAround]

Yea. This is definitely an infection. I just saw it on a friend's computer a few days ago!

fyi..to anyone reading.. also looks like it might be a "boot sector" virus from what i've seen

to make it worse, they report their computer no longer boots (i.e. it never completes the BIOS POST. Never even gets to Windows Startup). (they live aways from me so haven't seen it since this occured. Not certain if:
-=> Either they have h/w problems as well
=> Or this virus can also infect the BIOS (which would make it very nasty!)

/* EDIT */
Strongly advise you be cautious. Also immediately prepare for the worst (just in case)
=> Run a FULL backup of your computer on seperate drive (and understand that drive may pickup the virus itself in the process. But means you still have a copy of your stuff but must be careful if/when reattaching that device to a computer again)
=> A "ghost image" sector-by-sector backup image is recommended vs. a simple file/directory backup

/* EDIT2 */
As another wise precaution, i'd advise you also turn off Autorun on every drive. (You can install and use TweakUI to do that). And do that BEFORE you connect any external device for the backup

 

[bmongold]

1) I turned off autorun per Lookinaround suggestion (I had already backed up files)
2) Ran viewpointkiller. Log attached. Rebooted. It did not delete viewmgr.exe, but hijackthis says viewmgr.exe is no longer running.
3) 1st attempt at Combofix - it ran a few seconds and then mcafee popped up an unwanted program error, I didn't have time to read it before I got the blue screen of death = BAD_POOL_CALLER ?
4) Powered off/on
5) On reboot, my mcafee icon showed up in notification area! I got a serious system error message to report to microsoft.
6) There was no combofix.txt created. But there was a bug.txt and sti.log file. sti.log file is attached. Mcafee did not log whatever had caused the crash.
7) 2nd attempt at Combofix - I disabled my internet connection and mcafee. Combofix seemed to run ok but I forgot to turn on my external drives. Should I run again with drives connected?? log is attached. The bug.txt file had disappeared after running combofix the 2nd time.

cmd prompt and regedit now open. Let me know if I should try IE again.
Thanks for your help.

 

[touch]

P2P software/programs are a major contributor to infections. I see you have Azureus. Not passing judgment on file-sharing, However will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Uninstall:
c:\program files\Azureus
c:\documents and settings\Brian\Application Data\Azureus

Reboot, attach new combofix log

 

[bmongold]

I agree with you on P2P - not worth it. That's why I uninstalled Azureus as part of Step 3! (see original post)

It is no longer in the add/remove program list. But the empty Azureus folders are still there.
Is this ok, or do I need to delete the folders and rerun Combofix?

 

[bmongold]

I went ahead and deleted the folders and reran combofix (with external drives on this time).
Log attached.

 

[touch]

it also looks clean. Please tell, how things are running now ?

 

[bmongold]

So far so good!
Mcafee was able to access mcafee.com and download updates.
My regedit and cmd prompt are working.
I've tried about 10-15 websites in IE6 and no redirects so far. I'll let you know if any issues come back. I really appreciate the help.

Was it the viewpoint causing the trouble, or did combofix clean some other malware?

 

[touch]

That´s good news

I think it was combofix there did the job. Yes, please let Me know how things goes.