Web redirector/AVG update blocked

Hi guys, was recommended to post here by guys on the AVG free forum. I had already undertaken their reommended removal instructions to no avail, which involved updating everything and then -

Running AVG scan.
Run Malware Bytes Scan.
Run Spybot S&D scan.

Repeated above in safe mode.

Have now performed the initial steps outlined by you guys. Please see the attached logs.

Symtoms -

When using internet explorer and Firefox search engine results are redirected maybe 1 time out of every 5 to spam/scareware type sites. This happens on multiple search engines (have tried google and yahoo).

When I try to update my AVG free 8.5 software using the interface the update hangs forever, with no error message.

I am occassionally seeing "Connection interupted" type messages in browsers.

Other steps performed -

Have verified it's not my ADSL router, by switching it out with another.

Have also verified that other machines on my network don't have the same problem.

Any help would be great as I've been struggling with this one for a few days now!

 

Hi, many thanks for helping out - I know you guys are swamped at the moment.

Deleted the file you requested. New logs attached.

 

Ok, here's the actions I took -

* Ran avenger as per your instructions, but there was a couple of issues in the resulting log, see attachment "avenger.txt".
* So then I modified the quote you gave to try and address these issues and ran avenger again. See "new quote.txt" for the new commands I gave to avenger.
* "avenger2.txt" attachment contains the results of this second run.
* I then ran CCleaner as per your instructions. However, I wasn't sure exactly what you meant by temp files so I selected both Internet Explorer -> Temporary Internet Files and System -> Temporary Files. Hope that's ok.
* I also had a look in Local Settings\temp myself and deleted a few other left overs ending in .tmp.
* I then manually updated AVG and ran a full scan. Nothing found.
* Updated Malware Bytes and ran a full scan. Nothing found.
(I did these two steps because I haven't for a few days and was hoping the updated versions would solve the problem)
* Final step was to run the GetLogs.bat, the results of which are attached.

The problem remains the same as before.

Only other thing I noticed is that as I was typing this up I still had the Local Settings\temp folder open and a couple of new files had appeared which aren't in the logs. Might just be innocent firefox related stuff but thought I'd mention it in case it's useful -

~DF1160.tmp (16KB)
etilqs_hoBmRpA1ldgFQXsTYkXd (0KB and greyed out/hidden)

Many thanks for your continued help

 

Ok, I apologise for the bump but the two files mentioned in my last post disappeared as soon as I closed firefox. When I open firefox again the files reappear.

Similarly, if I open internet explorer I get about 8 .tmp files that appear that also disappear as soon as IE is closed.

My guess is that this is normal browser behaviour, but just providing the info in case it's relevant.

Cheers.

 

Attached GooredLog from running option 1 only.

 

No effect from running the second option...

Thanks for your continued efforts, any other advice would be greatly welcomed before I reinstall windows.

 

I know you're all busy etc., but its fairly clear to me that I have something that is pretty new and undetected by most, if not all, anti-virus software etc.

I would expect pros in this industry to be jumping all over something like this, but no, it's fairly quiet and more pcs are probably getting compromised every minute...

It might be more effective imo if your advice threads basically just said - REFORMAT NOW, otherwise you're just encouraging infected systems to remain for days or weeks online while your volunteers try and solve the problem. Is that really the most effective way of dealing with this shit??

 

Good to see you back, Tim!

Three logs attached - "rootkit repealer" was obtained from running the Scan from the "Report" tab. When the process had finished there was an error window open with the text in the "error log.txt" showing. Note that I had firefox running during the scan - the first time when I did a file scan only I didn't and that is also attached as "files.txt". However I also had an identical error window and error text that time as well.

My E: drive is a USB external hard-drive, and I suspect that the problems with the files on there are false positives - I have had some corrupt mp3s on there for a while.

 

Apologies for bumping but there's been a bit of a development. Not sure how but AVG seems to have updated itself recently (rather than hanging like it usually does). The virus DB is now version 270.12.76.2183 and it is reporting detection of a Win32/Patched virus when I do almost anything internet related. Makes sense as the infected file appears to be system32/ws2_32.dll which is some kind of socket library.

This might also explain why it is able to redirect searches from multiple search engines etc.

I quick online scan of the file at www.virustotal.com also gets the following hits -

BitDefender 7.2 2009.06.17 Trojan.Patched.EM
GData 19 2009.06.17 Trojan.Patched.EM
McAfee-GW-Edition 6.7.6 2009.06.17 Virus.Win32.FileInfector.gen!90 (suspicious)
Sophos 4.42.0 2009.06.17 Mal/WSHack-A

Now since this is a system file and there may still be other rootkit stuff at play I've not taken any action, but hopefully this might help in some way for figuring out the next steps.

Cheers!

 

Looking good for now - ran the sfc /scannow twice as you suggested and am now no longer seeing the redirect issues. AVG is also updating fine and not reporting the stuff it was before.

Many thanks for your help, Tim