Tidserv virus - redirecting webpages

Excellent!
I'm very glad to see GMER log and I'm sorry for all your 12+ hours trouble

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Vista users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  
  Code:

  :filefind
  msahci.sys
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Using OTM...

• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

:Processes

:Services

:Reg

:Files
C:\Windows\System32\drivers\msahci.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\msahci.sys /replace
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Check for redirection and post fresh SystemLook log (same script as in my reply #81)

I'm glad to hear it
Actually, I'm relieved
I assume, you too....hehehe

Let me go through our topic to see what final steps we need to perform.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

• Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
• Click on the CleanUp! button and follow the prompts.
• You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
• After the reboot all the tools we used should be gone.
• The tool will delete itself once it finishes.

======================================================================

Please run a BitDefender Online Scan

• Disable your antivirus program.
• Click Start Scanner button.
• Click Start scan button
• Allow browser plug-in to be installed when prompted.
• Click I Agree to agree to the EULA.
• Please refrain from using the computer until the scan is finished.
• When the scan is finished, click on View log.
• Notepad will open with scan results.
• Save the report to your desktop and post its content in your next reply.

Post fresh HijackThis log as well.

BTW, I'll be slow, because my Stanley Cup game is coming

No problem
Have a good night sleep tonight...LOL

Very good, very good

Don't bother with Norton and those files.
We can easily remove them, but I suspect, they may be false positive.

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:

C:\program files\adobe\acrobat 8.0\designer 8.0\en\samples\subformset\outputs\subformset1dataa12731.exe
C:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresxtipresx.exe
C:\Program Files\Java\jre6\bin\new_plugin\ToolkitJavaTM.exe
C:\program files\common files\adobe\color\settings\extrasettings\generaleurope3229.exe

IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
If the result says 0/42, you don't have to post logs.

Thank you

Try here: http://virusscan.jotti.org/en-gb

I know, I know, but we have to make sure no leftovers are lurking behind the scenes.

Judging from your latest scan, we better remove those files.

Please download OTM

• Save it to your desktop.
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

:Processes

:Services

:Reg

:Files
C:\program files\adobe\acrobat 8.0\designer 8.0\en\samples\subformset\outputs\subformset1dataa12731.exe
C:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresxtipresx.exe
C:\Program Files\Java\jre6\bin\new_plugin\ToolkitJavaTM.exe
C:\program files\common files\adobe\color\settings\extrasettings\generaleurope3229.exe
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Very good

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

• Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
• Click on the CleanUp! button and follow the prompts.
• You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
• After the reboot all the tools we used should be gone.
• The tool will delete itself once it finishes.

Please, give me fresh HJT log.