Did scans but still have a browser redirect

Discussion in 'Malware Help (A Specialist Will Reply)' started by padrig_jh, Apr 9, 2010.

  1. padrig_jh

    padrig_jh Private E-2

    Hello, I just went through all the steps of the read and run first routine, and I still have a redirect on my FF browser.
    Can someone take a look at these logs and see if anything jumps out?
    I appreciate it.

    I also have a SA Spyware log I didn't attach. It basically says zero threats.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Does this only happen with Firefox?

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\program files\Common Files\ovape.lib
    c:\program files\Common Files\uzowyhohaz.com
    c:\program files\Common Files\lyrijityse.sys
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. padrig_jh

    padrig_jh Private E-2

    TimW, thanks for the response.
    Here's a little update: this morning when I turned on this computer, it was hit by xp security 2010. I couldn't run mbam, but I ran combofix again and it got rid of 3 files with ave.exe in the name (I didn't save this log). I was then able to run mbam again and this is what it removed:
    That is when I saw you had responded.
    I have run combofix with the new code inserted, and the requested files are attached.
    Currently I am using IE to type this, and when I first started IE I got a redirect. They are still happening when I use the google search function in the Firefox browser as well.
    I have always managed to get rid of minor infections by myself using advice from this forum and some others, but I gotta say this is nasty and any help is much appreciated.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just to make sure of something, please download TDSSKiller to your Desktop
    * Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    * Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -v

    * Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    * When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    Now:
    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\M\Local Settings\Application Data\2991909981
    C:\Documents and Settings\M\Local Settings\Application Data\87769975
    C:\Documents and Settings\M\Local Settings\Application Data\Sn5p4E4Q
    C:\Documents and Settings\All Users\Application Data\2991909981
    C:\Documents and Settings\All Users\Application Data\87769975
    C:\Documents and Settings\All Users\Application Data\Sn5p4E4Q
    C:\Documents and Settings\M\Templates\2991909981
    C:\Documents and Settings\M\Templates\87769975
    C:\Documents and Settings\M\Templates\Sn5p4E4Q
    C:\cleanup.bat
    
    Folder::
    C:\Documents and Settings\M\Local Settings\Application Data\2991909981
    C:\Documents and Settings\M\Local Settings\Application Data\87769975
    C:\Documents and Settings\M\Local Settings\Application Data\Sn5p4E4Q
    C:\Documents and Settings\All Users\Application Data\2991909981
    C:\Documents and Settings\All Users\Application Data\87769975
    C:\Documents and Settings\All Users\Application Data\Sn5p4E4Q
    C:\Documents and Settings\M\Templates\2991909981
    C:\Documents and Settings\M\Templates\87769975
    C:\Documents and Settings\M\Templates\Sn5p4E4Q
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. padrig_jh

    padrig_jh Private E-2

    Hello again.
    I ran TDSS killer. It found an atapi.sys rootkit and needed to restart and said I had a clean version of atapi.sys. I ran TDSS on startup again on a whim and the rootkit was still there.

    I ran combofix after that with the added script.

    Needless to say, I am still seeing redirects, particularly with IE.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the new MGLogs.zip.
     
  7. padrig_jh

    padrig_jh Private E-2

    Sorry. Missed that.

    I've also attached new combofix log. Last night I tried to swap out my atapi.sys file in the drivers and dll folders with a version from windows recovery console (I expanded it from the console folder and then did the swap in console recovery environment). The atapi.sys file from the recovery console also appeared corrupted. So I deleted my recovery console and reloaded it. The easiest way for me to do that was using combofix.

    I also installed Comodo firewall so I could quit using the crappy MS one.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run this: GMER - running with a random name and attach the log from GMER.

    Now please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1


    Download Mirror #2

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
    • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":

    Code:
    :filefind
    atapi.sys
    netbt.sys
    • Please Confirm everything is copied and Pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.

    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.
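    As an added example (not part of this thread, and not SystemLook's or MajorGeeks' own code), the Python script below does what the SystemLook :filefind step is being used for here: it finds every copy of a driver under a Windows tree, hashes each copy, and flags any live copy (for example system32\drivers\atapi.sys) whose hash differs from the backups Windows keeps in ServicePackFiles\i386 and system32\dllcache. The directory layout it scans is constructed in a temporary folder and the driver bytes are made up for the demo; the choice of ServicePackFiles and dllcache as the "reference" locations is an assumption taken from the paths used later in this thread.

```python
"""Audit every on-disk copy of a Windows driver against its backup copies.

Added example, not code from the thread. Paths and file contents in
build_demo_tree() are constructed for the demo and are not real drivers.
"""
import hashlib
import os
import tempfile

# Assumed backup locations: Windows keeps pristine copies of system drivers
# here (the thread's FCopy:: and grfix.txt steps restore from ServicePackFiles).
REFERENCE_DIR_MARKERS = ("servicepackfiles", "dllcache")


def sha256_of(path):
    """Stream a file through SHA-256 so large drivers are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, filename):
    """Every path under root whose basename equals filename (case-insensitive)."""
    target = filename.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == target:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def is_reference(path):
    """True for a backup copy (ServicePackFiles or dllcache), False for a live copy."""
    lowered = path.replace("\\", "/").lower()
    return any(marker in lowered for marker in REFERENCE_DIR_MARKERS)


def audit_driver(root, filename):
    """Hash every copy of filename under root and compare live copies to the backups.

    Returns {path: {"sha256", "size", "status"}} where status is one of
      "reference"   backup copy used as the comparison baseline
      "ok"          live copy whose hash matches the backups
      "MISMATCH"    live copy whose hash differs from the backups (patched or replaced)
      "unverified"  no backup exists, or the backups disagree with each other
    """
    copies = find_copies(root, filename)
    report = {p: {"sha256": sha256_of(p), "size": os.path.getsize(p)} for p in copies}
    ref_hashes = {report[p]["sha256"] for p in copies if is_reference(p)}
    for p in copies:
        if is_reference(p):
            report[p]["status"] = "reference"
        elif len(ref_hashes) != 1:
            report[p]["status"] = "unverified"
        elif report[p]["sha256"] in ref_hashes:
            report[p]["status"] = "ok"
        else:
            report[p]["status"] = "MISMATCH"
    return report


def suspect_copies(root, filename):
    """Relative paths (forward slashes) of every copy flagged MISMATCH."""
    report = audit_driver(root, filename)
    return sorted(os.path.relpath(p, root).replace(os.sep, "/")
                  for p, info in report.items() if info["status"] == "MISMATCH")


def build_demo_tree():
    """Construct a throwaway tree imitating the XP layout in this thread.

    The live atapi.sys gets a few patched bytes but keeps its original size,
    so a size-only comparison would miss it. Contents are made up.
    """
    root = tempfile.mkdtemp(prefix="driveraudit_")
    clean_atapi = b"MZ" + bytes(range(256)) * 4
    patched_atapi = clean_atapi[:300] + b"\xe9\x00\x10\x00\x00" + clean_atapi[305:]
    assert len(patched_atapi) == len(clean_atapi)
    clean_netbt = b"MZ" + b"netbt" * 100
    layout = {
        "WINDOWS/ServicePackFiles/i386/atapi.sys": clean_atapi,
        "WINDOWS/system32/dllcache/atapi.sys": clean_atapi,
        "WINDOWS/system32/drivers/atapi.sys": patched_atapi,
        "WINDOWS/ServicePackFiles/i386/netbt.sys": clean_netbt,
        "WINDOWS/system32/drivers/netbt.sys": clean_netbt,
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for drv in ("atapi.sys", "netbt.sys"):
        for path, info in audit_driver(demo_root, drv).items():
            print(f"{info['status']:10} {info['size']:6d} {info['sha256'][:16]}  "
                  f"{os.path.relpath(path, demo_root)}")
```

    A match against the backup only proves the live file equals the backup, not that either is clean; padrig_jh's own finding that the Recovery Console copy of atapi.sys also looked corrupted is exactly the case where the script would report "unverified" or a false "ok". When the backups are in doubt, compare against a copy taken from the original install media instead.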
     
  9. padrig_jh

    padrig_jh Private E-2

    Tim, here are the scan results.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
    • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":

    • Please Confirm everything is copied and Pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.
     
  11. padrig_jh

    padrig_jh Private E-2

    Tim, looks like imapi came up blank.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A syntax error in the command caused this. Please run the below.
    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
    • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":
    Code:
    :filefind
    
    imapi.sys
    • Please Confirm everything is copied and Pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.
    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.
     
  13. padrig_jh

    padrig_jh Private E-2

    Okay, here's the system look report.
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try doing this:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\imapi.sys | C:\WINDOWS\system32\dllcache\imapi.sys
    C:\WINDOWS\ServicePackFiles\i386\imapi.sys | C:\WINDOWS\system32\drivers\imapi.sys
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now re-run GMER.

    Attach both logs.
     
  15. padrig_jh

    padrig_jh Private E-2

    Hi, here are new logs.
    I am still having problems. What a pain.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you need to make a copy of your backup of the imapi.sys which is here:

    C:\WINDOWS\ServicePackFiles\i386\imapi.sys

    and put the copy so that it is located here c:\imapi.sys

    Then we need to make sure this is completed properly before we can proceed so I will be asking for a new MGtools log a little further down to verify you have completed this properly.


    Now we also need to create a batch file to run from the Windows Recovery Console ( henceforth just called the RC ) which will make steps easier for you when we do get to using the RC.
    • Open notepad
    • Copy the contents of the Code Box below into the notepad window.
    • Click File -> Save As...
    • In the File name: field, type C:\grfix.txt, then click Save.
    • Close notepad
    Code:
    ren c:\windows\system32\drivers\imapi.sys imapi.old
    copy c:\imapi.sys C:\WINDOWS\system32\dllcache\imapi.sys
    copy c:\imapi.sys c:\windows\system32\drivers\imapi.sys
    Now double check the C:\grfix.txt file by double clicking on it and make absolutely sure that it looks exactly like I gave above noting to maintain spacing which is why my instructions stated to copy ( typing could lead to mistakes ;) ). If it looks okay, just let me know that you have this grfix.txt file created properly.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  17. padrig_jh

    padrig_jh Private E-2

    Hello again. I copied that file and created the batch file.
    I tried to run MGlogs again, but it is hanging.
    Only getunkey runs.
    I ran Hijack this as a stand alone as well, so here are those two files.
    Thanks again.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try shutting down Avast and Comodo Firewall and then run GetLogs.bat. If you still have a problem, try running it in safe boot mode.
     
  19. padrig_jh

    padrig_jh Private E-2

    Okay, got mglogs to run in safe mode. Here they are.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we will boot into the Windows XP Recovery Console. You should print these to have on hand while offline. Also read thru all of them now to be sure you understand before starting them.
    • Restart your computer.
    • Shortly after restart and way before Windows loads, you will be prompted to choose which Operating System to start. Pay attention it flashes fast and you will only have about 1 or 2 seconds to hit a key!
    • Use the up and down arrow key to select Microsoft Windows Recovery Console that was installed with Combofix and hit enter after selecting.
    • Later you will be asked to enter which Windows installation to log onto. Type 1 and press 'Enter'.
    • At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the space after the word batch):
    batch C:\grfix.txt

    After the above finished (which will be quick), type in Exit and press enter and your computer shall reboot. Reboot back in to Normal Mode and run Combofix once more.

    Also run GMER like previously run.

    Now also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new c:\combofix.txt log
    • the new GMER log
    • C:\MGlogs.zip
     
  21. padrig_jh

    padrig_jh Private E-2

    Here are new logs.

    I haven't had any redirects or any other goofy stuff so far this morning, so hopefully the logs say that all is clear.
    Thanks.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Looks good now.

    You should just uninstall the below outdated version of Sun Java:
    J2SE Runtime Environment 5.0 Update 5


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  23. padrig_jh

    padrig_jh Private E-2

    Thanks! You are awesome.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
