NT Redirect after removing trojans

I did a boot scan with the latest version of Registered Pro Avast and it said it removed a dozen or more Trojans and evil things, but now when I boot into Win7, I get an error that there is a problem starting Bab Solution\Shared\NT Redirect. Please advise as to how to remove this from the registry or fix it if you can.
Thanks
Tim

Are you able to log on to your user account? Or not?

Attach a screenshot of the avast virus chest. If nothing is there, then look in the boot scan text file here: (XP) C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\report\aswBoot.txt

OR

(Vista/Win7) C:\ProgramData\Avast Software\Avast\report\aswBoot.txt

Attach aswBoot.txt so we can see what boot scan found and removed.

http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

[EDIT:]

Run AdwCleaner, Malwarebytes, OTL, aswMBR from here: http://forum.avast.com/index.php?topic=53253.0 Attach resulting logs in next reply as well.

I submitted the report to text support, but I expected a place to comment and never saw one. I’ll search for it and post it here. I logged into my account with an old username. I can log in with one on one machine, but not on the other. I get confused because I’ve registered it dozens of times and never remember which one I’m using. Anyway.
I think AdwCleaner was what I installed last and it just wanted to sell me the complete version that would fix what it found.

Odd. Never have seen that happen with AdwCleaner. All versions at the avast! program link are clean and do not contain spyware or adware. Did you get your version of AdwCleaner elsewhere?

The only program we really need atm is OTL. Can you run that? Attach the resulting log in your next reply. Follow instructions on linked page to ensure you have the proper settings in place before you scan. A log will be produced at the end of the scan.

Here’s what will happen: A certified malware expert will come in and assist you in cleansing your system, but he will need your log(s) to be able to see what you have and create a customised fix just for your system alone, and no other.

Monitoring

aswBoot.txt attached. You want me to go ahead and run OTL?

Yes.

Sometimes we encounter problems we cannot solve ourselves. Think this is such a situation. Allow yourself to be guided by essexboy, you are fortunate he has come on board so soon.

Requested attachment

These things are nasty… as you see I run Avast and Malwarebytes, sometimes it removes stuff but I guess these things get more sophisticated all the time as they keep coming back. It seems it all started when we started letting the kid download and play games, lately Minecraft, which cost $26!

Suggest setting up a limited user account with parental controls enabled, if you have not done that already, after this cleansing routine is done. Might save you a lot of grief in the future. You get to control what he/she runs and downloads. Change your admin password as well when done here.

It looks as though the boot scan was interrupted before the cleaning routine was complete. It looks like the usual mix of toolbars bundled with free online games and other programmes.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={7003AE38-DB5D-11E2-9C33-00256483952A}
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=dpg&s={searchTerms}&f=4&hl={language}&src=chrm
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={7003AE38-DB5D-11E2-9C33-00256483952A}
IE - HKU\S-1-5-21-3411916625-4226217344-1406499675-1001\SOFTWARE\Microsoft\Internet Explorer\Main,bProtector Start Page = http://www1.delta-search.com/?babsrc=HP_ss&mntrId=E4A800256483952A&affID=119351&tsp=4969
IE - HKU\S-1-5-21-3411916625-4226217344-1406499675-1001\..\SearchScopes\{D27E1E83-296D-4749-BDC0-4E1CA3CE047B}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2998365&CUI=UN11483873543043160&UM=2
IE - HKU\S-1-5-21-3411916625-4226217344-1406499675-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;localhost;10.*;192.168.*;127.0.0.1:895;127.0.0.1:896
IE - HKU\S-1-5-21-3411916625-4226217344-1406499675-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8555
FF - prefs.js..browser.search.defaultthis.engineName: "Trustworthy Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2998365&CUI=UN40259022031253617&UM=2&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.order.1: "Delta Search"
FF - prefs.js..browser.search.selectedEngine: "Delta Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2998365&SearchSource=2&CUI=UN40259022031253617&UM=2&q="
FF - prefs.js..network.proxy.type: 4
[2013/08/09 13:32:27 | 000,006,507 | ---- | M] () -- C:\Users\JD\AppData\Roaming\Mozilla\Firefox\Profiles\6jb3aylr.default\searchplugins\babylon.xml
[2013/06/17 19:58:08 | 000,000,999 | ---- | M] () -- C:\Users\JD\AppData\Roaming\Mozilla\Firefox\Profiles\6jb3aylr.default\searchplugins\conduit.xml
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2:64bit: - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3411916625-4226217344-1406499675-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKU\S-1-5-21-3411916625-4226217344-1406499675-1001..\Run: [NTRedirect] C:\Windows\SysWOW64\rundll32.exe "C:\Users\JD\AppData\Roaming\BabSolution\Shared\NTRedirect.dll",Run File not found
[2013/08/09 23:41:57 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\searchplugins
[2013/08/09 13:44:29 | 000,000,000 | ---D | C] -- C:\Users\JD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserDefender
[2013/08/09 13:32:37 | 000,000,000 | ---D | C] -- C:\ProgramData\BrowserDefender
[2013/08/09 13:32:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Junkware Removal Tool to your desktop.

[*]Right-click JRT.exe and select “Run as Administrator”; the tool will open and start scanning your system
[*]Please be patient as this can take a while to complete depending on your system’s specifications
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.
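The two persistence traces in the fix above are worth being able to spot without OTL: a Run key that launches rundll32.exe against a DLL that no longer exists (the orphaned NTRedirect entry that produces the start-up error after the DLL was quarantined), and Internet Settings that force the browser through a proxy on 127.0.0.1. The read-only PowerShell audit below is an added example, not part of the original thread or any of the tools it names; it checks the current user's and the machine's Run keys plus the current user's proxy settings, and makes no changes. The key paths and the regex are mine, and the script only reports, leaving removal to the guided fix.

```powershell
# Added example (not from the forum thread): audit Run keys for rundll32 entries whose
# DLL is missing, and flag proxy settings that point the browser at the loopback address.
# Read-only: it only reports. Tested shape for Windows PowerShell 5.1; HKCU covers the
# logged-on user, so run it as the account whose profile showed the hijack.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Provider metadata that Get-ItemProperty adds alongside the real value names
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Matches  rundll32.exe "C:\path\file.dll",EntryPoint  and the unquoted form
$rundllPattern = 'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,'

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $command = [string]$prop.Value
        $match = [regex]::Match($command, $rundllPattern, 'IgnoreCase')
        if (-not $match.Success) { continue }
        # Expand %APPDATA% and friends before testing for the file
        $dll = [Environment]::ExpandEnvironmentVariables($match.Groups[1].Value)
        if (-not (Test-Path -LiteralPath $dll)) {
            Write-Output ("ORPHANED RUN ENTRY {0}\{1}" -f $key, $prop.Name)
            Write-Output ("  command:     {0}" -f $command)
            Write-Output ("  missing DLL: {0}" -f $dll)
        }
    }
}

# A proxy on the loopback interface is the browser-hijack pattern from the OTL log
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet -and ([string]$inet.ProxyServer) -match '127\.0\.0\.1|localhost') {
    Write-Output ("LOOPBACK PROXY ProxyEnable={0} ProxyServer={1}" -f $inet.ProxyEnable, $inet.ProxyServer)
}
```

An orphaned entry is itself only an annoyance (rundll32 reports the missing DLL at logon, which is the error Tim saw); the useful signal is that something installed a DLL under the user's AppData and registered it to run at logon, so the directory it points at is worth checking for leftovers before deleting the value. Entries for other local accounts live under HKU\<SID> rather than HKCU, which is why the OTL lines above are written that way.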

It appears to have stopped, NOT RESPONDING. It appeared to do everything and run a bunch of stuff, then with emptytemp and reboot appearing in the window, the Windows cursor just kept spinning.

OK, that is MBAM blocking it from running, or your temporary files are very full.

If it is still doing that, then stop it and run the Junkware Removal Tool.

Here’s the 2nd log after rebooting manually.

The reboot should no longer have the error message popping up :slight_smile:

It didn’t, and I forgot to right click and run JRT as Admin, but running it anyway. Do I need to post the log? I had a laptop he played on too that Avast also removed some of these, but when they were removed and rebooted, no problems. If I see a hijack come back, I guess I’ll go through all this with it too! Sure is awesome you guys spend your Saturdays here instead of at the game or track. :slight_smile:

JRT Log

I’m not sure how parental controls would help; you’d have to sit there and watch which pages he visited, and who knows which ones are safe? I guess all the games are pretty much bad news. Not sure how so many people access the games and survive, unless they’re Cartoon Network or something like that. Anyway, it’s great to have support like this and very much appreciated. Hopefully I won’t be back with the other computer, or should I just try running those same programs, like Junkware Removal Tool, first?

As they appear to play games, you will be at risk from Java exploits and any bundled stuff that they download.

As an alternative, you could get them to run the browsers sandboxed using Avast.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… the following will implement some cleanup procedures as well as reset System Restore points:

JRT and AdwCleaner are updated regularly, so download them as and when needed.

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System Tools
Right-click Disk Cleanup and select Run as administrator
When it pops up, select OK at the first prompt; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Clean up button

https://dl.dropbox.com/u/73555776/disc%20clean.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run it weekly to keep your system clean.

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking, then as an added layer of protection install Trusteer Rapport.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date, visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave:

So JavaScript is not safe either? I can’t even use my Excite start page any longer that I’ve used for 10 years, because it says cookies and JavaScript are blocked. Is this normal procedure after running these fix-it programs?
Thanks for any advice.
Tim