Topic: Hijacked?

Tracyvp

  • Guest
Hijacked?
« on: February 10, 2010, 06:47:09 PM »
Good morning!  I'm SO thankful I have found this forum.  I'm hoping someone can help me.

I came here initially because despite running Avast all the time, I had acquired the Internet Security 2010 virus.  I downloaded Malwarebyte's Anti-malware and was able to remove it. However, I am still having problems in that whenever I use a search engine, the links seem to take me somewhere else other than the site I'm looking for.

As advised in the Malwarebyte instructions, before I started, I uninstalled and reinstalled that program, ran it again and found nothing.  Then I installed and ran OTL and have attached the results here.

Can anyone advise me what to do next?  I'm not terribly adept at any of this but I can follow directions to the letter if they're made clear!

Thanks so much for your help!

~Tracy

Tracyvp
Re: Hijacked?
« Reply #1 on: February 10, 2010, 06:48:20 PM »
Here's the log of the extras.txt file.  The two combined were too big for one post.

~Tracy

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Hijacked?
« Reply #2 on: February 10, 2010, 10:18:35 PM »
Hi there, still a tad to remove.

Run OTL.exe
  • Download the attached Fix.txt to your desktop
  • Drag and drop the file to the Custom Scans/Fixes box at the bottom,
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
THEN

I need to check the validity of a system file

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

Caution: These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Tracyvp
Re: Hijacked?
« Reply #3 on: February 10, 2010, 11:18:17 PM »
Here's what came up when the fix was complete.  It's not called OTL but I'm assuming it's correct.  Do I wait to do the next bit or do I do it while you're checking this?

~Tracy

essexboy
Re: Hijacked?
« Reply #4 on: February 10, 2010, 11:25:26 PM »
You forgot to attach it  ;D

Yes run GMER now please

Tracyvp
Re: Hijacked?
« Reply #5 on: February 10, 2010, 11:26:33 PM »
Here's the result of the gmer.txt log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-10 14:25:21
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TRACYS~1\LOCALS~1\Temp\uxtcrfog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs       aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip     aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp    aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp    aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
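The Devices section of the log above lists the filter drivers attached to the NTFS and TCP/IP device stacks, and essexboy's earlier caution about false positives applies here: legitimate security software such as avast! attaches drivers in exactly this way, so the useful triage question is "whose driver is this, and do I expect it on this machine?". The following is an added Python example, not code from the thread or from GMER. It parses that section, groups attached drivers by the vendor GMER prints after the slash in parentheses, and lists any entry whose vendor is not on a reviewer-supplied trusted list. The sample text is the log quoted in this post; the one extra line with PLACEHOLDER names is constructed only to exercise the review path, and the trusted-vendor list is an assumption.

```python
import re
from collections import defaultdict

# Sample input: the GMER log quoted in this post (header plus the Devices section).
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-10 14:25:21
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TRACYS~1\LOCALS~1\Temp\uxtcrfog.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs       aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip     aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp    aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp    aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
"""

# Constructed line with placeholder names; it is NOT from the thread and exists
# only to show what an entry from an unrecognised vendor looks like in the report.
CONSTRUCTED_UNKNOWN_LINE = (
    r"AttachedDevice  \Driver\Tcpip \Device\Tcp    PLACEHOLDER.SYS "
    r"(Constructed Filter Driver/Constructed Vendor)"
)

# Assumption: vendors whose software the reviewer knows is installed on this machine.
TRUSTED_VENDORS = {"ALWIL Software", "Microsoft Corporation"}

# kind  target  device  driver  (description/vendor)
DEVICE_RE = re.compile(
    r"^(?P<kind>\S+)\s+(?P<target>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)\s+\((?P<info>.*)\)\s*$"
)


def parse_devices(log_text):
    """Return one dict per entry in the '---- Devices ----' section of a GMER log."""
    entries = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("---- Devices"):
            in_section = True
            continue
        if in_section and line.startswith("----"):
            break  # next section header or the EOF marker
        if not in_section or not line.strip():
            continue
        m = DEVICE_RE.match(line)
        if not m:
            continue  # not a device record in the expected shape
        info = m.group("info")
        # GMER prints "Description/Vendor"; the vendor is the text after the last slash.
        description, sep, vendor = info.rpartition("/")
        if not sep:
            description, vendor = info, "unknown"
        entries.append({
            "kind": m.group("kind"),
            "target": m.group("target"),
            "device": m.group("device"),
            "driver": m.group("driver"),
            "description": description.strip(),
            "vendor": vendor.strip(),
        })
    return entries


def triage(entries, trusted_vendors):
    """Group driver names by vendor and collect entries whose vendor is not trusted."""
    by_vendor = defaultdict(set)
    review = []
    for e in entries:
        by_vendor[e["vendor"]].add(e["driver"])
        if e["vendor"] not in trusted_vendors:
            review.append(e)
    return {
        "by_vendor": {v: sorted(d) for v, d in by_vendor.items()},
        "review": review,
    }


if __name__ == "__main__":
    result = triage(parse_devices(SAMPLE_LOG), TRUSTED_VENDORS)
    for vendor, drivers in result["by_vendor"].items():
        print(f"{vendor}: {', '.join(drivers)}")
    print("entries to review:", len(result["review"]))
```

Run against the quoted log, every attached device resolves to ALWIL Software and the review list is empty, which matches the reply that follows. Anything that does land in the review list is a question for the helper, not an instruction to act on; the parser only sorts the log, it does not judge the driver.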

essexboy
Re: Hijacked?
« Reply #6 on: February 10, 2010, 11:29:23 PM »
Have the redirects gone now?

Tracyvp
Re: Hijacked?
« Reply #7 on: February 10, 2010, 11:32:46 PM »
> Have the redirects gone now?

No, still happening.  Also, I must have lost the log from the OTL "Run Fix" that I forgot to attach.  Should I run it again and post the log?

essexboy
Re: Hijacked?
« Reply #8 on: February 10, 2010, 11:37:01 PM »
Yes please - are the redirects in both IE and Firefox?

Tracyvp
Re: Hijacked?
« Reply #9 on: February 10, 2010, 11:57:00 PM »
> Yes please - are the redirects in both IE and Firefox?

Yes, the redirects are happening in both IE and Firefox.
OTL log is attached

essexboy
Re: Hijacked?
« Reply #10 on: February 11, 2010, 08:50:27 PM »
OK, let's start using the heavy gang.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Tracyvp
Re: Hijacked?
« Reply #11 on: February 12, 2010, 07:06:32 AM »
Well now I've got REAL problems because the computer won't even boot up! It shut itself down sometime today while I was gone and it won't start even in safe mode. Not sure what to do at this point but I'm going out of town for a couple of days so it will just have to wait until I get back I guess.

essexboy
Re: Hijacked?
« Reply #12 on: February 12, 2010, 08:21:04 PM »
Hi, this is the second time this has happened to me - I think I will curtail combofix for a while.

However it can be repaired.

OK, this file is big, about 276.7 MB; print these instructions out so that you know what you are doing.

File details :
Bytes - 290,234,368
MB - 276.7
MD5 - C1F65EAFC453367E12E242BFCDFB68A2

Two programmes to download

First

ISOBurner: this will allow you to burn OTLPE.iso to a CD and make it bootable.  Just install the programme; from there on in it is fairly automatic.  Instructions

Second

  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292 MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads  :) 
  • Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to: select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

Tracyvp
Re: Hijacked?
« Reply #13 on: February 14, 2010, 05:45:07 PM »
Okay, here's the log from the scan.

~T

essexboy
Re: Hijacked?
« Reply #14 on: February 14, 2010, 06:20:36 PM »
Hi, a few quick questions: did it shut down and fail to start after the combofix run?
At what stage does the computer shut down when you try to boot?
Does it reference a file/driver at any stage?
Did this happen after the last Windows update?

The reason I ask is that I can see no sign of combofix on the last log

I would like you to run OTLPE again please and type the following into the custom scans box

/md5start
atapi.sys
/md5stop


Then as before run the scan and post the log
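Two steps in this thread are the same operation, hashing a file and comparing it with a reference: the OTLPE.iso download earlier came with a published byte count (290,234,368) and MD5 (C1F65EAFC453367E12E242BFCDFB68A2), and the last post asks OTL's /md5start ... /md5stop custom scan for the MD5 of atapi.sys so it can be compared with a known-good copy. The following is an added Python example, not code from the thread or from the OTL/OTLPE tools. It checks a downloaded file against a published size and MD5 before you burn it (size first, because a truncated download is the common failure and is cheap to detect), and reports size and MD5 for a list of system files the way the OTL custom scan does. The thread gives no reference hash for atapi.sys, so that comparison is left to the reader with a clean copy of the same Windows version and service pack. The temporary stand-in file and the paths used in the demo are constructed; the atapi.sys path is the usual Windows XP location and is an assumption here.

```python
import hashlib
import os
import tempfile

# Values published for OTLPE.iso earlier in this thread.
OTLPE_EXPECTED_BYTES = 290_234_368
OTLPE_EXPECTED_MD5 = "C1F65EAFC453367E12E242BFCDFB68A2"


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Stream the file through hashlib so a 290 MB ISO is never held in memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_bytes, expected_md5):
    """Check the size first (a truncated download fails here), then the MD5.

    Returns (ok, reasons); reasons is empty when both values match the published ones.
    """
    reasons = []
    size = os.path.getsize(path)
    if size != expected_bytes:
        reasons.append(f"size mismatch: got {size} bytes, expected {expected_bytes}")
    digest = file_digest(path, "md5")
    if digest.lower() != expected_md5.lower():
        reasons.append(f"md5 mismatch: got {digest}, expected {expected_md5.lower()}")
    return (not reasons, reasons)


def md5_report(paths):
    """Report size and MD5 for each listed file, as OTL's /md5start ... /md5stop
    custom scan does. A missing file maps to None so the caller can distinguish
    'absent' from 'present with some hash'."""
    report = {}
    for p in paths:
        if os.path.isfile(p):
            report[p] = {"bytes": os.path.getsize(p), "md5": file_digest(p, "md5")}
        else:
            report[p] = None
    return report


def demo():
    """Constructed stand-in: the real ISO is not available here, so a small temp
    file is checked against its own size/MD5 (passes) and against the published
    OTLPE values (fails on both size and hash). Returns (ok, bad, reasons)."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.iso")  # constructed file, not OTLPE.iso
        with open(sample, "wb") as f:
            f.write(b"constructed sample content\n")
        ok, _ = verify_download(sample, os.path.getsize(sample), file_digest(sample))
        bad, reasons = verify_download(sample, OTLPE_EXPECTED_BYTES, OTLPE_EXPECTED_MD5)
        return ok, bad, reasons


if __name__ == "__main__":
    ok, bad, reasons = demo()
    print("self-check:", "OK" if ok else "FAILED")
    print("against published OTLPE values:", "OK" if bad else "; ".join(reasons))
    # Assumed XP location of the driver the last post asks about; on a machine
    # without it (or any non-Windows host) the report shows None for the path.
    print(md5_report([r"C:\WINDOWS\system32\drivers\atapi.sys"]))
```

To use it on the real download, call verify_download("OTLPE.iso", OTLPE_EXPECTED_BYTES, OTLPE_EXPECTED_MD5) from the folder the ISO was saved to and only burn the CD when it returns ok; the reasons list tells you whether to re-download (size mismatch) or to distrust the copy entirely (size right, hash wrong). MD5 is used here only because that is what the thread's tools publish; a practitioner verifying a new download would prefer a SHA-256 from the vendor where one is offered, and file_digest takes any hashlib algorithm name for that reason.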