
Search Engine Redirect Problem


This topic is locked

#16 Bobsqueek (Topic Starter, Member, 42 posts)

Hi there

Just tried doing a load of Google searches; the first one redirected, but subsequent ones seem to be fine. Websites seem to load no slower, however there was that redirect at the start of the session, so I reckon something's there. It's just the worst kind of problem: an intermittent one.

Here's the ESET log from the scan I ran last night:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6526
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-20 12:46:13
# local_time=2011-06-20 01:46:13 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 1129446 1129446 0 0
# compatibility_mode=1282 16774525 100 100 6157187 67512221 2414 0
# compatibility_mode=5893 16776573 100 94 183585 60986299 0 0
# compatibility_mode=8192 67108863 100 0 177 177 0 0
# scanned=366230
# found=0
# cleaned=0
# scan_time=9533

#17 ali.B (Trusted Helper, Malware Removal, 3,086 posts)

hi

Download the GMER Rootkit Scanner.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your post.

#18 Bobsqueek (Topic Starter, Member, 42 posts)

I've downloaded and run a scan, but it's not found anything and the log file is empty. The only options available to tick/untick are "Services, Registry, Files, C:\ and ADS"; all the rest are greyed out and unticked.

Any thoughts?

#19 ali.B (Trusted Helper, Malware Removal, 3,086 posts)

hi

Is this the only computer that uses the internet at your place?

#20 Bobsqueek (Topic Starter, Member, 42 posts)

No, I have a little Lenovo netbook that I connect up to the net from time to time for software updates and whatnot. However, it's not hooked up to the net all the time (I'm not running a wireless network).

I've just connected it up and have run Google searches which I know the top result redirects for on the affected PC, and they are fine on the laptop. Although that could be because I've previously made the search on the PC. It never redirects twice in the same session.

Maybe it could be the router?

#21 ali.B (Trusted Helper, Malware Removal, 3,086 posts)

hi

It could be that the router's DNS has been hijacked; let's do this check first.

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
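Editor's note, added example (not part of the thread and not code from any tool mentioned in it): the router-DNS guess above is never actually checked anywhere in the thread, so here is a Python script that audits what the PC itself can see. It parses `ipconfig /all` output and the hosts file, flags any DNS server that is neither the adapter's default gateway nor on a trusted list, and flags hosts entries that pin a watched domain to a non-loopback address. The `ipconfig` and hosts texts are constructed samples, and the trusted resolvers and watched domains are assumptions to replace with your own. One caveat: when the router is the configured resolver (the usual case), this only shows that the PC points at the router; the router's upstream DNS servers have to be read from its admin page.

```python
import ipaddress
import re

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# "Key . . . . : value"; requiring the dot leaders keeps bare IPv6 continuation lines out
KV_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)\s*(?:\. ?)+\s*:\s*(.*)$")
# ipconfig labels mapped to the list they populate
KEY_FIELDS = {"ipv4 address": "addresses", "subnet mask": "masks",
              "default gateway": "gateways", "dns servers": "dns"}


def _to_ip(text):
    """Parse values like '192.168.1.20(Preferred)' or 'fe80::1%12'; None if not an IP."""
    try:
        return ipaddress.ip_address(text.split("(")[0].split("%")[0].strip())
    except ValueError:
        return None


def parse_ipconfig(text):
    """Map each adapter to its addresses, masks, default gateways and DNS servers."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {f: [] for f in KEY_FIELDS.values()})
            field = None
            continue
        m = KV_RE.match(line)
        if m:
            key = m.group(1).lower()
            field = next((f for k, f in KEY_FIELDS.items() if key.startswith(k)), None)
            ip = _to_ip(m.group(2)) if field else None
            if current is not None and ip is not None:
                current[field].append(ip)
            continue
        # Additional servers appear on indented continuation lines with no label
        ip = _to_ip(line) if field and current is not None else None
        if ip is not None:
            current[field].append(ip)
        else:
            field = None
    return adapters


def parse_hosts(text):
    """Return (ip, hostname) pairs from a hosts file, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        ip = _to_ip(parts[0]) if len(parts) >= 2 else None
        if ip is not None:
            entries.extend((ip, host.lower()) for host in parts[1:])
    return entries


def audit(ipconfig_text, hosts_text, trusted_resolvers, watched_domains):
    """Return findings as strings; an empty list means the resolver setup looks normal."""
    findings = []
    trusted = {ipaddress.ip_address(t) for t in trusted_resolvers}
    for adapter, cfg in parse_ipconfig(ipconfig_text).items():
        lan = None
        if cfg["addresses"] and cfg["masks"]:
            lan = ipaddress.ip_network(f"{cfg['addresses'][0]}/{cfg['masks'][0]}", strict=False)
        for server in cfg["dns"]:
            if server in cfg["gateways"] or server in trusted or server.is_loopback:
                continue
            where = ("on the LAN but is not the gateway" if lan is not None and server in lan
                     else "outside the LAN and not on the trusted list")
            findings.append(f"{adapter}: DNS server {server} is {where}")
    for ip, host in parse_hosts(hosts_text):
        if not ip.is_loopback and any(host == d or host.endswith("." + d) for d in watched_domains):
            findings.append(f"hosts file pins {host} to {ip}")
    return findings


# Constructed sample shaped like `ipconfig /all` output (not captured from the thread's PC)
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HENRY

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""
# Constructed hosts file with two search-result domains pinned to a foreign address
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.google.com
198.51.100.7    www.mozilla.org
"""
TRUSTED_RESOLVERS = ["8.8.8.8", "8.8.4.4"]                      # assumption: resolvers you set yourself
WATCHED_DOMAINS = ["google.com", "mozilla.org", "bellagio.com"]  # the sites named in the thread

if __name__ == "__main__":
    for finding in audit(SAMPLE_IPCONFIG, SAMPLE_HOSTS, TRUSTED_RESOLVERS, WATCHED_DOMAINS):
        print(finding)
```

On a real machine, paste the output of `ipconfig /all` and the contents of `C:\Windows\System32\drivers\etc\hosts` in place of the two samples. A resolver that is neither the router nor one you set yourself, or a hosts entry for a search engine, is worth explaining before going any further with disk-level scans.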

#22 Bobsqueek (Topic Starter, Member, 42 posts)

I think we're getting somewhere, MBR seems to have found something:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Studio XPS 8000
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 150):
0x02E1B000 \SystemRoot\system32\ntoskrnl.exe
0x033F7000 \SystemRoot\system32\hal.dll
0x00B9B000 \SystemRoot\system32\kdcom.dll
0x00CAE000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CF2000 \SystemRoot\system32\PSHED.dll
0x00D06000 \SystemRoot\system32\CLFS.SYS
0x00E8F000 \SystemRoot\system32\CI.dll
0x00F4F000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00E00000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00E0F000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00E66000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x00E6F000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00D64000 \SystemRoot\system32\DRIVERS\pci.sys
0x00E79000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00D97000 \SystemRoot\system32\DRIVERS\CSCrySec.sys
0x00DAE000 \SystemRoot\System32\drivers\partmgr.sys
0x00DC3000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00C00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00E86000 \SystemRoot\system32\DRIVERS\pciide.sys
0x00C5C000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x00C6C000 \SystemRoot\System32\drivers\mountmgr.sys
0x00FF3000 \SystemRoot\system32\DRIVERS\atapi.sys
0x01014000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x0103E000 \SystemRoot\system32\drivers\amdxata.sys
0x01049000 \SystemRoot\system32\drivers\fltmgr.sys
0x01095000 \SystemRoot\system32\drivers\fileinfo.sys
0x010A9000 \SystemRoot\system32\DRIVERS\Lbd.sys
0x010BE000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x01218000 \SystemRoot\System32\Drivers\Ntfs.sys
0x010CA000 \SystemRoot\System32\Drivers\msrpc.sys
0x013BA000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01128000 \SystemRoot\System32\Drivers\cng.sys
0x013D4000 \SystemRoot\System32\drivers\pcw.sys
0x013E5000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01476000 \SystemRoot\system32\drivers\ndis.sys
0x01568000 \SystemRoot\system32\drivers\NETIO.SYS
0x015C8000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01400000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x0144C000 \SystemRoot\System32\Drivers\spldr.sys
0x0119B000 \SystemRoot\System32\drivers\rdyboost.sys
0x01454000 \SystemRoot\System32\Drivers\mup.sys
0x01466000 \SystemRoot\system32\DRIVERS\klbg.sys
0x015F3000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01628000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01662000 \SystemRoot\system32\DRIVERS\disk.sys
0x01678000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x016DE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x01708000 \SystemRoot\system32\DRIVERS\klif.sys
0x01765000 \SystemRoot\System32\Drivers\Null.SYS
0x0176E000 \SystemRoot\System32\Drivers\Beep.SYS
0x01775000 \SystemRoot\System32\drivers\vga.sys
0x01783000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x017A8000 \SystemRoot\System32\drivers\watchdog.sys
0x017B8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x017C1000 \SystemRoot\system32\drivers\rdpencdd.sys
0x017CA000 \SystemRoot\system32\drivers\rdprefmp.sys
0x017D3000 \SystemRoot\System32\Drivers\Msfs.SYS
0x017DE000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02A02000 \SystemRoot\System32\drivers\tcpip.sys
0x03EE4000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x03F2E000 \SystemRoot\system32\DRIVERS\tdx.sys
0x03F4C000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x0468C000 \SystemRoot\system32\DRIVERS\kl1.sys
0x04600000 \SystemRoot\system32\drivers\afd.sys
0x04BB5000 \SystemRoot\System32\DRIVERS\netbt.sys
0x03F59000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03F62000 \SystemRoot\system32\DRIVERS\pacer.sys
0x03F88000 \SystemRoot\system32\DRIVERS\klim6.sys
0x03F92000 \SystemRoot\system32\DRIVERS\netbios.sys
0x03FA1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x03FBC000 \SystemRoot\system32\DRIVERS\termdd.sys
0x03E00000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03E51000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03E5D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x03E68000 \SystemRoot\System32\drivers\discache.sys
0x03E77000 \SystemRoot\System32\Drivers\dfsc.sys
0x03E95000 \SystemRoot\system32\DRIVERS\CSVirtualDiskDrv.sys
0x03EA8000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03EB9000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x03FD0000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0FC34000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x108C6000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x108C8000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x040B1000 \SystemRoot\System32\drivers\dxgmms1.sys
0x040F7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x04108000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x0415E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x04182000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x04000000 \SystemRoot\system32\DRIVERS\k57nd60a.sys
0x04051000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x0405E000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x0406E000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04084000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x041C0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x041CC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x109BC000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x109D7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0FC00000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0FC1A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x03FE6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x041FB000 \SystemRoot\system32\DRIVERS\swenum.sys
0x04C37000 \SystemRoot\system32\DRIVERS\ks.sys
0x04C7A000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04C8C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04CE6000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x05651000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x05600000 \SystemRoot\system32\drivers\portcls.sys
0x04CFB000 \SystemRoot\system32\drivers\drmk.sys
0x0563D000 \SystemRoot\system32\drivers\ksthunk.sys
0x05643000 \SystemRoot\System32\Drivers\crashdmp.sys
0x04D1D000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x04D29000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x04D32000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x04D45000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x04D53000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x04D6C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x057FE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04D75000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x04D83000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x04D9E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x04DAB000 \SystemRoot\system32\DRIVERS\klmouflt.sys
0x04DB5000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x00000000 \SystemRoot\System32\win32k.sys
0x04DC1000 \SystemRoot\System32\drivers\Dxapi.sys
0x04DCD000 \SystemRoot\system32\DRIVERS\monitor.sys
0x04C00000 \SystemRoot\System32\Drivers\fastfat.SYS
0x00480000 \SystemRoot\System32\TSDDD.dll
0x00630000 \SystemRoot\System32\cdd.dll
0x008D0000 \SystemRoot\System32\ATMFD.DLL
0x04DDB000 \SystemRoot\system32\drivers\luafv.sys
0x01600000 \SystemRoot\system32\drivers\WudfPf.sys
0x016A8000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x016BD000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x05A87000 \SystemRoot\system32\drivers\HTTP.sys
0x05B4F000 \SystemRoot\system32\DRIVERS\bowser.sys
0x05B6D000 \SystemRoot\System32\drivers\mpsdrv.sys
0x05B85000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x05BB2000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x05A00000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x060FD000 \SystemRoot\system32\drivers\peauth.sys
0x061A3000 \SystemRoot\System32\Drivers\secdrv.SYS
0x061AE000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x061DB000 \SystemRoot\System32\drivers\tcpipreg.sys
0x06000000 \SystemRoot\System32\DRIVERS\srv2.sys
0x06067000 \SystemRoot\System32\DRIVERS\srv.sys
0x05A23000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x08B2E000 \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys
0x77B60000 \Windows\System32\ntdll.dll
0x47AC0000 \Windows\System32\smss.exe
0xFFE80000 \Windows\System32\apisetschema.dll

Processes (total 74):
0 System Idle Process
4 System
392 C:\Windows\System32\smss.exe
528 csrss.exe
604 C:\Windows\System32\wininit.exe
628 csrss.exe
680 C:\Windows\System32\services.exe
696 C:\Windows\System32\lsass.exe
704 C:\Windows\System32\lsm.exe
840 C:\Windows\System32\winlogon.exe
880 C:\Windows\System32\svchost.exe
952 C:\Windows\System32\nvvsvc.exe
1000 C:\Windows\System32\svchost.exe
464 C:\Windows\System32\svchost.exe
512 C:\Windows\System32\svchost.exe
1040 C:\Windows\System32\svchost.exe
1144 C:\Windows\System32\audiodg.exe
1280 C:\Windows\System32\svchost.exe
1368 C:\Program Files\Dell\DellDock\DockLogin.exe
1448 C:\Windows\System32\svchost.exe
1516 C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
1548 C:\Windows\System32\nvvsvc.exe
1660 C:\Windows\System32\spoolsv.exe
1696 C:\Windows\System32\svchost.exe
1792 C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
1836 C:\Windows\SysWOW64\svchost.exe
1856 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1896 C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
1936 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
1976 C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
2024 C:\Program Files\nHancer\nHancerService.exe
2052 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2124 C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
2160 C:\Windows\System32\svchost.exe
2184 C:\Windows\System32\Wacom_Tablet.exe
2272 C:\Windows\System32\svchost.exe
2296 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2456 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2516 unsecapp.exe
2656 WmiPrvSE.exe
3540 C:\Windows\System32\svchost.exe
3652 WUDFHost.exe
3548 C:\Windows\System32\taskhost.exe
4056 C:\Windows\System32\dwm.exe
3976 C:\Windows\explorer.exe
1888 C:\Windows\System32\WTablet\Wacom_TabletUser.exe
2132 C:\Windows\System32\Wacom_Tablet.exe
724 C:\Windows\System32\svchost.exe
1808 C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
1720 C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
2764 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
4080 C:\Program Files\Windows Sidebar\sidebar.exe
3284 C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
3388 C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
796 C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
732 C:\Program Files (x86)\iTunes\iTunesHelper.exe
1112 C:\Windows\System32\SearchIndexer.exe
2084 C:\Program Files\Windows Media Player\wmpnetwk.exe
4400 C:\Program Files\iPod\bin\iPodService.exe
4752 C:\Windows\System32\svchost.exe
3164 C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
4940 C:\Windows\System32\vds.exe
2112 C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
4872 dllhost.exe
2684 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
5748 C:\Windows\System32\wuauclt.exe
2584 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
3940 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
5640 C:\Windows\System32\SearchProtocolHost.exe
5992 C:\Windows\System32\SearchFilterHost.exe
3292 taskhost.exe
6132 C:\Users\Captain Fantastic\Desktop\MBRCheck.exe
900 C:\Windows\System32\conhost.exe
216 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`8c500000 (NTFS)
\\.\I: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: SAMSUNGHD642JJ, Rev: 1AA01117
PhysicalDrive5 Model Number: WD5000AAK External, Rev: 1.06

Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
465 GB \\.\PhysicalDrive5 RE: Unknown MBR code
SHA1: D90653CCC05EE39D4D44E1F67C33297D65F3ED4F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
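Editor's note, added example (not from the thread and not MBRCheck's own code): the report above rests on two checks, the 0x55AA boot signature and a hash of the boot code looked up in a table of known-good code. This Python script does the same on 512-byte sectors so the verdict lines can be read with understanding, and it also decodes the partition table, which is where offsets such as 0x7e00 for I: come from (LBA 63 x 512 bytes). Assumptions: the hash is taken over the first 440 bytes, i.e. the code before the 4-byte disk signature at 0x1B8 (MBRCheck's exact hashing region is not stated in the thread); the two sectors, the boot-code bytes and the "known" table are constructed for the example. Read the verdict the way a practitioner would: "Unknown MBR code" means only that the hash is not in the tool's table, not that the drive is infected.

```python
import hashlib
import struct

# MBR layout (assumed hash region: the 440 bytes of boot code before the disk signature)
MBR_SIZE = 512
BOOT_CODE_LEN = 440        # 0x000-0x1B7
DISK_SIG_OFF = 0x1B8       # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code, disk_sig, partitions):
    """Build a well-formed MBR from constructed pieces (test data, not a real disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        # CHS fields left zero; modern tools only use the LBA fields
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector):
    """Return boot-code hash, disk signature, non-empty partition entries and sanity flags."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                                   # empty slot
        partitions.append({"index": i, "type": ptype, "lba_start": lba_start,
                           "sectors": count, "bootable": status == 0x80,
                           "status_ok": status in (0x00, 0x80)})
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "valid_boot_signature": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
        "partitions": partitions,
        "active_count": sum(p["bootable"] for p in partitions),
    }


def classify(parsed, known_hashes):
    """Produce the one-line verdict a checker prints per disk."""
    if not parsed["valid_boot_signature"]:
        return "Invalid MBR (no 55AA boot signature)"
    if parsed["active_count"] > 1 or not all(p["status_ok"] for p in parsed["partitions"]):
        return "Malformed partition table"
    name = known_hashes.get(parsed["boot_code_sha1"])
    return f"{name} MBR code detected" if name else "Unknown MBR code"


def scan_disks(disks, known_hashes):
    return {name: classify(parse_mbr(sector), known_hashes) for name, sector in disks.items()}


# Constructed stand-ins for boot code: a few bytes of the usual
# "xor ax,ax / mov ss,ax / mov sp,7C00h" prologue followed by NOP padding.
STAND_IN_WIN7_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8" + b"\x90" * 64
STAND_IN_VENDOR_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 64

# A real checker ships hashes of known-good boot code; this table is derived from
# the stand-in above so the example stays self-contained.
KNOWN_BOOT_CODE = {
    hashlib.sha1(STAND_IN_WIN7_CODE.ljust(BOOT_CODE_LEN, b"\0")).hexdigest().upper():
        "Windows 7 (stand-in)",
}

# Two constructed disks shaped like the log: a system disk with a small active
# partition ahead of C:, and an external FAT32 drive whose partition starts at
# LBA 63, i.e. byte offset 0x7E00 as the log shows for I:.
SAMPLE_DISKS = {
    "PhysicalDrive0": build_sample_mbr(STAND_IN_WIN7_CODE, 0x1A2B3C4D,
                                       [(0x80, 0x07, 2048, 21379072),
                                        (0x00, 0x07, 21381120, 1228800000)]),
    "PhysicalDrive5": build_sample_mbr(STAND_IN_VENDOR_CODE, 0x5E6F7A8B,
                                       [(0x00, 0x0C, 63, 976000000)]),
}

if __name__ == "__main__":
    for disk, verdict in scan_disks(SAMPLE_DISKS, KNOWN_BOOT_CODE).items():
        info = parse_mbr(SAMPLE_DISKS[disk])
        print(f"{disk}: {verdict}  SHA1: {info['boot_code_sha1']}")
        for p in info["partitions"]:
            print(f"  entry {p['index']}: type 0x{p['type']:02X} at LBA {p['lba_start']} "
                  f"(offset 0x{p['lba_start'] * 512:X}), {p['sectors']} sectors")
```

To use it on a real disk, read the first 512 bytes of the raw device (on Windows, `\\.\PhysicalDrive0` opened with administrative rights) and pass them to `parse_mbr`; compare the hash against a table you trust, and treat a malformed table or a missing boot signature as more telling than a hash miss alone.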

#23 ali.B (Trusted Helper, Malware Removal, 3,086 posts)

hi

You are being redirected when using both FireFox and Internet Explorer ?
Is this a dual boot system?

Let me know if you are still being redirected after those two steps.

Step 1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/01/06 23:50:35 | 000,000,120 | ---- | C] () -- C:\Users\Captain Fantastic\AppData\Local\Xputedidakipi.dat
    [2011/01/06 23:50:35 | 000,000,000 | ---- | C] () -- C:\Users\Captain Fantastic\AppData\Local\Pcoqowixani.bin
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Step 2

Reset TCPIP/Winsock
  • To open a command prompt, click Start > All Programs > Accessories and then right click command prompt and select run as administrator.
  • Copy and paste (or type) the following command in the command box and then press ENTER:
  • netsh winsock reset c:\resetlog.txt
  • Reboot the computer.
  • In next reply please post content of the file c:\resetlog.txt


Things I would like to see in your reply:
  • OTL log
  • resetlog.txt


#24 Bobsqueek (Topic Starter, Member, 42 posts)

I think we've hit the jackpot on this one. Sites seem to be loading faster, and there have been no redirects as such. I've got a mental note of 3 searches that have redirected consistently: "Firefox", "the Bellagio" and "Wiggle". The Firefox and Wiggle searches don't redirect, nor do other random things I searched. The Bellagio search, however, looks OK in that when I hover the mouse over the top result it displays the right URL, not "www.googleads..." etc. Although when I click it, there's a redirect to another website. I checked it out and it seems it's the website for the parent company of the hotel, and doesn't seem like a spoof or scam website. So I think the website is down for maintenance and it's a genuine redirect to the parent company site; it's just unlucky timing for me.

Anyway, on with the logs:

All processes killed
========== OTL ==========
C:\Users\Captain Fantastic\AppData\Local\Xputedidakipi.dat moved successfully.
C:\Users\Captain Fantastic\AppData\Local\Pcoqowixani.bin moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Captain Fantastic
->Temp folder emptied: 3478977 bytes
->Temporary Internet Files folder emptied: 21806091 bytes
->Java cache emptied: 11516 bytes
->FireFox cache emptied: 548331203 bytes
->Flash cache emptied: 7011 bytes

User: Christine
->Temp folder emptied: 20772329 bytes
->Temporary Internet Files folder emptied: 55132903 bytes
->Java cache emptied: 36482588 bytes
->FireFox cache emptied: 9199441 bytes
->Flash cache emptied: 54636 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Rob
->Temp folder emptied: 65506235 bytes
->Temporary Internet Files folder emptied: 359323718 bytes
->Java cache emptied: 49863578 bytes
->Flash cache emptied: 131825 bytes

User: Whatever
->Temp folder emptied: 106584660 bytes
->Temporary Internet Files folder emptied: 35256648 bytes
->Java cache emptied: 49559130 bytes
->Flash cache emptied: 49199 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 9254582 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 26956981 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,333.00 mb


[EMPTYFLASH]

User: All Users

User: Captain Fantastic
->Flash cache emptied: 0 bytes

User: Christine
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Rob
->Flash cache emptied: 0 bytes

User: Whatever
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 06222011_210611

Files\Folders moved on Reboot...
C:\Users\Captain Fantastic\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...


I typed in the command as requested in your post, and added C:\resetlog.txt on the end, but I can't find a resetlog.txt on my C:\ drive. Although when I pressed Enter the command ran and was successful and prompted me to restart, which I did.

#25 ali.B (Trusted Helper, Malware Removal, 3,086 posts)

Repeat step 2 with the following command

netsh winsock reset > c:\resetlog.txt

The log should now be located at c:\resetlog.txt

#26 Bobsqueek (Topic Starter, Member, 42 posts)

Here's the reset log. However, the redirect is back again:

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.



#27 ali.B (Trusted Helper, Malware Removal, 3,086 posts)

hi

Could you try resetting your router by pressing the reset button on the back of your router?

Are you being redirected to specific sites, or is it always random sites? If there are specific sites, please post them here.

#28 Bobsqueek (Topic Starter, Member, 42 posts)

Yeah, the same searches all redirect to the same sites each time. Just did a factory reset on the router, and it's still the same.

Tempted to reformat, however I'm worried I'd inadvertently back up the virus.

The Google result www.mozilla.org redirects to:

[screenshot]

and the Google result www.bellagio.com redirects to:

[screenshot]

There's a third that comes up on other random searches, but I've yet to see it so can't screenshot.

Edited by Bobsqueek, 24 June 2011 - 01:34 PM.


#29 ali.B (Trusted Helper, Malware Removal, 3,086 posts)

hi

Download aswMBR.exe (511KB) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

#30 Bobsqueek (Topic Starter, Member, 42 posts)

Hello. Log as requested:

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-25 17:17:33
-----------------------------
17:17:33.984 OS Version: Windows x64 6.1.7601 Service Pack 1
17:17:33.984 Number of processors: 8 586 0x1E05
17:17:33.985 ComputerName: HENRY UserName:
17:17:35.146 Initialize success
17:17:40.384 AVAST engine defs: 11062500
17:17:45.783 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:17:45.784 Disk 0 Vendor: SAMSUNG_HD642JJ 1AA01117 Size: 610480MB BusType: 3
17:17:45.800 Disk 0 MBR read successfully
17:17:45.802 Disk 0 MBR scan
17:17:45.803 Disk 0 Windows 7 default MBR code
17:17:45.805 Service scanning
17:17:46.957 Disk 0 trace - called modules:
17:17:46.969 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
17:17:46.971 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006527790]
17:17:46.974 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa80062dd520]
17:17:46.976 5 ACPI.sys[fffff88000f937a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80062df060]
17:17:46.979 Scan finished successfully
17:18:01.148 Disk 0 MBR has been saved successfully to "C:\Users\Captain Fantastic\Desktop\MBR.dat"
17:18:01.187 The log file has been saved successfully to "C:\Users\Captain Fantastic\Desktop\aswMBR.txt"

Edited by Bobsqueek, 25 June 2011 - 10:29 AM.
