Google Search Hijacking Clickcheck.ru Infection
Comments
It's not as simple as that for me. I have a bunch of paid software on here I'd have to find the casings to get license keys for, I'd have to go through folder by folder and find all the software and files that are mission critical for me which I'm almost guaranteed to miss some. I've got stuff on here I don't even remember is important until I need it...
If there is ANY way to fix this that is going to be hands down the best route for me to take.
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, May 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 06, 2009 03:25:17
Records in database: 2135816
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
\
E:\
Scan statistics:
Files scanned: 197795
Threat name: 25
Infected objects: 59
Suspicious objects: 33
Duration of the scan: 05:28:25
File name / Threat name / Threats count
C:\Documents and Settings\Adam\Application Data\Thunderbird\Profiles\2lqbqata.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\Adam\Application Data\Thunderbird\Profiles\2lqbqata.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Paylap.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080000.VBN Infected: Packed.Win32.Katusha.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080001.VBN Infected: Packed.Win32.Katusha.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080002.VBN Infected: Backdoor.Win32.Bifrose.usj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080003.VBN Infected: Backdoor.Win32.Bifrose.usj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080008.VBN Infected: Trojan.Win32.Monder.acks 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080009.VBN Infected: Trojan.Win32.Monder.abjq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0108000A.VBN Infected: Trojan.Win32.Monder.abjq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0108000B.VBN Infected: Packed.Win32.Mondera.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0108000C.VBN Infected: Packed.Win32.Mondera.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0108000D.VBN Infected: Trojan.Win32.Monder.absy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0108000E.VBN Infected: Trojan.Win32.Monder.absy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0108000F.VBN Infected: Packed.Win32.Mondera.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080010.VBN Infected: Packed.Win32.Mondera.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080011.VBN Infected: Packed.Win32.Mondera.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080012.VBN Infected: Packed.Win32.Mondera.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01080013.VBN Infected: Packed.Win32.Mondera.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN Infected: Trojan.Win32.Monder.abjq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09BC0000.VBN Infected: Trojan.Win32.DNSChanger.jf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09BC0001.VBN Infected: Trojan.Win32.DNSChanger.jf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ks 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ks 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240002.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ks 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240003.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ks 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A240004.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ks 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Infected: HackTool.Perl.BBSXP.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Infected: Trojan-Clicker.HTML.IFrame.ag 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Infected: Backdoor.PHP.C99Shell.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Infected: Backdoor.Linux.Small.i 2
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Suspicious: Trojan-Spy.HTML.Fraud.gen 17
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Infected: Exploit.Win32.PDF-URI.l 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Infected: Trojan-Spy.HTML.Fraud.l 3
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Infected: Exploit.Win32.PDF-URI.k 2
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000.VBN Infected: Trojan.Win32.Pakes.bpa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00001.VBN Infected: HackTool.Perl.BBSXP.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00001.VBN Infected: Trojan-Clicker.HTML.IFrame.ag 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00001.VBN Infected: Backdoor.PHP.C99Shell.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00001.VBN Infected: Backdoor.Linux.Small.i 2
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00001.VBN Suspicious: Trojan-Spy.HTML.Fraud.gen 13
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12B00000.VBN Infected: Exploit.JS.Pdfka.bp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12B00001.VBN Infected: Exploit.JS.Pdfka.bs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12B00002.VBN Infected: Exploit.JS.Pdfka.bs 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\WINDOWS\system32\adptifvas.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\apcupssb.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\asycfiltv.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\ati2cqags.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\atioglxxv.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\authzb.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\avtapiv.dll Infected: Trojan-Downloader.Win32.Small.vob 1
The selected area was scanned.
Open notepad and copy/paste the text in RED below
File::
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\adptifvas.dll
C:\WINDOWS\system32\apcupssb.dll
C:\WINDOWS\system32\asycfiltv.dll
C:\WINDOWS\system32\ati2cqags.dll
C:\WINDOWS\system32\atioglxxv.dll
C:\WINDOWS\system32\authzb.dll
C:\WINDOWS\system32\avtapiv.dll
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
Run LSPFIX
Download HostsXpert
http://www.softpedia.com/get/Security/Security-Related/Hoster.shtml
and then follow the below steps.
* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* Click the Make Writeable? button.
* Click Restore Microsoft's Hosts File and then click OK.
* Click the X to exit the program
Download SPYBOT (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure TEA TIMER is UNTICKED on installation)
http://www.filehippo.com/download_spybot_search_destroy/
UPDATE and IMMUNISE (Make sure it reads ZERO unprotected) and SCAN
game5media.com/combofix4.txt
It stalled during the first run so I had to run it again.
Going to run LSPFIX now. LSPFIX said no problems found.
Ran hostexpert - restored the hosts file.
Spybot still shows 267534 unprotected.
How do I fix that?
Click the green PLUS immunise button
This discussion has been closed.