Hi,
Avast is blocking a URL and I am frequently getting redirected to unwanted web pages. I read a bit about this problem and am attaching my OTS scan file for reference. Can anyone help?
Thank you!
hi nathan@
Before we proceed, you must uninstall one of the two antivirus programs, Avast or McAfee.
Then:
Start OTS. Copy/paste the information in the quote box below into the panel where it says “Paste fix here” and then click the RUN FIX button.
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "" -> []
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> 7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 2 C:\*.tmp files -> C:\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> 82 C:\Documents and Settings\Nathan\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Nathan\Local Settings\Temp\*.tmp
NY -> 7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 4 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> 2 C:\*.tmp files -> C:\*.tmp
[Files/Folders - Unicode - All]
NY -> C:\Documents and Settings\All Users\Desktop\BalancerDuo?????.lnk -> C:\Documents and Settings\All Users\Desktop\BalancerDuoプログラマ.lnk
[Alternate Data Streams]
NY -> @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]
The fix should only take a very short time. After the reboot, please post the resulting report/log in your next reply.
2. Download ComboFix from here and save it to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
-Temporarily disable your AntiVirus/Antispyware program.
-Run ComboFix
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Post the log report (ComboFix.txt) back to the topic.
I have exact same issue with redirect to the same URL.
Should I post OTS.txt here or start a new topic?
Please help!
There’s no reason to run OTS; aswMBR may kill it.
Download aswMBR from here: http://public.avast.com/~gmerek/aswMBR.htm
1)Double click the aswMBR.exe to run it
2)Click the [Scan] button to start scan
3)On completion of the scan click [Save log], save it to your desktop and post in your next reply
Hi - interim update here. I uninstalled McAfee first and re-booted. Then I ran OTS with the suggested fix and it seemed to clean out a lot of temp directories and recently modified files. I have not been able to locate the log file - it was displayed temporarily but I didn’t catch the file name assuming it would be on my desktop.
I then grabbed ComboFix and have been trying to run it, but it says McAfee is still running and warns me that it may not be safe for me to proceed. I ran OTS again to get a detailed list of processes and found that “mfevtps.exe” from McAfee is running and the Windows Task Manager is not able to shut it down. McAfee does not appear in my list of installed programs on the “Add/Remove Programs” list.
What do you think? Should I run Combofix and ignore the warnings? Should I skip to aswMBR?
Thank you for your ideas and guidance!
Since total is offline, yes, go ahead and run aswMBR; don’t forget to post the log.
First try to uninstall McAfee with the McAfee removal tool, then proceed with ComboFix:
http://service.mcafee.com/FAQDocument.aspx?id=TS100507
Okay fellow virus fighters - I had already run aswMBR before the last post from total so I have 2 log files to show. One log is from aswMBR and the other is from Combofix.
A quick test in Firefox shows that I am still being redirected to undesired pages when I click on links in Google searches. Do the log files shed any light on the remaining issues here?
Thanks,
Nathan
Download TDSSKiller and save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
When you have downloaded the program, do the following:
- Deactivate/turn off your protective software.
- Close running programs.
Run the program. Press the Start scan button.
When the scan is over, the utility outputs a list of detected objects with a description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
If malicious objects are found, make sure that you choose “Cure”,
click Continue, and then click Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
2. Download MBRCheck.exe and save it on your desktop:
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
Close all opened programs/ windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as “MBRCheck_[Date]_[Time].txt”.
Press the “Enter” key to close the MBRCheck window and post the contents of the log file.
Okay here’s the latest update:
- I tried to run TDSSKiller but nothing happened; it didn’t even show up in the Processes list of Windows Task Manager.
- I renamed tdsskiller.exe to winlogon.exe and ran it again (with all protection disabled again, of course). Not much happened, but I did see that winlogon appeared in the processes list, so I let it run for an hour or so. During that time it never went above 1% CPU usage and was mostly at 0%. The memory usage eventually climbed to about 4 MB. At no time did I ever see a menu screen or other obvious sign that it was doing any work. No “Start Scan” button ever appeared, and there was no option to create or view a log file.
- My hunch is that the infection on my computer is blocking programs signed by Kaspersky Labs. Is there a version of TDSSKiller that looks anonymous?
- I then ran MBRCheck and it seemed to find fake MBR code. The log file is attached.
Any thoughts?
Restart the computer;
then a menu will appear where you should choose Microsoft Windows Recovery Console.
http://zaslike.com/files/nl3zelqrk4kmhvs4xfwr_thumb.png
Start will start the Recovery Console and you will be asked which installation you want to log on to. Type in 1 and confirm with Enter.
http://www.zaslike.com/files/gknay33r760zxzlanri_thumb.png
Similarly, you may be asked for a password; type it in, or just press Enter if you do not have one.
Type in fixmbr and confirm with Enter.
http://www.zaslike.com/files/kbwss8fg740vrqwoqcb5_thumb.png
If there is any kind of prompt, press Y and then Enter.
In your next reply, please post a fresh MBRCheck log.
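To show what the two MBR steps in this thread actually act on, here is an added example, not code from the thread or from MBRCheck or the Recovery Console: it performs the kind of comparison an MBRCheck-style tool does (boot signature present, boot-code hash against a known-good list, partition table sane) and then models the narrow rewrite that fixmbr performs (boot code replaced, partition table and disk signature left alone). The MBR images, the "clean" and "infected" boot-code bytes and the known-good hash set are all constructed for the example; a real tool would ship hashes of vendor boot code instead.

```python
"""Added example: an MBRCheck-style check of a 512-byte MBR, plus a fixmbr-style
repair. The MBR images below are constructed for this example; they are not
dumps of the disk discussed in the thread, and the boot-code bytes are stand-ins."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0-439: boot code, the region fixmbr rewrites
DISK_SIG_OFF = 440            # bytes 440-443: Windows disk signature (444-445 reserved)
PART_TABLE_OFF = 446          # bytes 446-509: four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def build_mbr(boot_code, partitions, disk_sig=0x1A2B3C4D):
    """Assemble a constructed MBR from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition list too long")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        # CHS fields are set to the usual LBA-only marker 0xFE 0xFF 0xFF.
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * 16,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * 16)
        if ptype == 0:
            continue
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_sha256(mbr):
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, known_good_hashes):
    """Flag what an analyst wants to see: bad signature, unknown boot code,
    malformed partition table. Returns the hash, the partitions and the findings."""
    findings = []
    if len(mbr) != SECTOR:
        return {"findings": [f"expected {SECTOR} bytes, got {len(mbr)}"]}
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = boot_code_sha256(mbr)
    if digest not in known_good_hashes:
        findings.append(f"boot code SHA-256 {digest[:16]}... is not in the known-good list")
    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p["status"] == 0x80) != 1:
        findings.append("partition table does not have exactly one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte {p['status']:#04x}")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["lba_start"] + prev["sectors"] > cur["lba_start"]:
            findings.append(f"partitions {prev['index']} and {cur['index']} overlap")
    return {"code_sha256": digest, "partitions": parts, "findings": findings}


def restore_boot_code(mbr, clean_code):
    """Replace only bytes 0-439, leaving the disk signature and partition table alone;
    that is the scope of what fixmbr does to a real MBR."""
    if len(clean_code) > BOOT_CODE_LEN:
        raise ValueError("clean boot code too long")
    return clean_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


# Constructed stand-ins for real loader code (hypothetical bytes, not a real loader).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24 + b"\xcd\x18"
# A bootkit typically patches the start of the boot code to jump to its own loader in
# unpartitioned sectors; modelled here simply as different bytes in the same region.
INFECTED_BOOT_CODE = b"\xea\x00\x7c\x00\x00" + b"\x00" * 27 + b"\xcd\x18"

PARTITIONS = [(0x80, 0x07, 63, 409_600), (0x00, 0x07, 409_663, 204_800)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, PARTITIONS)
KNOWN_GOOD = {boot_code_sha256(CLEAN_MBR)}   # a real tool ships hashes of vendor MBRs


def check_disk_image(path, known_good_hashes=KNOWN_GOOD):
    """Read the first sector of a raw disk image (or a raw device) and check it."""
    with open(path, "rb") as fh:
        return check_mbr(fh.read(SECTOR), known_good_hashes)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = check_mbr(image, KNOWN_GOOD)
        print(f"{name}: {result['findings'] or 'no findings'}")
    repaired = restore_boot_code(INFECTED_MBR, CLEAN_BOOT_CODE)
    print("after restore:", check_mbr(repaired, KNOWN_GOOD)["findings"] or "no findings")
```

The point of `restore_boot_code` is why the fixmbr step in the post is low-risk: only the 440 code bytes change, so the partition table that Windows needs to find its volumes is untouched. A hash mismatch alone is not proof of infection (OEM and third-party boot managers ship their own code), which is why the thread confirms with a fresh MBRCheck log and a second TDSSKiller run rather than trusting a single finding.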
Hi,
The MBR code seems to be fixed now - please see the log file attached. Should I try tdsskiller again?
Thanks!
Yes, run TDSSKiller again.
Hi,
I ran tdsskiller again and this time it ran perfectly. It reported that it scanned 229 objects with no infection found. The log file is attached.
A quick test of google search results shows that for now at least I can navigate to result pages without being redirected. Also I have not had the “URL blocked” warning in the last 5 minutes. At this point I am planning to continue with general use of the computer for further testing and I will advise if I see any other problems.
Is there anything else I should be doing?
Thanks again!
Seems OK.
You have outdated Java 1.6.0_22 and Adobe Acrobat 7.0.
- Start / Run; in the Run field, copy this: appwiz.cpl and press Enter.
- Uninstall Java and Acrobat Reader, and download/install the latest versions:
http://www.java.com/en/download/
http://get.adobe.com/reader/
Also, we will check the computer with Malwarebytes.
Please download Malwarebytes from here: http://www.malwarebytes.org/
- Install the program and run a full scan.
- In your next reply, please post the Malwarebytes log.
Hi,
Malwarebytes found a few suspicious items and reports that they were removed successfully. The log is attached.
Any ideas on what to do next?
Thanks!
Still getting redirected? I think not.
Malwarebytes found malware in C:\System Volume Information; nothing bad.
Start / Run: %systemroot%\system32\restore\rstrui.exe, hit Enter.
- Now you see the System Restore screen.
- Click on System Restore settings.
- Check "Turn off System Restore".
http://zaslike.com/files/kwdde80dlmdw9zk2hz.png
- Hit OK.
http://www.zaslike.com/files/hkwr7u1bh4wh4la24y04.png
- OK.
Now restart and again open System Restore.
- Now uncheck "Turn off System Restore".
http://www.zaslike.com/files/6p60v7b5xtnfg0pijwm3.png
combofix /uninstall
You must uninstall ComboFix:
Start / Run; in the Run field, copy this: combofix /uninstall and hit Enter.
Start OTS and click Clean Up.
Hi,
I’ve used my browser enough in the last day to feel confident that it is working fine. Also, Avast is no longer sending out messages saying that it is blocking a URL.
I just finished the clean-up steps you recommended so I think all is well now. Thank you very much for your timely and detailed help!
Nathan