HELP! IE and FF redirecting to dust-cat site then stop working.

I’m hoping someone can help me out here. I have the same problem as rossb did a couple of days ago: http://forum.avast.com/index.php?topic=91895.0
IE and FF redirecting to fake-looking advertising sites, one called dust-cat, then avast popping up and saying that a malicious threat was detected; after that my browsers stop working.

Info on the computer it is happening on:

Windows Vista Home Premium
Dell, Studio 1537
Intel(R) Core™2 Duo CPU P8600 @ 2.40GHz 2.40GHz
Memory (RAM) 4.00 GB
32-bit Operating System

Using avast! Free Antivirus, Malwarebytes and Secunia PSI, and none of them are finding any issues after full system scans.

Please help!!!

Can I get any help?
should I follow the same instructions that essexboy gave rossb in the link above?

Nope! All instructions are unique to different systems…

Follow the guide below and attach all the logs… link below:
http://forum.avast.com/index.php?topic=53253.0

essexboy notified…

Thanks! Here are the logs, I’ll wait for further instructions.

I couldn’t get aswMBR.exe to scan properly. See attached log.

Since I’m having internet connection issues and firewall issues, I also ran the Farbar Service Scanner and attached the log here.

Lastly, I ran the RogueKiller since I was having issues with the aswMBR scanner. Logs are attached here.

aswMBR couldn’t load its driver… Do you have another program such as Comodo, ThreatFire etc. in addition to avast! that could be blocking it? If you have such programs, turn them off and try again…

There is a possible Maxss infection there

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810
O3 - HKU\S-1-5-21-2773036655-1795469504-3343648015-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2773036655-1795469504-3343648015-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKU\S-1-5-21-2773036655-1795469504-3343648015-1000..\Run: [fBdepykqaJJTx.exe] C:\ProgramData\fBdepykqaJJTx.exe File not found
[2011/10/19 14:57:05 | 000,000,240 | -H-- | C] () -- C:\ProgramData\~6DSS92c31Apgjk
[2011/10/19 14:57:05 | 000,000,128 | -H-- | C] () -- C:\ProgramData\~6DSS92c31Apgjkr
[2011/10/19 14:56:58 | 000,000,448 | -H-- | C] () -- C:\ProgramData\6DSS92c31Apgjk
[2011/05/31 21:29:11 | 000,008,686 | -HS- | C] () -- C:\Users\Christopher\AppData\Local\060a0lgv5xri3o0
[2011/05/31 21:29:11 | 000,008,686 | -HS- | C] () -- C:\ProgramData\060a0lgv5xri3o0
[2010/11/12 15:15:50 | 000,254,976 | ---- | M] () MD5=976A1B76A7D2A6CB184D63CB0500E8DC -- C:\Users\Christopher\AppData\Local\Temp\RarSFX0\procs\explorer.exe
[2010/11/12 15:15:50 | 000,254,976 | ---- | M] () MD5=976A1B76A7D2A6CB184D63CB0500E8DC -- C:\Users\Christopher\AppData\Local\Temp\RarSFX4\procs\explorer.exe
[2010/11/12 15:15:50 | 000,254,976 | ---- | M] () MD5=976A1B76A7D2A6CB184D63CB0500E8DC -- C:\Users\Christopher\AppData\Local\Temp\RarSFX5\procs\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Christopher\AppData\Local\Temp\RarSFX0\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Christopher\AppData\Local\Temp\RarSFX4\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Christopher\AppData\Local\Temp\RarSFX5\h\explorer.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Christopher\AppData\Local\Temp\RarSFX0\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Christopher\AppData\Local\Temp\RarSFX4\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Christopher\AppData\Local\Temp\RarSFX5\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Christopher\AppData\Local\Temp\RarSFX0\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Christopher\AppData\Local\Temp\RarSFX4\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Christopher\AppData\Local\Temp\RarSFX5\winlogon.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptyjava]
[CREATERESTOREPOINT]
[Reboot]


• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Do the following:

  1. Click on the Start button and then choose Control Panel.
  2. Click on the System and Security link.

Note: If you’re viewing the Large icons or Small icons view of Control Panel, you won’t see this link, so just click on the Administrative Tools icon and skip to Step 4.
  3. In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
  4. In the Administrative Tools window, double-click on the Computer Management icon.
  5. When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

Note: If you don’t see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
Take a screenshot of the Disk Management window and attach the screenshot to your reply.

Thank you! Please let me know what to do from here :)

Sorry, essex! I didn’t check his aswMBR log, so I had no idea…

Alas that is the recovery partition

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Thanks! I’ve attached the log here.
My computer is running a lot better. No redirection issues lately or any false antivirus warnings.

When will I know it’s fixed?

Let’s sweep for orphans now and take another quick look with OTL

Please download Malwarebytes’ Anti-Malware

• Double-click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select “Perform Quick Scan”, then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

THEN

Run OTL and select all users and then run a quick scan

There will be one log please attach that

No malicious threats were detected by Malwarebytes. Here is the log:
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.25.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Christopher :: CHRISTOPHER-PC [administrator]

1/25/2012 6:26:36 PM
mbam-log-2012-01-25 (18-26-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 171301
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

And the OTL log is attached.

How are we looking? Almost there? :D

I just had the issue once again while trying to access youtube.com. I’ve attached a screenshot of what it looks like, hope this helps.

Yep, that was Web Shield stopping you from going to a bad page, so it is good ;D

What problems do you have now

Is the virus or rootkit gone? How can we tell if it’s gone for good?

How do I stop avast from blocking me from visiting normal and safe sites? It blocked me from wikipedia and youtube last night.

Thanks!

Does this only happen in Firefox ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810

:Files
ipconfig /flushdns /c

:Commands
[CREATERESTOREPOINT]
[Reboot]


• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Attached here is the log from the OTL quick scan.

The avast blocker is popping up some in Internet Explorer and on almost everything in Firefox. Basically it’s blocking me from clicking on anything I’ve searched in Google.

How’s it all looking? Are we almost there?

The proxy servers have returned

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810
[2012/01/26 18:57:41 | 000,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Is it only firefox ?

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

• Ensure all Firefox windows are closed.
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
• When prompted to run the scan, click Yes.
• GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
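The OTL fixes in this thread (the first one above, and the re-run after "the proxy servers have returned") all revolve around the same handful of indicator classes: a ProxyServer value pointing at 127.0.0.1:18810 under HKU\.DEFAULT and HKU\S-1-5-18 (the default-profile and LocalSystem hives, so the hijack applied to services and the logon session, not only to the user's IE), a Run entry whose target file is missing, toolbar entries with no CLSID, hidden extension-less files dropped in ProgramData, and copies of a single NirSoft binary stored under the names userinit.exe and winlogon.exe in a Temp\RarSFX* folder. The script below is an added example, my own code and not part of the thread, of OTL or of any avast tool; it triages OTL-style lines for exactly those patterns. The sample input is copied from the first fix posted above plus one constructed benign proxy line (proxy.example.net is an assumed hostname) to show that a non-loopback proxy is not flagged.

```python
"""Triage OTL-style log lines for the browser-hijack indicators seen in this thread.

Added example, not from the forum post or from OTL itself.
"""
import ipaddress
import re
from collections import defaultdict

# Sample input: entries copied from the posted OTL fix, plus one constructed
# benign ProxyServer line (assumed hostname proxy.example.net) for contrast.
SAMPLE_LINES = r"""
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:18810
IE - HKU\S-1-5-21-2773036655-1795469504-3343648015-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=proxy.example.net:8080
O3 - HKU\S-1-5-21-2773036655-1795469504-3343648015-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKU\S-1-5-21-2773036655-1795469504-3343648015-1000..\Run: [fBdepykqaJJTx.exe] C:\ProgramData\fBdepykqaJJTx.exe File not found
[2011/10/19 14:57:05 | 000,000,240 | -H-- | C] () -- C:\ProgramData\~6DSS92c31Apgjk
[2010/11/12 15:15:50 | 000,254,976 | ---- | M] () MD5=976A1B76A7D2A6CB184D63CB0500E8DC -- C:\Users\Christopher\AppData\Local\Temp\RarSFX0\procs\explorer.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Christopher\AppData\Local\Temp\RarSFX0\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Christopher\AppData\Local\Temp\RarSFX0\winlogon.exe
"""

PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?P<value>\S+)')
HIVE_RE = re.compile(r"HK[A-Z]{1,2}\\[^\\]+")          # e.g. HKU\S-1-5-18
# OTL file line: [stamp | size | attrs | C/M] (company) [MD5=...] -- path
FILE_RE = re.compile(
    r"^\[[^|]+\|\s*[\d,]+\s*\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*[CM]\]\s*"
    r"\([^)]*\)\s*(?:MD5=(?P<md5>[0-9A-Fa-f]{32}))?\s*--\s*(?P<path>.+?)\s*$"
)
# Names that belong in C:\Windows; finding them elsewhere is suspicious.
SYSTEM_BINARIES = {"explorer.exe", "userinit.exe", "winlogon.exe",
                   "svchost.exe", "lsass.exe", "csrss.exe"}


def parse_proxy_value(value):
    """Split an IE ProxyServer value into (scheme, host, port) triples.
    Handles both 'host:port' and 'http=host:port;https=host:port' forms."""
    endpoints = []
    for part in value.split(";"):
        scheme, _, hostport = part.rpartition("=")   # scheme is '' if no '='
        host, _, port = hostport.rpartition(":")
        endpoints.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return endpoints


def is_loopback(host):
    """True for localhost / 127.0.0.0/8 / ::1, i.e. a proxy on the box itself."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:            # hostname, not an IP literal
        return False


def triage(log_text):
    """Return {indicator_class: [evidence, ...]} for the OTL lines given."""
    findings = defaultdict(list)
    md5_names = defaultdict(set)  # digest -> set of file names carrying it
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            hive = HIVE_RE.search(line)
            for scheme, host, port in parse_proxy_value(m.group("value")):
                if is_loopback(host):
                    findings["loopback_proxy"].append(
                        f"{hive.group(0) if hive else '?'}: {scheme} proxy at {host}:{port}")
            continue
        if line.startswith("O4 ") and "File not found" in line:
            findings["run_key_missing_target"].append(line)
            continue
        if line.startswith("O3 ") and "No CLSID value found" in line:
            findings["toolbar_without_clsid"].append(line)
            continue
        f = FILE_RE.match(line)
        if not f:
            continue
        path, attr, md5 = f.group("path"), f.group("attr"), f.group("md5")
        name = path.rsplit("\\", 1)[-1].lower()
        if "H" in attr and "." not in name:          # hidden, no extension
            findings["hidden_extensionless_file"].append(path)
        if name in SYSTEM_BINARIES and not path.lower().startswith("c:\\windows\\"):
            findings["system_binary_name_outside_windows"].append(path)
        if md5:
            md5_names[md5.upper()].add(name)
    # One hash under several system-binary names = one tool renamed repeatedly.
    for digest, names in md5_names.items():
        if len(names) > 1:
            findings["one_binary_many_names"].append(f"{digest}: {sorted(names)}")
    return dict(findings)


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LINES).items():
        print(f"[{category}]")
        for hit in hits:
            print("   ", hit)
```

Run it on a saved OTL.txt by passing the file contents to `triage()`. The loopback rule is the one that matters most for this thread: a ProxyServer of 127.0.0.1:18810 means every HTTP request from IE (and anything else honouring the WinINet proxy) was being handed to a process listening locally on that port, which is what produced the redirects. Seeing the same value reappear after a fix that deleted it, as happened here, is a sign that whatever writes it is still running, so the value itself is a symptom to watch rather than the thing to clean.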

Thanks! Here are the logs.