Strange DNS Redirects, and Avast can't update

I used Avast and Spybot to remove several viruses and spyware infections on a client machine. I can run them both now and not detect anything. The problem is that Avast won’t update. It keeps trying to pull its updates from 127.0.0.1:80, and obviously fails to contact the server. I have no proxies specified anywhere, my DNS entries are my local router and OpenDNS server (208.67.222.222), my Hosts file only has the Spybot entries, but nothing specific to Avast.com or *.Avast.com. When I try to ping avast.com it replies from 127.0.0.1 also. I’ve flushed the DNS resolver cache several times. I can get to avast.com through the browser, but can’t get there if I ping it.

Also in IE, if I manually type in a web address, it automatically sends it to a Google search instead of going to the web page. Firefox doesn’t do this. I’ve tried deleting all the temp files in IE, and resetting it to its ‘factory’ settings, but it hasn’t changed anything.

If I use IE or Firefox, clicking on any link gets me redirected to several random websites that are obviously spyware generated. I’ve cleaned everything out with HijackThis (v2.02) and don’t see anything in there that shouldn’t be. I’ve also run the Trend Micro Sysclean standalone antivirus, and it’s found nothing either spyware or virus related.

For the life of me, I can’t figure out what is doing the browser redirects, or pointing avast.com to 127.0.0.1.

Any help or suggestions will be greatly appreciated.

Here are the HijackThis logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:10, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ISUSPM] “C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” -scheduler
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip..{6C3CF7C6-0DD8-4571-9915-27CCD046F001}: NameServer = 192.168.1.1,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip..{6C3CF7C6-0DD8-4571-9915-27CCD046F001}: NameServer = 192.168.1.1,208.67.222.222
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe


End of file - 5330 bytes

have you checked the hosts file?

I'd run Malware Bytes AntiMalware and Rogue Remover
then
Superantispyware
post the logs
and a new HJT
and a snip from your hosts file showing any redirects

There are tons of redirects in the hosts file, all put there by Spybot, which is normal. I’ve even deleted all of them, and only left the standard 127.0.0.1 localhost entry and nothing else, still does the same thing.

Do I need to uninstall Avast to run Malware Bytes? Or is it a standalone like the Trend Sysclean?

Damn not host file
you do not have to disable avast to run the two malwarebytes programs
rogue remover free and antimalware free
do disable t-timer
did you run a spybot scan?

I have a client with the exact same problem. He had WinAntivirus 2009 (malware) on his system. I have cleaned the infection using a combination of Avast and manually deleting files and registry entries. I am stuck, however, with the odd browser redirection issue. I had to manually change the network settings to use the correct DNS. Now, when I do an NSLOOKUP on avast.com, symantec.com, etc. I get the correct value returned. However, if I ping the site or try to open it in a browser I get either 127.0.0.1 (ping) or a fake website (browser). I have checked all of the hosts files and can’t find ANY reason why this should be happening. I have spent several hours on this problem without a solution. Any help would be appreciated.
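The symptom in the post above (nslookup correct, ping returning 127.0.0.1, hosts file clean) can be triaged mechanically, because nslookup queries the DNS server directly while ping and browsers go through the operating system's resolver. The following is an added example, not part of the original thread; the function names, the sample hosts text and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
import socket
import sys

# Constructed hosts-file text for illustration; not from the machine in the thread.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.example.test   # blocklist-style entry (constructed)
"""

def parse_hosts(text):
    """Map each hostname in hosts-file text to its address (first entry wins)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            entries.setdefault(name.lower(), fields[0])
    return entries

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def os_resolve(name):
    """Addresses from the OS resolver, the path ping and browsers use."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80)})

def classify(name, hosts, os_answers, dns_answers):
    """Say which layer explains a loopback answer for `name`.

    os_answers: what the OS resolver returned (ping, browser).
    dns_answers: what a direct query to the DNS server returned (nslookup).
    """
    if name.lower() in hosts:
        return "hosts-file"          # a hosts entry overrides DNS for this name
    if not any(is_loopback(a) for a in os_answers):
        return "ok"
    if any(is_loopback(a) for a in dns_answers):
        return "dns-server"          # the configured server itself answers loopback
    return "local-resolver"          # server is right, hosts is clean: look on the host

if __name__ == "__main__":
    # usage: script.py NAME ADDRESS_FROM_NSLOOKUP [HOSTS_PATH]
    name, dns_addr = sys.argv[1], sys.argv[2]
    path = sys.argv[3] if len(sys.argv) > 3 else r"C:\WINDOWS\system32\drivers\etc\hosts"
    with open(path) as fh:
        hosts = parse_hosts(fh.read())
    print(classify(name, hosts, os_resolve(name), [dns_addr]))
```

A "local-resolver" result means the redirect is applied on the machine itself, after the DNS server has answered correctly, which is why changing DNS servers or emptying the hosts file does not clear it.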

I had the same issue on an XP machine. Resolved it using the directions found here: http://www.spywarewarrior.com/viewtopic.php?p=186454.

HTH
Cheers
Al