Search Redirection - MB or AVG will not update

[kentuckycuz]

Sorry, I confused. What does "wipe the MBR" mean? Was that the link you sent me about clearing the MBR? I thought you meant that that was done when reformatting?

[D-FRED-BROWN]

Yeah that was for reformatting. If you plan to reformat (at any time), you need to be prepared to do that command as well

In short, don't do it now. Only do it if you choose to start all over

[kentuckycuz]

Okay, gotcha. So, you think it's okay for me to be creating these rescue cds on the same computer that's infected?

[D-FRED-BROWN]

Yeah, you should be alright. Just remember that if you ever reinstall Windows, that you run the clear MBR command just to be safe

[kentuckycuz]

Just an FYI: I'm running AVIRA again. It's only halfway finished but it's already showing 3 warnings and it was only 1 when I ran it before. When it finishes, I'll do the MBR thing again and then post.

[D-FRED-BROWN]

Okay, sounds good

[kentuckycuz]

Reading through the log after the Avira run, it says that it renamed one file which is what I checked for it to do when it encountered an infected file. Does that mean anything?

[D-FRED-BROWN]

Could you run it again and have it delete or quarantine them? We really need it to remove anything it finds at this point

[kentuckycuz]

I found it in the log and this is what it says:

ALERT: [html/Infected.WebPage.Gen] /media/Devices/sda3/Users/Derek/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/V9P5TXFF/load[1].htm <<< Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen not removable file renamed.

[D-FRED-BROWN]

Okay, thats fine. Go ahead and finish the scan then run MBRCheck

[kentuckycuz]

Okay, I'll check the "Remove infected files" box instead. I just checked the "fix or rename" box b/c that's what the instructions said to do. It didn't say why to do that though.

[D-FRED-BROWN]

Well we usually have people do that because sometimes we use Rescue CD's to get a computer booting again. You can imagine deleting an infected critical system file wouldn't do much good

In this case, your computer is in working shape, so pretty much anything Avira will find is going to be nasty.

Could you post the log first before you do anything else?

[kentuckycuz]

The log from MBR? I haven't run it b/c I'm still in Avira but I'll do that.

[D-FRED-BROWN]

No, I meant the Avira log

[kentuckycuz]

That's the problem. It won't let me. I've looked all over but there is NO save button. It won't let me copy and paste. I can highlight it but then it won't let me copy it. My screen doesn't look like the instruction screen though. Subtle differences but there is no save button.

Here's the MBR log:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Home Premium Edition

Windows Information: (build 7600), 64-bit

Base Board Manufacturer: Dell Inc.

BIOS Manufacturer: Dell Inc.

System Manufacturer: Dell Inc.

System Product Name: Inspiron 1545

Logical Drives Mask: 0x0000000c

Kernel Drivers (total 163):

0x02A0D000 \SystemRoot\system32\ntoskrnl.exe

0x02FE9000 \SystemRoot\system32\hal.dll

0x00BD5000 \SystemRoot\system32\kdcom.dll

0x00CD9000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x00D1D000 \SystemRoot\system32\PSHED.dll

0x00D31000 \SystemRoot\system32\CLFS.SYS

0x00C00000 \SystemRoot\system32\CI.dll

0x00E0D000 \SystemRoot\system32\drivers\Wdf01000.sys

0x00EB1000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x00EC0000 \SystemRoot\system32\DRIVERS\ACPI.sys

0x00F17000 \SystemRoot\system32\DRIVERS\WMILIB.SYS

0x00F20000 \SystemRoot\system32\DRIVERS\msisadrv.sys

0x00F2A000 \SystemRoot\system32\DRIVERS\pci.sys

0x00F5D000 \SystemRoot\system32\DRIVERS\vdrvroot.sys

0x00F6A000 \SystemRoot\System32\drivers\partmgr.sys

0x00F7F000 \SystemRoot\system32\DRIVERS\compbatt.sys

0x00F88000 \SystemRoot\system32\DRIVERS\BATTC.SYS

0x00F94000 \SystemRoot\system32\DRIVERS\volmgr.sys

0x00D8F000 \SystemRoot\System32\drivers\volmgrx.sys

0x00FA9000 \SystemRoot\System32\drivers\mountmgr.sys

0x01047000 \SystemRoot\system32\DRIVERS\iaStor.sys

0x01163000 \SystemRoot\system32\drivers\amdxata.sys

0x0116E000 \SystemRoot\system32\drivers\fltmgr.sys

0x011BA000 \SystemRoot\system32\drivers\fileinfo.sys

0x011CE000 \SystemRoot\System32\Drivers\PxHlpa64.sys

0x01218000 \SystemRoot\System32\Drivers\Ntfs.sys

0x0148D000 \SystemRoot\System32\Drivers\msrpc.sys

0x014EB000 \SystemRoot\System32\Drivers\ksecdd.sys

0x01505000 \SystemRoot\System32\Drivers\cng.sys

0x01578000 \SystemRoot\System32\drivers\pcw.sys

0x01589000 \SystemRoot\System32\Drivers\Fs_Rec.sys

0x016E0000 \SystemRoot\system32\drivers\ndis.sys

0x01600000 \SystemRoot\system32\drivers\NETIO.SYS

0x01660000 \SystemRoot\System32\Drivers\ksecpkg.sys

0x0168B000 \SystemRoot\system32\DRIVERS\volsnap.sys

0x016D7000 \SystemRoot\System32\Drivers\spldr.sys

0x01593000 \SystemRoot\System32\drivers\rdyboost.sys

0x017D2000 \SystemRoot\System32\Drivers\mup.sys

0x017E4000 \SystemRoot\System32\drivers\hwpolicy.sys

0x01400000 \SystemRoot\System32\DRIVERS\fvevol.sys

0x0143A000 \SystemRoot\system32\DRIVERS\disk.sys

0x01450000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS

0x02BBA000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x02BE4000 \SystemRoot\System32\Drivers\Null.SYS

0x02BED000 \SystemRoot\System32\Drivers\Beep.SYS

0x02A00000 \SystemRoot\System32\drivers\vga.sys

0x02A0E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x02A33000 \SystemRoot\System32\drivers\watchdog.sys

0x02A43000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x02A4C000 \SystemRoot\system32\drivers\rdpencdd.sys

0x02A55000 \SystemRoot\system32\drivers\rdprefmp.sys

0x02A5E000 \SystemRoot\System32\Drivers\Msfs.SYS

0x02A69000 \SystemRoot\System32\Drivers\Npfs.SYS

0x03802000 \SystemRoot\System32\drivers\tcpip.sys

0x03A43000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x03A8D000 \SystemRoot\system32\DRIVERS\tdx.sys

0x03AAB000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x03AB8000 \SystemRoot\System32\DRIVERS\netbt.sys

0x03AFD000 \SystemRoot\system32\drivers\afd.sys

0x03B86000 \SystemRoot\system32\DRIVERS\wfplwf.sys

0x03B8F000 \SystemRoot\system32\DRIVERS\pacer.sys

0x03BB5000 \SystemRoot\system32\DRIVERS\vwififlt.sys

0x03BCB000 \SystemRoot\system32\DRIVERS\netbios.sys

0x03BDA000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x03A00000 \SystemRoot\system32\DRIVERS\termdd.sys

0x03C52000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x03CA3000 \SystemRoot\system32\drivers\nsiproxy.sys

0x03CAF000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0x03CBA000 \SystemRoot\System32\drivers\discache.sys

0x03CC9000 \SystemRoot\System32\Drivers\dfsc.sys

0x03CE7000 \SystemRoot\system32\DRIVERS\blbdrive.sys

0x03CF8000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x04694000 \SystemRoot\system32\DRIVERS\igdkmd64.sys

0x03E40000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x03F34000 \SystemRoot\System32\drivers\dxgmms1.sys

0x03F7A000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0x03F87000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x03FDD000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x03E00000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x04040000 \SystemRoot\system32\DRIVERS\bcmwl664.sys

0x042E8000 \SystemRoot\system32\DRIVERS\vwifibus.sys

0x042F5000 \SystemRoot\system32\DRIVERS\yk62x64.sys

0x04359000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0x04377000 \SystemRoot\system32\DRIVERS\Apfiltr.sys

0x043C2000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x043D1000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x043E0000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

0x043ED000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0x043F2000 \SystemRoot\system32\DRIVERS\wmiacpi.sys

0x04000000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x04016000 \SystemRoot\system32\DRIVERS\CompositeBus.sys

0x04026000 \SystemRoot\system32\DRIVERS\AgileVpn.sys

0x04D93000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x03E24000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x04DB7000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x04600000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x0461B000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x0463C000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x0403C000 \SystemRoot\system32\DRIVERS\swenum.sys

0x03D1E000 \SystemRoot\system32\DRIVERS\ks.sys

0x03FEE000 \SystemRoot\system32\DRIVERS\umbus.sys

0x03D61000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x04656000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x05AD8000 \SystemRoot\system32\DRIVERS\stwrt64.sys

0x05B57000 \SystemRoot\system32\DRIVERS\portcls.sys

0x05B94000 \SystemRoot\system32\DRIVERS\drmk.sys

0x05BB6000 \SystemRoot\system32\drivers\ksthunk.sys

0x05BBC000 \SystemRoot\System32\Drivers\RtsUStor.sys

0x05BF6000 \SystemRoot\System32\Drivers\USBD.SYS

0x05A00000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x05A1D000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x05A2B000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x05A44000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x05A4D000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x05A5A000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0x05A68000 \SystemRoot\System32\Drivers\usbvideo.sys

0x05A96000 \SystemRoot\system32\DRIVERS\CtClsFlt.sys

0x0466B000 \SystemRoot\system32\DRIVERS\cdfs.sys

0x00010000 \SystemRoot\System32\win32k.sys

0x05AC1000 \SystemRoot\System32\drivers\Dxapi.sys

0x03E30000 \SystemRoot\System32\Drivers\crashdmp.sys

0x02A7A000 \SystemRoot\System32\Drivers\dump_iaStor.sys

0x04DE6000 \SystemRoot\System32\Drivers\dump_dumpfve.sys

0x03DBB000 \SystemRoot\system32\DRIVERS\monitor.sys

0x00560000 \SystemRoot\System32\TSDDD.dll

0x00650000 \SystemRoot\System32\cdd.dll

0x03DC9000 \SystemRoot\system32\drivers\luafv.sys

0x03C00000 \SystemRoot\system32\drivers\WudfPf.sys

0x03C21000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x0240B000 \SystemRoot\system32\DRIVERS\nwifi.sys

0x0245E000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x02471000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x02489000 \SystemRoot\system32\DRIVERS\vwifimp.sys

0x02493000 \SystemRoot\system32\drivers\HTTP.sys

0x0255B000 \SystemRoot\system32\DRIVERS\bowser.sys

0x02579000 \SystemRoot\System32\drivers\mpsdrv.sys

0x02591000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x032B1000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x032FF000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x03322000 \SystemRoot\system32\drivers\peauth.sys

0x033C8000 \SystemRoot\System32\Drivers\secdrv.SYS

0x033D3000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x03200000 \SystemRoot\System32\drivers\tcpipreg.sys

0x03212000 \SystemRoot\System32\DRIVERS\srv2.sys

0x05C3F000 \SystemRoot\System32\DRIVERS\srv.sys

0x05CD4000 \SystemRoot\System32\Drivers\BTHUSB.sys

0x05CEC000 \SystemRoot\System32\Drivers\bthport.sys

0x05D78000 \SystemRoot\system32\DRIVERS\rfcomm.sys

0x05DA4000 \SystemRoot\system32\DRIVERS\BthEnum.sys

0x05DB4000 \SystemRoot\system32\DRIVERS\bthpan.sys

0x05DD4000 \SystemRoot\system32\DRIVERS\bthmodem.sys

0x05DEB000 \SystemRoot\system32\drivers\modem.sys

0x060C7000 \SystemRoot\system32\DRIVERS\btwavdt.sys

0x06142000 \SystemRoot\system32\DRIVERS\hidbth.sys

0x06160000 \SystemRoot\system32\drivers\btwaudio.sys

0x061E6000 \SystemRoot\system32\DRIVERS\btwl2cap.sys

0x061F2000 \SystemRoot\system32\DRIVERS\btwrchid.sys

0x061F6000 \SystemRoot\system32\drivers\BCM42RLY.sys

0x06000000 \SystemRoot\System32\Drivers\fastfat.SYS

0x778D0000 \Windows\System32\ntdll.dll

0x48080000 \Windows\System32\smss.exe

0xFFBF0000 \Windows\System32\apisetschema.dll

0xFFAE0000 \Windows\System32\autochk.exe

Processes (total 78):

0 System Idle Process

4 System

300 C:\Windows\System32\smss.exe

408 csrss.exe

460 C:\Windows\System32\wininit.exe

480 csrss.exe

544 C:\Windows\System32\services.exe

552 C:\Windows\System32\lsass.exe

560 C:\Windows\System32\lsm.exe

572 C:\Windows\System32\winlogon.exe

684 C:\Windows\System32\svchost.exe

768 C:\Windows\System32\svchost.exe

856 C:\Windows\System32\svchost.exe

896 C:\Windows\System32\svchost.exe

924 C:\Windows\System32\svchost.exe

1000 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\stacsv64.exe

328 C:\Windows\System32\audiodg.exe

636 C:\Windows\System32\svchost.exe

1040 C:\Program Files\Dell\DellDock\DockLogin.exe

1160 C:\Windows\System32\svchost.exe

1280 C:\Windows\System32\wlanext.exe

1288 C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE

1312 C:\Windows\System32\conhost.exe

1368 C:\Program Files\Dell\Dell Wireless WLAN Card\BCMWLTRY.EXE

1444 C:\Windows\System32\spoolsv.exe

1476 C:\Windows\System32\svchost.exe

1584 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe

1624 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

1728 C:\Program Files (x86)\Bradford Networks\Persistent Agent\bndaemon.exe

1752 C:\Program Files (x86)\Bonjour\mDNSResponder.exe

1776 C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

1816 C:\Windows\System32\svchost.exe

1968 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

1032 C:\Windows\System32\svchost.exe

1536 C:\Windows\System32\svchost.exe

2052 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe

2340 WmiPrvSE.exe

2564 C:\Windows\System32\dwm.exe

2656 C:\Windows\explorer.exe

2692 C:\Windows\System32\svchost.exe

2760 C:\Windows\System32\taskhost.exe

2184 PrintIsolationHost.exe

2524 C:\Program Files\DellTPad\Apoint.exe

2608 C:\Program Files\IDT\WDM\sttray64.exe

2504 C:\Windows\System32\igfxtray.exe

2500 C:\Windows\System32\hkcmd.exe

3004 C:\Windows\System32\igfxpers.exe

3068 C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE

2480 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

2460 C:\Windows\System32\igfxsrvc.exe

3232 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

3264 C:\Program Files\Dell\DellDock\DellDock.exe

3412 C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe

3592 C:\Program Files\DellTPad\ApMsgFwd.exe

3664 C:\Program Files\DellTPad\hidfind.exe

3672 C:\Program Files\DellTPad\ApntEx.exe

3688 C:\Windows\System32\conhost.exe

3724 C:\Windows\System32\SearchIndexer.exe

3952 C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe

3996 WmiPrvSE.exe

3096 C:\Program Files\Windows Media Player\wmpnetwk.exe

3200 C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe

3160 C:\Program Files\Internet Explorer\iexplore.exe

3464 C:\Program Files\Internet Explorer\iexplore.exe

3292 C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe

3940 C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe

3632 C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe

3888 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

3900 C:\Program Files (x86)\Bradford Networks\Persistent Agent\bncsaui.exe

3616 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

3572 C:\Windows\System32\svchost.exe

4484 C:\Program Files (x86)\Dell Support Center\gs_agent\dsc.exe

4640 C:\Program Files (x86)\iTunes\iTunesHelper.exe

4980 C:\Program Files\iPod\bin\iPodService.exe

4712 dllhost.exe

4516 dllhost.exe

3564 C:\Users\Derek\Desktop\MBRCheck.exe

4832 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`2c100000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEVT-75A23T0, Rev: 01.01A01

Size Device Name MBR Status

--------------------------------------------

298 GB \\.\PhysicalDrive0 MBR Code Faked!

SHA1: 38BE7869FCCF026F920DA4A541B12E68993C36ED

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

[kentuckycuz]

another thing, should I click Y or N at the end of the MBR scan?

[D-FRED-BROWN]

Ugh, that still didn't do the trick

another thing, should I click Y or N at the end of the MBR scan?

Go ahead and click N, and exit it.

Let's try this:

Download and install Firefox from here: http://www.mozilla.com/en-US/firefox/new/

Do some Google searches and let me know if you're getting redirected.

------

Do you have other computers on the network? If so, are they getting redirects as well?

[kentuckycuz]

Yes, two other computers on the network and they're just fine, no redirections or problems of any kind. I'll install firefox and let you know.

Oh, and I never did go back and run Avira with the "delete infected files" checked. Want me to do that too? and then run MBR again?

[D-FRED-BROWN]

Oh, and I never did go back and run Avira with the "delete infected files" checked. Want me to do that too? and then run MBR again?

Sure, go ahead and do that

[kentuckycuz]

Firefox redirected too I'll run AVira and delete infected files now and then post MBR Log.

[D-FRED-BROWN]

I expected that to happen.

Go ahead and run the Avira scan and post the new MBRCheck log.

Do you have a Windows 7 Recovery CD created? Please let me know

[kentuckycuz]

I swear, I couldn't make this stuff up if I wanted to. This Avira program is soooo sensitive. It won't let me check the "delete infected files" option b/c it locks up ... just like it locks up if I click on "update". I even tried leaving it in German and doing it but that didn't work either!

I have the Windows Reinstallation DVD that came with it (actually, it came with my laptop b/c my son's didn't come with one but I'm assuming that'll be fine b/c it's the same system) and I've created a Windows 7 Repair Disc (using his computer) which I think I've discovered is the same thing as if I hit F8 (I guess the cd creation option is if the computer won't pull up the System Recovery Options .. but this one will so I don't think I need the cd).

What next?

[D-FRED-BROWN]

Good that you have a CD.

Forget about Avira, let's try the following :

Insert your Windows 7 Recovery/Repair CD or DVD in the drive.

Then, follow the instructions found at this link: http://www.sevenforums.com/tutorials/20864-mbr-restore-windows-7-master-boot-record.html

Let me know how it goes.

[kentuckycuz]

I'm scared Feels like I'm doing brain surgery using pictures out of a textbook! lol .. okay, just to confirm ... so I'm using the repair disc and JUST following the directions on that link? Nothing else?

[D-FRED-BROWN]

so I'm using the repair disc and JUST following the directions on that link? Nothing else?

Yep. If you run into any questions stop what you're doing, and get on a different computer and ask me