Late this morning, my browser (IE9) began to be redirected to one of several sites whenever I tried to click on a Google search result. Am running Norton 360, so I tried doing a full system scan first - no threats detected. Did some quick research, and ended up downloading Malwarebytes' Anti-Malware program while running in safe mode with networking. Ran that, and it detected Trojan.Happili in a temp directory (don't recall the path). The Malwarebytes program said it had resolved the issue, and a subsequent scan was clean. Ran CCleaner with secure deletion enabled to clean out temp directories. Updated Java, and cleared the cache through the Java console. Tried another Google search - same redirect issue. Found Quads' suggestions in this forum, and downloaded TDSSKiller and aswMBR while in safe mode with networking. Stopping there without further guidance, as I don't know how to interpret the results, and it sounds like messing around in ignorance is a recipe for disaster.
Can you help, Quads? Please let me know if more info is required.
Unfortunately, whatever's wrong with my system seems to be preventing me from accessing anti-malware product sites... running in safe mode with networking was the only way I was able to download the Malwarebytes program. My apologies for jumping the gun with the other two tools - didn't remove anything, just ran them to get the logs to post.
Malwarebytes log is attached as requested. Thanks for any advice you can offer!
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of this forum (sometimes).
Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
Please read carefully
We may yet have to do this with a program without Windows loading, as something is blocking programs from running etc. But we will try and log with this,
a) Download OTL hxxp://oldtimer.geekstogo.com/OTL.exe (change the hxxp to http) save it to your Desktop. In Safe Mode if Need be.
Restart the Computer into Normal Mode
Double click on OTL.exe to run it. Right click OTL.exe and select Run as administrator for Vista and Win 7.
Click the Scan All Users checkbox.
Change file age to 60 days
under Copy and paste what is below between the lines
Got to make sure the subsystems are untouched by anything linked to that.
Please download hxxp://download.bleepingcomputer.com/farbar/FRST64.exe (change the hxxp to http) and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
FRST.txt attached as requested. Also - following the restart required after running FRST64.exe, and without any action on my part, Norton 360 reported that Trojan.tracur!gen2 had been detected and removed. Am attaching the export of the security history from Norton 360, in case it is useful.
Ensure that Combofix is saved directly to the Desktop <--- Very important
Disable all security programs as they will have a negative effect on Combofix,
Close any open browsers and any other programs you might have running
Download the attached CFscript.txt. For some browsers, right click the attachment on the forum and select "Save As" or similar to download it. See screenshot below.
Now drag the CFScript.txt into the ComboFix.exe
If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review
****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security.
*EXTRA NOTES*
If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).
Disabled security programs and closed open programs, then downloaded ComboFix and the CFScript.txt file to the desktop as directed. When I drag the script onto the ComboFix icon, a small window appears, numerous lines scroll past, and then that window closes. A few seconds later, another slightly bigger blue window opens (header says "Administrator") and then a dialog box appears with the following message:
CFScript Name Error
Were you trying to run CFScript?
The name, CFScript appears to be incorrectly spelt
The program did not ask about a recovery console or a malware scan, and no combofix.txt file was generated after the error message was closed.
Also, Norton 360 is now giving me an error message (code 3040, 40018 - conflict with another security program) when I try to access the security history, and recommends installing v6 as the fix. Not sure what the conflict is - removed mbam as previously directed. Have not been able to find any other way to access the security history, and did not yet install the new version of 360 pending your further instruction.