I think I have a redirect issue

When I use Firefox and then Google as a search engine, I have been getting redirects. I had run MBAM, which found a problem, and then installed Avast, which in its boot scan found and fixed problems, but the redirect remains. Neither MBAM nor Avast finds anything now. I had not taken any notes on just what they found originally, but from my memory it had to do with Java, and one piece of advice I read said it needed updating, so I uninstalled and then installed the latest version. This issue does not seem to happen when I use IE/Google. I have run the OTL and aswMBR scans, but don’t know what to make of them.

Eric

If you have run OTL, then you need to attach the log here so essexboy can analyse it.

Follow the guide here and attach all logs
http://forum.avast.com/index.php?topic=53253.0

My OTL log exceeds the 10,000 character limit; is there a more important part I should post?
Here is the aswMBR log:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-06 10:06:49

10:06:49.843 OS Version: Windows 5.1.2600 Service Pack 3
10:06:49.843 Number of processors: 2 586 0x401
10:06:49.843 ComputerName: RECEPTION UserName: User
10:06:51.031 Initialize success
10:06:51.515 AVAST engine defs: 11120602
10:07:26.203 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-17
10:07:26.203 Disk 0 Vendor: ST380817AS 3.42 Size: 76319MB BusType: 3
10:07:28.218 Disk 0 MBR read successfully
10:07:28.218 Disk 0 MBR scan
10:07:28.218 Disk 0 Windows XP default MBR code
10:07:28.218 Disk 0 scanning sectors +156280320
10:07:28.281 Disk 0 scanning C:\WINDOWS\system32\drivers
10:07:45.187 Service scanning
10:07:46.312 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys LOCKED 32
10:07:46.390 Service FXDRV D:\Fxdrv.sys LOCKED 21
10:07:47.484 Modules scanning
10:07:52.937 Disk 0 trace - called modules:
10:07:52.953 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8a5e5209]<<
10:07:52.953 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a9b2ab8]
10:07:52.953 3 CLASSPNP.SYS[f7647fd7] → nt!IofCallDriver → \Device\00000081[0x8a9cb750]
10:07:52.953 5 ACPI.sys[f75ae620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-17[0x8a9b6d98]
10:07:53.234 AVAST engine scan C:\WINDOWS
10:08:21.578 AVAST engine scan C:\WINDOWS\system32
10:10:32.031 AVAST engine scan C:\WINDOWS\system32\drivers
10:10:48.968 AVAST engine scan C:\Documents and Settings\User
10:22:15.140 AVAST engine scan C:\Documents and Settings\All Users
10:23:40.656 Scan finished successfully
13:49:22.031 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\User\Desktop\MBR.dat”
13:49:22.046 The log file has been saved successfully to “C:\Documents and Settings\User\Desktop\aswMBR.txt”
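A small triage helper for aswMBR logs like the one posted above, added here as an example; it is not part of this thread or of aswMBR itself. The sample lines are constructed after the format of the posted log, and the choice of what to surface first (locked drivers, the >>UNKNOWN<< entry in the disk call chain, a non-default MBR) is my assumption about what an analyst would check, not a verdict aswMBR gives.

```python
import re

# Constructed sample in aswMBR's log format, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
10:07:28.218 Disk 0 MBR read successfully
10:07:28.218 Disk 0 Windows XP default MBR code
10:07:45.187 Service scanning
10:07:46.312 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys LOCKED 32
10:07:46.390 Service FXDRV D:\Fxdrv.sys LOCKED 21
10:07:52.937 Disk 0 trace - called modules:
10:07:52.953 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8a5e5209]<<
10:23:40.656 Scan finished successfully
"""

# Line shapes taken from the posted log; the timestamp prefix is skipped with \S+.
SERVICE_RE = re.compile(r"^\S+ Service (\S+) (.+?) LOCKED (\d+)$")
MBR_RE = re.compile(r"^\S+ Disk (\d+) (.+ MBR code)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def parse_aswmbr(text):
    """Collect locked services, per-disk MBR status and unlisted modules in the disk call chain."""
    found = {"locked_services": [], "mbr": {}, "unknown_modules": []}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            found["locked_services"].append(
                {"name": m.group(1), "path": m.group(2), "code": int(m.group(3))})
            continue
        m = MBR_RE.match(line)
        if m:
            found["mbr"][int(m.group(1))] = m.group(2)
            continue
        found["unknown_modules"].extend(UNKNOWN_RE.findall(line))
    return found


def review_items(found):
    """Items an analyst would look at first (assumed triage rules, not aswMBR's own verdicts)."""
    items = []
    for svc in found["locked_services"]:
        note = "" if svc["path"].upper().startswith("C:\\WINDOWS\\") else " (outside the Windows directory)"
        items.append(f"locked driver {svc['name']} at {svc['path']}{note}")
    for addr in found["unknown_modules"]:
        items.append(f"unlisted module in the disk I/O call chain at {addr}")
    for disk, status in found["mbr"].items():
        if "default" not in status:
            items.append(f"disk {disk} MBR is not the stock code: {status}")
    return items


if __name__ == "__main__":
    for item in review_items(parse_aswmbr(SAMPLE_LOG)):
        print(item)
```

Run against the sample it lists the two locked drivers (flagging D:\Fxdrv.sys as outside the Windows directory) and the unlisted module address; the stock XP MBR produces no item.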

Did you save it as ANSI before you attach it (not copy and paste)?

if no good, upload to mediafire.com and post the download link here

Monitoring - but off to bed now ;D

Ok, hopefully I have it right this time

Do you also have the log from when Malwarebytes found and removed something?

From the OTL log it seems you have Avast and Trend Micro antivirus installed; is this correct?
I also see some files from McAfee?

Installing multiple AV programs can/will create all kinds of Windows errors and false positive detections.

Never install two antivirus programs:
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

So you need to uninstall one AV.
It is also recommended to run a removal tool so all leftovers are gone.

Run and reboot - Uninstallers for Security Software:
http://thewebatom.net/uninstallers/security-software/

Essexboy will be back tomorrow and check your logs;
he is usually in here around 08:00pm - 11:59pm UK time.

Hi, nothing readily apparent there, so let's get a specialist in on the job.

Please download GooredFix from one of the locations below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Ok, Goored text attached.

Pondus, there is a Trend Micro client/server security program on the machine; however, it does not show as running like Avast does (I did not install it, so I cannot speak to just what it is for). However, if I start it, it seems to be something akin to MBAM in that it has scan options for various things. It was on this machine when the infection occurred, which is another reason I don’t think it’s an active AV program.

Attached are the Malwarebytes logs.

I think it is the business version of Trend Micro, and as I can see from the OTL log it is running active… however I am not an expert on this.

Trend is listed under Processes / safelist and under W32, where it says auto running.
McAfee is listed under drivers… so it may have been installed before?

So is this a company machine or a private one?

Disabling is not enough, so you should run the removal tool for McAfee and the other AV you do not need.

Did the company you work for require you to install Trend Micro so that you can remotely connect to your company’s servers? If so, do not remove that software or you might find yourself out of a job :cry:

McAfee was installed before, and yes it is a company machine, but it doesn’t directly access our servers. It was used to set up the router for a small branch network where another machine can access the servers. If I need to, I can certainly remove Avast, and clean out the remains from McAfee. I do understand the multiple AV issue. I still have this redirect that nothing seems to find, and I was mistaken that it only affected Firefox, as IE has started doing it as well.

Eric

Hmm, let's get the big boy on the job to check out the locked file reported by aswMBR.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

I do not have McAfee installed, just scattered remnants which the above-mentioned remover didn’t remove. I could not find a way to shut down the Trend Micro; I tried to see if it would see the issue (I hadn’t known it was on the machine until this process started), but it did not. So I ran ComboFix and still have the redirect, so I am not sure if TM hindered the operation of your tool. If it did, I will find out how to kill off that process if needed. Attached are logs.

Again, nothing untoward there; let's see if the new kid is around.

Do the following:
Start > Run
Type diskmgmt.msc
Click “OK”

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screenshot of the Disk Management window and attach the screenshot to your reply.

Trying again with the screenshot.

Question time ;D

Where do you get redirected to?
Is it a specific site?

I see a few that repeat. Tazinga is the most common, but also: eZanga, monstermarketplace.com, amusementgeneral.com, and there may be others.

Eric