is any other tech available to help me find a resolution to this problem?
Essexboy is online soon… he usually arrives around this time
depends how much work he has in the other forum
yay! ;D
OK so it is playing hard to get… Do the redirects occur in IE, Firefox or both ?
[*]Run OTL.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs
THEN
Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif
On completion of the scan click save log, save it to your desktop and post in your next reply
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif
thanks essexboy!
OTL didn't generate an Extras report.
oh, and I don't use IE, so I have no idea if it's redirecting.
Avast is holding it in check - however, your host file has been hijacked again
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O1 - Hosts: 109.163.226.208 www.google-analytics.com.
O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
O1 - Hosts: 109.163.226.208 www.statcounter.com.
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
O1 - Hosts: 67.215.245.19 www.statcounter.com.
:Files
ipconfig /flushdns /c
:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Delete combofix from your desktop and download - then run a fresh copy
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
OTL will not run
it has an error
cannot create hostfile c:\windows\system32\drivers\etc\Hosts.
OK proceed direct to combofix please
combofix
the computer is running great
the hi-jackings are definitely lesser
OK I will use combofix to remove the Host file as it is a tad stronger
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\drivers\etc\hosts
C:\Windows\SysNative\epfwtdi.dll
NetSvc::
bhmonitorservice
Driver::
bhmonitorservice
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
combofix - thanks for all your help essex
That looks better could you run an OTL scan for me now please…
The only item I will need in the custom scans box is
Netsvcs
Then press quick scan
Are the redirects still apparent ?
yes the redirects are happening. i will do your last step and let you know, thanks!
Could you try IE to see if that is redirecting as well
here is the otl. i will browse around in IE and see if it happens.
still happening in ff
yes it redirects in IE also. I've noticed it when I click on links toward the right upper corner of the browser (not every time).
avast ran a boot time scan and has also noticed a ton of new things and moved them into the chest.
Do you connect to users' computers using the remote desktop tool in Avast?
I would really love to get this out of my computer for good, but it seems I can never keep you online long enough
The host file is proving particularly stubborn
- Please download The Avenger by Swandog46 to your Desktop.
[*]Right click on the Avenger.zip folder and select “Extract All…”
[*] Follow the prompts and extract the avenger folder to your desktop
- Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
C:\Windows\SysNative\drivers\etc\hosts
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Now, open the avenger folder and start The Avenger program by clicking on its icon.
http://i1224.photobucket.com/albums/ee362/Essexboy3/Avenger%20shots/avengerico.gif
[*]Accept the disclaimer
http://i1224.photobucket.com/albums/ee362/Essexboy3/Avenger%20shots/avengerdisclaimer.gif
[*] Right click on the window under Input script here:, and select Paste.
http://i1224.photobucket.com/albums/ee362/Essexboy3/Avenger%20shots/avengerfront.gif
[*] You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.
- The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
- Please copy/paste the content of c:\avenger.txt into your reply.
The Avenger never creates a log file. It does restart my computer, but then nothing happens after that.
And still the redirects ?
Could you go to C:\Windows\system32\drivers\etc folder and locate the Host file
Right click and select edit
Then try to remove the following lines
O1 - Hosts: 109.163.226.208 www.google-analytics.com.
O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
O1 - Hosts: 109.163.226.208 www.statcounter.com.
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
O1 - Hosts: 67.215.245.19 www.statcounter.com.