Solved Google and Opera Redirect

Status
Not open for further replies.

djphilos

Posts: 21   +0
Hello

As said in the title, web searches are randomly redirecting to random sites.

I have completed the 8-step plan and have attached the relevant files, although I tried to run GMER twice with no luck. The first time it just froze, and the second time I left the room for 10 mins and when I returned the computer had rebooted.

Help please
 

Attachments

  • mbam-log-2010-05-03 (12-39-20).txt (892 bytes)
  • DDS.txt (12.2 KB)
  • Attach.txt (14.9 KB)
Try GMER with "Devices" unchecked in the right pane.
If it still doesn't work, try running GMER in Safe Mode.
 
No joy with that, the computer just freezes up when I try to run the GMER scan, BUT!!!

I did notice that one of the scans started with a message saying that it had found a Suspiciously Modified Atapi.sys file.

I googled this and have found quite a few people have resolved this redirect problem by repairing/replacing the C:\Windows\System32\drivers\atapi.sys file.

I do have the recovery console on my pc, but do not have a clue how to use it

Would I be jumping the gun by asking for instructions on how to replace said file?

Hope to hear from you soon
 
That atapi find is common with malware. You can run Combofix first and see if that replaces it. Please do not try to replace on your own!

Please download ComboFix from Here and save to your Desktop.

1. Do NOT rename Combofix unless instructed.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Close any open browsers.
4. Double click combofix.exe & follow the prompts to run.
   NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
5. If Combofix asks you to install Recovery Console, please allow it.
6. If Combofix asks you to update the program, always allow.
   Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

"one of the scans started with a message saying that it had found a Suspiciously Modified Atapi.sys file"

Which scan was that?
 
I will run Combofix now and post txt file asap

The message was in one of the GMER scans that froze
 
Did you try both Safe Mode and leaving 'devices' off to run GMER? If not, please do that.
Then do the following:

Custom CFScript

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\hitmanpro35.sys
c:\windows\system32\drivers\SBREDrv.sys
c:\program files\Hitman Pro 3.5\HitmanPro35.exe

FileLook::
c:\documents and settings\phil\Local Settings\Application Data\twelvplhn

DirLook::
C:\my123

Folder::
c:\documents and settings\All Users\Application Data\Hitman Pro
c:\program files\Hitman Pro 3.5

Registry::
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
Then Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please leave the GMER log if you got it, the Combofix report after using the script and the Eset log in your next reply.

You have some file sharing programs on the system. Do not use them while I am helping clean the system. Don't use any other cleaning programs or scans unless I direct you to. Don't use a Registry cleaner or make any changes in the Registry
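As an added illustration (not code from this thread, and not part of ComboFix itself), a small Python reviewer for the CFScript format used above: it lists what each section targets and, for FCopy:: pairs, checks by hash whether the live file actually differs from the backup that would overwrite it, which is what a tampered atapi.sys looks like next to its ServicePackFiles copy. The sample script and the patched driver bytes are constructed, and the registry key name is a placeholder.

```python
"""Review a ComboFix CFScript before running it: list each directive's targets
and, for FCopy:: pairs, check whether the live file differs from the backup."""
import hashlib
import tempfile
from pathlib import Path

# Section headers seen in this thread's scripts (each appears as "Name::").
SECTIONS = ("File", "Folder", "FileLook", "DirLook", "Registry", "RegNull",
            "RegLockDel", "Driver", "FCopy")

def parse_cfscript(text):
    """Map each 'Name::' section header to the lines listed beneath it."""
    plan, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::") and line[:-2] in SECTIONS:
            current = line[:-2]
            plan.setdefault(current, [])
        elif current is not None:
            plan[current].append(line)
    return plan

def fcopy_pairs(plan):
    """FCopy lines read 'backup | live'; return them as (backup, live) tuples."""
    return [tuple(p.strip() for p in line.split("|", 1))
            for line in plan.get("FCopy", [])]

def live_file_modified(backup, live):
    """True when the live driver no longer matches its ServicePackFiles copy."""
    digest = lambda p: hashlib.sha256(Path(p).read_bytes()).hexdigest()
    return digest(backup) != digest(live)

# Constructed sample using paths from this thread; the key name is a placeholder.
SAMPLE_SCRIPT = r"""File::
c:\windows\system32\drivers\hitmanpro35.sys
Registry::
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\...\Components\PLACEHOLDER_KEY]
FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
"""

def demo_atapi_check():
    """Constructed stand-in for the real files: the 'live' copy has a few bytes
    patched, as a tampered atapi.sys would; returns True (modified)."""
    root = Path(tempfile.mkdtemp())
    backup, live = root / "atapi.sys.bak", root / "atapi.sys"
    backup.write_bytes(b"MZ" + b"\x00" * 62 + b"original driver body")
    live.write_bytes(b"MZ" + b"\x00" * 62 + b"original driver BODY")
    return live_file_modified(backup, live)
```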
 
Ok, so I finally got GMER to run.

GMER was the last thing I ran btw
 

Attachments

  • Esetlog.txt (2.2 KB)
  • log050510.txt (24.8 KB)
  • GMER.log (14.8 KB)
No new infections. The entries in the Eset log are quarantined files from Combofix. These will all be removed when Combofix is uninstalled. The last entry, in System Volume, is a restore point. I will have you drop all the old restore points when finished. GMER is clean.

I checked the directory C:\my123 and found the following files:
This file, c:\my123\mbr.cfxxe, has an original date of 2009-10-25 05:11.
These files, c:\my123\mbr.txt and c:\my123\CF12722.cfxxe, both have a date of 4/24/2010.

MBR = Master Boot Record, but I cannot identify the cfxxe file extension. Did you set up a partition on the system here?

One other entry is not identifiable:
2010-04-22 16:12 c:\documents and settings\phil\Local Settings\Application Data\twelvplhn

Can you tell me what either or both of these files and folders are? Are they something you renamed?
=======================
To make sure there aren't any bad entries remaining:
Download HijackThis HERE and save it.
  • Double-click on the saved file.
  • When it runs it will prompt you to extract hijackthis.exe to C:\Program Files\Trend Micro\HijackThis.
  • When the installation has finished. HijackThis will automatically launch.
  • When the license agreement appears, select I accept and then click on the Do a system scan only button.
  • When the scan is complete, click on the Save Log button to create a log of your information.
  • Paste the log into your next reply.
 
I did rename a copy of combofix to my123.

As for the twelvplhn, I do not know what that is or could be.
 

Attachments

  • hijackthis.log (5.7 KB)
Custom CFScript


1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\Burn4Free_Toolbar_Uninstaller_8640.exe
c:\documents and settings\phil\Local Settings\Application Data\twelvplhn
c:\windows\system32\drivers\dmload.sys
C:\Program Files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Folder::
c:\program files\Burn4Free
c:\program files\Burn4Free Toolbar
C:\my123

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
 
Good. Probably got rid of it all! There is one Registry entry I'd like for you to remove:

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the code below into it:
Code:
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

You do not need to leave the log.
====================
Removing all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Let me know if I can be of further help.
 
You're very welcome. And I accept the wishes for Peace and Ohm. Actually I'm just one of many who enjoys doing this! Stay clean:

Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
5. Use an AntiVirus Software (only one)
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
Comodo or Zone Alarm
7. Consider these programs for Extra Security
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: Get the free Google Toolbar to help stop pop up windows.

If I can be of further assistance, please let me know. I'm closing the thread as 'Solved'.
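To show the HOSTS-file mechanism the MVPS recommendation above relies on, here is an added Python example (not from this thread or from the MVPS project): it parses HOSTS-style entries the way the resolver does, so a name mapped to 127.0.0.1 or 0.0.0.0 is answered locally and never reaches DNS. The sample entries are constructed placeholders, not real MVPS list contents.

```python
"""Resolve names through a HOSTS file the way the OS does: HOSTS is consulted
before DNS, so a blocked name mapped to 127.0.0.1 never leaves the machine."""

# Addresses MVPS-style lists use to sinkhole a name (loopback or "this host").
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}

def parse_hosts(text):
    """Return {hostname: address}, ignoring comments and blank lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()           # one address, one or more names
        for name in names:
            table[name.lower()] = addr        # hostnames are case-insensitive
    return table

def hosts_lookup(table, hostname):
    """Address the HOSTS file would hand back, or None to fall through to DNS."""
    return table.get(hostname.strip().lower().rstrip("."))

def is_sinkholed(table, hostname):
    """True when HOSTS points the name at the local machine (and it is not
    the legitimate localhost entry that every HOSTS file carries)."""
    name = hostname.strip().lower().rstrip(".")
    return name != "localhost" and hosts_lookup(table, name) in SINKHOLE_ADDRS

# Constructed sample; the blocked names are placeholders, not real MVPS entries.
SAMPLE_HOSTS = """# MVPS-style HOSTS file (constructed example)
127.0.0.1 localhost
127.0.0.1 ads.example.invalid  # ad server: sinkholed to this machine
0.0.0.0   tracker.example.invalid
"""
```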
 