Google Redirection Virus Logs

Status
Not open for further replies.

OSIG89

Ran the 8 steps, still getting redirected when clicking on Google links. What can I do now to fix this?
 
Malware removal has become extremely busy, must be to do with xmas coming up or something?
You originally created your new topic only 3 hours ago; really, that's not long ago at all.

The only reason I'm helping is because you at least have Avira, so I respect that ;)

Start HJT Scan Only
Place a tick in the following entry boxes
Before selecting FIX, close all Internet Browsers
Note: The grayed out lines are not issues, but do not need to start with Windows
O1 - Hosts: ::1 localhost

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SoundTray] C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')


O10 - Unknown file in Winsock LSP: c:\windows\system32\bfllr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bfllr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bfllr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bfllr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bfllr.dll
O13 - Gopher Prefix:

Combofix:
  • Download Combofix to your desktop.
  • Disable your Antivirus (as Combofix will remove any malware it finds)
  • Double click ComboFix & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here.
Also restart and then provide a fresh HJT Scan log



2 Log attachments required
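
An added example, not part of the original post and not HijackThis code: a short Python triage of the O4 and O10 lines from the log quoted above. The sample is constructed from lines in this thread; the function names and the "no absolute path" review heuristic are assumptions of this example, and the output is a list of items to verify on disk, not a verdict.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the log quoted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [SoundTray] C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O10 - Unknown file in Winsock LSP: c:\windows\system32\bfllr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bfllr.dll
O13 - Gopher Prefix:
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
RUN = re.compile(r"^(?P<key>\S+\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')  # optionally quoted drive-letter path


def parse(log):
    """Yield (section_code, body) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("code"), m.group("body").strip()


def triage(log):
    """Collapse repeated O10 LSP files and list autoruns lacking a full path."""
    lsp = Counter()
    relative_autoruns = []
    for code, body in parse(log):
        if code == "O10" and ": " in body:
            # One DLL is usually listed once per catalog entry it occupies.
            lsp[body.split(": ", 1)[1].lower()] += 1
        elif code == "O4":
            m = RUN.match(body)
            # Without an absolute path the log does not show which file on
            # disk is launched, so the entry needs checking on the machine.
            if m and not ABS_PATH.match(m.group("cmd")):
                relative_autoruns.append((m.group("key"), m.group("name"), m.group("cmd")))
    return {"lsp_files": dict(lsp), "relative_autoruns": relative_autoruns}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```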
 
I wasn't able to remove the Unknown file in Winsock LSP. HJT said it couldn't repair O10 Winsock LSP entries. It told me: You should use LSPFix for that. Under that it also said this: If the O10 item belongs to Webhancer, New.Net or CommonName, Spybot S&D can remove it automatically.

Here's my new logs after I restarted though.
 
Well, if you don't use Ad-Aware much I'd uninstall it, it's just making more and more entries in your logs. Anyway, Malwarebytes is better.



Manual steps to repair or to reset Winsock for Windows Vista users
  1. Click the Start button, type cmd in the Start Search box, right-click cmd.exe, click "Run as administrator", and then press Continue.
  2. Type netsh winsock reset at the command prompt, and then press ENTER.
  3. Type netsh int ip reset at the command prompt, and then press ENTER.
  4. Type netsh interface ip delete arpcache at the command prompt, and then press ENTER.
  5. Type Exit, and then press ENTER.
Restart



Un-install Combofix
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK
  • Any popup errors about Antivirus just ok or close
Note: 1 space after ComboFix in that uninstall command



Uninstall SUPERAntispyware
Start > Control Panel > Add/Remove Programs > SUPERAntispyware > Uninstall



Update Java and remove older Java versions
Run JavaRa
This will remove all your old Java stuff (that is not required)
It will also help you check for new Java Runtime updates
Or just go here and auto check: http://java.com/en/download/installed.jsp?detect=jre&try=1



Download and run TFC http://oldtimer.geekstogo.com/TFC.exe
Your computer may need to Restart



Remove old System Restore Points

  • Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
  • In the left pane, click System protection. Administrator permission required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Under Protection Settings, click the disk, and then click Configure.
  • Click Turn off system protection, click OK, and then click OK again.
Then turn it back on again.



Restart, and let me know how it's performing
 
The Winsock LSP: c:\windows\system32\bfllr.dll seems to be authentically coming from your ISP.
In other words, just leave them there.

The redirection, we can try one more thing:

You may want to update to a more secure Hosts file
There's lots of important info on that here: http://www.mvps.org/winhelp2002/hosts.htm
As it's difficult to see the actual download, here it is: http://www.mvps.org/winhelp2002/hosts.zip
Important! Windows Vista requires special instructions: http://www.mvps.org/winhelp2002/hostsvista.htm

Simply download the hosts.zip file, extract, then run mvps.bat, then restart

[Important Notice - 2K/XP/Vista Users]
In most cases a large HOSTS file (over 135 kb) tends to slow down the machine. This only occurs
in W2000 and XP. Windows 98 and Windows ME are not affected.

To resolve this issue (manually) open the "Services Editor"

Start | Run (type) "services.msc" (no quotes)
Scroll down to "DNS Client", Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual, click Apply/Ok and restart.

Then restart, and test browsing the Internet again :)


EDIT:

You could also run a GMER Rootkit scan: http://www2.gmer.net/gmer.zip
 