Solved Redirect on Firefox

Status
Not open for further replies.

RLK107

Whatever I have redirects/pirates my 'Home' setup in Firefox to http://www.searchregard.net/, and adds a signature-like hot link to all my online submissions (see below).

I've attached the HJT log and have run CCleaner twice.

The link below has been generated by the virus. Part of the problem.
 

Attachments

  • hijackthis.log (9 KB)
Thanks, Broni. I discovered "the error in my ways" earlier and am about to submit a post with the required output printouts.
Ignore the link at the bottom. It is being placed there by the virus I'm trying to eliminate.
 
Re-try file attach

Diagnostic log files attached.
Ignore the link below. It is part of the virus problem.
 

Attachments

  • hijackthis.log (9.6 KB)
  • mb log.txt (895 bytes)
  • SUPERAntiSpyware Scan Log - 04-15-2010 - 16-34-42.log (4.7 KB)
Download GMER: http://www.gmer.net/files.php, by clicking on the Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When the scan is completed, click the Save button and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log.

======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double-click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
GMER, ComboFix & HJT run logs

Have attached the three requested logs.
(Noticed that there is no virus-generated sig file hotlink on this post. Things are looking better. :) )
 

Attachments

  • gmer.log (12.7 KB)
  • ComboFix.txt (35.2 KB)
  • hijackthis.log (9.1 KB)
It looks much better :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\ALCMTR.EXE


Folder::

Driver::

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{D7BE8ED1-B138-48FD-BB22-9779A39130B1}"=-
[-HKEY_CLASSES_ROOT\clsid\{d7be8ed1-b138-48fd-bb22-9779a39130b1}]
[-HKEY_CLASSES_ROOT\SearchBHO.CSearchBHO.1]
[-HKEY_CLASSES_ROOT\TypeLib\{A1A1E70D-58C5-4349-83B6-BE9682B9874D}]
[-HKEY_CLASSES_ROOT\SearchBHO.CSearchBHO]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7BE8ED1-B138-48FD-BB22-9779A39130B1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000


RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Ran into a problem running ComboFix.
Have attached my CFScript file and screen print of error printout.

(Screen print is a .jpg; I've renamed the file to .txt.)

Bogus sig-file link is back. Ignore.
 

Attachments

  • CFScript.txt (749 bytes)
  • 2010-04-17 19 20 07.txt (147.3 KB)
I'm not sure what you did, but you did something wrong.
Please, re-read my previous instructions and try again.
 
Broni, I retraced my steps and then, on a whim, checked file sizes between the first and second txt files. Discovered that the first file began with the term "Code:" and ended with the dashes under "RegLockDel::".

On the second file I inadvertently copied the file with the first line as "File::" and the last line as "RegLockDel::".

(This last attempt ended with ComboFix crashing and requesting that a new ComboFix be generated.)

I need to know what the beginning and ending parameters of that .txt file should be.
 
Copy everything that is inside the box, starting with "File::" and ending with "RegLockDel::".
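To see what a CFScript will do before running it, and to catch the boundary mistake discussed above (copied text that begins with "Code:" or ends with the dashes), here is an added Python example that is not part of the thread and not ComboFix's own code: it parses an abridged copy of the script posted earlier, rejects anything that does not start with "File::" and end with "RegLockDel::", and translates the Registry:: lines into delete-key, delete-value and set-value actions. The section names come from the posted script; reading the directives with .reg-file conventions ([-key] deletes a key, "name"=- deletes a value) is an assumption made for this example.

```python
import re
# Abridged copy of the CFScript from the thread, embedded as constructed sample input.
CFSCRIPT = r"""File::
c:\windows\ALCMTR.EXE
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{D7BE8ED1-B138-48FD-BB22-9779A39130B1}"=-
[-HKEY_CLASSES_ROOT\clsid\{d7be8ed1-b138-48fd-bb22-9779a39130b1}]
[-HKEY_CLASSES_ROOT\SearchBHO.CSearchBHO.1]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000
RegLockDel::
"""

SECTIONS = ("File::", "Folder::", "Driver::", "Registry::", "RegLockDel::")

def parse_cfscript(text):
    """Split a CFScript into its sections after checking the boundaries Broni describes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != "File::":
        raise ValueError("script must start with the line 'File::' (no 'Code:' header before it)")
    if lines[-1] != "RegLockDel::":
        raise ValueError("script must end with the line 'RegLockDel::' (no dashes after it)")
    sections, current = {s: [] for s in SECTIONS}, None
    for line in lines:
        if line in SECTIONS:
            current = line
        elif line:
            sections[current].append(line)
    return sections

def registry_actions(reg_lines):
    """Assumed .reg semantics: [-key] deletes a key, "name"=- deletes a value, "name"=data sets it."""
    actions, key = [], None
    for line in reg_lines:
        m = re.fullmatch(r"\[(-?)(.+)\]", line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", key, None))
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if m and key is not None:
            name, data = m.groups()
            kind = "delete_value" if data == "-" else "set_value"
            actions.append((kind, key + "\\" + name, None if data == "-" else data))
    return actions
```

Feeding `parse_cfscript(CFSCRIPT)["Registry::"]` to `registry_actions` lists the URLSearchHook value and the SearchBHO CLSID keys that the script removes, which is the hijacker component behind the redirect.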
 
On the initial run, I copied the text from the email, not from the thread.
The email did not show the box around the text.
ComboFix and HJT logs attached.
 

Attachments

  • ComboFix.txt (31.9 KB)
  • hijackthis.log (8.9 KB)
Morning, Broni,
Unfortunately, it's still there.
Hoping not to have to do a system rebuild.

BTW, thank you for all your help. It's appreciated.

 
Please download Profiles by noahdfear.

* Save it to your desktop.
* Double-click profiles.exe and post its log when you reply.

==========================================================================

Delete your GMER file.

Download GMER: http://www.gmer.net/files.php, by clicking on the Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When the scan is completed, click the Save button and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
 
Have attached the files from the above runs.
 

Attachments

  • prof.log (1.1 KB)
  • gmer.log (12.6 KB)
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    nv4_mini.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Which browser is getting redirected?

Download OTL to your Desktop.

* Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
The redirect occurs with both Firefox (v6.3) and IE (v8.0.6001.18702).
I have not observed any redirects while using Chrome (v5.0317.2).

Here's the OTL.txt file (as an attachment; 200k limit on cut/pastes, per your instructions)
(although Explorer indicates 102k).
(What's with the 'veerboo.com' listed under Internet Explorer on the list?
I've seen this come up at one point during a redirect, but it's not consistent.)

Have also attached the Extras file.
 

Attachments

  • OTL.Txt (101.3 KB)
  • Extras.Txt (48.4 KB)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    PRC - [2010/04/08 16:31:48 | 002,072,576 | ---- | M] (SaveTubeVideo Company) -- C:\Program Files\SaveTubeVideo.com\SaveTubeVideo\downloader.exe
    IE - HKLM\..\URLSearchHook: {D7BE8ED1-B138-48FD-BB22-9779A39130B1} - Reg Error: Key error. File not found
    FF - prefs.js..keyword.URL: "http://www.veerboo.com/results.php?q="
    [2010/04/11 17:58:34 | 000,000,000 | ---D | C] -- C:\Program Files\SaveTubeVideo.com
    
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\SaveTubeVideo.com\SaveTubeVideo\downloader.exe
    
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
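The OTL line FF - prefs.js..keyword.URL above is the Firefox side of the hijack: keyword.URL decides where a non-URL typed into the address bar is sent, so pointing it at veerboo.com turns every such entry into a redirect. The following added Python example (not from the thread and not OTL's code) scans a constructed prefs.js excerpt for the prefs that steer the home page and searches and flags any that point at a host outside an assumed trusted set; TRUSTED_HOSTS and the sample prefs are assumptions made for this example.

```python
import re

# Constructed prefs.js excerpt modelled on the OTL finding in the thread (sample input, not a real profile).
PREFS_JS = r'''
user_pref("browser.startup.homepage", "http://www.searchregard.net/");
user_pref("keyword.URL", "http://www.veerboo.com/results.php?q=");
user_pref("browser.search.selectedEngine", "Google");
user_pref("network.cookie.cookieBehavior", 0);
'''

# Prefs that decide where the home page, address-bar keywords and searches go.
WATCHED = ("browser.startup.homepage", "keyword.URL",
           "browser.search.defaultenginename", "browser.search.selectedEngine")
# Hosts the profile owner expects in those prefs (an assumption for this example).
TRUSTED_HOSTS = {"www.google.com", "google.com", "www.mozilla.com"}

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line; quoted strings are unquoted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        prefs[name] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return prefs

def host_of(value):
    """Host part of an http(s) URL, or None for values that are not URLs (e.g. an engine name)."""
    m = re.match(r"https?://([^/:]+)", value)
    return m.group(1).lower() if m else None

def suspicious_prefs(prefs, trusted=TRUSTED_HOSTS):
    """List (pref, value, host) for watched prefs whose URL host is not in the trusted set."""
    hits = []
    for name in WATCHED:
        value = prefs.get(name)
        if value is None:
            continue
        host = host_of(value)
        if host is not None and host not in trusted:
            hits.append((name, value, host))
    return hits
```

Run against a real profile, the same check over prefs.js and user.js shows whether the redirect is a preference hijack (fixable by resetting the pref) or something lower in the stack, as the BHO and hooks dealt with above.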
 