Hard to remove MAL: URL

Can you get to normal mode now ?

I was able to run Combofix in windows without safe mode, here is the log.

Also, both times I ran it it said it was running in reduced function mode, not sure if that matters.

What that is, is that when Combofix reaches 7 days old it will not try to do any rootkit removal without being updated. What are the current problems please?

I reconnected to the internet and tried google searches, it’s still redirecting me no matter what website I try to go to through google search, and to various different websites. I haven’t seen Avast pop up that it blocked MAL URL yet though, so that’s an improvement.

Would it be helpful if you knew the websites I’m being redirected to?

Yes please - Also I have found some new malware types so could you run a fresh OTS scan for me please - selecting all users

I’ll get you the new OTS log and websites it’s redirecting to today.

Well there are now two icons named Desktop.ini on my desktop, I didn’t create them. Here’s the new OTS log file and the websites I’m seeing as a redirect. My DSL connection was extremely sluggish, although not sure if that is related.

www.cashflownotes.us then redirects to
www.find-fast-answers.com

www.cashflownotes.us can also redirect to
1.amp.network.net

This is whenever I click on a link inside a google search. I did several tests and these are the only ones I’m seeing, although not to say there aren’t others that haven’t popped up yet.

They are system files - we will hide them when complete

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Users\Samantha\AppData\Roaming\Mozilla\FireFox\Profiles\x6x4tqwk.default\prefs.js
YN -> extensions.enabledItems -> {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
YN -> extensions.enabledItems -> {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
YN -> extensions.enabledItems -> {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
YN -> keyword.URL -> "http://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&c=GNKWO50020&sbs=1&sc=&f=web&vernum=3.2&uid=&did={8da6af80-cb4b-11dd-8b94-002354609bf6}&q="
< FireFox Extensions [Program Folders] > -> 
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
NY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
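The OTS fix above resets a hijacked keyword.URL and removes stale extension entries from prefs.js. The following is an added Python example, not the OTS tool or the helper's script, that parses the same kind of prefs.js lines and flags a keyword.URL pointing at a non-standard search host; the sample prefs text and the known-host allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed prefs.js excerpt (not the poster's real file), modelled on the
# keyword.URL and extensions.enabledItems entries shown in the OTS fix.
SAMPLE_PREFS = r'''
user_pref("browser.startup.homepage", "about:home");
user_pref("keyword.enabled", true);
user_pref("keyword.URL", "http://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&q=");
user_pref("extensions.enabledItems", "{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20,{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21");
'''

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')

# Assumed allowlist: hosts a stock Firefox of that era would legitimately use
# for keyword searches. Anything else is reported for manual review.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}

def parse_prefs(text):
    """Return {pref_name: value} from prefs.js text; string values lose their quotes."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs

def check_keyword_url(prefs):
    """Return the host keyword.URL points at if it is not a known search host, else None."""
    url = prefs.get("keyword.URL")
    if not url:
        return None  # pref absent: Firefox falls back to its built-in default
    host = urlparse(url).hostname or ""
    return None if host in KNOWN_SEARCH_HOSTS else host

def enabled_items(prefs):
    """Split extensions.enabledItems into (guid, version) pairs for review."""
    raw = prefs.get("extensions.enabledItems", "")
    pairs = []
    for item in filter(None, raw.split(",")):
        guid, _, version = item.partition(":")
        pairs.append((guid, version))
    return pairs

if __name__ == "__main__":
    p = parse_prefs(SAMPLE_PREFS)
    print("suspicious keyword.URL host:", check_keyword_url(p))
    for guid, ver in enabled_items(p):
        print("enabled item:", guid, ver)
```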

Ok, did the run fix and here’s the log.

Are you still getting redirects? Does it occur in both Firefox and IE?

Yep, still getting them. I tested several searches with Google and Bing inside of both MSIE and Firefox. Here are some of the redirects.

MSIE
www.nacolighting.com
www.elam.us
www.get-search-results.com

Inside Firefox
www.a-tech-inc.com
www.find-fast-answers.com
http://www.stopzilla.com/products/stopzilla/antivirus.do?aid=10580&cid=malware
http://underground.us/
http://www.shopica.com/search.php?q=gas+prices&txn=1273486713-424d.3bfc.4e3b14b9.1cc

Hmm, this is definitely a weird one - my replies may be a bit erratic as my motherboard went south yesterday and I have “borrowed” the boy's laptop. So it has none of my prepared responses on it, so I apologise for any spelling errors ;D

OK, let's do a deep analysis scan - the main element I am interested in from this is the analysis zip file. You will not be able to upload it here, so could you upload it to Mediafire and post the sharing link?

Download AVPTool from Here to your desktop.
Run the programme you have just downloaded to your desktop (it will be randomly named).
First we will run a virus scan. Click the cog in the upper right.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPfront.gif

Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpsettings.gif

Allow AVP to delete all infections found

Once it has finished, select the report tab (last tab).
Select Automatic Scan report from the left and press the Save button.
Save it to your desktop and attach it to your next post.

Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPAnalysis.gif

On completion, click the link to locate the zip file to upload and attach it to your next post.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPZiplocation.gif

Bummer about the motherboard, looks like time to backup your prepared responses, etc. on to a USB stick ;D

Nope 'tis just a matter of slapping in the old drive as a slave to the new system and go from there… But a USB backup does sound a good idea ;D

Hey, sorry it’s been a few days, but I’m dealing with a poison ivy rash and some other things at the moment so I haven’t been able to get to getting the new program downloaded and doing what you said.

I do appreciate your help and I will be working on it later today hopefully! I really hope to get this thing fixed soon! egh!

Get yourself better first ;D

OK! I’m feeling a lot better and am going to attempt to get the above done today. I really am hoping to get this fixed by Monday because I need it working for college; the PC I’m on isn’t exactly optimal for that.

There is a new variant MBR that has just appeared - mayhap you have that one