Google being hijacked

[guestolo]

Can you go back to the following link
http://virusscan.jotti.org/en

Scan these 2 files
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe

Let me know if the scanners find them infected, ensure to rescan them
If they do
Can you scan these files
c:\guestolo\explorer.exe
c:\guestolo\winlogon.exe

Let me know if there clean or infected

[barrel05]

c:\windows\system32\winlogon.exe
Still infected

c:\windows\explorer.exe
infected

c:\guestolo\explorer.exe
Clean

c:\guestolo\winlogon.exe
Clean

[guestolo]

It may be a permission problem trying to transfer those files
When you first ran ComboFix, did you allow the install of the Recovery Console?
For a double check right click MyComputer>>Select Properties>>Advanced>>>Settings under 'Startup and Recovery'
Under System Startup click the EDIT button
Don't change nothing in that text file that opens, just copy/paste back here the contents

If it's not installed, do you have the XP Pro CD you can boot with
or we can boot to a Linux distro

[barrel05]

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

[guestolo]

Oh, I see it did get installed
Let's use the recovery console to move those files

But first, can you do the following, it may have been my fault the files didn't get moved
As I had you leave them in the guestolo folder
Open the C:\guestolo folder

Copy and paste explorer.exe and winlogon.exe directly to the C:\ folder
So you now have
C:\explorer.exe
C:\winlogon.exe

Afterwards, restart the computer
With the recovery console installed from ComboFix, you have a couple seconds to choose an Operating system to start
Please use the arrow button on your keyboard and highlight
"Microsoft Windows Recovery Console"

Hit Enter
Let it load
At the prompt to select which Windows installation, since you only have 1, select 1 then hit Enter
Enter your Admin password if prompted, then Enter
if no password just hit enter

At the 'C:\Windows>' prompt type exactly the following
Note the single space after copy and between the first explorer.exe and c:

copy c:\explorer.exe c:\windows\explorer.exe

Hit Enter, at the prompt to overwrite, select Y, then Enter

Next: type the following

copy c:\winlogon.exe c:\windows\system32\winlogon.exe

Hit Enter>>Y at the prompt>Enter

Type exit, let the computer reboot
Note: If you get 'access denied' doing any of the above, come back and let me know, we'll do an additional step

Back in Windows
Can you once again go scan those 2 files

c:\windows\system32\winlogon.exe
c:\windows\explorer.exe

Let me know if they come up clean and how things are running

[barrel05]

c:\windows\system32\winlogon.exe
Clean

c:\windows\explorer.exe
Clean

[guestolo]

That sounds good, but one more scanner please, let's just help ensure your clean
Again, temporarily disable Avast so it won't interfere
[color="#0000FF"]ESET Online Scanner[/color][/url]

Click on the Button "Eset Online Scanner"
A new window will open, Download and save to your desktop
esetsmartinstaller_enu.exe

Double click on 'esetsmartinstaller_enu.exe' to run it
Put a tick in "Yes, I accept the Terms of Use" then click START

Eset will download components
When done click START again

Downloading of Virus signature database will begin
Depending on your connection speed, this can take awhile
When complete the scan will start
This scan can take some time, so be patient

Once the scan is completed, you may close the window
   
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
   
Copy and paste that log as a reply to this topic

KEEP me informed how things are now running

[barrel05]

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=18869222b3bef344a227d9fad6556b18
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-22 05:26:39
# local_time=2010-11-22 04:26:39 (+1000, Tasmania Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=crash
# scanned=51995
# found=0
# cleaned=0
# scan_time=2735

Thanx very much every thing seems to be good

[guestolo]

go ahead and manually delete TDSSkiller.exe and it's log
The same goes for MBR.exe, RKUnhookerLE.exe, Systemlook.exe

If you didn't uninstall Eset online scanner, you can do so now thru
Add and Remove Programs

Ensure you still have a copy of ComboFix on desktop
Then proceed to do the following
Go to START>>RUN>>Copy and paste the next command then hit OK

[color="#FF0000"]ComboFix /uninstall[/color]

This will uninstall ComboFix and it's components
I would add SpywareBlaster to your set of protection software
 it does not run in the background but helps to silently protect your system

SpywareBlaster  by JavaCool  
continue with
Free Download on the right>>Continue Download at next page
Basically it

*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
IMPORTANT>>"Check for updates every couple of weeks or so"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Startus>>enable all protection

Open OTL.exe and click on the CLEANUP button
Allow to reboot the computer when prompted

That should do it  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'\' />

[barrel05]

Thanx all done

[guestolo]

Your welcome, since your problems appear resolved, I'll lock this topic