Keep getting redirects

A couple weeks ago you helped me with the colexity virus. At the time I was also getting some attempted redirects that Avast was catching. It seemed to have gotten better, with just a couple redirects each day. Today it is trying to redirect nearly everything so that I cannot even access pages I am looking for. Please help.

Thanks,

Charlie

Hi, again. ;D

You need to follow this guide again:
http://forum.avast.com/index.php?topic=53253.0

For some start, attach here (adwcleaner) Malwarebytes, OTL and aswMBR logs :wink:

Ok. Thanks. Attached are the logs.

Charlie

last attachment

Step#1

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.


Step#2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.


Step#3

Please download MBRCheck.exe to your desktop.

[*] Be sure to disable your security programs
[*] Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
[*] A small window should open on your desktop
[*] if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
[*] If nothing unusual is found just press Enter
[*] A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your deskop. Please post the contents of that file.

Attached logs:

Hi,

Step#1

Re-run TDSSKiller then click on Change parameters.

[*] Put a checkmark beside loaded modules.
[*] A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.

[*] Then click on Change parameters in TDSSKiller.
[*] Check all boxes then click OK.

[*] Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

[*] Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”.

[*] Please attache the contents of that file here.


Step#2

c:\documents and settings\Charlie\My Documents\Downloads\ComboFix.exe

ComboFix must be runing from your Desktop.

Cut Combofix.exe from Download folder to your Desktop.

Re-run Combofix and attach here fresh Combofix.txt log

logs

combofix log

How’s your computer running now?

Still getting them. Red Avast box pops up declaring malicious URL blocked.

Can you create screenshot of that warning?
( If you are unsure how t create screenshot, here is good guide )
http://windows.microsoft.com/en-US/windows-xp/help/setup/take-a-screen-shot

Also, do you have aswBoot.txt logs?

C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



%SYSTEMDRIVE%\*.*
C:\*.* /md5 
dir /s /a "C:\temp" /c 


[*]Then click the Run Scan button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad ( OTL.txt )with logreport.
Attach here that logreport.

Ok. Here goes

BTW nice avatar

took screenshot but file is too large to post.

How do I make it smaller?

screenshot.2

when the avast window popped up I tried to click on more details, but nothing happens.

BTW nice avatar
Hehe, tnx :)

Here’s the thing abaut C:\WINDOWS\Temp_avast_\unp*.tmp

This is from your aswBoot.txt

08/12/2012 11:54 Scan of all local drives

File C:\WINDOWS\Temp_avast_\unp227387437.tmp is infected by Win32:Agent-APHV [Trj], Deleted
Number of searched folders: 8536
Number of tested files: 548758
Number of infected files: 1

Can you locate this file? Do you have this file?

C:\WINDOWS\Temp\_avast_\unp227387437.tmp

I think that file is not there, but try to locate. If file is there…send file to

 virus@avast.com

https://support.avast.com/index.php

Right click the file(s) and add it to an archive/compressed file
Enter a password, preferrably: virus

If not, here you can read more about this detection.
Simular:
http://forum.avast.com/index.php?topic=85750.0

In the e-mail also copy the link to this topic .


Then …

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:Commands
[CREATERESTOREPOINT]
[purity]
[emptytemp]
[EMPTYFLASH]
[EMPTYJAVA]
[Reboot]



[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.


Re-run OTL, click on QuickScan and attach here fresh OTL.txt log.

Do you still have pop-ups?

otl has been running for about 9 hours. At the bottom of the screen it says don’t interrupt . Nothing seems to be happening though. every once in a while the hard drive light will blink. is this normal?

No, its not normal. Stop OTL.

  • Reboot your computer.

  • Disable Malwarebytes and your antivirus.

  • Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

  • Again check that you’re Malwarebytes and Antivirus was disabled.

  • Repeat OTL Fix

-Attach here OTL reports.

  • Reboot your computer. Turn on protections. Do you still have pop-ups?

Ok. OTL log attached. rebooting and looking to see if redirects continue.

Charlie

First google search and got the same Avast popup box blocking malicious URL. :frowning: