Here is some background...

A few days ago I noticed that Firefox began to redirect. After a little testing I noticed that EVERY browser redirects. The redirects seem to happen when I am searching Google or Bing. The redirects also sometimes happen when I am browsing normally.

I have tried the following AVs
- MalwareBytes
- AVG
- Spybot S&D
- Avast
- Norton

I have also run
- CCleaner
- Reg Mechanic

All have been run in both safe mode, and in normal mode. The virus scanners found nothing, and the problem continued.

I have uninstalled all but one (Malwarebytes) to prevent conflicts.

More steps I have taken
- Uninstalled Firefox (and deleted the related folders)
- Flushed DNS
- Ensured the hosts file was clean (it was)

I have also run HJT and Combofix. The logs are as follows.

HJT
http://syndtext.com/view/rijn6j/

ComboFix
http://syndtext.com/view/xwklwk/

Thanks for any help on this issue! I am pulling my hair out!!

New Information:
After running TDSSKiller, it would seem I have that infection. Any help removing it would be swell! The infected file name is atapi.

Hi and welcome to daniweb,
First of all I feel obliged to ask who told you to run Combofix? This is not a normal, everyday program that should be run. It is for very specific infections and should be run only when directed to do so by a helper. If you were working on your own then nobody directed you to do so. However, if you were told to do so by a helper at another forum then you should continue at that forum and not post at multiple forums for the same problem. Doing this can cause major problems with the computer since each forum has no idea another forum is working with you and may give you conflicting instructions or repetitive instructions which shouldn't be done multiple times.
Please read this information concerning the Usage of Combofix

Please NOTE what is said about using Combofix on a Windows 7 computer:

ComboFix will work on Windows 7, it is not officially supported yet so if it is run you will receive a warning message that it is a beta version meant for compatibility testing

Running multiple antivirus programs on a computer at the same time is most definitely not recommended and will not give you clear results. Plus, the following programs are not anti-virus programs:
Spybot S&D and MalwareBytes. They both CAN be on a computer at the same time but they are not anti-virus programs.
You neglected to mention another anti-virus program which clearly shows in your logs, and that is Microsoft Security Essentials. If that was installed and running at the time of the scans with AVG, Norton, and Avast, then it is likely that none of those scans would have given correct results, and MSE would not be working properly either.

Because of the other scans done, the fact that TDSSKiller found what you said was an infected file may not be considered valid either. The file, atapi, IS a legitimate file found on all computers. It is the interface between your computer and attached CD-ROM drives and tape backup drives. TDSSKiller is also a program run for very specific problems; I am not certain that this was one of those times. Generally it "might be" indicated when you receive an error like "Generic Host Process for Win32 Services has encountered a problem and needs to close", but not necessarily for browser search redirects.

What items did you remove with CCleaner and Registry Cleaner? There is virtually no reason to clean the registry. When run properly, MBA-M and others will find and remove infected registry entries, but using a registry cleaner is, as a well-respected computer tech friend of mine often states:

Using an automated cleaner to try to fix a registry problem is akin to using a shotgun to remove an appendix. The best way to deal with (possibly) registry-related issues is to thoroughly research the problem and then use regedit to make any necessary changes and/or deletions (having first set a restore point or created a backup).

I would like to see the log from MBA-M. I would also like to see an Uninstall list generated by using HiJackThis.
To do this, do the following:
- Start HijackThis
- Click on the Misc Tools button
- Click on the Open Uninstall Manager button
- Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window into a reply.

Also, please post your logs directly into your posts, don't host them someplace else.
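The helper's point about atapi (a legitimate driver that a scanner may nonetheless flag) and the original poster's "flushed DNS, checked the hosts file" steps both come down to the same question: what on this machine actually changed? The script below is an added example, not something posted in this thread; it assumes a default Windows install, an elevated PowerShell prompt for sfc, and PowerShell 4 or later for Get-FileHash (on the PowerShell 2 that Windows 7 shipped with, use `certutil -hashfile <file> SHA256` instead).

```powershell
# Added example for this thread (not part of any reply). Three checks a helper would want
# before accepting "atapi is infected" from a scanner, or "the hosts file is clean" from
# the poster. Assumes a default Windows install and an elevated prompt.

$driver = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'
$hosts  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Integrity of atapi.sys. Inbox drivers are signed through a Microsoft catalog, not an
#    embedded signature, so System File Checker (which compares the file with the
#    protected copy in the component store) is the right check; read its printed verdict.
#    Caveat: a kernel-mode rootkit can hand the original bytes to user-mode readers, so a
#    clean result from inside the running system is necessary, not sufficient. A scan from
#    a boot disc or an offline copy of the volume is the stronger test.
& "$env:SystemRoot\System32\sfc.exe" /verifyfile="$driver"

# A SHA-256 lets you compare against a known-good copy from another machine on the same
# Windows build (no reference value is asserted here; it differs per build).
Write-Host "`nSHA256 of ${driver}:"
(Get-FileHash -Path $driver -Algorithm SHA256).Hash

# 2. Hosts file: print every active (non-comment) line that is not the stock localhost
#    mapping. On a clean machine this prints nothing; a redirect that hits every browser
#    is often just an extra line here.
Write-Host "`nNon-default hosts entries:"
Get-Content -Path $hosts |
    Where-Object { $_ -match '^\s*[^#\s]' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }

# 3. DNS servers actually configured on every IP-enabled adapter. Compare these with what
#    the router or ISP should be handing out; an unexpected address explains redirects
#    that survive a browser reinstall and an ipconfig /flushdns.
Write-Host "`nDNS servers per adapter:"
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder |
    Format-Table -AutoSize
```

Run it once before any cleanup and keep the output with the other logs: if sfc reports no violation, the hosts file prints nothing and the DNS servers match the router's, then the redirect is being introduced somewhere else (a browser add-on, a proxy setting, or the rootkit-in-memory case the caveat describes), which changes what the next tool should be.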

It actually doesn't seem to be redirecting anymore. But here are the logs anyway:

MBA-M:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3957

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/5/2010 3:20:38 PM
mbam-log-2010-04-05 (15-20-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 216101
Time elapsed: 45 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Uninstall:

8BallClub Billiards
Acrobat.com
Acrobat.com
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Creative Suite 4 Production Premium
Adobe Creative Suite 4 Production Premium
Adobe CSI CS4
Adobe Default Language CS4
Adobe Dynamiclink Support
Adobe Encore CS4 Codecs
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Premiere Pro CS4 Third Party Content
Adobe Reader 9.3
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Soundbooth CS4 Codecs
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Battlefield 2
Battlefield: Bad Company 2
CCleaner
CDDRV_Installer
Connect
Counter-Strike: Source
erLT
FileZilla Client 3.3.2.1
GTK+ Runtime 2.14.7 rev a (remove only)
Half-Life 2: Deathmatch
Half-Life Deathmatch: Source
HijackThis 2.0.2
Java(TM) 6 Update 16
Just Cause 2 Demo
KhalInstallWrapper
Killing Floor
kuler
Left 4 Dead 2
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft Antimalware
Microsoft Security Essentials
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.3)
Notepad++
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
Opera 10.51
Orbit Downloader
PDF Settings CS4
Photoshop Camera Raw
Pidgin
Pixel Bender Toolkit
PunkBuster Services
Registry Mechanic 9.0
Spybot - Search & Destroy
Steam
Suite Shared Configuration CS4
VLC media player 1.0.5
WinRAR archiver
Xion v1.0 (build 125)

That MBA-M log is not the original log; it shows that it was just run this afternoon. Your Java is out of date; the current version is Version 6 Update 19.
I still advise getting rid of that Registry Mechanic for the reasons previously stated, and why in the world would you even consider using something like this on a brand new operating system?
