Google Redirect infection, plus other malware suspected [Solved], and most diagnostics not producing output
piano9playa5
post Nov 11 2009, 03:11 PM
Post #16
GeekU Senior
Posts: 1,241
OS: XP Home

Hello. Let's see where we are:
  1. Are you able to update CA AntiVirus?
  2. Is Google still redirecting?
  3. Are certain programs failing to run?
  4. Any error messages?
  5. Have we successfully removed the fake security alerts?

Step One
Start OTS again.
  • Copy/Paste the information in the CodeBox below, into the panel where it says "Paste fix here".

    CODE
    [Kill All Processes]
    [Unregister Dlls]
    [Registry - Safe List]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "rundll32.exe" -> []
    YY -> "WAB" -> C:\Documents and Settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe [C:\Documents and Settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe]
    [Custom Scans]
    YY ->  logevent.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656 -> C:\WINDOWS\system32\logevent.dll
    [Custom Items]
    :files
    C:\WINDOWS\System32\oqrk.pso
    :end
    [Empty Temp Folders]
    [Reboot]

  • Ensure you have pasted everything in, then click the Run Fix button.
  • The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished.
  • Click the Ok button and Notepad will open with a log of actions taken during the fix.
    • Post the contents of the Notepad back here.
    • I will review the information when it comes back in.

Step Two
We recently removed an infection from your system that may have stripped a few files of their permissions. We can fix it, but it may take some trial and error for you to find the right files.
When I say 'that will not run,' I mean that they give off the error message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
You mentioned MalwareBytes' giving off the error message. You should be able to find the executables in C:\Program Files\MalwareBytes' Anti-Malware

Please download Inherit, by sUBs.
  1. Drag any .exe files, that will not run, on top of Inherit, one by one.
    • Click&Hold the .exe. Move it over top of Inherit. Release mouse.
    • Make sure that they are the .exes, not just shortcuts to the files.
  2. Once dragged on top of the .exe file, be patient. You should get an 'OK' message when it's finished.
  3. There's no harm in using Inherit on already-okay files, so don't worry if you don't get the right file.

Step Three
Please re-open Malwarebytes' Anti-Malware.
  • Click the Update tab, and then click Check for Updates.
  • After updating, click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step Four
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload to Mediafire and post the sharing link.

Close ALL OTHER PROGRAMS, and open OTS.
  • Check the box that says Scan All Users
  • Click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. It's usually located on the Desktop.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Logs&Info
Remember to post back the following logs:
  1. OTS Fix Results
  2. MalwareBytes' Anti-Malware log
  3. OTS.txt (Attached)
freaksoupacciden...
post Nov 11 2009, 05:08 PM
Post #17
Member
Posts: 14
From: Watford, United Kingdom
OS: Windows XP

Hi again and thanks for sticking with me on this.

So first in answer to your questions:

1. CA Antivirus is still not updating. It can download the datafile fine, but then fails.
2. Google results seem to be fine now, but it was an intermittent thing so it's difficult to be certain.
3. Programs that were failing are now running. (e.g. MBAM, as you will see below)
4. No error messages at all, MS Windows seems much happier.
5. No problems with fake alerts or anything similar.

So.... here are the logs. First the OTS Fix:

----------------------------------------------------------------------------

All Processes Killed
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\rundll32.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WAB deleted successfully.
C:\Documents and Settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe moved successfully.
[Custom Scans]
DllUnregisterServer procedure not found in C:\WINDOWS\system32\logevent.dll
C:\WINDOWS\system32\logevent.dll moved successfully.
[Custom Items]
========== FILES ==========
C:\WINDOWS\System32\oqrk.pso moved successfully.
[Empty Temp Folders]


User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Josie
->Temp folder emptied: 5832837 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 17410024 bytes
->FireFox cache emptied: 87264164 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 499933 bytes

User: Owner

User: Saffron
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: TheMortimers
->Temp folder emptied: 20359296 bytes
->Temporary Internet Files folder emptied: 70501988 bytes
->Java cache emptied: 13689540 bytes
->FireFox cache emptied: 32062832 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 214735 bytes

Total Files Cleaned = 236.42 mb

< End of fix log >
OTS by OldTimer - Version 3.1.4.0 fix logfile created on 11112009_224715

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

----------------------------------------------------------------------------

Now the Malwarebytes AM log:

----------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/11/2009 22:30:45
mbam-log-2009-11-11 (22-30-45).txt

Scan type: Quick Scan
Objects scanned: 115001
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\TheMortimers\Application Data\Macromedia\Common\490c60381.dll (Hijack.Sound) -> Delete on reboot.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Delete on reboot.
C:\WINDOWS\system32\wship6.dll (Trojan.Agent) -> Delete on reboot.

----------------------------------------------------------------------------

Finally, the log for the OTS scan is attached to this post.

Many thanks
Soupy



Attached File(s)
Attached File  OTS.Txt ( 186.55K ) Number of downloads: 2
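The MBAM log above shows the Hijack.Sound technique: the Drivers32 audio entries (aux, midi, mixer, wave) were redirected from wdmaud.drv to a DLL under the user's profile. As an added example, not code from the thread or from Malwarebytes, here is a Python parser for that log format that flags any Drivers32 data carrying a path and lists the files MBAM left for 'Delete on reboot' (the same files the next OTS fix in this thread moves); the sample lines are a subset of the log above, and the path heuristic is my assumption rather than an MBAM rule.

```python
"""Parse the MBAM log format from this thread and flag Drivers32 hijacks."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the MBAM log posted above; the line format is unchanged.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Delete on reboot.
C:\WINDOWS\system32\wship6.dll (Trojan.Agent) -> Delete on reboot.
"""

@dataclass
class Finding:
    section: str                # e.g. "Registry Data Items Infected"
    item: str                   # registry path or file path
    threat: str                 # MBAM detection name, e.g. Hijack.Sound
    action: str                 # what MBAM did, or "Delete on reboot"
    bad: Optional[str] = None   # hijacked registry data (Data Items only)
    good: Optional[str] = None  # restored registry data (Data Items only)

SECTION_RE = re.compile(r"^(.+ Infected):$")
# <item> (<threat>) -> [Bad: (<bad>) Good: (<good>) -> ]<action>.
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\) -> )?"
    r"(?P<action>[^.]+)\.$"
)

def parse_mbam_log(text: str) -> List[Finding]:
    """Track the current '... Infected:' section and turn each detection line
    into a Finding; placeholder lines such as '(No malicious items detected)' are skipped."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["item"], m["threat"],
                                    m["action"].strip(), m["bad"], m["good"]))
    return findings

def suspicious_drivers32_value(value: str) -> bool:
    """Heuristic (my assumption): legitimate Drivers32 data is a bare module name
    resolved from system32, such as wdmaud.drv; data carrying a path deserves a look."""
    return "\\" in value or "/" in value

def drivers32_hijacks(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(value name, hijacked data) for each Drivers32 entry whose Bad data trips the heuristic."""
    return [(f.item.rsplit("\\", 1)[1], f.bad) for f in findings
            if "\\Drivers32\\" in f.item and f.bad
            and suspicious_drivers32_value(f.bad)]

def pending_reboot_deletions(findings: List[Finding]) -> List[str]:
    """Files MBAM could only schedule for removal; confirm after the reboot that they are gone."""
    return [f.item for f in findings if f.action == "Delete on reboot"]
```

Running `drivers32_hijacks(parse_mbam_log(SAMPLE_LOG))` on the lines above returns the aux1 and wave1 entries with the profile-path DLL, while the restored `wdmaud.drv` value does not trip the heuristic.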
 
piano9playa5
post Nov 12 2009, 07:16 PM
Post #18
GeekU Senior
Posts: 1,241
OS: XP Home

Hello... What do you mean by "it fails"? Any messages? I'm not familiar with CA Antivirus.

Step One
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean.

Step Two
Java is out of date or not installed at all. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application:
  • Please visit Java Downloads for All Operating Systems
  • Under Windows, click "Windows 7/XP/Vista/2000/2003/2008 Offline"
    • Make sure to download the Offline version.
    • Save it to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java:
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
  • Then from your Desktop double-click jre-6u17-windows-i586-s to install the newest version.
    (Vista users, right click and select "Run as an Administrator.")

Step Three
Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Logs&Info
Remember to post back the following logs:
  1. KavReport.txt
freaksoupacciden...
post Nov 13 2009, 05:06 PM
Post #19
Member
Posts: 14
From: Watford, United Kingdom
OS: Windows XP

Hi -

Thanks for your continued assistance.

I've run through the steps above and here is the output from Kaspersky:

-------- begin included file --------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, November 13, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, November 13, 2009 16:40:03
Records in database: 3204511
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 149774
Threats found: 6
Infected objects found: 5
Suspicious objects found: 1
Scan duration: 02:23:53


File name / Threat / Threats count
C:\Documents and Settings\TheMortimers\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Downloader.Win32.Small.aafc 1
C:\Program Files\Mozilla Firefox\a.exe Infected: Trojan-Spy.Win32.Zbot.hsr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nvata.sys.vir Infected: Rootkit.Win32.TDSS.u 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Hoax.Win32.Renos.vcjk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir Suspicious: Packed.Win32.PECompact 1
C:\_OTS\MovedFiles\11112009_224715\C_WINDOWS\system32\oqrk.pso Infected: Trojan-GameThief.Win32.OnLineGames.bmxm 1

Selected area has been scanned.


-------- end included file ---------

My CA Anti-Virus is still not playing ball, but I'm not too worried about that. For now I just want to get the machine clean; then, if we can't fix it here, I'll go to the CA Forum and someone there will be able to get it working for me, I'm sure. For the record, the messages I get are:

Package installation has been deferred: AV Dat Patch Update
and
An error occurred during the update process. Please try again later.

Ta
Soupy
piano9playa5
post Nov 14 2009, 11:08 AM
Post #20
GeekU Senior
Posts: 1,241
OS: XP Home

Hello.

This is quite an old bug, but there's no harm in making sure. Check the CA quarantine, anything in there? If you see any "wextract.exe", restore them.

Start OTS again.
  • Copy/Paste the information in the CodeBox below, into the panel where it says "Paste fix here".

    CODE
    [Kill All Processes]
    [Unregister Dlls]
    [Custom Items]
    :files
    C:\Program Files\Mozilla Firefox\a.exe
    C:\WINDOWS\system32\drivers\beep.sys
    C:\Documents and Settings\TheMortimers\Application Data\Macromedia\Common\490c60381.dll
    C:\WINDOWS\system32\wship6.dll
    :end
    [Empty Temp Folders]
    [Reboot]

  • Ensure you have pasted everything in, then click the Run Fix button.
  • The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished.
  • Click the Ok button and Notepad will open with a log of actions taken during the fix.
    • Post the contents of the Notepad back here.
I will review the information when it comes back in.
freaksoupacciden...
post Nov 14 2009, 03:24 PM
Post #21
Member
Posts: 14
From: Watford, United Kingdom
OS: Windows XP

Hi again - Here's the latest OTS log, as requested.

----- begin -----

All Processes Killed
[Custom Items]
========== FILES ==========
C:\Program Files\Mozilla Firefox\a.exe moved successfully.
C:\WINDOWS\system32\drivers\beep.sys moved successfully.
File/Folder C:\Documents and Settings\TheMortimers\Application Data\Macromedia\Common\490c60381.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wship6.dll
C:\WINDOWS\system32\wship6.dll moved successfully.
[Empty Temp Folders]


User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Josie
->Temp folder emptied: 6003030 bytes
->Temporary Internet Files folder emptied: 4080236 bytes
->Java cache emptied: 1860243 bytes
->FireFox cache emptied: 84255283 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner

User: Saffron
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: TheMortimers
->Temp folder emptied: 96764199 bytes
->Temporary Internet Files folder emptied: 15639738 bytes
->Java cache emptied: 13817519 bytes
->FireFox cache emptied: 32800799 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 563776 bytes

Total Files Cleaned = 243.97 mb

< End of fix log >
OTS by OldTimer - Version 3.1.4.0 fix logfile created on 11142009_210321

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

----- end -----

Oh and there is nothing listed in the CA quarantine area.

Thanks
Soupy
piano9playa5
post Nov 15 2009, 04:50 PM
Post #22
GeekU Senior
Posts: 1,241
OS: XP Home

Hey! That last log looks clean!
Now let's do some cleaning up and learn how to protect ourselves from future infection!

For CA Antivirus, you could try an uninstall/reinstall. However, it may be worth taking it over to the CA Forums first.

ComboFix /Uninstall
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run,
Copy/Paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Tools Used
This is so that, should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

  • Open OTS.
  • In the top right corner will be a button called "Clean Up!"; click it.
  • Click Yes to begin the cleanup process.
  • When done, reboot to finish the cleaning procedure.

Windows Updates
You should visit the Windows Update site about once a month. If you're feeling lazy you can turn on Automatic Updates, which will do most of the work for you. (ask me how)

Go to update.microsoft.com using Internet Explorer. Click High Priority Updates, then check all of the updates and click the Download button. A window should pop up giving the status of each update. Restart if asked to.

Prevention Tools
  1. Spywareblaster
    • SpywareBlaster will prevent spyware from being installed.
  2. Spywareguard
    • SpywareGuard offers realtime protection from spyware installation attempts.
  3. MalwareBytes' Anti-Malware | SUPERantispyware
    • Both great Anti-Spyware and Anti-Malware programs.
  4. Firefox | Opera
    • Two great fast, secure, and customizable web-browsers.
  5. TFC - Temp File Cleaner
    • One-click temp cleaner. Clean out temporary files safely, and effectively.


======================================================

If you are wondering how you got infected in the first place please visit this cool page called:
How did I get infected in the first place?

Glad I could help, piano9playa5
freaksoupacciden...
post Nov 17 2009, 12:21 PM
Post #23
Member
Posts: 14
From: Watford, United Kingdom
OS: Windows XP

I really appreciate the time you've spent sorting this all out for me.

All the best,
Soupy
piano9playa5
post Nov 17 2009, 05:24 PM
Post #24
GeekU Senior
Posts: 1,241
OS: XP Home

No Problem.
Essexboy
post Nov 18 2009, 02:45 PM
Post #25
GeekU Moderator
Posts: 19,158
From: Darkest Cornwall
OS: Vista Ultimate & Windows 7

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.