
Google redirects - MBAM report included detects nothing



I'm constantly on the internet and have been for years; I never had a problem until recently. First I had the Microsoft Security Virus, which completely locked up my computer. That was resolved with your software.

Now I have an issue with Google redirects. It doesn't seem to happen all the time, but once it starts it seems like everything gets redirected to some random ads or sites. I updated the software, which I've been doing regularly, then ran a full scan the other day and a quick scan today. NOTHING DETECTED! See reports below.

I've been reading a lot of the forum submissions and it sounds like there are a number of next steps, but there are many warnings. I have no idea what I'm looking for or at and need some help PLEASE!

Also, when I start up my computer I seem to be receiving this message in Notepad on my desktop; it opens 2 copies every time I turn on the computer.

[.ShellClassInfo]

LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4885

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

10/19/2010 4:30:25 PM

mbam-log-2010-10-19 (16-30-25).txt

Scan type: Quick scan

Objects scanned: 154750

Time elapsed: 11 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

__________________________________________

HERE is the most recent log that detected anything

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4817

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

10/14/2010 5:57:08 AM

mbam-log-2010-10-14 (05-57-08).txt

Scan type: Full scan (C:\|)

Objects scanned: 273720

Time elapsed: 1 hour(s), 30 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\dldodrs32.dll (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{007adc0c-020b-45be-936d-9779ecce4b91} (Trojan.Tracur) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{007adc0c-020b-45be-936d-9779ecce4b91} (Trojan.Tracur) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{007adc0c-020b-45be-936d-9779ecce4b91} (Trojan.Tracur) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\Karen Galena\Application Data\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\dldodrs32.dll (Trojan.Tracur) -> Delete on reboot.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP781\A0112847.exe (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\Documents and Settings\Karen Galena\Application Data\asdsada.bat (Malware.Trace) -> Quarantined and deleted successfully.

_____________________________________________________________________

Here is the log from the scan that removed the Microsoft Security Virus

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4791

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

10/10/2010 12:54:19 PM

mbam-log-2010-10-10 (12-54-19).txt

Scan type: Quick scan

Objects scanned: 151164

Time elapsed: 13 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 38

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\bthserv32.dll (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\c85eb5fa982 (Trojan.Tracur) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{a10c4948-b8b3-bcec-7870-ef688f177b89} (Trojan.Tracur) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a10c4948-b8b3-bcec-7870-ef688f177b89} (Trojan.Tracur) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a10c4948-b8b3-bcec-7870-ef688f177b89} (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Worm.Prolaco) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\bthserv32.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\bthserv32.dll -> Delete on reboot.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\bthserv32.dll (Trojan.Tracur) -> Delete on reboot.

C:\WINDOWS\system32\AE.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cryptdlg32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\F7.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\11.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\118.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\12.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\125.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\137.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\145.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\14E.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\160.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\194.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\19E.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\1F2.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\BB.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\CddbFileTaggerRoxio32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dldocaps32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dldoinsb32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\B7.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\BA.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\27B.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\2B9.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\2D9.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\2E3.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\3CC.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\3D0.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\3DD.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\441.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\4CB.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\55.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\56A.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\5E9.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\69.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\6C.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\A6.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\Documents and Settings\Karen Galena\Local Settings\Temp\19.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\Documents and Settings\Karen Galena\Application Data\SysWin\lsass.exe (Worm.Prolaco) -> Delete on reboot.

________________________________________________________

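The three logs above all use the same line format, and read together they say more than any one of them does alone. As an added example (not part of this post, and not Malwarebytes code), here is a small Python triage script that parses trimmed copies of the 10/10 and 10/14 logs, labels the Windows load points Trojan.Tracur was using (BHO, AppInit_DLLs, Winlogon Notify, Winlogon Shell, Policies\Explorer\Run), and pulls out what a clean 10/19 quick scan does not prove: items still marked "Delete on reboot", copies parked in a System Restore point, and a BHO CLSID that appears in the later log but not the earlier one. The embedded log excerpts are constructed from the logs in this thread; the load-point labels and function names are the example's own.

```python
"""Added example (not from the forum post and not Malwarebytes code): a triage
parser for MBAM 1.4x text logs like the ones pasted above. It pulls out the
"<item> (<family>) -> <action>." lines, labels the Windows load points that
Trojan.Tracur used, and reports what a clean follow-up scan does NOT prove:
items still pending "Delete on reboot", copies parked in System Restore, and
BHO CLSIDs that are new in a later log (a re-registered redirect component)."""
import re
from collections import namedtuple

SECTION_RE = re.compile(r"^[A-Za-z ]+ Infected:$")  # "Files Infected:" (no count after it)
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)

# Load points seen in the thread's logs; the labels are this example's own wording.
LOAD_POINTS = [
    (r"\\explorer\\browser helper objects\\", "IE Browser Helper Object (DLL loaded into every IE process)"),
    (r"\\currentversion\\windows\\appinit_dlls$", "AppInit_DLLs (DLL loaded into every process that loads user32.dll)"),
    (r"\\winlogon\\notify\\", "Winlogon Notify package (DLL loaded by winlogon.exe at logon)"),
    (r"\\winlogon\\shell$", "Winlogon Shell value (replaces or extends explorer.exe at logon)"),
    (r"\\policies\\explorer\\run\\", "Policies\\Explorer\\Run (run key most startup viewers skip)"),
    (r"^hkey_classes_root\\clsid\\\{", "COM class registration backing a BHO CLSID"),
]

Detection = namedtuple("Detection", "section item family action data")

def parse_log(text):
    """Detection tuples from an MBAM 1.4x log; header and summary-count lines are skipped."""
    found, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if SECTION_RE.match(line):
            section = line[:-1]
        elif section and (m := DETECTION_RE.match(line)):
            parts = m.group("rest").split(" -> ")      # "Data: <path> -> <action>" or "<action>"
            data = parts[0][len("Data: "):] if parts[0].startswith("Data: ") else None
            found.append(Detection(section, m.group("item"), m.group("family"), parts[-1], data))
    return found

def load_point(det):
    """Persistence mechanism behind a registry item, or None for a plain file or folder."""
    for pattern, label in LOAD_POINTS:
        if re.search(pattern, det.item.lower()):
            return label
    return None

def triage(text):
    dets = parse_log(text)
    return {
        "families": sorted({d.family for d in dets}),
        "load_points": sorted({lp for lp in map(load_point, dets) if lp}),
        # still loaded until the machine restarts, so a scan before the reboot can look clean
        "pending_reboot": sorted({d.item for d in dets if d.action == "Delete on reboot"}),
        # inactive, but comes back if that restore point is ever applied
        "restore_point_copies": [d.item for d in dets if "_restore{" in d.item],
    }

def new_bho_clsids(earlier_log, later_log):
    """BHO CLSIDs in the later log that the earlier one never saw: the dropper survived
    the first cleanup and registered a fresh browser component."""
    def bhos(text):
        return {CLSID_RE.search(d.item).group(0).lower() for d in parse_log(text)
                if "browser helper objects" in d.item.lower() and CLSID_RE.search(d.item)}
    return sorted(bhos(later_log) - bhos(earlier_log))

# Constructed input: trimmed excerpts of the 10/10 and 10/14 logs pasted in the thread.
LOG_10_10 = r"""Malwarebytes' Anti-Malware 1.46
Memory Modules Infected: 1

Memory Modules Infected:
C:\WINDOWS\system32\bthserv32.dll (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\c85eb5fa982 (Trojan.Tracur) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a10c4948-b8b3-bcec-7870-ef688f177b89} (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a10c4948-b8b3-bcec-7870-ef688f177b89} (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Worm.Prolaco) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\bthserv32.dll -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\bthserv32.dll (Trojan.Tracur) -> Delete on reboot.
C:\Documents and Settings\Karen Galena\Application Data\SysWin\lsass.exe (Worm.Prolaco) -> Delete on reboot.
"""

LOG_10_14 = r"""Malwarebytes' Anti-Malware 1.46
Memory Modules Infected:
C:\WINDOWS\system32\dldodrs32.dll (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{007adc0c-020b-45be-936d-9779ecce4b91} (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{007adc0c-020b-45be-936d-9779ecce4b91} (Trojan.Tracur) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\dldodrs32.dll (Trojan.Tracur) -> Delete on reboot.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP781\A0112847.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
"""
```

Running `triage(LOG_10_10)` and `new_bho_clsids(LOG_10_10, LOG_10_14)` shows the point: the 10/14 scan found a Browser Helper Object under a CLSID that the 10/10 scan never saw, so something on the machine re-registered a redirect component after the first cleanup, which is consistent with the SysWin dropper surviving (it was only "Delete on reboot" on 10/10 and the folder was still there on 10/14). A BHO is loaded into every Internet Explorer process, which is exactly where search-result redirects come from. The 10/19 log reporting nothing is a signature result against database 4885, not proof of a clean machine; that is why the reply below moves on to rootkit and autostart tools rather than rerunning the same scan.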

Welcome to the forum.

Please do this:

Download TDSSKiller to your Desktop.

Double-click on TDSSKiller.exe to run the application, then click on Start Scan.

Don't Change These Settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

------------------------------

Next:

Please download and run ComboFix:

A few notes first:

  • ComboFix is compatible exclusively with W2K, XP, Vista, and Windows 7 (32-bit only).
  • ComboFix must be run from an Administrative account.
  • Vista and W7 users - Right click, choose "Run as Administrator"
  • It must be downloaded to and run from your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    ComboFix Guide (please read!)

---------------------------

Next:

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE.
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. If you're running Vista or Windows 7, skip the Recovery Console part.
    Note: If you have SP3, use the SP2 package.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. ComboFix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

5. Give ComboFix at least 20-30 minutes to finish if needed.

MrC


Thanks so much for all your help and suggestions!!

I downloaded TDSSKiller and ran. Nothing reported. See attachment.

I downloaded and ran ComboFix - have no idea what the report says or next steps. See attachment.

One other question: I also have an F (hard) drive which I store lots of stuff on. Should I perform the same steps on the F drive, i.e. save TDSSKiller and ComboFix directly to the F drive?

Karen

TDSSKiller.2.4.4.0_20.10.2010_09.06.48_log.txt

ComboFix.txt


Please do this:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\documents and settings\Karen Galena\Application Data\hgkkcdjduw.tmp

c:\windows\system32\19D.tmp

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After the reboot (in case it asks to reboot):

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

------------------------

Then please update and run a quick scan with MBAM and post back the log. MrC


It appears we might be making some progress. In between everything I was searching on Google and didn't get any redirects yet... but that's happened before, and it seems to start up again from... somewhere.

I copied the CFScript.txt and dragged it to ComboFix.exe.

Attached is the report.

:) Thanks again for your help!

Karen

ComboFix.txt


OK Mr. C,

It appears all is clear. Hopefully I won't experience any additional problems.

I've attached the last two reports from the MBAM and TDSSKiller scans. Unless you have any additional feedback for me, we'll assume everything is fixed.

Appreciate your help! Thanks.

Karen

mbam_log_2010_10_20__18_02_10_.txt

TDSSKiller.2.4.4.0_20.10.2010_18.03.46_log.txt


Looks Good!

Please Uninstall ComboFix:

Go to Start > Run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between ComboFix and /.

cf2.jpg

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

----------------------

Let's just check your system's security:

Please do this:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


This topic is now closed to further replies.