[Inactive] Redirect virus won't die

  #1  
Old 02-07-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
[Inactive] Redirect virus won't die

Hi,
I'm running WIN XP, SP 2. Recently got this re-direct virus affecting both Firefox and IE.

I've run complete scan/repair processes with:

AVG
Super AV
Malware Bytes

Sometimes it finds infected items and fixes them but this thing keeps coming back. I really don't want to do a new OS install as my drivers are very tricky to load on this machine.

I've also tried numerous other fixes including this one (http://www.techspot.com/vb/topic127425.html) but I'm not sure I'm doing it right as I don't know if all these log files they refer to are general or relative to the computers of the person in the thread.

I did run some of these and got the following logs in the attached files.

I'm going nuts with this! Is there any real solution to this or should I just bite the bullet and re-install Windows?
Attached Files
File Type: txt cf.txt (22.3 KB, 3 views)
File Type: txt CFLog2.txt (22.7 KB, 2 views)
File Type: txt CFScript.txt (129 Bytes, 2 views)
File Type: log ViewpointKiller.log (6.2 KB, 2 views)
  #2  
Old 02-09-2010
Broni's Avatar
Malware Annihilator
 
Location: Daly City, CA
Member since: Feb 2010, 23,062 posts
Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log (mbr.log) file to your next reply.
  #3  
Old 02-09-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
Log File


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


I don't know what this is but thanks!
  #4  
Old 02-09-2010
Broni's Avatar
Malware Annihilator
 
Location: Daly City, CA
Member since: Feb 2010, 23,062 posts
How is the redirection issue?
  #5  
Old 02-09-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
Issue

Basically, either in firefox or IE. I google anything. When I click on the link it takes me to an alternate page. Also seems to happen with any other search engine such as Yahoo etc.

BTW - I am using XP

Thanks
  #6  
Old 02-09-2010
Broni's Avatar
Malware Annihilator
 
Location: Daly City, CA
Member since: Feb 2010, 23,062 posts
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=======================================================================

Download Kenco.exe to your desktop
  • Close all windows and run the program.
  • It won't take long to run.
  • Kenco will reboot the system if it finds anything.
  • Post the log it gives you ( it will be saved in the same place as Kenco.exe).
  #7  
Old 02-09-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
no reboot

Kenco by jpshortstuff (31.12.09.1)
Log created at 21:12 on 09/02/2010 (JF)

========== Task Unlocker ==========

========== KencoScan ==========

========== C:\WINDOWS\Tasks ==========
RegCure Program Check.job -> [18:07 08/02/2010] 384 bytes
RegCure Startup.job -> [18:07 08/02/2010] 372 bytes
RegCure.job -> [18:07 08/02/2010] 366 bytes

-=E.O.F=-
  #8  
Old 02-09-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
additional

Just confirmed... redirect is still occurring.
  #9  
Old 02-09-2010
Broni's Avatar
Malware Annihilator
 
Location: Daly City, CA
Member since: Feb 2010, 23,062 posts
Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
  #10  
Old 02-10-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
Very Strange

I downloaded and ran Rootrepeal. At the end of the process my system automatically restarted. I saw no report and the only thing I was left with was a .dat file on my desktop....Attached.

Thoughts?
Attached Files
File Type: zip settings.zip (122 Bytes, 1 views)
  #11  
Old 02-10-2010
Broni's Avatar
Malware Annihilator
 
Location: Daly City, CA
Member since: Feb 2010, 23,062 posts
Please, re-run it.
  #12  
Old 02-10-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
Re-Run

I did actually run it three times with the same result. I'll try again. I'll sit and watch it this time.

Thanks
  #13  
Old 02-10-2010
Broni's Avatar
Malware Annihilator
 
Location: Daly City, CA
Member since: Feb 2010, 23,062 posts
OK, leave it for now...

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  #14  
Old 02-10-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
OTL & Extras Logs

Sorry...OTL and Extras Logs were too long to paste and thus not permitted here....I attached them....
Attached Files
File Type: zip OTL.zip (13.8 KB, 4 views)
File Type: zip Extras.zip (7.2 KB, 2 views)
  #15  
Old 02-10-2010
Broni's Avatar
Malware Annihilator
 
Location: Daly City, CA
Member since: Feb 2010, 23,062 posts
Please, uninstall RegCure. No registry tools are ever recommended.

=========================================================================

I recommend you remove the NVIDIA ActiveArmor hardware firewall built into nVidia nForce motherboard chipsets.
It's known for causing a lot of problems.

Open Notepad.
Copy, and paste text below:

Quote:
c:
cd %windir%\system32\wbem\
net stop winmgmt /y
ping -n 10 127.0.0.1
rmdir /s /q repository
rmdir /s /q Logs
mkdir Logs
net start winmgmt
ping -n 10 127.0.0.1
exit
Save it as nvidia.bat

Run it, by doubleclicking on nvidia.bat

Restart computer.

==========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - No CLSID value found.
    [2010/02/06 22:57:52 | 000,001,344 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
    [2010/02/05 22:12:49 | 000,016,384 | -H-- | M] () -- C:\SZKGFS.dat
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
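An added example, not from the thread and not part of OTL itself, showing how the file entries quoted in the fix script above can be parsed and triaged from a defender's side: it reads OTL's `[timestamp | size | attributes | M] (company) -- path` lines and flags non-.sys files under the drivers directory, hidden files in the drive root, and recently modified files with no company name. The sample lines and the review date (SCAN_TIME) are constructed for the example.

```python
import re
from datetime import datetime
# Constructed sample: the two entries from the fix script plus one benign driver line.
SAMPLE_LOG = """\
[2010/02/06 22:57:52 | 000,001,344 | ---- | M] () -- C:\\WINDOWS\\System32\\drivers\\kgpcpy.cfg
[2010/02/05 22:12:49 | 000,016,384 | -H-- | M] () -- C:\\SZKGFS.dat
[2008/04/14 05:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\\WINDOWS\\System32\\drivers\\atapi.sys
"""
SCAN_TIME = datetime(2010, 2, 10)  # assumed review date, matches the thread

# OTL entry: [timestamp | size | attributes | M or C] (company) -- path
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [MC]\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

def parse_entry(line):
    """Turn one OTL file entry into a dict; None for lines in any other format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "hidden": "H" in m["attrs"],
        "company": m["company"],
        "path": m["path"],
    }

def triage(entry, scan_time, recent_days=7):
    """Reasons an entry deserves a second look; an empty list means none."""
    reasons = []
    p = entry["path"].lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\drivers\\" in p and not name.endswith(".sys"):
        reasons.append("non-.sys file in drivers directory")
    if p.count("\\") == 1 and entry["hidden"]:
        reasons.append("hidden file in drive root")
    if not entry["company"] and (scan_time - entry["ts"]).days <= recent_days:
        reasons.append("no company name and modified within the last week")
    return reasons

def flagged(log_text, scan_time=SCAN_TIME):
    # Map each flagged path to its triage reasons; unflagged entries are dropped.
    out = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        reasons = triage(entry, scan_time) if entry else []
        if reasons:
            out[entry["path"]] = reasons
    return out
```

Running `flagged(SAMPLE_LOG)` flags the two entries the fix script removes and leaves the Microsoft driver alone; the rules are only a starting point for reading a log, not a verdict.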
  #16  
Old 02-11-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
Latest Info

I performed the procedure you noted above and received the following log. Not sure what this means however?
----

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4}\ not found.
C:\WINDOWS\system32\drivers\kgpcpy.cfg moved successfully.
C:\SZKGFS.dat moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: JF
->Temp folder emptied: 1910838 bytes
->Temporary Internet Files folder emptied: 9724995 bytes
->Java cache emptied: 70324051 bytes
->FireFox cache emptied: 64320491 bytes
->Apple Safari cache emptied: 5635135 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65536 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 119582098 bytes

Total Files Cleaned = 261.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.1.28.0 log created on 02112010_105328

Files\Folders moved on Reboot...
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\JF\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcos0x7y.default\XUL.mfl moved successfully.
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...
  #17  
Old 02-11-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
Additionally

I was prompted on re-boot to run OTL so I did the quick scan again. Posted here. Probably not necessary?

It's attached here.
Attached Files
File Type: zip OTL2.zip (12.3 KB, 1 views)
  #18  
Old 02-11-2010
Broni's Avatar
Malware Annihilator
 
Location: Daly City, CA
Member since: Feb 2010, 23,062 posts
How is the redirection issue?
  #19  
Old 02-11-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
Very Strange....

Well, the re-direction is still happening. Man, this is a bad infection. I'm beginning to wonder if it's worth pursuing or, given the time I'm spending, it's worth biting the bullet and doing a re-install of Windows... Would have already if the drivers on this Avid system were not so fussy.

What do you think?

I continue to (most of the time but not always) get redirected from the link I have searched to something completely irrelevant.

Also odd is that when I click "back" on the browser it usually, but not always, takes me to the originally intended page.

Your thoughts?
  #20  
Old 02-11-2010
Newcomer, in training
 
Member since: Feb 2010, 18 posts
Oops...Also

Did you see the logs that I uploaded? Do they mean anything to you?