Avast can't get rid of URL:Mal from wxw.cikh71ynks66.xcm, which Avast blocked.

Just got a blue screen after I ran ComboFix a second time. Assumed it was because Avast shields were running.

This is really an unknown site. What is the vendor of this website?

Try cleaning your temp files

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Did it work?

There might be two reasons for Avast detecting as soon as you open your browser:

  1. The home page is set to that site, or
  2. You have speed dials installed which connect as soon as you open the browser.

Let us know.

-correction- When I go on the Firefox homepage, search for something and click a link, then it pops up and redirects me.

Something's not cooking good. Time for essexboy. I have messaged him. He will be here soon; make sure you obey him :slight_smile:

OK

I found some questionable files that I think may have something to do with it, but scans say it's clean.

Speed dials are not installed and the homepage is set to the Firefox homepage.

Hi there, do you also get redirects in IE?

Download OTL to your Desktop.

1. Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
2. Select All Users.
3. Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

4. Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
5. When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

THEN

Please read carefully and follow these steps.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop.
3. Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

4. If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

5. If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

6. It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

7. If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
8. If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Yes, it does redirect in IE, and when I'm using Firefox and not IE, IE will pop up at a random time on a blank page. I recently found a file in the computer's recovery drive called info.exe (original file name starturl.exe, creator xss, made in Germany) and in the Windows folder a zip folder called ubd.txt containing various malicious infected IPs. There are about 20-40 sites in it, and before the IPs are listed it shows 20-40 legitimate sites with a weird code at the end, e.g. wxww.youtube.xom^^10365^^^^1^0^0^0^0^0^0^0^0^0^0^0^none^-1^0^^. Each ending is different. My main concern is if the two are related. Also I found d:\autorun.inf with this code:

[AUTORUN]
SHELLEXECUTE=Info.exe folder.htt 480 480

When I click the info.exe I found, it brings up the blank IE page about 30 seconds later. Do these have anything to do with my problem possibly, or is it something clean or infected?
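As an added example that is not part of the thread: a small Python check that parses an autorun.inf like the one quoted above and lists the directives that would launch a program when the drive is opened (open, shellexecute, and shell\<verb>\command keys). The sample input is constructed to mirror the d:\autorun.inf from the post; a benign icon/label-only file yields no findings.

```python
"""Flag autorun.inf directives that hand control to an executable.

Added example, not from the thread. Given the text of an autorun.inf,
list every key that makes AutoRun/AutoPlay run a program (open,
shellexecute, shell\<verb>\command) together with its target and args.
"""
import re

# Keys that launch something when the drive is inserted or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... adds a context-menu verb that runs a program.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section names and keys are lower-cased; comment lines (';') are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """Return a list of (key, target, args) for each program-launching key."""
    found = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            parts = value.split()
            found.append((key, parts[0] if parts else "", parts[1:]))
    return found


# Constructed sample mirroring the d:\autorun.inf quoted in the thread.
SAMPLE = "[AUTORUN]\nSHELLEXECUTE=Info.exe folder.htt 480 480\n"

if __name__ == "__main__":
    for key, target, args in launch_directives(SAMPLE):
        print(f"{key} launches {target} with arguments {args}")
```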

If you could run the programmes and then attach the logs, I will be able to figure it out ;D

OK, will do in about 2 hours. I'm mobile right now. I have OTL on the computer from previous tries, just to let ya know.

Here are the logs. Extras.txt for OTL was not found.

Seems to have gotten rid of my problem, but about 5 minutes after reboot I got an Avast message saying "suspicious files found. detected using a heuristic method. may be a sign of malware and please allow to be submitted to the virus lab for analysis." The file name is system32\drivers\klmd.sys. What did that come from? It hasn't popped up before.

Working again. Thx.

Aye, submit to Avast as that is the name of a known bad file, but leave it in quarantine as it may also be legitimate. Although looking at your logs I do not believe you should have that file. On completion of this run can you let me know what problems remain?

Main culprit : Rootkit.Win32.TDSS.tdl4(\HardDisk0) : Dead

Run OTL

1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-21-2887382432-435655479-313340097-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2887382432-435655479-313340097-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

2. Then click the Run Fix button at the top.
3. Let the program run unhindered, reboot the PC when it is done.
4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Run OTL

1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-21-2887382432-435655479-313340097-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2887382432-435655479-313340097-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

Including this?

update.exe was in Task Manager using a lot of memory. It disappears from Task Manager, then reappears in a matter of seconds, and keeps doing it.

OK, let's get serious with this. Does the update file belong to a programme that you know?

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
2. Double click on ComboFix.exe & follow the prompts.
3. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
4. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.