Inactive Need help with a persistent Google redirect!

Status
Not open for further replies.
Redirect is still present. When I refreshed this forum, it actually opened a new tab again with the random page. Here is the log from SystemLook:



SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:31 on 27/05/2010 by Floyds (Administrator - Elevation successful)

========== dir ==========

C:\32788R22FWJFW - Parameters: "/s"

---Files---
None found.

C:\32788R22FWJFW\EN-US d----- [03:29 28/05/2010]
cmd.cfxxe.mui --a--- 126976 bytes [03:29 28/05/2010] [02:09 14/07/2009]

c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521} - Parameters: "/s"

---Files---
None found.

c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86 d----- [23:41 18/05/2010]
DIFxAPI.dll --a--- 319456 bytes [11:21 02/11/2006] [11:21 02/11/2006]
DifXInstall32.exe --a--- 75112 bytes [18:56 04/02/2009] [18:56 04/02/2009]
DIFxInstallLog.txt --a--- 1942 bytes [23:41 18/05/2010] [23:41 18/05/2010]
GEARAspiWDM.inf --a--- 2763 bytes [18:48 18/05/2009] [18:48 18/05/2009]
gearaspiwdmx86.cat --a--- 7994 bytes [14:32 03/06/2009] [14:32 03/06/2009]

c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86 d----- [23:41 18/05/2010]
GEARAspi.dll --a--- 107368 bytes [17:12 17/04/2008] [17:12 17/04/2008]
GEARAspiWDM.sys --a--- 26600 bytes [18:17 18/05/2009] [18:17 18/05/2009]

========== filefind ==========

Searching for "wuauclt.exe"
C:\Windows\ERDNT\cache\wuauclt.exe --a--- 47104 bytes [18:39 16/05/2010] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
C:\Windows\System32\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2

Searching for "ctfmon.exe"
C:\Windows\ERDNT\cache\ctfmon.exe --a--- 8704 bytes [18:39 16/05/2010] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
C:\Windows\System32\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D

-=End Of File=-
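The filefind section above lists every copy of wuauclt.exe and ctfmon.exe with its size and MD5; the point of such a search is to confirm that the copy in System32 still matches the copy Windows keeps in the winsxs component store. The script below is an added example (not part of the thread or of SystemLook) that automates that comparison over the log text. Its sample input is constructed: the two real searches from the log plus a made-up "tampered.exe" entry with fake hashes, so that the mismatch path is exercised.

```python
"""Consistency check over a SystemLook 'filefind' section.

Added example, not part of the thread or of SystemLook. It parses each
filefind line (path, attributes, size, two timestamps, MD5) and, for every
searched file name, checks that all copies found share the size and MD5 of
the copy in the winsxs component store. A System32 copy whose hash differs
from its winsxs counterpart is what a replaced system binary looks like.
"""
import re
from collections import defaultdict

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
ENTRY_RE = re.compile(
    r'^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes'
    r'\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$'
)

# Constructed sample: the two real searches from the log above, plus a made-up
# "tampered.exe" whose System32 copy carries a different (fake) hash.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "wuauclt.exe"
C:\Windows\ERDNT\cache\wuauclt.exe --a--- 47104 bytes [18:39 16/05/2010] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
C:\Windows\System32\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2

Searching for "ctfmon.exe"
C:\Windows\ERDNT\cache\ctfmon.exe --a--- 8704 bytes [18:39 16/05/2010] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
C:\Windows\System32\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D

Searching for "tampered.exe"
C:\Windows\System32\tampered.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
C:\Windows\winsxs\x86_constructed-component\tampered.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

-=End Of File=-
"""


def parse_filefind(text):
    """Return {searched_name: [entry, ...]} for every 'Searching for' block."""
    results = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            results[current].append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                "md5": m.group("md5").upper(),
            })
    return dict(results)


def check_copies(results):
    """Compare every copy of each file against the winsxs copy (or the first
    copy, if no winsxs copy was found) on both size and MD5."""
    report = {}
    for name, entries in results.items():
        ref = next((e for e in entries if "\\winsxs\\" in e["path"].lower()), entries[0])
        mismatches = [e["path"] for e in entries
                      if e["md5"] != ref["md5"] or e["size"] != ref["size"]]
        report[name] = {
            "copies": len(entries),
            "reference": ref["path"],
            "mismatches": mismatches,
            "consistent": not mismatches,
        }
    return report


if __name__ == "__main__":
    for name, info in check_copies(parse_filefind(SAMPLE_LOG)).items():
        status = "OK" if info["consistent"] else "MISMATCH"
        print(f"{name}: {info['copies']} copies, {status}")
        for p in info["mismatches"]:
            print(f"  differs from reference copy: {p}")
```

On the real log above both files come back consistent (three identical hashes each); the constructed tampered.exe entry is reported with its System32 path listed as differing from the winsxs reference.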
 
BTW, did you clean Java cache, as asked in one of my previous replies?

Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Double-click mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log (mbr.log) file to your next reply.

=====================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
I did clear the Java cache but I had to do it from within the Java settings as I am using Windows 7 and do not have the directory structure that you listed. Here is the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

I am letting the Kaspersky update run while I am in bed and will post the results of the scan in the morning. Thank you so much for the help you are giving!
 
Ok, long day but I'm finally ready to tackle this again. Here is the result of the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, May 28, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, May 28, 2010 05:21:47
Records in database: 4192492
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 451960
Threats found: 6
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 06:15:44


File name / Threat / Threats count
C:\Users\Floyds\AppData\Local\Microsoft\Windows Live Mail\Bellsouth ( cf0\Deleted Items\319871D0-000003F7.eml Infected: Trojan.Win32.Sasfis.akzx 1
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIXWY5C1\s00a106201317r0409Rca5b1ae8Xd11e17a7Y9ac269bcZ0100f080[1].pdf Infected: Exploit.JS.Pdfka.ceb 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2938ae1-3a735a7d Infected: Exploit.Java.Agent.f 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2938ae1-3a735a7d Infected: Trojan-Downloader.Java.Agent.cd 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2938ae1-3a735a7d Infected: Trojan-Downloader.Java.OpenStream.al 1
F:\Users\Corey\Downloads\Music\no me hace falta.wma Infected: Trojan-Downloader.WMA.Wimad.y 1

Selected area has been scanned.

Oh, and I am still being redirected in Firefox.
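The report above gives one "path Infected: threat count" line per detection. The script below is an added example (not part of the thread or of Kaspersky's tooling) that turns such a report into a summary: it tags each finding with the profile it belongs to (the service profile under systemprofile versus a named user's profile) and the kind of location it sits in (Java cache, browser cache, mail store, downloads), counts distinct files versus detections, and cross-checks the total against the header. The location and profile rules are this example's own heuristics, and the sample input is constructed from the findings posted above.

```python
"""Summarise a Kaspersky Online Scanner 7 report.

Added example, not part of the thread or of Kaspersky's tooling. It pulls each
"<path> Infected: <threat> <count>" line out of the report, tags it with the
profile it belongs to and the kind of location it sits in, and cross-checks
the detection total against the report header. The location and profile
rules are this example's own heuristics.
"""
import re
from collections import Counter

FINDING_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$')
STAT_RE = re.compile(
    r'^(?P<key>Objects scanned|Threats found|Infected objects found|'
    r'Suspicious objects found): (?P<value>\d+)$'
)

# Most specific first; the first rule whose pattern matches wins.
LOCATION_RULES = [
    ("java-cache", re.compile(r'\\Sun\\Java\\Deployment\\cache\\', re.I)),
    ("browser-cache", re.compile(r'\\Temporary Internet Files\\', re.I)),
    ("mail-store", re.compile(r'\\Windows Live Mail\\', re.I)),
    ("user-downloads", re.compile(r'\\Downloads\\', re.I)),
]

# Constructed sample: the header counters and the six findings from the report
# posted above, with the decorative separator lines left out.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0: scan report
Objects scanned: 451960
Threats found: 6
Infected objects found: 6
Suspicious objects found: 0

File name / Threat / Threats count
C:\Users\Floyds\AppData\Local\Microsoft\Windows Live Mail\Bellsouth ( cf0\Deleted Items\319871D0-000003F7.eml Infected: Trojan.Win32.Sasfis.akzx 1
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIXWY5C1\s00a106201317r0409Rca5b1ae8Xd11e17a7Y9ac269bcZ0100f080[1].pdf Infected: Exploit.JS.Pdfka.ceb 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2938ae1-3a735a7d Infected: Exploit.Java.Agent.f 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2938ae1-3a735a7d Infected: Trojan-Downloader.Java.Agent.cd 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2938ae1-3a735a7d Infected: Trojan-Downloader.Java.OpenStream.al 1
F:\Users\Corey\Downloads\Music\no me hace falta.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
"""


def classify_location(path):
    """Label the kind of place the object sits in, or 'other'."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"


def profile_of(path):
    """Account whose profile holds the file; 'SYSTEM' for the service profile
    that lives under the systemprofile directory in System32."""
    if "\\config\\systemprofile\\" in path.lower():
        return "SYSTEM"
    m = re.search(r'\\Users\\([^\\]+)\\', path, re.I)
    return m.group(1) if m else "(none)"


def parse_report(text):
    """Return {'stats': {...header counters...}, 'findings': [...]}"""
    stats, findings = {}, []
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m.group("key")] = int(m.group("value"))
            continue
        m = FINDING_RE.match(line.strip())
        if m:
            path, threat = m.group("path"), m.group("threat")
            findings.append({
                "path": path,
                "threat": threat,
                "count": int(m.group("count")),
                # Kaspersky names read Behaviour.Platform.Family.Variant
                "behaviour": threat.split(".")[0],
                "profile": profile_of(path),
                "location": classify_location(path),
            })
    return {"stats": stats, "findings": findings}


def summarize(report):
    """Aggregate counts, plus a check that detections add up to the header total."""
    f = report["findings"]
    detections = sum(x["count"] for x in f)
    return {
        "detections": detections,
        "distinct_files": len({x["path"] for x in f}),
        "by_behaviour": Counter(x["behaviour"] for x in f),
        "by_profile": Counter(x["profile"] for x in f),
        "by_location": Counter(x["location"] for x in f),
        "header_consistent": detections == report["stats"].get("Infected objects found"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the report above the summary shows six detections on four distinct files (the one Java cache object is flagged three times), four of them under the SYSTEM profile, and the header count of six confirmed.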
 
Apparently, you didn't clear Java cache, because Kaspersky found some infection there.
We'll clear the cache, using a tool listed below.

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIXWY5C1\s00a106201317r0409Rca5b1ae8Xd11e17a7Y9ac269bcZ01 00f080[1].pdf 
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployme nt\cache\6.0\
F:\Users\Corey\Downloads\Music\no me hace falta.wma
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
After rebooting, I am getting the hardware disconnect sound every few seconds. It's the sound that you get when you disconnect a USB drive or camera, etc. Nothing new is running. Here is the log.


All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIXWY5C1\s00a106201317r0409Rca5b1ae8Xd11e17a7Y9ac269bcZ01 00f080[1].pdf not found.
Folder C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployme nt\cache\6.0 not found.
F:\Users\Corey\Downloads\Music\no me hace falta.wma moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Floyds
->Temp folder emptied: 112379300 bytes
->Temporary Internet Files folder emptied: 1263484 bytes
->Java cache emptied: 188943 bytes
->FireFox cache emptied: 37931017 bytes
->Flash cache emptied: 1024 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 113239892 bytes

Total Files Cleaned = 253.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05282010_222826
 
Ok, I opened about 30 links in Google using IE and had 0 redirects. Plus, it seems to be opening them about a second faster. In Firefox, I had a random tab open and it redirects every link :/
 
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
 
GooredFix by jpshortstuff (08.01.10.1)
Log created at 22:47 on 28/05/2010 (Floyds)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [13:43 28/10/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [13:46 01/11/2009]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [23:20 18/05/2010]

C:\Users\Floyds\Application Data\Mozilla\Firefox\Profiles\59ulhkem.default\extensions\
foxmarks@kei.com [03:03 31/01/2010]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [15:51 18/02/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-
 
Download FoxScan from HERE, or HERE
Double click on FoxScan.exe to start the scan.
DOS-like window will pop-up.
Press 2 for English. Press Enter.
Be patient. It'll take a few minutes.
When the tool is done, it'll display:

Search completed.
Press any key to coninue...


Press any key.
Notepad window titled Rapport-FS.txt will open.
Save the file to a known location, and attach it to your next reply.
 
Yay! It seems to be fixed! Thanks a million for your help! Is there a way to get back my old bookmarks and passwords or do I just need to re-add all of that?
 
I'm glad to hear good news :)

As for bookmarks, log in to your old profile and click on Bookmarks > Organise Bookmarks.
A new window will open.
Go to Import and Backup > Export HTML.
Now log in to your new profile and go the very same way, except at the end click on Import HTML.

As for passwords, see here: http://www.watchingthenet.com/how-to-backup-your-saved-passwords-in-firefox.html
You'll have to install the above add-on in your old AND new profile.

When done with everything....


Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Ok, I did all of the steps and downloaded Web of Trust, and once it was installed a new tab opened and a random redirect site opened. Then I got an error box saying "unable to open adobe reader" and a small (about 2x2") Firefox window opened that was blank. Now my Google is being redirected again.....

Am I better off just uninstalling Firefox?
 
Ok, I uninstalled Firefox and I set IE as my primary since I really don't mind using the new IE. Luckily, I had Xmarks on Firefox so I was able to install that on IE and import my favorites from the server. I am not seeing any Google redirects yet, however, twice now I have seen a separate tab open at random with another website so I know something fishy is still going on.
 
Let's see if we can look at your computer booting from an external source.

You will need a USB flash drive to move information from the bad computer to a working computer.

You need to download two programs.

First

ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions)

Second

  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system (Non working computer) using the boot CD you just created.
    • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box Automatically Load All Remaining Users is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Registry to All
    • Under Custom Scan box paste this in:

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      userinit.exe
      explorer.exe
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.
 
Ok, sorry for the delayed response but here is the log. I have two hard drives in my computer. One has XP on it and one has Windows 7. I never use the XP hard drive and I always boot into Win7. I might be mistaken but it appears that the Reatogo-x booted to the other drive from the boot disk and only scanned my XP drive. If so, that is not the drive that I'm experiencing the problem with.
 

Attachments:
  • OTL.Txt (156.9 KB)
Hmmm... you just brought up very new info I wasn't aware of.
What is the drive letter Win 7 is installed on?
 
I apologize for not telling you sooner about the other drive. I didn't consider it to be relevant. When I'm booted into Win7, the other drive is F:; however, if I boot into the XP drive, it calls my Win7 drive F: and names itself C:. I hope that is clear. Sorry again.
 