[hndc]

This one is giving me a heap of trouble, and you guys seem to have some experience fighting these things.

I have a wireless network (through a combination modem/router from the cable company) with 3 computers connected (2 running vista 64, 1 running xp 32), and all are getting the standard google redirect symptoms. All searches point to a link that starts with results5.google.ca, and opens up advertising in a new tab. Oddly, refreshing the page brings up the proper google page, with normal links. I'm pretty sure the bug is hiding on my netbook (running xp). I've followed both the general malware guide and the google redirect guide, and the other two computers come up clean on TDSS killer, MBAM and Microsoft Security scans.

The netbook comes up clean on GMER, but MBAM and MSSE hang when quick searching. I can only use it in safe mode now, because on a normal boot, dozens of system processes open up for a particular .dll file. It's in the OTL log, here.

(For some reason I can't post the log. Will try to reply to this with it.)

Every time I try to post my log, the forum says "you must enter a post" and won't let me post. I've tried a new topic, I've tried editing this one, and I've tried replying. Is this a length issue?

Edited by hndc, 06 August 2010 - 09:54 AM.

[Advertisements]

It sounds like your modem/router has been infected. You are probably right that the XP netbook is also infected but it is common these days for a bug to also infect the router if it doesn't have a password or if it uses the default password. I would turn off the one you think might be infected then reset the router. (There is usually a reset button which you need to hold down for 10-30 seconds depending on model. You will need to logon to the router (best to plug directly into it), change the password and redo your wireless encryption.)

There is a limit on the size of a post and I don't think the forum software is very good about telling you that a post is over limit so you might try breaking the OTL log up into smaller pieces and see if you are able to post that way. Some malware has also figured out a way to keep you from posting. You might try attaching the post and see if that works. If you click on my name there is a link to my email. If all else fails try sending it as email text or attachments.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.


Download but do not yet run ComboFix until you have read all of the instructions.
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus program at this time :!:


Ron

[RKinner]

It sounds like your modem/router has been infected. You are probably right that the XP netbook is also infected but it is common these days for a bug to also infect the router if it doesn't have a password or if it uses the default password. I would turn off the one you think might be infected then reset the router. (There is usually a reset button which you need to hold down for 10-30 seconds depending on model. You will need to logon to the router (best to plug directly into it), change the password and redo your wireless encryption.)

There is a limit on the size of a post and I don't think the forum software is very good about telling you that a post is over limit so you might try breaking the OTL log up into smaller pieces and see if you are able to post that way. Some malware has also figured out a way to keep you from posting. You might try attaching the post and see if that works. If you click on my name there is a link to my email. If all else fails try sending it as email text or attachments.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.


Download but do not yet run ComboFix until you have read all of the instructions.
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus program at this time :!:


Ron