drweb.exe amongst other names

[gdeb]

• When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now

.

Still won't let me update Avast. Still getting web page redirects. Most recent redirect was to: hxxp://www.happili.com/vht/innerxy.php?q=Cnn&xy=riva-631

[SuperDave]

Is this because it is Windows 7?

Could be. I don't have Win7

Does not allow me to "check" running processes - it is grayed out. Running scan now will post update shortly.
 

This is the first time I've used this canned speech. It's possibly because of Win7

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
******************************************
Ok. Let's try this one.

Please download Rooter and Save it to your desktop.

• Double click it to start the tool.
• Click Scan.
  
• Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
  

[gdeb]

O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost

Important: Close all open windows except for HijackThis and then click Fix checked.

Done

[gdeb]

• Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
  

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 Home Edition (6.1.7600)
[32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 8.0.7600.16385
.
C:\  [Fixed-NTFS] .. ( Total:451 Go - Free:403 Go )
D:\  [CD_Rom]
.
Scan : 15:52.48
Path : C:\Users\Gerrit deBorst\Desktop\Rooter.exe
User : Gerrit deBorst ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ ???z??? (264)
______ ???z??? (400)
______ ???z??? (464)
______ ???z??? (480)
______ ???z??? (512)
______ ???z??? (536)
______ ???z??? (544)
______ ???z??? (628)
______ ???z??? (700)
______ ???z??? (788)
______ ???z??? (852)
______ ???z??? (916)
______ ???z??? (964)
______ ???z??? (1000)
______ ???z??? (312)
______ C:\Program Files\Dell\DellDock\DockLogin.exe (1052)
______ ???z??? (1128)
______ C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (1212)
______ ???z??? (1312)
______ ???z??? (1336)
______ ???z??? (1588)
______ ???z??? (1620)
______ ???z??? (1632)
______ C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (1764)
______ ???z??? (1864)
______ C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (1908)
______ C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE (1964)
______ ???z??? (2000)
______ C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe (2032)
______ ???z??? (2852)
______ ???z??? (2652)
______ C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe (2904)
______ ???z??? (3044)
______ C:\ProgramData\Macrovision\FLEXnet Connect\11\ISUSPM.exe (2960)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (2676)
______ C:\Program Files\Alwil Software\Avast5\AvastUI.exe (2604)
______ ???z??? (2252)
______ ???z??? (1300)
______ C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe (3560)
______ ???z??? (3732)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe (3764)
Locked audiodg.exe (3840)
______ ???z??? (4080)
______ ???z??? (1652)
______ ???z??? (3196)
______ C:\Users\Gerrit deBorst\Desktop\Rooter.exe (2320)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:41094144)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:41126400 | Length:15728640000)
\Device\Harddisk0\Partition3 (Start_Offset:15769766400 | Length:484337047040)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 15:52.55
.
C:\Rooter$\Rooter_1.txt - (28/12/2010 | 15:52.55)

[gdeb]

First off I appreciate you taking the time to help me with this - and I can see from the forum you are working on multiple issues at one. I realize that you don't want me to attempt anything to solve the problem, but time is of the essence as my father is returning to Florida and I need to get this done before he leaves.

That being the case I have researched the issue and narrowed it down to a bootkit infection specifically rootkit.win32.tdss. I have dowloaded and run Kaspersky TDSSKILLER. This program found the the bootkit infection and removed it.

A review of internet explorer appears that the redirect is gone. I loaded about 20 pages without getting redirected.

Additionaly I have researched the AVAST problem with AVAST and found that by changing the connection in the AVAST settings page for Proxy Server to direct connect this resolves my problem.


If there is any cleanup you think I should do please let me know.

If my actions have caused further problem for you - please accept my apologies and close this thread.

[SuperDave]

I'm glad that you were able to get it cleaned. I would like you to run one last scan, if you please.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[gdeb]

save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

C:\Users\Gerrit deBorst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\30d181d3-6c62447e   multiple threats   deleted - quarantined

C:\Users\Gerrit deBorst\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\5def9a73-63f50e0c   multiple threats   deleted - quarantined

[SuperDave]

Ok. That's looks good. Let's cleanup.

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

• Click the CleanUp button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
*************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
************************************************
Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
***************************************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

[gdeb]

Ok. That's looks good. Let's cleanup.

Thanks for all your help!!