Please help, Google gets redirected

Status
Not open for further replies.

BoBBy99

Posts: 13   +0
I hope someone can please help me. I'm being held prisoner by my computer. I can't do searches; I have to reboot my computer every 30 to 40 minutes.
Symptoms:
1. Links on Google get redirected.
2. Firefox locks up after 30 to 40 minutes of use.
3. I have to reboot to get Firefox to work again; Task Manager will not end its process.
System:
1. Windows Vista
2. AVG anti-virus
3. Firefox
4. Zone Alarm
I have done the 8 steps that the other post says to do.
Thanks ahead of time,
Rob
 

Attachments

  • hijackthis.log
    9.2 KB · Views: 5
  • mbam-log-2009-10-24 (20-50-14).txt
    1,008 bytes · Views: 5
Yes I still have the problem...

Yes I still have the problem and I found a new one I think...I cannot rename or name folders in the folder that I set up for my utilities.
Thanks,
Bob
 
What next?

Does the fact that I am 64 bit mean that it is going to be harder for me to get rid of my problem?
 
It's true there are a few tools that can't be run on 64-bit; even HJT has issues (but still runs at least).

So how did what I mentioned to do go?
Do you have an Avira log or anything?
 
HJT - When I started it, it said that it needed to update, so I let it; now it says that it is an incompatible OS.

I removed AVG and installed Avira AntiVir; it will not update.

Thanks,
Bob
 
You can download the Avira manual update from here: http://dl.antivir.de/down/vdf/ivdf_fusebundle_nt_en.zip
Then open the free Avira Antivirus, select "Update" and point it to the manual update zip file.

Note: If the manual update file cannot be downloaded on your infected computer, use another computer to download it, then transfer the update file to the infected computer via CD or flash drive.

Run a full updated Avira Antivirus scan and provide the log.
 
Log from Avira

I got Avira to update and did a scan...here is the log

Thanks,
Bob
 

Attachments

  • AVSCAN-20091029-161403-EA165139.LOG
    21 KB · Views: 5
Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
 
Here is the OTS log. Thanks for any help that you can give me.

one more try at uploading log...Was too large to upload so I will cut and paste...Too big to do that...will try to cut in two...
 
After the scans...

After the scans I am still getting redirected...What is the next step that I can do?
Oh, and now sometimes when I get redirected, I cannot back up to Google.

Thanks,
Rob
 
Sorry I was unavailable all weekend due to family commitments, I am looking over them now and will get back to you.
 
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-288767038-3198646521-1915670834-1000\] > -> HKEY_USERS\S-1-5-21-288767038-3198646521-1915670834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "AdobeBridge" -> []
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \J ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\shell ->
YN -> \J\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\shell\AutoRun\command ->
YN -> \J\shell\AutoRun\command\\"" -> J:\LaunchU3.exe [J:\LaunchU3.exe -a]
YN -> \{6978071c-de04-11dd-8164-0021706b8877} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6978071c-de04-11dd-8164-0021706b8877}\shell ->
YN -> \{6978071c-de04-11dd-8164-0021706b8877}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6978071c-de04-11dd-8164-0021706b8877}\shell\AutoRun\command ->
YN -> \{6978071c-de04-11dd-8164-0021706b8877}\shell\AutoRun\command\\"" -> J:\LaunchU3.exe [J:\LaunchU3.exe -a]
YN -> \{710ec562-dd31-11dd-b27d-0021706b8877} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{710ec562-dd31-11dd-b27d-0021706b8877}\shell ->
YN -> \{710ec562-dd31-11dd-b27d-0021706b8877}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{710ec562-dd31-11dd-b27d-0021706b8877}\shell\AutoRun\command ->
YN -> \{710ec562-dd31-11dd-b27d-0021706b8877}\shell\AutoRun\command\\"" -> J:\LaunchU3.exe [J:\LaunchU3.exe -a]
YN -> \{710ec56a-dd31-11dd-b27d-0021706b8877} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{710ec56a-dd31-11dd-b27d-0021706b8877}\shell ->
YN -> \{710ec56a-dd31-11dd-b27d-0021706b8877}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{710ec56a-dd31-11dd-b27d-0021706b8877}\shell\AutoRun\command ->
YN -> \{710ec56a-dd31-11dd-b27d-0021706b8877}\shell\AutoRun\command\\"" -> J:\LaunchU3.exe [J:\LaunchU3.exe -a]
YN -> \{710ec572-dd31-11dd-b27d-0021706b8877} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{710ec572-dd31-11dd-b27d-0021706b8877}\shell ->
YN -> \{710ec572-dd31-11dd-b27d-0021706b8877}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{710ec572-dd31-11dd-b27d-0021706b8877}\shell\AutoRun\command ->
YN -> \{710ec572-dd31-11dd-b27d-0021706b8877}\shell\AutoRun\command\\"" -> K:\LaunchU3.exe [K:\LaunchU3.exe -a]
YN -> \{7eb8f142-ec93-11dd-bd60-0021706b8877} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7eb8f142-ec93-11dd-bd60-0021706b8877}\shell ->
YN -> \{7eb8f142-ec93-11dd-bd60-0021706b8877}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7eb8f142-ec93-11dd-bd60-0021706b8877}\shell\AutoRun\command ->
YN -> \{7eb8f142-ec93-11dd-bd60-0021706b8877}\shell\AutoRun\command\\"" -> K:\LaunchU3.exe [K:\LaunchU3.exe -a]
YN -> \{dcc3c611-2205-11de-ba6b-0021706b8877} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dcc3c611-2205-11de-ba6b-0021706b8877}\shell\AutoRun\command ->
YN -> \{dcc3c611-2205-11de-ba6b-0021706b8877}\shell\AutoRun\command\\"" -> K:\Launch.exe [K:\Launch.exe]
YN -> \{e793b624-e8e9-11dd-825d-0021706b8877} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e793b624-e8e9-11dd-825d-0021706b8877}\shell ->
YN -> \{e793b624-e8e9-11dd-825d-0021706b8877}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e793b624-e8e9-11dd-825d-0021706b8877}\shell\AutoRun\command ->
YN -> \{e793b624-e8e9-11dd-825d-0021706b8877}\shell\AutoRun\command\\"" -> K:\LaunchU3.exe [K:\LaunchU3.exe -a]
YN -> \{f825696f-fe9e-11dd-8f8f-0021706b8877} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f825696f-fe9e-11dd-8f8f-0021706b8877}\shell ->
YN -> \{f825696f-fe9e-11dd-8f8f-0021706b8877}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f825696f-fe9e-11dd-8f8f-0021706b8877}\shell\AutoRun\command ->
YN -> \{f825696f-fe9e-11dd-8f8f-0021706b8877}\shell\AutoRun\command\\"" -> K:\LaunchU3.exe [K:\LaunchU3.exe -a]
[Files/Folders - Created Within 30 Days]
NY -> uTorrent -> C:\Users\Rob\AppData\Roaming\uTorrent
NY -> ComboFix -> C:\ComboFix
NY -> Qoobox -> C:\Qoobox
[Files/Folders - Modified Within 30 Days]
NY -> ComboFix.exe -> C:\Users\Rob\Desktop\ComboFix.exe
[Files - No Company Name]
NY -> ComboFix.exe -> C:\Users\Rob\Desktop\ComboFix.exe
[Purity]
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.



  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
 
Are you still being redirected?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O4 - HKCU..\Run: [MediaDevMgrClass] File not found
    O33 - MountPoints2\{6978071c-de04-11dd-8164-0021706b8877}\Shell - "" = AutoRun
    O33 - MountPoints2\{6978071c-de04-11dd-8164-0021706b8877}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{710ec562-dd31-11dd-b27d-0021706b8877}\Shell - "" = AutoRun
    O33 - MountPoints2\{710ec562-dd31-11dd-b27d-0021706b8877}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{710ec56a-dd31-11dd-b27d-0021706b8877}\Shell - "" = AutoRun
    O33 - MountPoints2\{710ec56a-dd31-11dd-b27d-0021706b8877}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{710ec572-dd31-11dd-b27d-0021706b8877}\Shell - "" = AutoRun
    O33 - MountPoints2\{710ec572-dd31-11dd-b27d-0021706b8877}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- [2007/10/23 10:45:40 | 01,336,632 | R--- | M] ()
    O33 - MountPoints2\{7eb8f142-ec93-11dd-bd60-0021706b8877}\Shell - "" = AutoRun
    O33 - MountPoints2\{7eb8f142-ec93-11dd-bd60-0021706b8877}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- [2007/10/23 10:45:40 | 01,336,632 | R--- | M] ()
    O33 - MountPoints2\{dcc3c611-2205-11de-ba6b-0021706b8877}\Shell\AutoRun\command - "" = K:\Launch.exe -- File not found
    O33 - MountPoints2\{e793b624-e8e9-11dd-825d-0021706b8877}\Shell - "" = AutoRun
    O33 - MountPoints2\{e793b624-e8e9-11dd-825d-0021706b8877}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- [2007/10/23 10:45:40 | 01,336,632 | R--- | M] ()
    O33 - MountPoints2\{f825696f-fe9e-11dd-8f8f-0021706b8877}\Shell - "" = AutoRun
    O33 - MountPoints2\{f825696f-fe9e-11dd-8f8f-0021706b8877}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- [2007/10/23 10:45:40 | 01,336,632 | R--- | M] ()
    O33 - MountPoints2\J\Shell - "" = AutoRun
    O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{7685578C-256D-4957-BEE7-F6D8AC58F48D}" =-
    "TCP Query User{8A9AD4A2-57B9-434D-9312-4422398A7286}C:\uitillties\internet utillies\utorrent\utorrent-1.8.3-beta-14984.upx.exe" =-
    "UDP Query User{47106EFF-81F3-40BB-97FB-5BD6F7E0E317}C:\uitillties\internet utillies\utorrent\utorrent-1.8.3-beta-14984.upx.exe" =-
    "UDP Query User{56277069-360E-4977-881D-2F1861E7BAE8}C:\uitillties\internet utillies\utorrent\utorrent-1.8.3-beta-14984.upx.exe" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
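The O33 MountPoints2 lines in the fix above are the AutoRun commands Windows cached for removable drives that were plugged in at some point (the LaunchU3.exe launcher shipped on U3 flash drives, recorded under drive letters J: and K:). Reviewing them by hand is tedious, so here is an added Python example, not part of the thread or of the OTL tool, that parses lines in that O33 format, extracts the volume and command for each entry, and separates entries whose target OTL reported as "File not found" (stale, safe to clear) from those whose launcher still exists. The sample input is a subset of the O33 lines quoted in the fix; the function and class names are this example's own.

```python
"""Summarise OTL-style O33 MountPoints2 AutoRun lines (added example).

Assumptions (not from the thread): the line shape
  O33 - MountPoints2\<volume>\Shell\AutoRun\command - "" = <command> -- <status>
where <status> is either "File not found" or OTL's file-attribute block.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: a subset of the O33 lines from the fix script in the thread.
SAMPLE_O33 = r"""
O33 - MountPoints2\{6978071c-de04-11dd-8164-0021706b8877}\Shell - "" = AutoRun
O33 - MountPoints2\{6978071c-de04-11dd-8164-0021706b8877}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O33 - MountPoints2\{710ec572-dd31-11dd-b27d-0021706b8877}\Shell - "" = AutoRun
O33 - MountPoints2\{710ec572-dd31-11dd-b27d-0021706b8877}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- [2007/10/23 10:45:40 | 01,336,632 | R--- | M] ()
O33 - MountPoints2\{dcc3c611-2205-11de-ba6b-0021706b8877}\Shell\AutoRun\command - "" = K:\Launch.exe -- File not found
O33 - MountPoints2\J\Shell - "" = AutoRun
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
"""

# Only the "...\Shell\AutoRun\command" lines carry a command; the bare
# "\Shell - "" = AutoRun" lines just name the default verb and are skipped.
O33_COMMAND_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<volume>[^\\]+)\\Shell\\AutoRun\\command - "" = '
    r"(?P<command>.+?) -- (?P<status>.*)$"
)


@dataclass
class AutoRunEntry:
    volume: str    # drive letter or volume GUID under MountPoints2
    command: str   # the AutoRun command cached for that volume
    present: bool  # False when OTL reported "File not found"


def parse_o33(text):
    """Return one AutoRunEntry per ...\\Shell\\AutoRun\\command line."""
    entries = []
    for line in text.splitlines():
        m = O33_COMMAND_RE.match(line.strip())
        if not m:
            continue
        entries.append(AutoRunEntry(
            volume=m.group("volume"),
            command=m.group("command"),
            present=not m.group("status").startswith("File not found"),
        ))
    return entries


def stale_entries(entries):
    """Entries whose launcher no longer exists: leftovers of unplugged media."""
    return [e for e in entries if not e.present]


def commands_by_drive(entries):
    """Group cached commands by the drive letter they would run from."""
    grouped = defaultdict(set)
    for e in entries:
        drive = e.command.split("\\", 1)[0]  # e.g. "J:" from "J:\LaunchU3.exe"
        grouped[drive].add(e.command)
    return dict(grouped)


if __name__ == "__main__":
    found = parse_o33(SAMPLE_O33)
    for e in found:
        print(f"{e.volume:45} {e.command:20} {'present' if e.present else 'STALE'}")
    print("by drive:", commands_by_drive(found))
```

Each entry here is a per-user cache (HKCU\...\Explorer\MountPoints2) of what the volume's autorun.inf asked for, so a stale entry is harmless once the media is gone, but an entry pointing at a launcher that still exists tells you which removable drive to inspect next.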
 
New log...

I was still being redirected earlier today, but I just went to Google and clicked on about 10 links and did not get redirected.

In this log I noticed that it was looking at the last 14 days...I have had this problem longer than 14 days.

Thanks,
Bob
 
That log is looking better.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.
 
Currently going on...

I seem to not be getting redirected anymore, could it finally be gone? If it is, what got it? I did not see anything in the logs. Could it have just gone into hiding?
Side note: Could you tell me about the hosts file when it comes to browsing the internet?

Thanks,
Bob
 
You can add sites to your hosts file like this,

127.0.0.1 hxxp://www.badsitenumber1.com

which would mean that if something tried to redirect your browser to that site, it would be redirected back to 127.0.0.1, which is your home computer.

I reset your Hosts file to the default one which seems to have worked. Now you should add a custom one.

MVPS Hosts file
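The hosts-file behaviour described in this post works in both directions: an entry that maps a name to 127.0.0.1 (or 0.0.0.0) sinkholes that site, but an entry that maps google.com or an antivirus update domain to some other address silently redirects it, which is exactly the symptom this thread started with and why the [resethosts] step was used. As an added example, not part of the thread or of the MVPS list, here is a Python audit script that parses a hosts file, separates blocking entries from redirecting ones, and flags any entry for a watched domain. The hosts file content, the watched-domain list and the 203.0.113.7 address (a documentation-range address) are constructed for this example. Hosts entries are an address followed by bare hostnames, so the script also reports lines whose "hostname" carries a URL scheme, because the resolver will never match them.

```python
"""Audit a Windows/Unix hosts file for sinkhole and redirect entries (added example).

Constructed input only; nothing here is read from the thread's machine.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample hosts file, mixing legitimate, blocking, hijacking
# and malformed lines so that every report category gets exercised.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.badsitenumber1.com
0.0.0.0         ads.example.net
203.0.113.7     www.google.com
127.0.0.1       hxxp://www.badsitenumber2.com
"""

# Domains an infection commonly tampers with: search engines and AV/OS update hosts.
# Constructed watch-list for this example.
WATCHED_DOMAINS = ("google.com", "microsoft.com", "windowsupdate.com", "avira.com")

# RFC 952/1123 style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


@dataclass
class HostsEntry:
    lineno: int
    ip: str
    hostname: str


def parse_hosts(text):
    """Return a list of (HostsEntry, problem) pairs; problem is None when well-formed."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            results.append((HostsEntry(lineno, parts[0], ""), "missing hostname"))
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            results.append((HostsEntry(lineno, ip, names[0]), "invalid address"))
            continue
        for name in names:  # one address may carry several hostnames
            problem = None if HOSTNAME_RE.match(name) else "invalid hostname"
            results.append((HostsEntry(lineno, ip, name), problem))
    return results


def classify(entry):
    """'block' for loopback/unspecified sinkholes, 'redirect' for anything else."""
    addr = ipaddress.ip_address(entry.ip)
    if entry.hostname == "localhost":
        return "localhost"
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    return "redirect"


def is_watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Group entries into block / redirect / malformed, and flag watched domains as hijack."""
    report = {"block": [], "redirect": [], "malformed": [], "hijack": []}
    for entry, problem in parse_hosts(text):
        if problem:
            report["malformed"].append((entry.lineno, entry.hostname, problem))
            continue
        kind = classify(entry)
        if kind == "localhost":
            continue
        report[kind].append((entry.lineno, entry.hostname, entry.ip))
        if is_watched(entry.hostname):
            report["hijack"].append((entry.lineno, entry.hostname, entry.ip))
    return report


if __name__ == "__main__":
    for category, items in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{category}: {items}")
```

On a live system, point it at the real file (C:\Windows\System32\drivers\etc\hosts on Windows): a long list of 0.0.0.0 or 127.0.0.1 entries is what a blocking list such as MVPS looks like, while any "redirect" or "hijack" line deserves a close look before trusting search results again.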
 