PhilliePhan 171 Central Scrutinizer Team Colleague

It's so small that I guess it's easier if I just paste it:

Directory of C:\WINDOWS\system32\drivers

13/04/2008 22:10 96,512 atapi.sys
1 File(s) 96,512 bytes

only that

That's odd - there should be more.

What about C:\I386\atapi.sys - anything there?
How about C:\WINDOWS\ServicePackFiles\i386\atapi.sys - Any luck?

PP :)
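The check PP is driving at here (and again later in the thread, when a copy of atapi.sys is pulled out of the DriverStore and dropped over the live one with The Avenger) is: find every copy of the driver on the box and see whether the one actually loaded matches any of the cached ones. Below is an added worked version of that check, not part of the thread and not anything the poster ran. It builds a throwaway directory tree with placeholder bytes in the three locations named above (the real driver is 96,512 bytes; the placeholder is not), hashes every copy the way `dir /a /s atapi.sys` would list them, and compares content rather than size or date, because a patched driver can keep both of those unchanged.

```python
import hashlib
import tempfile
from pathlib import Path

# Places Windows XP keeps spare copies of a boot-critical driver (paths from the
# thread); the first one is what actually gets loaded.
LIVE_DRIVER = Path("WINDOWS/system32/drivers/atapi.sys")
SPARE_COPIES = [
    Path("I386/atapi.sys"),
    Path("WINDOWS/ServicePackFiles/i386/atapi.sys"),
]


def sha256_of(path):
    """Hash a file in chunks so a large driver is not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(root, name):
    """Same idea as `dir /a /s atapi.sys`: every file with that name under root."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.lower() == name.lower())


def compare_driver(root, name="atapi.sys"):
    """Hash every copy and report whether the live driver matches any spare copy.

    Size and timestamp are not enough on their own: an in-place patch can keep
    both, so the comparison is on content hashes.
    """
    copies = find_copies(root, name)
    live = root / LIVE_DRIVER
    report = {
        "copies": {str(p.relative_to(root)): (p.stat().st_size, sha256_of(p)) for p in copies},
        "verdict": "live driver not found",
    }
    if not live.is_file():
        return report
    live_hash = sha256_of(live)
    spares = [p for p in copies if p != live]
    if not spares:
        report["verdict"] = "no spare copy to compare against"
    elif any(sha256_of(p) == live_hash for p in spares):
        report["verdict"] = "live driver matches a cached copy"
    else:
        report["verdict"] = "live driver matches no cached copy: replace it from a known-good source"
    return report


# --- constructed demo data: placeholder bytes, not a real driver ------------------
CLEAN_BYTES = b"MZ" + b"\x00" * 94                           # 96 bytes
PATCHED_BYTES = b"MZ" + b"\x00" * 90 + b"\xE9\x00\x00\x00"   # same length, different tail


def build_demo_tree(root, infected):
    """Lay out the three locations from the thread under a temporary root."""
    for rel in SPARE_COPIES:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(CLEAN_BYTES)
    (root / LIVE_DRIVER).parent.mkdir(parents=True, exist_ok=True)
    (root / LIVE_DRIVER).write_bytes(PATCHED_BYTES if infected else CLEAN_BYTES)
    return root


def demo(infected):
    """Run the comparison against a freshly built demo tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return compare_driver(build_demo_tree(Path(tmp), infected))


if __name__ == "__main__":
    print("clean system  :", demo(infected=False)["verdict"])
    print("patched driver:", demo(infected=True)["verdict"])
```

On a real machine you would point `compare_driver` at the system drive root and expect three entries in `copies`; a single entry, as in the directory listing above, already tells you there is nothing on the box to compare against and the replacement has to come from install media or a known-good machine.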

PhilliePhan

Everything looks fine now, AVG is gone. The AVG files are AVG 8 and AVG 9 and they are in the AVG folder. The other one wasn't but it is no longer there.

You should be able to safely delete the AVG folder.
Try that - if there are any "scary" messages, then hold off.

If you no longer have a working AV, see if you are able to install Avira Anti-vir Personal - FREE

-- What browser(s) do you use? IE / Firefox / Opera (sorry - too busy to backtrack ATM - easier to ask)

PP :)

PhilliePhan

I had to zip it since I got an "invalid file" error when trying to upload it (?)

My fault - this forum doesn't support .log attachments - I should've had you change it to .txt.
No worries.

Could you click START > RUN > type cmd ENTER
At the command prompt type dir /a /s atapi.sys >> C:\Logit.txt ENTER

Then please post the C:\Logit.txt

PP :)

PhilliePhan

Desktop still gone; the only files are in the Program Files folder. The weird one is gone after the 2nd reboot.

Is explorer.exe running?
Open task manager (ctrl-alt-del) and see if it is running. If it is, RightClick it and restart it - does Desktop come back?

PP:)

PhilliePhan

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net. . . . .

Ooops - In my haste I forgot to use the -t switch for the first mbr scan. That's why both logs look alike.
No worries - we were going to run the -f anyway which renders the whole issue moot....

-- There are still some issues in the combofix log - I'll post the next steps as soon as I have time.

-- Is explorer.exe still borked? If so, we'll deal with that as well.

PP:)

PhilliePhan

GMER didn't seem to detect anything ..

No log at all from GMER?
Try running it again. Select the Rootkit/Malware Tab and just click the Scan button.

Allow the scan as long as it needs and then click the save button and name the log GMER – 1.log and save it to where you can easily find it and post it for me.


PP:)

PhilliePhan

Ok, I uninstalled AVG, desktop went away but there are still several file folders and a weird one with $ in front of it. Not sure the best way to safely get rid of these. It says deleting may cause the computer to become unstable and it's unstable enough. ;) Windows updates are set to auto, so however that works, sometimes it updates when it turns on.

-- Are those AVG files in the AVG Folder?

-- Does your desktop come back after a reboot?

PP :)

PhilliePhan

It doesn't appear to be redirecting anymore... I have clicked on about 30 links and they seem to all work... thanks to you and crunchie times a million!

You're welcome - happy to hear it!

Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

-- Doing the above step ought to get your clock back to normal.

Let us know if there are any further issues - otherwise I think you can mark this thread "solved."

Cheers :)
PP

PhilliePhan

I can't access microsoft.com, hotmail.com, hijack this webpage, and sometimes other seemingly random webpages like bbc news, met office, gametrailers etc. Most other webpages work fine though

I am a bit "over-extended," so hopefully another volunteer can jump in and run with this, but to get started, please do the following:

FIRST:

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

THEN:

-- …

PhilliePhan

Done and done, everything worked perfectly.

Great! We are making some progress - still a bunch to do, though.

Please do this first:
-- Download mbr.exe to your C:\ Drive ---> C:\mbr.exe
-- Navigate to C:\mbr.exe and DoubleClick it to run it. It will run quickly and a log will appear on your C:\Drive ---> C:\mbr.log
--Please Rename that to mbr-1.log

THEN:
Click START > RUN > type or Copy&Paste mbr.exe -f ENTER
(note the space between .exe <space> -f if you type it)
-- Let the tool run and another mbr.log will appear on C:\Drive.

Please post Both logs for me and we'll go from there.

PP:)
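For readers who want to see what the mbr.exe step is actually checking: an MBR rootkit replaces the bootstrap code in the first sector of the disk while leaving the partition table alone, so the disk still boots and looks normal in Disk Management. The block below is an added example, not the tool's code and not something from the thread. It parses a 512-byte sector, hashes the 440-byte code area, compares it against a caller-supplied known-good copy, and shows a restore that rewrites only the code area and leaves the disk signature and partition table untouched. The sample sectors are constructed from placeholder bytes (no real boot code, no real rootkit bytes), and the restore is an assumption about the shape of a fix step, since the thread does not say what `mbr.exe -f` writes.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code, the part an MBR rootkit replaces
DISK_SIG_OFF = 440         # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"     # bytes 510..511


def parse_partition_entry(entry):
    status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Split one sector into code hash, disk signature and the in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = [
        parse_partition_entry(sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)])
        for i in range(4)
    ]
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": [e for e in entries if e["type"] != 0],
    }


def check_boot_code(sector, known_good_code):
    """Compare only the bootstrap code against a trusted copy; partition data is ignored."""
    if len(known_good_code) != BOOT_CODE_LEN:
        raise ValueError("baseline must be the 440-byte code area")
    return "clean" if sector[:BOOT_CODE_LEN] == known_good_code else "modified"


def restore_boot_code(sector, known_good_code):
    """Put trusted code back; disk signature and partition table are carried over unchanged.

    Assumption: this is the shape of a fix step, restoring a caller-supplied copy.
    """
    parse_mbr(sector)  # refuse to touch anything that is not a well-formed MBR
    if len(known_good_code) != BOOT_CODE_LEN:
        raise ValueError("baseline must be the 440-byte code area")
    return known_good_code + sector[BOOT_CODE_LEN:]


# --- constructed sample sectors: placeholder code bytes, not real boot code ---------
GOOD_CODE = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 435      # 440 bytes
BAD_CODE = b"\xE9\x00\x01" + GOOD_CODE[3:]               # same length, first bytes patched to a jump


def build_sector(code):
    disk_sig = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"
    # one bootable NTFS-type (0x07) partition starting at LBA 63
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 20_000_000)
    empty = b"\x00" * 16
    return code + disk_sig + part0 + empty * 3 + BOOT_SIG


CLEAN_MBR = build_sector(GOOD_CODE)
INFECTED_MBR = build_sector(BAD_CODE)


if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        info = parse_mbr(sec)
        print(label, check_boot_code(sec, GOOD_CODE), info["partitions"])
    fixed = restore_boot_code(INFECTED_MBR, GOOD_CODE)
    print("after restore:", check_boot_code(fixed, GOOD_CODE))
```

The point of `check_boot_code` ignoring everything past byte 439 is that the partition table and disk signature legitimately differ from machine to machine, while the bootstrap code for a given Windows version does not; comparing the whole sector would flag every disk.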

PhilliePhan

I'm having exactly the same problem, but "net stop dnscache" didn't do anything.

I've tried MBA-M as well, but found nothing. I've run hijack and didn't see anything suspicious, but got rid of everything that was not necessary just in case. Also deleted all cookies, updated windows,winSocksfix, checked the hosts file, run spybot etc.

Please start a new thread for your individual problem and one of the volunteers ought to be able to advise you further.

Cheers :)
PP

PhilliePhan

Alright, what did I do wrong? And it's still redirecting.

Looks like there was an error copying atapi.sys to C:\

Can you navigate to C:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys

Copy and paste it to your C:\ drive --> C:\atapi.sys

Then, try the Avenger step again.

PP :)

jw22 commented: Kept at it for days and fixed it... thanks!
PhilliePhan

Update: As of this morning, after cleaning out temp user files, all of the security warning pop-up windows have stopped. While currently trying to run a scan off the Trend Micro website the screen returned to the desktop. The download progress window remained open but progress slowed. Then a window labeled "redirect" popped up but the screen was empty. I closed it. The progress window ran to 100% and asked if I agreed with the licence agreement, but the licence agreement was not visible.

Hi Stonehands,

Hang in there - we're a bit overextended (like all Security Forums these days).

-- Are you able to download to the ill machine? If so, let's try this to start:

Please Download Win32kDiag from a linky below and save it to your Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.
Be sure to let it run until it says "Finished" before posting the log!

I or another volunteer will check back as time permits.

PP:)

PhilliePhan

no, can't do anything with it at all, not even in safe mode

don't know if it's significant but Windows downloads and updates with no problem . . .

--How do you do your Windows updates? Do you use a browser or click the tray icon?

-- Let's see if we can remove AVG:
First, try AVG Remover (top of list on this page):
http://www.avg.com/us-en/download-tools

Then, have a go with REVO Uninstaller to clear any hangers-on.

Let us know how you fare :)
PP

PhilliePhan

There was an error when I hit Execute... something about an invalid script... has to start with a command directive... I copied what you typed in red.

We seem to get this a lot.... You need to copy everything in red including the command directive Files to move:

Please have another go at it :)

PP

PhilliePhan

The status of the ill machine is that it will no longer fully boot up. It gets as far as the Windows loading page and then goes through the cycle again.

OK - Wasn't sure if you worked on it in the meantime.

Once you create Hiren's Boot CD, let me know and we'll have a go at this!

PP:)

PhilliePhan

you guys are great.
thx a ton

You're welcome!
There's a "donate" linky at the top of the page where you log in.

Frankly, I'm happy if you just "pay it forward" and do a good turn for somebody else sometime down the road....

Cheers :)
PP

PhilliePhan

it also had steps on what to manually look for, so it looked legit. The web site is http://www.removeonline.com/
norton reports it as safe http://safeweb.norton.com/report/show?url=removeonline.com..

Hey - sorry if my previous post sounded a bit harsh - didn't mean to come across that way.... :)

Look at that site carefully - it is set up solely to sell a product. Very little actual or useful information - just tons of links to download their product. Currently SpyNoMore, but easily changed when the affiliate/owner switches product (heck, upon further review I found another borderline rogue -XSoftSpy).
Nowhere does it say the name of the tool until you go to install it -it just says "removal tool." Nowhere does it say you will need to pay to have the tool remove what it detects. You just find that out after installing and scanning - borderline extortion in my book.
This is classic affiliate behavior to rope in unsuspecting users who are desperate to remove their malware.
They are just trying to capitalize on desperate users who are not aware of the better free options available to them.

Cheers :)
PP

PhilliePhan

there is a removal tool here: Remove Shopica

Have you tried this?
Do you know what it is?

The "removal tool" this site is pimping is a borderline rogue called SpyNoMore.
It is trialware that may or may not detect a bunch of things, but then wants you to buy their product before it will "remove" them..... LOL.

There are better free tools - If MBAM doesn't get this, I doubt SpyNoMore will. Especially a modified or infected atapi.sys....

Cheers :)
PP

PhilliePhan

If clrviddc.dll is legit or not I do not know

Apparently it is an outdated codec - clearvideodecoder.

I guess, if everything is working as it should, we should probably leave it at that . . . .

Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Let me know if there are any more issues we need to address.

Cheers :)
PP

PhilliePhan

Unfortunately, due to my system not letting me run explorer.exe, I cannot unzip JavaRa.zip . . .
I can run .exe files however.

Go ahead and do the combofix step. Let me know if you run into any problems.

PP :)

PhilliePhan

SmitFraudFix v2.424. . . . . . . .

Well, that didn't help....

It looks like crunchie and I missed something - I thought I mentioned it earlier, but apparently not.


Please do the following:

Click START > RUN > type cmd and hit OK
At the prompt Copy&Paste the complete text in Red below and hit ENTER:

Copy C:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys C:\

You should get a message confirming successful copy.

THEN:
Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\atapi.sys | C:\windows\System32\drivers\atapi.sys


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me and let me know if that had any effect on the problem.

Cheers :)
PP

PhilliePhan

I need help removing this thing.

See if you are able to do this:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename mbam-setup.exe to iexplore.exe and then download it to your Desktop as that.

  • DoubleClick iexplore.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.


See if that will work - if it fails, we'll go in a different direction.

PP:)

PhilliePhan

OK, thanks. For now though, what should I do while I can't access AVG? I am running Spybot and SUPERAntiSpyware nightly; do I need to do anything else? Oh, and Windows Defender is on.

Can you uninstall AVG?
(can't remember.... :))

PhilliePhan

. . . . explorer.exe shows as running but is not appearing at the bottom of the screen.

Can you clarify what you mean by that?

You have some baddies remaining - Let's do this:

FIRST:
Please download JavaRa.zip to your Desktop and Extract it to its own folder.

-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.

THEN:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Will check back as time permits.

Cheers :)
PP

PhilliePhan

PP
Sorry it took so long, but I forgot to save the log and had to do it over.
It appears to have fixed the problem.
Is that odd, that it was there after replacing the hard drive and a clean install?

Yeah - that's a bit odd after a fresh install, but not unheard of. People have backed up infected files and reinstalled them. Plus, a few minutes of iffy surfing can do the trick if your security is not up to par...

I find it interesting that combofix removed a few seemingly legit items:
c:\documents and settings\Gateway User\My Documents\backup.reg
c:\documents and settings\Gateway User\My Documents\backupfile.reg
c:\windows\system32\clrviddc.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\Web\default.htt

I'm not so sure those are evil. Did you create the registry backups?
I think clrviddc.dll is a video component - maybe it was infected? Do you know if it was part of a legit app that you use?

PP:)

PhilliePhan

Ok I know it has been a couple weeks. I have been tearing apart my house and storage unit trying to find my Windows CD and I cannot find it anywhere. What should I do?

Can you update me on the status of the ill machine?

-- Please create Hiren's Boot CD 10.0 and we'll see what we can do....

PP:)

PhilliePhan

So, should I go ahead and order the "OS disks" from Sony? couldn't hurt to have them just in case.

Definitely get your OS disks (I'm assuming Windows disc and sony drivers)! They are good to have on hand and, given all that has been tried thus far, they may be necessary.
I'd still like to scrutinize this thread a bit more when I have the time - awfully busy right now - to see if we missed something.

PP :)

PhilliePhan

Device \Driver\iaStor \Device\Ide\iaStor0 [82854EAE] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [82854EAE] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [82854EAE] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

You should run combofix to deal with this modified/infected iaStor.sys .

Since I butted in, I'm going to butt back out :) Just wanted to point you guys in the right direction.

Judy will be able to instruct you on the proper usage of combofix.

Cheers :)
PP
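What makes those three GMER lines a red flag is visible in the text itself: every device object owned by \Driver\iaStor dispatches to the same address (82854EAE), that address sits in no named section of iaStor.sys ("unknown section"), and the code there is a two-instruction trampoline that loads a pointer from memory and jumps through it. A clean dispatch routine does not start like that, and GMER's separate "suspicious modification" line says the on-disk file has been changed as well. The block below is an added example, not GMER's code and not from the thread, that pulls exactly those indicators out of a log so they can be triaged per driver. The hooked lines and the "File" line are the ones posted above; the final usbuhci.sys line is constructed and hypothetical, included only to show that an entry without those indicators is not flagged.

```python
import re
from collections import defaultdict

# The three Device lines and the File line are from the log posted above; the last
# line is constructed (hypothetical clean entry) and exists only to be ignored.
SAMPLE_LOG = r"""
Device \Driver\iaStor \Device\Ide\iaStor0 [82854EAE] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [82854EAE] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [82854EAE] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification
Device \Driver\usbuhci \Device\USBPDO-0 [F7C4A8B0] \SystemRoot\system32\DRIVERS\usbuhci.sys
"""

# Device <driver object> <device object> [<dispatch addr>] <module>[<section>] {<disassembly>}
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>\S+?)(?:\[(?P<section>[^\]]+)\])?\s*(?:\{(?P<stub>[^}]+)\})?\s*$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")


def scan_gmer(log_text):
    """Return one finding per hooked device object or modified file, with the reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:
            reasons = []
            if m["section"] and m["section"].lower() == "unknown section":
                reasons.append("dispatch address lies outside any named section of the module")
            if m["stub"] and re.search(r"\bJMP\b", m["stub"], re.I):
                reasons.append("dispatch routine begins with an indirect jump: " + m["stub"])
            if reasons:
                findings.append({"kind": "device_hook", "driver": m["driver"], "device": m["device"],
                                 "address": m["addr"].upper(), "module": m["module"], "reasons": reasons})
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append({"kind": "file_modified", "module": m["path"],
                             "reasons": ["GMER reports the on-disk file as modified"]})
    return findings


def summarize(findings):
    """Group findings by module file name so one driver shows up as one line item."""
    by_module = defaultdict(lambda: {"hooked_devices": 0, "file_modified": False, "addresses": set()})
    for f in findings:
        name = f["module"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        entry = by_module[name]
        if f["kind"] == "device_hook":
            entry["hooked_devices"] += 1
            entry["addresses"].add(f["address"])
        else:
            entry["file_modified"] = True
    return dict(by_module)


if __name__ == "__main__":
    for module, info in summarize(scan_gmer(SAMPLE_LOG)).items():
        print(module, info)
```

The summary collapsing three devices to a single address is the useful part for triage: one hook serving every device the driver owns, plus a modified file on disk, is a driver to replace rather than a false positive to explain away.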

PhilliePhan

I seem to have gotten rid of the Vundo infection, however explorer.exe shows as running but is not appearing at the bottom of the screen.

Your HJT is out of date - go ahead and delete it.

-- Can you post your MBAM scanlog?

-- Please download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


I or one of the other volunteers will check back as time permits.
I'll be gone until Tuesday evening EST.

Cheers :)
PP

FirstTimeUser commented: Very helpful.
PhilliePhan

This is the only thing that appeared
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

OK - Let's try this:

Please run S!R!'s SmitfraudFix Search - Option 1 as per the linky below and post the log for me.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

I have to run, but will be back Tuesday evening EST.

PP :)

PhilliePhan

Jotti's said it was empty, 0 bytes

VirusTotal = 0 bytes size received / An empty file was received

Go ahead and follow my post and let's see what happens.

Gotta run - Will check back Tuesday.

PP:)

PhilliePhan

Am getting too old to learn new tricks :).

Ain't it the truth?? ;)

I, for one, do not give up so easily . . . . .

Hey KH - Do you have the VAIO Recovery Wizard option available to you on your compy?

Click START > Help & Support > Recovery Wizard.

If so, what options do you have (I have no specific VAIO knowledge...)

-- The assistance you mentioned before, was that in a forum, or private? I'd like to see it, if possible.

I will be back Tuesday Evening EST.

Cheers :)
PP

PhilliePhan

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

c:\windows\system32\gnbpbgl.dll

That's the baddie - I'm going to go ahead and pull it out of there....:)

NW:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log. Let us know if that helps.
I'll be gone until Tuesday Evening EST - Perhaps crunchie will check back sooner.

Cheers :)
PP

PhilliePhan

Don't know about a recovery partition, should be able to network in safe mode, thanks for the help, I appreciate it very much. I will continue trying to resolve the issue as long as someone is willing to help me try :)

OK - See if you are able to run programs in Safe Mode.
Also, see if you can download in Safe Mode.

Need to rule some more stuff out.

-- What Brand compy is this?

Be back on Tues :)

PhilliePhan

Any other ideas, anyone?

Let's try this:

Please download mbr.exe and place it in your C:\ Drive
-- Click START > RUN > type cmd ENTER
At the prompt, type or Copy and Paste: mbr -t > C:\Logit.txt
Let it run and please post the Logit.txt

I'll be back on Tuesday if crunchie doesn't reply earlier.
PP :)

PhilliePhan

Thanks so much for trying to help! :)

Happy to try.

I am going to be away from compy for a bit - I'm sure crunchie will weigh in again.
I'd like to go back over this thread more closely to see if we are missing anything - this might not be a malware issue, though some was removed during the scans.

-- Are you able to boot to Safe Mode with Networking on the ill compy? (tap F8 at boot - don't use msconfig for safe mode)

-- Do you have a "recovery partition" on ill compy?


I'll be gone for a bit - definitely be back Tuesday (EST)

PP :)

PhilliePhan

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Well . . . Shoot.

After all that hassle, that log looks OK. . . . At least we can rule some more things out...

-- What happens when you try to run programs and they fail? Any error message(s)?

-- What kind of "Restore" did you do and how did it make things worse? (your first post)

PP :)

PhilliePhan

You may have to run a deep full anti-virus, anti-malware, anti-rootkit scan from safe mode.
what should I run for this?

I am not sure if the poster read the first 60 posts in the thread . . . .

Could you please place Junction.exe on your Desktop
Then, download RunThis.bat to your Desktop and DoubleClick it (or RightClick & Run as Admin) to run it.
A command box will pop up - no worries. After a few moments a log should pop up - please post that for us.

PP :)

PhilliePhan

OK, did it again and the same: the Logit.txt Notepad is empty.

Ok - My fault (I think).
After you extract from the zip, you need to take Junction.exe out of the Junction folder (contains Junction.exe and eula.txt) and put only junction.exe in the Windows Folder.

Or did you do that?

Sorry :)
PP

PhilliePhan

I honestly see nothing in your HJT log pointing to the redirect page.

Hey Judy,

You guys need to run a GMER scan (or skip directly to combofix).

I suggest GMER first:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for us.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until Judy or I can have a look.

PP :)

PhilliePhan

I replaced the hard drive and loaded the original OS, drivers, etc. from the original discs, then installed the Windows XP upgrade. . . .
I ran the Microsoft Security Essentials program and it removed worm Conficker, so it said...... (problem still occurs).

Hi NW,

So this is a clean install? I would think you would've installed the necessary patches to avoid conficker.

Do you have any important data stored on this machine, or can we run tools without worrying about losing data if another re-format is necessary?
It may be a bad install.... What we can do here is try to rule out malware as the culprit.


Let's go ahead and do this:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Cheers :)
PP

PhilliePhan

ok, I'm sorry but I guess I need directions for "place the file in the C:/Windows directory"

RightClick on Junction.zip and extract Junction.exe to your Windows Folder (C:\Windows).
Or, if easier, extract Junction.exe to the Desktop and then Cut&Paste it into the C:\Windows Folder.

Then, open a command prompt (START > RUN > type cmd and hit ENTER).
At the command prompt, type: junction -s > C:\Logit.txt ENTER
Let it run - should run quickly and a log will be created at C:\Logit.txt

Please post the Logit.txt.

-- Are you unable to download from any site with the ill computer?
The thing is, there is a spate of malware going around that blocks access to security sites and security tools (malwarebytes / norton / etc...) are you able to access www.malwarebytes.org? What about www.symantec.com?
We need to rule that out.

-- Also, I'd like to check if your atapi.sys is infected, though combofix should've detected and replaced it.

PP :)
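The "blocks access to security sites" behaviour PP wants ruled out has a cheap place to look first: the hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts), which is consulted before DNS and is a favourite spot for malware to pin vendor sites to 127.0.0.1 or to some address of its own. The block below is an added example, not from the thread, that parses a hosts file and flags two patterns: a security-vendor domain mapped anywhere at all (loopback means blackholed, anything else means redirected), and one non-loopback address shared by several names, which is the shape of a sinkhole. The domain list is assumed (it is the sites this thread mentions plus a couple of obvious ones; extend it for your own estate), and the sample hosts content is constructed, using the 192.0.2.0/24 documentation range.

```python
import ipaddress
from collections import Counter

# Assumed list: sites this thread names or sends people to. Extend for your environment.
SECURITY_DOMAINS = {
    "malwarebytes.org", "symantec.com", "microsoft.com", "avg.com",
    "bleepingcomputer.com", "gmer.net", "norton.com",
}
SINKHOLE_THRESHOLD = 3   # one non-loopback address serving this many names is a hijack pattern

# Constructed sample; a real one lives at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org malwarebytes.org
127.0.0.1       www.symantec.com
192.0.2.10      www.microsoft.com   # 192.0.2.0/24 is a documentation range
192.0.2.10      update.microsoft.com
192.0.2.10      www.hotmail.com
not-an-ip       example.invalid
"""


def parse_hosts(text):
    """Yield (line number, address, hostname) for every usable mapping; comments and junk skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip_text, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue   # malformed line: not a mapping the resolver will honour
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def is_protected(host):
    """True for a listed domain or any name under it."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def check_hosts(text):
    """Return one finding per suspicious mapping, each with the reasons it was flagged."""
    entries = parse_hosts(text)
    shared = Counter(ip for _, ip, _ in entries if not ip.is_loopback)
    findings = []
    for lineno, ip, host in entries:
        reasons = []
        if host == "localhost" and not ip.is_loopback:
            reasons.append("localhost no longer points at a loopback address")
        if is_protected(host):
            reasons.append("security site blackholed" if ip.is_loopback
                           else "security site redirected to " + str(ip))
        if not ip.is_loopback and shared[ip] >= SINKHOLE_THRESHOLD:
            reasons.append(f"{shared[ip]} names share non-loopback address {ip}")
        if reasons:
            findings.append({"line": lineno, "host": host, "ip": str(ip), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}  {f['host']:<24} -> {f['ip']:<12} {'; '.join(f['reasons'])}")
```

A clean Windows hosts file has nothing beyond the localhost lines, so in practice any entry this reports is worth explaining. If the file is clean and the sites still resolve wrongly, the next things to look at are the resolver cache (the `net stop dnscache` work-around mentioned elsewhere in this thread) and the DNS server addresses the adapter has been handed.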

PhilliePhan

Hi, I went to the forum you mentioned; it said I need to clear the cookies/cache of Firefox, and it's worked, Firefox is back to normal.
And now Firefox is not being redirected anymore..
Thanks a lot!

Excellent!

You're Welcome - Glad I could help :)

PP

PhilliePhan

Is there any truth to the webmaster's claim?

NO.
He/she's blowing smoke up your skirt.

PP :)

PhilliePhan

Thank you very much for your help with this. Please let me know if you think I need to do anything else.

Happy to help!

MBAM is great at removing active infections, but I'd like to have a closer look just to double-check:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it.

-- Also, please give me an update on how things are running - hopefully still no problems.

I will check back as time permits.

Cheers :)
PP

PhilliePhan

Hi, this is my first post so please be patient if I get this wrong!!

I keep getting a pop-up window quoting MD5| and then a string of numbers but with a different url in the top of the window each time. I recently got sent a load of messages which McAfee picked up as having viruses in them, have scanned and quarantined but still get the same annoying window popping up.
A jpeg of one of the windows is attached.

Any help would be really appreciated.

That's interesting - definitely looks like foul play:
http://safeweb.norton.com/report/show?name=sa-vand.dk

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.


-- Post the MBAM log for us and one of the volunteers ought to be able to advise you further.

PhilliePhan

It seems this has helped a lot of people and there are a lot of people out there with this issue.
I am finding that it works, but I have to do the same thing every time I reboot. Is there something else that needs to be done to stop this? If there is any more info I would be grateful.

This is not a "Fix." This is a work-around that bypasses the poisoned DNS cache.
Once you are able to visit security sites and download the appropriate tools, you need to put them to good use :)


I suggest you download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

-- Then, please start a new thread for your specific issue. Post the MBAM log and one of the volunteers will be …

PhilliePhan

Is it a trojan or ?? and should I remove it?

Probably - Please do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.


Please post me the MBAM log and we'll go from there.

PP :)

PhilliePhan

Hi hi, after I did the ATF on Firefox, something seems wrong with my Firefox: when I open DaniWeb, all the font will be in the middle, and the appearance looks weird...
Although not all web pages will be like this, only some. Already tried to reinstall Firefox. Do you know why? Is it blocking some of the plug-ins?

I do not know - This is the first time I've heard of that. I use ATFCleaner a lot and have never had an issue with Firefox.
Have a look at this thread: ATFCleaner and Firefox
Does that help?


Since the redirect is gone, let's remove Combofix and the files/folders it created:

-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

-- Let me know if you are still having problems with Firefox and we'll see what we can do.

PP :)