Another person with the Google redirect malware.

Ok, I ran the Avast Boot-time Scan and it found about 7 files. Then, I did a Malware scan. It found nothing. I logged onto the internet, searched for something and was re-directed.

I have attached the Malware report and the OTL report.

Many, many, many thanks in advance,
Brent

Oops. I forgot to include the:

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

I ran the OTL scan again (including the stuff above) and here are the logs.

Here we go this should clear it

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = B9 7E 9B 04 F1 54 5B 42 8D E1 45 58 DF 49 9C F9 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = B9 7E 9B 04 F1 54 5B 42 8D E1 45 58 DF 49 9C F9 [binary data]
IE - HKU\S-1-5-21-2682475495-1044099580-1074880462-1005\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = B9 7E 9B 04 F1 54 5B 42 8D E1 45 58 DF 49 9C F9 [binary data]
[2011/07/25 20:37:50 | 000,000,092 | ---- | M] () -- C:\Windows\System32\1520631473

:Files
ipconfig /flushdns /c
:Reg
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
[HKU\S-1-5-21-2682475495-1044099580-1074880462-1005\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
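As an added, read-only companion to the fix above (my own example, not OTL's code and not the helper's script): a PowerShell audit that reports the three things the fix touches, so their state can be checked before and after without deleting anything. It assumes it is run in an elevated session on the affected machine.

```powershell
# Added example, not part of the thread: audit the indicators the OTL fix targets.
# Report only; nothing is removed. Assumes an elevated session so HKU and System32 are readable.

# 1. hosts file: [resethosts] rewrites it, so list every active mapping other than localhost
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$nonDefaultHosts = Get-Content $hostsPath | Where-Object {
    $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
}

# 2. XMLHTTP_UUID_Default under every loaded user hive (the :Reg section deletes it from three)
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$uuidValues = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | ForEach-Object {
    $key = "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Internet Explorer\Main"
    $val = Get-ItemProperty -Path $key -Name 'XMLHTTP_UUID_Default' -ErrorAction SilentlyContinue
    if ($val) {
        [pscustomobject]@{
            Hive  = $_.PSChildName
            Bytes = ($val.XMLHTTP_UUID_Default | ForEach-Object { $_.ToString('X2') }) -join ' '
        }
    }
}

# 3. purely numeric file names in System32, the pattern of the C:\Windows\System32\1520631473 entry
$numericFiles = Get-ChildItem (Join-Path $env:SystemRoot 'System32') -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+$' }

# Summary object; pipe to Format-List or Export-Clixml to keep a before/after record
[pscustomobject]@{
    NonDefaultHostsEntries = $nonDefaultHosts
    XmlHttpUuidValues      = $uuidValues
    NumericSystem32Files   = $numericFiles.FullName
}
```

The hosts and registry findings are not proof of infection on their own (the UUID value is present in every hive in the log); the point is to record what the fix will change and confirm afterwards that it did.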

First and foremost, thanks for your help! OK, I did what you said and all was going well until I ran the Quick Scan. I got a blue screen and then I had to restart the computer (I chose the normal option). I did the quick scan the second time. I have attached the log as it exceeded the maximum allowed length. I went ahead and did a search and was once again redirected. :frowning:

Also, now it is redirecting me even when I am not using the Google search engine. For example, I was checking out my yahoo email account. I clicked on a link and it sent me to some strange site.

OK lets now investigate the drivers

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

The computer froze up and I couldn’t access the internet. Also, a little box that read PEV.exe has stopped working popped up. The computer restarted itself and it is now Preparing Log Report. I have to leave but I will post the ComboFix log when I return.

OK when it runs ensure that Avast does not sandbox anything

Now I can’t open any programs at all. It keeps saying: Illegal operation attempted on a registry key that has been marked for deletion. It says that for every single program. :frowning: I’m typing this from my phone… I’ll try to get to another computer to paste the log. Sigh.

So I restarted the computer and everything is fine (as far as opening the programs). Haha. Ok, here is the log report.

One more post before I go out for the night (I promise to check back later or tomorrow morning). I don’t seem to be getting redirected. :smiley:

The infection was within Firefox, and I always have problems with that area - too much gobbledegook in there to make a realistic assessment

Let me know if the redirects really have gone and there are no other problems outstanding

Well, so far the redirects haven’t popped up. I’ll be sure to post back if they reappear. Once again, many, many thanks!

Let me know when you are happy and I will remove my tools

Well, I had been using the internet all morning and performed at least 30 or 40 searches when I clicked on a link and got redirected. I’ve since made about 10 more and nothing. Not sure what to do…

OK time to check the MBR

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start the scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Should I close all programs and disable my anti-virus before running it?

Not needed.

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-07-30 18:52:42

18:52:42.157 OS Version: Windows 6.0.6002 Service Pack 2
18:52:42.157 Number of processors: 2 586 0xF0A
18:52:42.157 ComputerName: BRENTPC UserName: Barbara
18:52:48.693 Initialize success
18:52:49.785 AVAST engine defs: 11073001
18:52:52.500 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
18:52:52.500 Disk 0 Vendor: TOSHIBA_ DL02 Size: 152627MB BusType: 3
18:52:52.500 Disk 1 \Device\Harddisk1\DR1 → \Device\0000005d
18:52:52.500 Disk 1 Vendor: ( Size: 152627MB BusType: 0
18:52:52.500 Disk 2 \Device\Harddisk2\DR2 → \Device\0000005e
18:52:52.515 Disk 2 Vendor: ( Size: 152627MB BusType: 0
18:52:52.531 Disk 0 MBR read successfully
18:52:52.531 Disk 0 MBR scan
18:52:52.546 Disk 0 Windows VISTA default MBR code
18:52:52.546 Disk 0 scanning sectors +312579760
18:52:52.624 Disk 0 scanning C:\Windows\system32\drivers
18:53:12.031 Service scanning
18:53:17.271 Modules scanning
18:53:48.424 Disk 0 trace - called modules:
18:53:48.455 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
18:53:48.455 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8651dac8]
18:53:48.471 3 CLASSPNP.SYS[88da08b3] → nt!IofCallDriver → [0x85a0b768]
18:53:48.471 5 acpi.sys[8069f6bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x85a15030]
18:53:49.719 AVAST engine scan C:\Windows
18:53:55.663 AVAST engine scan C:\Windows\system32
18:56:20.696 AVAST engine scan C:\Windows\system32\drivers
18:56:31.397 AVAST engine scan C:\Users\Barbara
19:04:21.638 Disk 0 MBR has been saved successfully to “C:\Users\Barbara\Desktop\MBR.dat”
19:04:21.716 The log file has been saved successfully to “C:\Users\Barbara\Desktop\aswMBR.txt”
19:04:48.137 AVAST engine scan C:\ProgramData
19:07:48.723 Scan finished successfully
19:09:05.428 Disk 0 MBR has been saved successfully to “C:\Users\Barbara\Desktop\MBR.dat”
19:09:05.444 The log file has been saved successfully to “C:\Users\Barbara\Desktop\aswMBR.txt”

Is this redirect continuous, or restricted to just one site ?