Hello,
Starting this morning I am getting random redirects of my browser google search. I go to the search bar on the top right of my Internet explorer 8 and type a search and it takes me to links that look like googles but then when I click on the link I am interested in it takes me to a random site. If I choose bing as the search engine after this I seem to have no problems. If I choose google after this it works too only the default search provider (ostensibly google) seems to have the problem. I followed the procedures mentioned in the forum here and here are the logs. Please help.

Attached Files

	mbam-log-2010-04-10 (19-09-07).txt (1.4 KB, 1 views)
	SUPERAntiSpyware Scan Log - 04-10-2010 - 20-29-52.log (39.4 KB, 1 views)
	hijackthis.log (15.7 KB, 2 views)

You have some Norton's leftovers.
Please, run Norton Removal Tool: http://service1.symantec.com/Support...05033108162039

Then....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Hello,
Here are the logs. As I was running the combofix it seems that a program ostensibly "Windows Security Center" automatically started up and said it found some 25 threats in my computer and asked me to register to get the computer immunized the popups indicate that it is from XP smart security and seems to not let me turn on my windows built in firewall. I am not sure if this is legit and remembering the warning not to install anything I did not do anything. Awaiting your response. Thanks

Attached Files

	ComboFix.txt (21.3 KB, 1 views)
	hijackthislog2.txt (14.4 KB, 0 views)

"Windows Security Center" is surely a fake, so make sure not to click on anything like that.

Please download Profiles by noahdfear.

* Save it to your desktop.
* Double-click profiles.exe and post its log when you reply.

=========================================================================

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.

Hope I can get this nasty out of the system soon. Later when we are done maybe you can shed some light how I may have caught this. I know the answers depend on several parameters and browsing habits but any suggestions may help me in the future.

PS: I noticed that TDSS seems to have indicated that it will cure something on reboot but I have not rebooted as I think you will want me to do something else than what is suggested.

Attached Files

	TDSSKiller.2.2.8.1_11.04.2010_13.22.51_log.txt (16.7 KB, 6 views)
	profileslog.txt (1.5 KB, 3 views)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Here are the latest combofix and HJT logs. Am I clean now? My browser seems to be behaving ok ( google queries do not get redirected as yet). But I'll let the logs inform you better. Thanks

Attached Files

	ComboFixlog2.txt (18.3 KB, 1 views)
	hijackthislog3.txt (14.2 KB, 1 views)

I'm glad to see, redirection is gone


1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

Please let me know if my pc is clean. Thanks for all the help.

Attached Files

	ComboFixlog3.txt (19.1 KB, 2 views)
	hijackthislog4.txt (14.1 KB, 0 views)

I surely will let you know, as soon, as it's clean

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
• Archives
• Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.

Here are the logs from Kaspersky scan (it took a long while to run hence the delay in the post) and the latest HJT log. Kaspersky finds nothing but redirection is still occuring :-(. Please advise.

Attached Files

	hijackthislog5.txt (14.3 KB, 2 views)
	KasperskyReport.txt (847 Bytes, 3 views)

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

Here are the logs. Thanks

Attached Files

	OTL.Txt (87.5 KB, 1 views)
	OTLExtras.Txt (56.2 KB, 1 views)

Before I check your logs, can you please explain better this:
...and, which browser are we talking about here?
Did you try another browser?

I am using Explorer 8 and I have a search bar on the top right thatallows me a choice of search providers Default (google), Bing, Google, Google desktop. When I use the default I get redirected, when I choose bing or the google choice in the drop down I do not get redirected (not yet at least).

I Went to mozilla and updated my firefox to the latest version but I have the same problem. Additionally if I use yahoo search within firefox it also redirects, my avast actually caught a malware when I did this and quarantined it.

Do you need any more info?
Thanks for your help.

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.

To my untrained eye it seems that the last 2 lines of the log indicate suspicious changes to atapi.sys and redbook.sys files. Here is the log for your expert advice. Thanks

Attached Files

gmer.log (50.4 KB, 3 views)

Your untrained eye seems to be pretty good

It looks like we're dealing here with the newest TDSS rootkit version.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Vista users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  
  Code:

  :filefind
  redbook.sys
  atapi.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

here it is. Thanks

Attached Files

SystemLook.txt (2.6 KB, 1 views)

Please download OTM

• Save it to your desktop.
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

• Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.