Author Topic: [Resolved K] Redirect to 64.15.72.104  (Read 2444 times)


Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6347
Re: [Resolved K] Redirect to 64.15.72.104
« Reply #15 on: April 04, 2012, 04:27:46 PM »
How is your system responding? Are the redirects gone?

Offline tek531

  • Bronze Member
  • Posts: 22
Re: [Resolved K] Redirect to 64.15.72.104
« Reply #16 on: April 04, 2012, 04:32:11 PM »
I will try it

Offline kevinf80

« Reply #17 on: April 04, 2012, 04:34:01 PM »
Okey dokey....

Offline tek531

« Reply #18 on: April 04, 2012, 04:41:09 PM »
Kevin, it seems to be working.... Since it is random I will try it for a day and confirm back, ok?
This will deserve a donation for sure.... Thanks a lot.... Tek

Offline kevinf80

« Reply #19 on: April 04, 2012, 04:50:30 PM »
Ok, give your system a whirl. When you're satisfied (either way) post back and we'll do what is required.

It's nearly midnight local time for me so I'm off for a sleep.... ;)

Offline tek531

« Reply #20 on: April 05, 2012, 08:25:39 AM »
Kevin, all is working. Afterwards I installed Online Armor, and it intercepts a program on startup named usbuhci.sys.
Some malware camouflages itself as usbuhci.sys, particularly if it is located in the c:\windows or c:\windows\system32 folder.
This one was located in the c:\windows\system32\drivers folder. The file size is 30K (30,720 bytes). Known sizes are 20,480, 20,605 and 19,328; I got this information from http://www.file.net/process/usbuhci.sys.html.

Do you have any suggestions on trusting it or not via Online Armor? tek531

Offline kevinf80

« Reply #21 on: April 05, 2012, 09:46:01 AM »
That file appears legit running from that folder. If you are not confident, upload it to VirusTotal for analysis:

http://www.virustotal.com

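A way to check the flagged driver that goes beyond "it is in the right folder", added here as an example and not part of the thread, of Online Armor, or of any poster's advice: it confirms the file sits in System32\drivers, reads the embedded Authenticode signature, verifies the file against the Windows component store with sfc /verifyfile (Microsoft's inbox drivers are usually catalog-signed, so Get-AuthenticodeSignature alone often reports NotSigned for a genuine file), and prints a SHA-256 that can be searched on VirusTotal without uploading anything. The path, the 30,720-byte size and the three file.net sizes come from the post; the function name, the verdict rule and the assumption of an elevated 64-bit PowerShell 4 or later session (needed for Get-FileHash) are mine.

```powershell
# Added example, not from the thread or from Online Armor: the checks a responder
# runs on a driver a HIPS prompt flags before trusting it.  Assumes an elevated
# 64-bit PowerShell 4+ session (Get-FileHash, sfc access to the component store).

function Test-DriverFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Sizes the poster found on file.net.  Reference sizes depend on the Windows
        # build and bitness, so a miss is informational, not evidence of tampering.
        [long[]]$ReferenceSizes = @(20480, 20605, 19328)
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Verdict = 'file not found' }
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    $sha  = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash

    # 1. Location: a genuine usbuhci.sys lives in System32\drivers.  The same name
    #    directly under %WINDIR% or System32 is the camouflage the poster describes.
    $driverDir   = Join-Path $env:WINDIR 'System32\drivers'
    $inDriverDir = $item.DirectoryName -eq $driverDir

    # 2. Embedded signature.  Many Microsoft system files carry no embedded
    #    signature (they are covered by a catalog), so NotSigned alone proves nothing.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<no embedded signature>' }

    # 3. Component-store check, which does understand catalog signatures.
    #    sfc writes UTF-16; without switching the console encoding the captured
    #    text comes back with stray characters and the regex below would miss.
    $prevEnc = [Console]::OutputEncoding
    [Console]::OutputEncoding = [Text.Encoding]::Unicode
    try     { $sfcOut = (& sfc.exe "/verifyfile=$($item.FullName)" 2>&1 | Out-String) -replace "`0", '' }
    finally { [Console]::OutputEncoding = $prevEnc }
    $sfcOk = $sfcOut -match 'did not find any integrity violations'

    # 4. Size against the reference list (weak signal, see parameter comment).
    $sizeKnown = $ReferenceSizes -contains $item.Length

    # Assumed verdict rule: right folder AND (component store agrees OR a valid
    # Microsoft embedded signature).  Anything else gets looked at by hash first.
    $verdict = if ($inDriverDir -and ($sfcOk -or ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*'))) {
        'likely legitimate'
    } else {
        'investigate: search the SHA-256 on VirusTotal before uploading the file'
    }

    [pscustomobject]@{
        Path            = $item.FullName
        Exists          = $true
        InDriverDir     = $inDriverDir
        SizeBytes       = $item.Length
        SizeInReference = $sizeKnown
        SignatureStatus = $sig.Status
        Signer          = $signer
        SfcIntegrityOk  = $sfcOk
        SHA256          = $sha
        Verdict         = $verdict
    }
}

# The file the poster asked about:
Test-DriverFile -Path 'C:\Windows\System32\drivers\usbuhci.sys' | Format-List
```

Searching the hash on VirusTotal rather than uploading avoids handing a possibly private file to a third party and is instant when the file is a known Windows binary. Reference sizes published by third-party sites describe particular builds; on a Windows 7 x64 machine the 64-bit driver will not match 32-bit reference sizes, so treat a size mismatch as a reason to check the signature and hash, not as evidence on its own.
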

Offline tek531

« Reply #22 on: April 05, 2012, 10:00:54 AM »
Checks Okay
Let's close this one out....thank you!

Offline kevinf80

« Reply #23 on: April 05, 2012, 10:38:54 AM »
It's good to hear that your system is responding well. We still need to complete an online AV scan to be sure all remnants are gone; it will take a couple of hours but is well worth doing.

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Ensure remove found threats is checked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here  Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Kevin


Offline tek531

« Reply #24 on: April 05, 2012, 01:26:03 PM »
ESET scan results

C:\$RECYCLE.BIN\S-1-5-21-3034884801-47229064-2838165550-1000\$R3BIC5T.exe   a variant of Win32/InstallCore.D application   cleaned by deleting - quarantined
C:\Users\TEKERBY\AppData\Local\Temp\ICReinstall\cnet_SecurityTaskManager_Setup_exe.exe   a variant of Win32/InstallCore.D application   cleaned by deleting - quarantined
C:\Users\TEKERBY\Documents\Downloads\File Shredder\cnet2_file_shredder_setup_exe.exe   a variant of Win32/InstallCore.D application   cleaned by deleting - quarantined
C:\Users\TEKERBY\Documents\Downloads\Free youtube downloader exe\FreeYouTubeDownloaderInstaller.exe   a variant of Win32/Somoto.A application   deleted - quarantined
C:\Users\TEKERBY\Documents\Downloads\media player codec\media.player.codec.pack.v3.8.0.setup.exe   Win32/Adware.Toolbar.Dealio application   deleted - quarantined
C:\Users\TEKERBY\Documents\Downloads\perfect optimizer\PerfectOptimizer.exe   a variant of Win32/Adware.PerfectOptimizer application   deleted - quarantined
C:\Users\TEKERBY\Documents\Downloads\securitytaskmgr\cnet_SecurityTaskManager_Setup_exe.exe   a variant of Win32/InstallCore.D application   cleaned by deleting (after the next restart) - quarantined
C:\Users\TEKERBY\Documents\not responding\PerfectOptimizer.exe   a variant of Win32/Adware.Perfect

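The records above, parsed as an added example that is not from the thread or from ESET: the function assumes the tab-separated "path, detection, action" layout that ESET Online Scanner writes to log.txt, and the sample records are the ones from the post, transcribed into that layout as constructed input. It extracts the detection family, flags the record ESET could only remove after a restart, tolerates the truncated last record, and separates hits that are dormant installers in Downloads, Temp or the Recycle Bin from anything elsewhere. The cnet_ filenames and the ICReinstall temp folder are consistent with bundled-installer wrappers, which is what ESET's InstallCore detection covers; the function and variable names are mine.

```powershell
# Added example, not from the thread or from ESET: parse ESET Online Scanner
# log records and summarise them.  Assumes the tab-separated layout
# "path<TAB>detection<TAB>action" of log.txt; the records below are the ones
# posted in the thread, constructed into that layout.
$records = @(
    @('C:\$RECYCLE.BIN\S-1-5-21-3034884801-47229064-2838165550-1000\$R3BIC5T.exe', 'a variant of Win32/InstallCore.D application', 'cleaned by deleting - quarantined'),
    @('C:\Users\TEKERBY\AppData\Local\Temp\ICReinstall\cnet_SecurityTaskManager_Setup_exe.exe', 'a variant of Win32/InstallCore.D application', 'cleaned by deleting - quarantined'),
    @('C:\Users\TEKERBY\Documents\Downloads\File Shredder\cnet2_file_shredder_setup_exe.exe', 'a variant of Win32/InstallCore.D application', 'cleaned by deleting - quarantined'),
    @('C:\Users\TEKERBY\Documents\Downloads\Free youtube downloader exe\FreeYouTubeDownloaderInstaller.exe', 'a variant of Win32/Somoto.A application', 'deleted - quarantined'),
    @('C:\Users\TEKERBY\Documents\Downloads\media player codec\media.player.codec.pack.v3.8.0.setup.exe', 'Win32/Adware.Toolbar.Dealio application', 'deleted - quarantined'),
    @('C:\Users\TEKERBY\Documents\Downloads\perfect optimizer\PerfectOptimizer.exe', 'a variant of Win32/Adware.PerfectOptimizer application', 'deleted - quarantined'),
    @('C:\Users\TEKERBY\Documents\Downloads\securitytaskmgr\cnet_SecurityTaskManager_Setup_exe.exe', 'a variant of Win32/InstallCore.D application', 'cleaned by deleting (after the next restart) - quarantined'),
    @('C:\Users\TEKERBY\Documents\not responding\PerfectOptimizer.exe', 'a variant of Win32/Adware.Perfect')   # truncated in the post: no action field
)
$sampleLog = ($records | ForEach-Object { $_ -join "`t" }) -join "`r`n"

function ConvertFrom-EsetLog {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split "`t"
        $detection = if ($f.Count -gt 1) { $f[1] } else { '' }
        $action    = if ($f.Count -gt 2) { $f[2] } else { '<missing>' }   # tolerate a truncated record
        # Family = text after "Win32/" with a trailing single-letter variant (".D", ".A") stripped
        $m = [regex]::Match($detection, 'Win32/(\S+)')
        $family = if ($m.Success) { $m.Groups[1].Value -creplace '\.[A-Z]$', '' } else { 'unknown' }
        [pscustomobject]@{
            Path          = $f[0]
            Folder        = Split-Path -Path $f[0] -Parent
            Family        = $family
            Action        = $action
            PendingReboot = $action -like '*after the next restart*'
            # An installer sitting in Downloads, Temp or the Recycle Bin is inert until run;
            # a hit anywhere else is more likely something that has been executed.
            AtRest        = $f[0] -match '\\(Downloads|Temp|\$RECYCLE\.BIN)\\'
        }
    }
}

$hits = ConvertFrom-EsetLog -Text $sampleLog

# What families were found, most common first
$hits | Group-Object Family | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Anything ESET could not finish removing until the machine restarts
$hits | Where-Object PendingReboot | Select-Object Path, Action | Format-List

# Hits outside the download/temp locations deserve a closer look
$hits | Where-Object { -not $_.AtRest } | Select-Object Path, Family, Action | Format-List
```

On the posted records the last query returns only the PerfectOptimizer.exe copy under Documents\not responding, which is the one hit that is not simply a downloaded installer waiting in a Downloads or Temp folder. The pending-restart record is also worth confirming after the reboot, which is why the follow-up scan in the next reply makes sense.
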
Offline kevinf80

« Reply #25 on: April 05, 2012, 02:33:22 PM »
Mmm, that was a bit of an eye-opener. Run the following:

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Kevin

Offline tek531

« Reply #26 on: April 05, 2012, 03:11:19 PM »
ok

Offline kevinf80

« Reply #27 on: April 05, 2012, 03:15:22 PM »
Make sure word wrap is not selected in Notepad. When you open Notepad, select Format and make sure "Word Wrap" is not ticked....

Offline tek531

« Reply #28 on: April 05, 2012, 09:52:53 PM »
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.05.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
TEKERBY :: TEKERBY-PC [administrator]

4/5/2012 5:15:17 PM
mbam-log-2012-04-05 (17-15-17).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 390487
Time elapsed: 1 hour(s), 41 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline kevinf80

« Reply #29 on: April 06, 2012, 01:06:52 AM »
If no issues or concerns do the following:

Step 1

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")


  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Step 2

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click icon to start the program.
    If you are using Vista or Windows 7, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.


Any tools/logs remaining on the Desktop can be deleted.

Step 3

Remove ESET online scanner:

  • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
  • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner; only reboot if prompted.
Step 4

Download TFC  to your desktop, from either of the following links
 Link 1
 Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users right-click and select "Run as Administrator".
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may reboot your system; if not, reboot it yourself to complete the cleaning process <---- Very Important

Keep TFC, it is an excellent utility to keep your system optimized; it empties all user temp folders, Java cache etc. Always remember to reboot after a run, even if not prompted.

Step 5

Go to http://www.filehippo.com/updatechecker/ and use the FileHippo Update Checker; update all applications as suggested by FUC....

Let me know if those steps complete OK, also if there are any remaining issues or concerns..

Kevin