Author Topic: A few infections I can't seem to get rid of  (Read 3972 times)

juiblex

    Topic Starter


    Starter

    A few infections I can't seem to get rid of
    « on: September 08, 2009, 07:37:25 PM »
    Hello, I seem to be having some issues lately, there appears to be a few differing infections, I'll try to describe as much as I can. First, there seems to be a problem whenever I try to click a link in Google: the link usually redirects me to some ad or 3rd party site. I use Opera but also have IE as a backup (in case something's wrong with Opera), I tried using Google on both browsers and the same thing happens so it must be a deeper infection. I went to different support sites, but there doesn't appear to be any general help for this.
    The other issue is that when I browse the internet, sometimes 2 or 3 tabs pop up with incomprehensible URLs (for example: http://njä\02x¹QÃt¸ô? or http://U-`X¬`\14F&\186Ì or http://\01òO¢/ºzDt=zLâØy£D\17¤ôúpî·éÅ\19\0F\14h/¸y\1FRoo<*\18uå·\7F}/). I'm lost as to what's behind this problem.
    And finally, the last issue was that recently I may have downloaded a bad .exe program, this may have caused my csrss.exe file to become corrupted, my nod32 antivirus scanned it and quarantined it from the c:\windows\config dir, but there's also another csrss.exe in my c:\windows\system32 dir. I ran a system scanner which said that the csrss.exe in the system32 folder is not the Microsoft file, but I don't want to delete it because it might affect the system. At about the same time that the csrss.exe file became infected, a strange pop-up started coming up saying http ://212.117.174.14/PC_protectvam.exe, nod32 always terminated it, and after I followed the steps in your guide before writing this post (using the various scanners), the http ://212.117.174.14/PC_protectvam.exe popup stopped.

    I'm very lost as to how to remove these infections (if that's what they are) and hope that someone here can help me.

    My browser is Opera(IE as a backup), using Windows XP Pro(Ver 2002) SP2, Intel Pentium 4, 2.4 GHz 3.37GB Ram

    Here are my logs in order of sas>mbam>hjt

    [Moderated Message: Links De-linked for safety]


    [attachment deleted by admin]
    « Last Edit: September 09, 2009, 02:55:45 AM by Carbon Dudeoxide »
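The post above describes a csrss.exe running from c:\windows\config, and later replies name sdra64.exe. The following is an added triage example, not part of the original thread or any tool mentioned in it: it flags process image paths where a Windows system process name appears outside its expected directory, or where the file name was reported by a scanner in this thread. The `triage` function, the `EXPECTED_DIRS` table and the sample list are assumptions constructed for illustration.

```python
import ntpath

# Default locations of a few Windows system processes (well-known defaults).
EXPECTED_DIRS = {
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# File names reported by scanners in this thread (Spybot: Win32.ZBot).
REPORTED_NAMES = {"sdra64.exe"}


def triage(image_paths):
    """Return (path, reason) pairs for image paths that deserve a closer look."""
    findings = []
    for raw in image_paths:
        # Windows paths are case-insensitive, so compare in lower case.
        path = ntpath.normpath(raw.strip()).lower()
        folder, name = ntpath.split(path)
        if name in REPORTED_NAMES:
            findings.append((raw, "file name reported by a scanner"))
        elif name in EXPECTED_DIRS and folder != EXPECTED_DIRS[name]:
            findings.append(
                (raw, "system process name outside " + EXPECTED_DIRS[name])
            )
    return findings


# Constructed sample: image paths as a process listing might export them.
SAMPLE = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\config\csrss.exe",
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\Program Files\Opera\opera.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{path}: {reason}")
```

A path check cannot clear a file that sits in the expected directory, such as the system32 csrss.exe the poster's scanner questioned; that case needs a signature or hash comparison against a known-good copy.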

    Karnac



      Specialist

      Thanked: 211
      Re: A few infections I can't seem to get rid of
      « Reply #1 on: September 08, 2009, 09:27:18 PM »
      Go here for self help

      http://www.computerhope.com/forum/index.php/topic,81761.0.html

      Paste your HJT log into the window of the process tool and follow the instructions at the end to remove the problems....

      Run Malwarebytes after you fix the entries....let us know how things go....


      Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

      juiblex

        Topic Starter


        Starter

        Re: A few infections I can't seem to get rid of
        « Reply #2 on: September 30, 2009, 06:50:16 PM »
        Hello, sorry for the late reply, I've been away.
        I followed your advice and fixed/removed some things with the hjt website tool, unfortunately the symptoms still happen.
        I ran a scan of spybot and it found the following problems:
        Win32.Agent.pz
        Win32.TDSS.ntf(a few files in the system32 directory beginning with "geyekr" were found for this)
        Win32.ZBot(sdra64.exe)

        I deleted them with spybot and then ran it again after a restart before they were in memory.

        After that, it helped only a little bit, I still sometimes get redirected from google, and now more than ever whenever I switch from page to page or click on links, I get a pop-up saying "illegal url" with these characters "http://n`âO;¹Võ*îÆ?5%E0j\11F%A4p]z%!d\1D%D2%E9B%DD" every single time.

        I'm at a loss of what to do at this point...

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: A few infections I can't seem to get rid of
        « Reply #3 on: October 04, 2009, 06:56:07 PM »
        Hello juiblex and welcome to Computer Hope. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your replies. Your HJT log is showing that you're running two Anti-Virus programs on your computer. This can cause lots of problems. You will have to eliminate/uninstall one. Your HJT log is almost one month old. Could you please post a fresh log once you have done the above?
        Windows 8 and Windows 10 dual boot with two SSD's

        juiblex

          Topic Starter


          Starter

          Re: A few infections I can't seem to get rid of
          « Reply #4 on: October 08, 2009, 04:51:39 PM »
          Hello, yes I uninstalled one of the antivirus programs and here is the log.
          I still have the problem of clicking links from google and them being redirected to empty or advertisement sites. Also, sometimes when I copy/paste a link from google in the address bar, it also redirects, and even if I type it it redirects, I'd have to find some other way to go there other than the address bar.
          Also I sometimes see the process sdra64.exe in my task manager and kill it whenever I can, is this harmful?

          [Saving space, attachment deleted by admin]

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: A few infections I can't seem to get rid of
          « Reply #5 on: October 09, 2009, 07:41:33 PM »
          Hello juiblex. Could you please do this.

          If you already have ComboFix be sure to delete it and download a new copy.

          Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link # 1
          Link # 2

          **Note:  It is important that it is saved directly to your Desktop


          DO NOT run it yet!

          Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

          Delete these files/folders, as follows:

          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

          Code:
          KillAll::

          Driver::
          npggsvc

          File::
          C:\WINDOWS\system32\sdra64.exe

          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

          Windows 8 and Windows 10 dual boot with two SSD's