laptop virus

tower

hi, hope someone can help. i think i have a virus on my laptop, when i do a search and click on s result i keep getting redirected to various un-related sites. i have done a scan using mcafee and also superantispyware which picked up some viruses which i removed, i also did a system restore. none of which seem to work.
What shall i do now?

thanks

Knarf44

Have you read the stick at the top of the forum called Malware Removal? If not, have a read and download the software "Malwarebytes", update it and run a scan. Then follow the rest of the instructions and report back.

aliEnRIK

Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_malwarebytes_anti_malware/
Open malwarebytes and goto UPDATE and click 'check for updates'. After its updated goto SCANNER and click PERFORM FULL SCAN then click SCAN
Remove everything thats found (needs to be ticked)
Post the COMPLETE log here AFTER youve deleted everything it finds

reboot
Download HIJACK THIS (Make sure you click 'DOWNLOAD THIS VERSION')
http://www.filehippo.com/download_hijackthis/2894/
Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE(Takes seconds) then post the log so we can see whats running
(do NOT do anything else with Hijack but scan and post the FULL log)

aliEnRIK

What happened to the malwarebytes log?

tower

hi, just re scanning now, will post shortly

aliEnRIK

tower wrote: »

hi, just re scanning now, will post shortly

I was after the original log too

once its finished post both logs (original can be found in LOGS in malwarebytes)

tower

log after removal.Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4486
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
27/08/2010 11:28:19
mbam-log-2010-08-27 (11-28-19).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 288136
Time elapsed: 1 hour(s), 57 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

aliEnRIK

Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download

nottseagull

Ah, now I see the problem; you have a smiley stuck inside it!

jbreckmckye

Haven't looked at the HJT logs in any detail, but my first guess is that some application / crapware has foisted some proxy server on you that keeps redirecting you to Viagra sites etc. etc.

Just check something for me quickly - open IE. Check Tools / Internet Options / connections / LAN settings. Now see if a proxy server has been specified.

aliEnRIK

Open notepad and copy/paste the text in RED below

File::
c:\windows\Ndozuzacufo.bin
c:\windows\Tcedixuqo.dat
c:\program files\wt3d.ini


Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
(If SNAPSHOT is stupidly large, leave that part out)

Combofix should never take more that 30 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.