
Mr.C / Want to see if I have an infection on Desktop now.



Don't know why I had double posts, my apologies.

Did you have any other ideas for me? If you still want, I will try bypassing the router.

I just thought since I reset it to factory and started over it wouldn't matter.

It still did the same thing. Was I wrong?

I'm not sure where to go from here either; aside from reinstalling the OS. :wacko:

Link to post

Yikes! That was a job !!!

My equipment is on the other side of the room and cords wouldn't reach. Had to move them all to the center of the floor so I could get enough reach for the Ethernet cable, lol.

After all that I am saddened to say it did no good. Still got redirect attempts so switched everything back.

Link to post

You should already have OTL on the system, we used it before.

Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

When the window appears, underneath Output at the top change it to Minimal Output.

Check the boxes beside LOP Check and Purity Check.

Under Custom Scan paste this in:

%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s >
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
services.*
/md5stop
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

When the scan completes, post back the log from OTL.

MrC

Link to post

Reboot did not change anything.

how did you get all these plugins and extensions if you reinstalled FF??

I have wondered that myself. I don't recall what I did to the desktop so I went back through what we have worked on and I don't see us doing that. I believe that was when we were working on the laptop. I can try that. How do I make sure I get rid of EVERYTHING though? When we did it all the proper way on his laptop it still left files everywhere and reloaded all plugins etc. It was crazy!

Link to post

Good Afternoon.

I uninstalled FF. Removed all Personal Content. Restarted pc. Redirect attempts continued.

I went into the registry and ALL Mozilla files, extensions, etc were still there! I deleted them all! Rebooted.

All plugins and history etc. were gone except for two plugins: 1. Adobe Acrobat 2. QuickTime Plugin. I disabled them, restarted FF. Tried my known redirect attempt link ... Redirect attempts continued.

I found an add on for FF that disables Popups etc called Adblock.

I installed it and guess what .... NO MORE redirect attempts!

Still doesn't tell me what is the root of this problem, however.

What is your opinion?

Link to post

I was looking at add-ons like that for FF, there's a bunch out there.

It blocks ads, so the source must be adware.

You can download and run fresh copies of AdwCleaner and JRT, see if anything is found.

Have you ever cleaned out your cookies? I use Cookienator:

http://www.codefromt...ookienator.aspx

-------------------------------

Please download AdwCleaner from here and save it on your Desktop.

Close all open programs and internet browsers.

Right-click on adwcleaner.exe and select Run As Administrator to launch the application. (XP just double click to run)

Click on Delete.

Confirm each time with Ok.

Your computer will be rebooted automatically. A text file will open after the restart.

Please post the content of that logfile with your next answer.

You can find the logfile at C:\AdwCleaner[s1].txt as well.

~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

MrC

Link to post

You can download and run fresh copies of AdwCleaner and JRT, see if anything is found.

I have my preferences set to delete all cookies, history etc. on each exit of FF. Plus, I also have a Google (Gmail) account and as I read this kind of nullifies the cookie privacy thing in Cookienator? Lol.

My Results from both scans:

# AdwCleaner v2.100 - Logfile created 12/10/2012 at 14:11:20
# Updated 09/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : ~Debb~ - XXXXX
# Boot Mode : Normal
# Running from : C:\Documents and Settings\~Debb~\Desktop\adwcleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)
Profile name : default
File : C:\Documents and Settings\~Debb~\Application Data\Mozilla\Firefox\Profiles\6iegk1ue.default\prefs.js
[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2641 octets] - [12/11/2012 23:08:13]
AdwCleaner[R2].txt - [2760 octets] - [13/11/2012 11:05:25]
AdwCleaner[s1].txt - [367 octets] - [13/11/2012 10:53:43]
AdwCleaner[s2].txt - [2558 octets] - [13/11/2012 11:06:02]
AdwCleaner[s3].txt - [966 octets] - [10/12/2012 14:11:20]

########## EOF - C:\AdwCleaner[s3].txt - [1025 octets] ##########

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.0.4 (12.09.2012:4)
OS: Microsoft Windows XP x86
Ran by ~Debb~ on Mon 12/10/2012 at 14:19:44.39
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 12/10/2012 at 14:27:48.79
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Link to post

I ran the scan. Below is the log file. I removed it all (even JRT, lol). Restarted computer, temp. disabled AdBlock Plus, restarted browser and still get redirect attempts.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/10/2012 at 07:02 PM

Application Version : 5.6.1014
Core Rules Database Version : 9716
Trace Rules Database Version: 7528

Scan type : Complete Scan
Total Scan Time : 00:57:02

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 645
Memory threats detected : 0
Registry items scanned : 41958
Registry threats detected : 0
File items scanned : 50908
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\~Debb~\Cookies\IQE6WEMT.txt [ /ad.yieldmanager.com ]

Trojan.Agent/Gen-PWS
C:\DOCUMENTS AND SETTINGS\~DEBB~\DESKTOP\JRT.EXE

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID

Link to post
This topic is now closed to further replies.