Author Topic: I think I have a redirect issue  (Read 7826 times)


kingsburyGID

  • Guest
I think I have a redirect issue
« on: December 06, 2011, 10:58:43 PM »
When I use Firefox and then Google as a search engine, I have been getting redirects. I had run MBAM, which found a problem, and then installed Avast, which in its boot scan found and fixed problems, but the redirect remains. Neither MBAM nor Avast finds anything now. I had not taken any notes on just what they found originally, but from my memory it had to do with Java, and one piece of advice I read said it needed updated, so I uninstalled, and then installed the latest version. This issue does not seem to happen when I use IE/Google. I have run the OTL and aswMBR scans, but don't know what to make of it.

Eric

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37530
  • Not a avast user
Re: I think I have a redirect issue
« Reply #1 on: December 06, 2011, 11:03:49 PM »
if you have run OTL then you need to attach the log here so essexboy can analyse

Follow the guide here and attach all logs
http://forum.avast.com/index.php?topic=53253.0

kingsburyGID

  • Guest
Re: I think I have a redirect issue
« Reply #2 on: December 06, 2011, 11:34:52 PM »
My OTL log exceeds the 10,000 character limit, is there a more important part I should post?
here is the aswMBR:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-06 10:06:49
-----------------------------
10:06:49.843    OS Version: Windows 5.1.2600 Service Pack 3
10:06:49.843    Number of processors: 2 586 0x401
10:06:49.843    ComputerName: RECEPTION  UserName: User
10:06:51.031    Initialize success
10:06:51.515    AVAST engine defs: 11120602
10:07:26.203    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
10:07:26.203    Disk 0 Vendor: ST380817AS 3.42 Size: 76319MB BusType: 3
10:07:28.218    Disk 0 MBR read successfully
10:07:28.218    Disk 0 MBR scan
10:07:28.218    Disk 0 Windows XP default MBR code
10:07:28.218    Disk 0 scanning sectors +156280320
10:07:28.281    Disk 0 scanning C:\WINDOWS\system32\drivers
10:07:45.187    Service scanning
10:07:46.312    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
10:07:46.390    Service FXDRV D:\Fxdrv.sys **LOCKED** 21
10:07:47.484    Modules scanning
10:07:52.937    Disk 0 trace - called modules:
10:07:52.953    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8a5e5209]<<
10:07:52.953    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a9b2ab8]
10:07:52.953    3 CLASSPNP.SYS[f7647fd7] -> nt!IofCallDriver -> \Device\00000081[0x8a9cb750]
10:07:52.953    5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-17[0x8a9b6d98]
10:07:53.234    AVAST engine scan C:\WINDOWS
10:08:21.578    AVAST engine scan C:\WINDOWS\system32
10:10:32.031    AVAST engine scan C:\WINDOWS\system32\drivers
10:10:48.968    AVAST engine scan C:\Documents and Settings\User
10:22:15.140    AVAST engine scan C:\Documents and Settings\All Users
10:23:40.656    Scan finished successfully
13:49:22.031    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
13:49:22.046    The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"
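
Added example (not part of any poster's message and not Avast's code): a small Python triage of the aswMBR log above that pulls out the MBR verdict, the `**LOCKED**` service entries, and any `>>UNKNOWN [...]<<` module in the disk trace, which are the entries the helpers go on to follow up. The regular expressions are inferred from the lines of this one log, and the trailing number on LOCKED lines is kept as-is without assuming its meaning.

```python
import re

# Lines copied from the aswMBR log posted in this thread (trimmed to the relevant ones).
SAMPLE_LOG = r"""
10:07:28.218    Disk 0 Windows XP default MBR code
10:07:46.312    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
10:07:46.390    Service FXDRV D:\Fxdrv.sys **LOCKED** 21
10:07:52.937    Disk 0 trace - called modules:
10:07:52.953    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8a5e5209]<<
10:10:48.968    AVAST engine scan C:\Documents and Settings\User
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")
LOCKED = re.compile(r"^Service (\S+) (.+?) \*\*LOCKED\*\* (\d+)$")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
MBR_CODE = re.compile(r"^Disk (\d+) (.+ MBR code)$")

def triage(log_text):
    """Return the aswMBR entries worth a follow-up look, grouped by kind."""
    out = {"mbr": [], "locked": [], "unknown": []}
    for raw in log_text.splitlines():
        m = TIMESTAMP.match(raw.strip())
        if not m:
            continue  # banner, separator and blank lines carry no timestamp
        body = m.group(1).strip()
        if (hit := MBR_CODE.match(body)):
            out["mbr"].append((int(hit.group(1)), hit.group(2)))
        elif (hit := LOCKED.match(body)):
            name, path, code = hit.groups()
            out["locked"].append({"service": name, "path": path, "code": int(code)})
        elif (hit := UNKNOWN.search(body)):
            # Named modules listed in the trace before the unnamed one, in order.
            chain = body[:hit.start()].split()
            out["unknown"].append({"address": hit.group(1), "after": chain[-1] if chain else None})
    return out

if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_LOG).items():
        print(kind, entries)
```
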



Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37530
  • Not a avast user
Re: I think I have a redirect issue
« Reply #3 on: December 06, 2011, 11:39:41 PM »
Quote
My OTL log exceeds the 10,000 character limit, is there a more important part I should post?
did you save it as ANSI before you attach.....not copy and paste

if no good, upload to mediafire.com and post the download link here

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I think I have a redirect issue
« Reply #4 on: December 06, 2011, 11:41:36 PM »
Monitoring - but off to bed now  ;D

kingsburyGID

  • Guest
Re: I think I have a redirect issue
« Reply #5 on: December 07, 2011, 01:18:58 AM »
Ok, hopefully I have it right this time


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37530
  • Not a avast user
Re: I think I have a redirect issue
« Reply #6 on: December 07, 2011, 01:28:06 AM »
if you also have the log when Malwarebytes found and removed something ?

From the OTL log it seems you have avast and Trend Micro antivirus installed, is this correct ?
I also see some files from McAfee ?
« Last Edit: December 07, 2011, 03:20:27 AM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37530
  • Not a avast user
Re: I think I have a redirect issue
« Reply #7 on: December 07, 2011, 01:49:29 AM »
Installing multiple AV programs can/will create all kinds of Windows errors and false positive detections

Never install two antivirus
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638


So you need to uninstall one AV
It is also recommended to run a removal tool so all leftovers are gone

run and reboot - Uninstallers for Security Software
http://thewebatom.net/uninstallers/security-software/



Essexboy will be back tomorrow and check your logs
he is usually in here around 08:00pm - 11:59pm UK time


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I think I have a redirect issue
« Reply #8 on: December 07, 2011, 09:39:39 PM »
Hi, nothing readily apparent there - so let's get a specialist in on the job

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.


Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

kingsburyGID

  • Guest
Re: I think I have a redirect issue
« Reply #9 on: December 08, 2011, 12:27:08 AM »
Ok, Goored text attached.

kingsburyGID

  • Guest
Re: I think I have a redirect issue
« Reply #10 on: December 08, 2011, 12:36:38 AM »
Pondus, there is a Trend Micro client/server security program on the machine, however it does not show running like Avast does (I did not install it, so I cannot speak to just what it is for). However, if I start it, it seems to be something akin to MBAM in that it has scan options for various things. It was on this machine when the infection occurred, which is another reason I don't think it's an active AV program.

Attached are the Malwarebytes logs.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37530
  • Not a avast user
Re: I think I have a redirect issue
« Reply #11 on: December 08, 2011, 12:54:02 AM »
I think it is the business version of Trend Micro, and as I can see from the OTL log it is running active.....however I am not an expert on this

Trend is listed under Processes / safelist and under W32 where it says auto running
McAfee is listed under drivers...so may have been installed before ?

so is this a company machine or a private ?


to disable is not enough, so you should run the removal tool for McAfee and the other AV you do not need ?
« Last Edit: December 08, 2011, 01:42:11 AM by Pondus »

DonZ63

  • Guest
Re: I think I have a redirect issue
« Reply #12 on: December 08, 2011, 01:28:30 AM »
Did the company you work for require you to install Trend Micro so that you can remotely connect to your company's servers? If so, do not remove that software or you might find yourself out of a job :'(

kingsburyGID

  • Guest
Re: I think I have a redirect issue
« Reply #13 on: December 08, 2011, 06:24:28 PM »
McAfee was installed before, and yes it is a company machine, but it doesn't directly access our servers. It was used to set up the router for a small branch network  where another machine can access the servers. If I need to, I can certainly remove Avast, and clean out the remains from McAfee. I do understand the multiple AV issue. I still have this redirect that nothing seems to find, and I was mistaken that it only affected Firefox, as IE has started doing it as well.

Eric

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I think I have a redirect issue
« Reply #14 on: December 08, 2011, 10:06:01 PM »
Hmm, let's get the big boy on the job to check out the locked file reported by aswMBR

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now