Licensed Internet Security: MWB Pro, TDSSK and full scans not work

Long-time member and lurker. I have been getting redirections after clicking on normal links like ESPN etc. and can see cpr servefeed info as the culprit window pop up.

It also happened while I was typing this post.

Ran Malwarebytes PRO: did not detect it. Ran full scan of Internet Security, paid and licensed: none. TDSS which usually gets it: none.

Any help is greatly appreciated. Thanks.

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

malwarebytes FULL SCAN ON 1/26: ORIGINAL POST DATE OF THREAD:
Database version: 912012701

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/26/2012 7:32:44 PM
mbam-log-2012-01-26 (19-32-44).txt

Scan type: Full scan (C:|D:|E:|)
Objects scanned: 259650
Time elapsed: 52 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


QUICK SCAN 01/28

I have attached both logs for OTL as instructed…


aswMBR logs…


aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-01-28 15:30:08

15:30:08.171 OS Version: Windows 5.1.2600 Service Pack 3
15:30:08.171 Number of processors: 2 586 0x170A
15:30:08.171 ComputerName: DGRGKWJ1 UserName: lov
15:30:09.656 Initialize success
15:30:10.484 AVAST engine defs: 12012800
15:30:52.156 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
15:30:52.171 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 3
15:30:52.203 Disk 0 MBR read successfully
15:30:52.218 Disk 0 MBR scan
15:30:52.218 Disk 0 unknown MBR code
15:30:52.218 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
15:30:52.234 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 228434 MB offset 81920
15:30:52.265 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 9993 MB offset 467925255
15:30:52.265 Disk 0 scanning sectors +488392065
15:30:52.328 Disk 0 scanning C:\WINDOWS\system32\drivers
15:31:03.703 Service scanning
15:31:04.750 Modules scanning
15:31:13.312 Disk 0 trace - called modules:
15:31:13.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
15:31:13.343 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8ae46ab8]
15:31:13.359 3 CLASSPNP.SYS[ba0e8fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x8ae55028]
15:31:14.593 AVAST engine scan C:\WINDOWS
15:31:20.546 AVAST engine scan C:\WINDOWS\system32
15:33:20.281 AVAST engine scan C:\WINDOWS\system32\drivers
15:33:36.718 AVAST engine scan C:\Documents and Settings\lov
15:45:20.843 AVAST engine scan C:\Documents and Settings\All Users
15:47:31.828 Scan finished successfully
15:51:49.531 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\lov\Desktop\MBR.dat”
15:51:49.531 The log file has been saved successfully to “C:\Documents and Settings\lov\Desktop\aswMBR.txt”

aswMBR logs above; I didn’t click on FixMBR after the scan. Hope that helps. Should I run RogueKiller after? The instructions were not explicit, as I didn’t understand the logs. Thanks for any assistance…

No, RogueKiller is only used if you have lost your start menu and icons.

After this run, could you check for redirects please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

- Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {5911488E-9D1E-40ec-8CBB-06B231CC153F}:2.3.0
[2011/11/30 19:08:56 | 000,000,000 | ---D | M] (StartNow Toolbar) -- C:\Documents and Settings\lov\Application Data\Mozilla\Firefox\Profiles\0naa42n2.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll ()
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3269556360-2020722630-4232001366-1005\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\EasyRedirect.dll (EasyTech)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\EasyRedirect.dll (EasyTech)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\System32\EasyRedirect.dll (EasyTech)
[2012/01/20 10:38:32 | 000,002,544 | ---- | M] () -- C:\WINDOWS\System32\EasyRedirect.ini
[2012/01/20 10:38:32 | 000,001,248 | ---- | M] () -- C:\WINDOWS\System32\EasyRedirectOff.ini

:Files
ipconfig /flushdns /c
C:\WINDOWS\System32\EasyRedirect.dll
C:\Program Files\StartNow Toolbar

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
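As an added triage helper (not part of the thread and not an OTL feature), the script below reads OTL-style log lines and flags the three things the fix above removes: an IE ProxyServer pointing at loopback, a Winsock LSP (O10) DLL outside a stock baseline, and a BHO with no vendor string. The sample lines and the XP provider baseline are constructed assumptions modelled on this thread's entries.

```python
import re

# Constructed sample in OTL log format, modelled on the fix script above; the corporate
# proxy and mswsock.dll lines are added here as benign controls that must not be flagged.
SAMPLE_OTL = r"""
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.corp.example:8080
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\EasyRedirect.dll (EasyTech)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll ()
"""

PROXY_RE = re.compile(r'^IE - (?P<key>.+?): "ProxyServer" = (?P<value>.*)$')
LSP_RE = re.compile(r'^O10 - Protocol_Catalog9\\Catalog_Entries\\\d+ - (?P<path>.+?) \((?P<vendor>.*)\)$')
BHO_RE = re.compile(r'^O2 - BHO: \((?P<name>.*?)\) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?) \((?P<vendor>.*)\)$')

# Assumed baseline of Winsock providers on a stock Windows XP install; tune per OS image.
XP_LSP_BASELINE = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def proxy_hosts(value):
    """Split an IE ProxyServer value ('http=host:port;https=...' or 'host:port') into hosts."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        target = entry.split("=", 1)[1] if "=" in entry else entry  # drop 'http=' style prefix
        hosts.append(target.rsplit(":", 1)[0].strip("[]").lower())  # drop port, IPv6 brackets
    return hosts

def triage(otl_text):
    """Return (tag, detail) findings for lines matching this thread's redirect pattern."""
    findings = []
    for line in otl_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m and any(h in LOOPBACK or h.startswith("127.") for h in proxy_hosts(m["value"])):
            findings.append(("LOOPBACK_PROXY", f'{m["key"]} -> {m["value"]}'))
            continue
        m = LSP_RE.match(line)
        if m and m["path"].rsplit("\\", 1)[-1].lower() not in XP_LSP_BASELINE:
            findings.append(("NONSTANDARD_LSP", f'{m["path"]} ({m["vendor"] or "no vendor"})'))
            continue
        m = BHO_RE.match(line)
        if m and not m["vendor"]:  # OTL prints '()' when the DLL carries no company name
            findings.append(("UNATTRIBUTED_BHO", f'{m["name"]} -> {m["path"]}'))
    return findings
```

Running `triage(SAMPLE_OTL)` on the constructed sample yields one finding of each tag; the corporate proxy and mswsock.dll lines pass.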

Essexboy, the log as instructed. The cpv servefeed info pop-up is still there.

Hi, you have given me the original OTL log.

Could I have the latest one please?

I’m confused, that was the latest one. To avoid confusion, I did the process again for you and this was the latest. Thanks.

OTL logfile created on: 1/30/2012 2:57:15 PM - Run 1
Going by the run number it is still the original one. Could you delete the logs from your desktop and re-run, please?