Browser Auto Redirects

[Tone]

My browser randomly redirects me to a webpage that tells me that I have a virus. I think I have some type of rootkit...about a week ago my AVIRA didn't start like it normally does...Windows told me that my antivirus was turned off when it was actually running. I think that's when the rootkit embedded. Can you help me? The malwarebytes log and hijack this log are attached.

hijackthis1.txt

mbam_log_2010_02_19__19_54_36_.txt

[fenzodahl512]

Please download The Comedian.exe by Rorschach112 to your desktop

• Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  
• Double click the program to run it. It will only take around several minutes to run.
  
• It will do a series of tasks and tell you when each one is finished.
  
• You will be prompted to press any key after each step
  
• When it is done it will close and exit itself automatically.
  
• You can delete The_Comedian.exe once it is finished
  

STOP! if you can't complete this step.. Tell me more about it..

NEXT

Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  
• At the top, tick on Scan All Users section
  
• At File Age set it to 90 Days
  
• In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  
• In the Files Created Within and Files Modified Within section, set it to File Age
  
• At the bottom, tick on all Safe List and Use Company Name WhiteList option
  
• Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
  
  • Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - Ext
    Reg - IE Explorer Bar
    Reg - NetSvcs
    Reg - Safeboot Minimal
    Reg - Safeboot Network
    File - Lop Check
    File - Purity Scan
    
    
  • Please copy/paste below script into Custom Scans box
    

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

    
    

  [*]Do NOT change any other settings.

  [*]Now click the Run Scan button on the toolbar.

  [*]Let it run unhindered until it finishes.

  [*]When the scan is complete Notepad will open with the report file loaded in it.

  [*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..

NEXT

Please download GMER and unzip it to your Desktop. <<mirror>>

Please rename the random filename or GMER into GAMERS

[*]Open the renamed program and click on the Rootkit tab.

[*]Make sure all the boxes on the right of the screen are checked, EXCEPT for

[Tone]

I was able to get the comedian and OTS to run with no problems. In the midst of the first attempt of GMER...the scan was interrupted. The computer rebooted and I tried to run it again with no luck. It sat all night without making any progress. I've attached the OTS results...what should I do now? Do I have to run OTS again to get GMER to work properly or is there an alternative to GMER?

OTS.Txt

[Tone]

Can anyone help with this?

Thank you.

[fenzodahl512]

Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:

• Tools->Options->Main tab
  
• Set to "Always ask me where to Save the files".
  

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

[Tone]

Combo Fix ran successfully and shutdown. However, it did not generate a report. It is not stored on the C: Drive. I'm attaching the TDS report.

Thanks.

TDSSKiller.2.2.4_20.02.2010_20.54.25_log.txt

[Tone]

found the combofix log...

ComboFix.txt

[fenzodahl512]

The ComboFix log seems to be cut off.. Please reboot the computer and run ComboFix once again and post the log here

[Tone]

When I attempted to run Combofix again...it gave me an "Access is denied" error. Do I need to uninstall and reinstall in order for it to work properly?

[fenzodahl512]

Just delete ComboFix and download a fresh one.. Also, uninstall ThreatFire and COMODO before downloading ComboFix..

[Tone]

Combofix log attached.

Thanks

log.txt

[fenzodahl512]

Update and run a full scan with Malwarebytes' again >> remove everything that it found >> post the log here

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

1. Tick the box next to YES, I accept the Terms of Use.
   
2. Click Start
   
3. When asked, allow the ActiveX control to install
   
4. Click Start
   
5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
   
6. Click Scan
   Wait for the scan to finish
   
7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
   
8. Copy and paste that log as a reply to this topic
   

How's the computer now?

[Tone]

System seems to be okay...

Logs are attached.

mbam_log_2010_02_23__18_48_10_.txt

log.txt

[fenzodahl512]

Looks good to me.. Lets do some cleanup...

Please download OTC and save it to Desktop.

• Make sure you have internet connection..
  
• Double-click OTC
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes
  

Please read these excellent articles write by my friends:

Preventing Malware and Safe Computing by Rorschach112

What makes your machine slow? by Artellos

Also, please read these excellent articles by miekiemoes :

Help! My computer is slow!

How to prevent Malware

Read these great info's about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp

http://bluefive.pair.com/practice_safe_surfing.htm

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread

Have a safe and happy computing day!

Regards

fenzodahl512

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.