Problem - Google searches being redirected, 3 days of scanning, can't fix

Hi, I really need some help - I’m trying to get rid of some kind of malware that causes Google searches to randomly redirect. I am running Avast and have run scans with it and also Malwarebytes and also the Kaspersky virus removal tool and OTL. I see a lot of infections that it says it’s removing, but I don’t seem to be making any headway and assume there is a registry fix that needs to be made, but I don’t know what to look for.

I’ve been working on it for three days, but I’m not making progress, any assistance would be appreciated.
Bill

Follow this guide and attach the logs requested:
http://forum.avast.com/index.php?topic=53253.0

Also attach the Kaspersky log.

A certified malware remover will then help you.

Ok, I ran into an additional problem - I ran OTL (before posting here so without any custom scan instructions), after the scan it asked for a restart of the computer. Now I can only get Windows to load in safe mode. I just re-ran Malwarebytes, but wasn’t sure I should do OTL again?

I have attached all the scan logs I got from Malwarebytes just now and the ones from OTL before the blue-screen problem cropped up. If I need to re-run OTL again in safe mode, let me know.
Thanks,
Bill

Essexboy is notified and should be online soon…

OBS… I see some Symantec/Norton files… do you have more than one AV installed?

O1 HOSTS File: ([2012/02/28 17:51:19 | 000,000,884 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 87.229.126.50 www.google.com
O1 - Hosts: 87.229.126.51 www.bing.com

DNS-имя: 87.229.126.50
Средний пинг: 117ms

Страна: HUNGARY
Регион: BUDAPEST
Город: BUDAPEST

Fix host file.

And here is what the problem is - Alternate Data Streams, wait for essexboy.
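The two hosts entries quoted above are the whole redirect mechanism: Windows consults the hosts file before DNS, so pinning www.google.com to a public address sends every search to that server. The following is an added example (not from this thread or any of the tools used in it) of how a defender can audit a hosts file offline; the sample file is constructed from the two entries OTL reported plus benign lines, and the private/loopback rules are my assumption about what a normal hosts file contains.

```python
import ipaddress

# Constructed sample hosts file: the two entries OTL reported in this thread
# plus benign lines, to show that only the hijacking entries are flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.local   # internal server, expected
87.229.126.50 www.google.com
87.229.126.51 www.bing.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower()

def suspicious_entries(text):
    """Return (ip, hostname, reason) for entries that pin a name to a public IP.

    Loopback and unspecified targets are what a hosts file normally holds and
    private-range targets are usually internal servers (assumption); a public
    address is used by Windows ahead of DNS, which is how this redirect worked.
    """
    flagged = []
    for ip_str, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            flagged.append((ip_str, name, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_private:
            continue
        flagged.append((ip_str, name, "public IP overrides DNS"))
    return flagged

if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {why}")
```

Run against the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) the same function flags any public-IP override, which is what the "Fix host file" step above removes.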

Our corporate server has Symantec enterprise software, but we no longer run the client version on individual desktops.
I overlooked the Kaspersky log… it’s attached.

OTL does not ask to restart the computer after a scan as there is no requirement for that - all it is doing at this stage is analysing.

When you try to restart normally, do you get a blue screen with some data on it?

Warning: This fix is only relevant for this system and no other, using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Download the attached Fix.txt

Run OTL
Press the Run Fix button
In the dialogue that comes up navigate to the fix.txt and select it
Press Run Fix again
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Yes, I do - a blue screen with data flashes for a second but not quickly enough to read… so I’m stuck in safe mode, which does work.
So I assume I can run this fix in safe mode ok?
Thanks!

Yes run it in safe mode… Also can you look in C:\windows\minidumps and see if there are any minidumps there

Ok, did as instructed - still only comes up in safe mode for now.
Attached is the log file from the OTL scan after the fix.
Also, I looked and there are about 10 minidumps, the latest from August 2011.
Thanks!

Attached are the system event logs, in order, relative to my last attempt to startup Windows normally and then fall back to safe mode. I thought I’d send it in case it shows something that’s causing the problem…
Thanks!

Are you sure that it was OTL that asked for a reboot? As I have been unable to replicate that.

Run Farbar Service Scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

It definitely claimed to be OTL asking to reboot the computer. It was right after I ran the fix. I expected to have to manually reboot it based on your instructions, but it popped up and asked for a restart, so…
Here is the Farbar log: (and THANK YOU so much for helping me with this - I am so grateful)

Farbar Service Scanner Version: 01-03-2012
Ran by billmcclain (administrator) on 07-03-2012 at 17:06:52
Running from “C:\Documents and Settings\billmcclain.FLAGLER\Desktop”
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Nerwork


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:

Firewall Disabled Policy:

System Restore:

Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: “C:\WINDOWS\system32\srsvc.dll”.

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: “\SystemRoot\system32\DRIVERS\sr.sys”.

System Restore Disabled Policy:

Security Center:

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:

wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: “C:\WINDOWS\system32\wuauserv.dll”.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: “C:\WINDOWS\system32\qmgr.dll”.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: “C:\WINDOWS\system32\svchost.exe -k netsvcs”.
The ServiceDll of EventSystem: “C:\WINDOWS\system32\es.dll”.

File Check:

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000090000000600000007000000
IpSec Tag value is correct.

**** End of log ****
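What a helper pulls out of a log like the one above is not the "Service is not running" lines (in Safe Mode with Networking most services are expected to be stopped) but the entries where the configured start type differs from the Windows default, here sr set to Disabled instead of Boot and BITS set to Demand instead of Auto. The following is an added example, not part of the thread or of Farbar's tooling, that extracts exactly those lines; the excerpt is constructed from the log as posted, and the line formats matched are assumed from that log only.

```python
import re

# Constructed excerpt of the Farbar Service Scanner log posted above,
# reduced to two sections and one healthy entry for contrast.
FSS_EXCERPT = r"""
System Restore:

Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".

Windows Update:

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
"""

# Line shapes as they appear in the posted log (assumed stable across runs).
START_TYPE_RE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\.$")
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")

def start_type_deviations(log_text):
    """Return [(service, configured, default)] for every service whose start
    type FSS reports as different from the Windows default."""
    found = []
    for line in log_text.splitlines():
        m = START_TYPE_RE.match(line.strip())
        if m:
            found.append(m.groups())
    return found

def stopped_services(log_text):
    """Return the names FSS reports as not running (expected in safe mode)."""
    return [m.group(1) for m in
            (NOT_RUNNING_RE.match(l.strip()) for l in log_text.splitlines()) if m]

if __name__ == "__main__":
    for svc, now, default in start_type_deviations(FSS_EXCERPT):
        print(f"{svc}: start type {now}, default {default}")
```

Sr being disabled matters for the triage: with the System Restore driver off, no restore point exists to roll back to, so the helper has to repair in place.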

I ran OTL (before posting here so without any custom scan instructions), after the scan it asked for a restart of the computer. This is the bit I was enquiring after, as a standard scan will never ask for a reboot.

Did you run the AVP tool ?

If so and you still have it

Upload the entire zip file to mediafire and post the sharing link please

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif

On completion click the link to locate the zip file to upload and attach to your next post

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif

Ok, I found the zip file and I’ve uploaded it to mediafire, but it’s taking a long time to verify. It’s also in my Google docs (public link below). I’ll keep waiting for mediafire to verify, if Google docs doesn’t work for you.

https://docs.google.com/open?id=0B4AQpbhW6h5kUEFQM2J6Tm5RdHV2TGRFbVMwa0YzQQ

I’m running the tool again now using your instructions.
Thanks!

Ok, here is the new AVP tool log. I don’t think it likes running in safe mode, but it seemed to work.

Mediafire verified this one ok (it’s a zip file, so I couldn’t attach here).
Thanks!

http://www.mediafire.com/?anqc81w4ioaeneu

I’ve looked everywhere I can think of to try to figure out what’s wrong with my startup process…perhaps the virus changed some key files? Before closing down for the night, however, I decided to work on capturing the screen message that pops up so quickly when I try to start Windows normally. I used my iPhone to take a movie of the moment and look back frame by frame - here is what the message says:

“A problem has been detected and Windows has been shut down to prevent damage to your computer If this is the first time you’ve seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.
Check with your hardware vendor for any bios updates. Disable bios memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select advanced startup options, and then select safe mode.
Technical information:
***STOP: 0x000000”

Any ideas? Thanks very much for all your help,
Bill

Ta, got it… Well, there is nothing apparent in there that would stop the normal boot. Do you have a Windows CD, as we could try a repair install?

Ok, sorry for the delay. I have the Windows CD and have the machine booting from CD now. Shall I just run the repair program? As I remember, that won’t impact my document files and things…

Yes, the details on how to do it are here: http://www.geekstogo.com/forum/topic/138-how-to-repair-windows-xp/