
Thread: firefox redirects to clickahead.org

  1. #1
    Junior Member
    Join Date
    Oct 2011
    Posts
    9

    Default firefox redirects to clickahead.org

    Have used Spybot and Malwarebytes; says finds nothing. Browser stalls and redirects.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Run by kevin at 15:06:17 on 2011-10-07
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2487 [GMT -7:00]
    .
    FW: Trend Micro Firewall Booster *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
    mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\kevin\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{305F256C-2C4F-4639-85EA-B71F646DB870} : DhcpNameServer = 68.238.64.12 68.238.128.12
    TCP: Interfaces\{5AD5B291-4363-4950-BF2F-B5A07F4ECC49} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{A242FA79-DFB4-40D6-89C9-6BDB8210B01A} : DhcpNameServer = 68.238.64.12 68.238.128.12
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\kevin\application data\mozilla\firefox\profiles\tn89b1he.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\kevin\application data\mozilla\firefox\profiles\tn89b1he.default\extensions\{4d144bc3-23fb-47de-90c5-63ccb0139ccf}\plugins\npww.dll
    FF - plugin: c:\documents and settings\kevin\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\documents and settings\kevin\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: TradeManager-Plugin: {4D144BC3-23FB-47de-90C5-63CCB0139CCF} - %profile%\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============
    .
    R3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2006-5-10 22842]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-6 366152]
    S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
    S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2009-12-21 194304]
    .
    =============== Created Last 30 ================
    .
    2011-10-07 21:31:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-10-06 18:19:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-06 18:00:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-06 17:53:59 -------- d-sh--w- c:\documents and settings\kevin\IECompatCache
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 15:06:52.34 ===============
    Last edited by tashi; 2011-10-08 at 07:24. Reason: Copied pasted log into topic, as per FAQ
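The DDS report above is a flat text dump, and the redirect-relevant indicators in it are easy to miss by eye: an orphaned BHO (`- No File`), a hosts-file override, and a Firefox HTTP proxy pointed at 127.0.0.1:50370. The following is an added example, not part of the original post and not DDS or Spybot code; it pulls those indicators out of a few lines copied from the report (the sample text is constructed from the lines above) and states whether the proxy entry is actually in force. The `network.proxy.type` meanings are Firefox's (0 = direct, 1 = manual proxy); with type 0 the loopback proxy entry is inert, which the check reports as "dormant" rather than "ACTIVE".

```python
import re

# Constructed sample: lines copied in the shape of the DDS "Pseudo HJT" and
# FIREFOX sections of the report above (the hxxp defanging is irrelevant here).
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
"""

# Firefox network.proxy.type values: 0 = no proxy (direct), 1 = manual proxy,
# 2 = PAC URL, 4 = auto-detect, 5 = use system settings.
MANUAL_PROXY = "1"


def _is_loopback(host):
    return host == "localhost" or host.startswith("127.")


def triage_dds(text):
    """Return a list of human-readable findings for redirect-related indicators."""
    prefs = {}
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"FF - prefs\.js: (\S+) - (.*)$", line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
            continue
        if line.startswith("BHO:") and line.endswith("- No File"):
            # A registered BHO whose DLL is gone: a leftover from an uninstall or
            # from a removed component; inert now, but the CLSID should be deleted.
            findings.append("orphan BHO: " + line[len("BHO:"):].strip())
        elif line.startswith("Hosts:"):
            # Every hosts-file entry DDS lists overrides DNS for that name.
            findings.append("hosts override: " + line[len("Hosts:"):].strip())

    host = prefs.get("network.proxy.http")
    if host:
        port = prefs.get("network.proxy.http_port", "?")
        ptype = prefs.get("network.proxy.type", "0")
        where = "loopback" if _is_loopback(host) else "remote"
        # A loopback proxy on a high port is how a local redirector process would be
        # wired in; it only takes effect when the proxy type is "manual".
        state = ("ACTIVE" if ptype == MANUAL_PROXY
                 else "dormant (network.proxy.type=%s)" % ptype)
        findings.append("firefox http proxy %s:%s (%s host), %s"
                        % (host, port, where, state))
    return findings


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS):
        print(finding)
```

Run it against a full DDS log by passing the file contents to `triage_dds`; a dormant loopback proxy entry is still worth clearing from prefs.js once the machine is clean, so that it cannot be switched on later.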

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    All logs and reports will open in Notepad, just copy and paste them into this thread in lieu of attaching them, it's easier for us to analyse.

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply

    OTL by OldTimer
    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Click the "Scan All Users" checkbox.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
        Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

    Post all the logs I need, if you need more than one reply to post them all then that's ok

    1. GooredFix log
    2. aswMBR log
    3. OTL log
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Oct 2011
    Posts
    9

    Default log files

    Looks like Conficker.

    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 21:20 on 09/10/2011 (kevin)
    Firefox version 3.6.13 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [17:24 30/12/2010]

    C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\tn89b1he.default\extensions\
    {4D144BC3-23FB-47de-90C5-63CCB0139CCF} [04:22 29/11/2010]
    {b9db16a4-6edc-47ec-a1f4-b86292ed211d} [18:06 06/10/2011]
    {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} [21:29 07/10/2011]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:21 21/11/2010]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:15 19/11/2010]

    -=E.O.F=-
    ------------------------------------
    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-09 21:22:05
    -----------------------------
    21:22:05.015 OS Version: Windows 5.1.2600 Service Pack 3
    21:22:05.015 Number of processors: 2 586 0xF02
    21:22:05.015 ComputerName: ACER UserName:
    21:22:05.453 Initialize success
    21:26:36.250 AVAST engine defs: 11100901
    21:27:04.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
    21:27:04.875 Disk 0 Vendor: WDC_WD3000HLFS-01G6U1 04.04V02 Size: 286168MB BusType: 3
    21:27:06.890 Disk 0 MBR read successfully
    21:27:06.890 Disk 0 MBR scan
    21:27:06.921 Disk 0 Windows XP default MBR code
    21:27:06.921 Disk 0 scanning sectors +586051200
    21:27:06.953 Disk 0 scanning C:\WINDOWS\system32\drivers
    21:27:14.015 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
    21:27:14.250 Service scanning
    21:27:14.609 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
    21:27:15.125 Modules scanning
    21:27:15.437 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
    21:27:36.875 Disk 0 trace - called modules:
    21:27:36.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa241ed]<<
    21:27:36.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aab7ab8]
    21:27:36.890 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000005a[0x8aab9968]
    21:27:36.890 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8aa79d98]
    21:27:36.890 \Driver\atapi[0x8ab122a8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa241ed
    21:27:37.484 AVAST engine scan C:\WINDOWS
    21:27:45.093 AVAST engine scan C:\WINDOWS\system32
    21:29:03.328 AVAST engine scan C:\WINDOWS\system32\drivers
    21:29:12.531 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
    21:29:18.078 AVAST engine scan C:\Documents and Settings\kevin
    21:32:15.000 AVAST engine scan C:\Documents and Settings\All Users
    21:32:55.109 Scan finished successfully
    21:33:41.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kevin\Desktop\MBR.dat"
    21:33:41.156 The log file has been saved successfully to "C:\Documents and Settings\kevin\Desktop\aswMBR.txt"
    Last edited by tashi; 2011-10-10 at 07:15. Reason: Copy pasted 2 logs provided into topic

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    Any scans we run, the logs will open in Notepad, just copy and paste the logs or reports into this thread in lieu of attaching them, it's easier for us to analyse.

    Your hard disk controller is infected.

    Re-Run aswMBR

    Click Scan

    On completion of the scan

    Click Fix

    Save the log as before and post in your next reply

  5. #5
    Junior Member
    Join Date
    Oct 2011
    Posts
    9

    Default fixed but keeps coming back

    Ran Avast and aswMBR.
    Ran at boot time also.

  6. #6
    Junior Member
    Join Date
    Oct 2011
    Posts
    9

    Default gooredfix

    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 14:16 on 10/10/2011 (kevin)
    Firefox version 3.6.13 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [17:24 30/12/2010]

    C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\tn89b1he.default\extensions\
    {4D144BC3-23FB-47de-90C5-63CCB0139CCF} [04:22 29/11/2010]
    {b9db16a4-6edc-47ec-a1f4-b86292ed211d} [18:06 06/10/2011]
    {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} [21:29 07/10/2011]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:21 21/11/2010]
    "wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [05:05 10/10/2011]

    ---------- Old Logs ----------
    GooredFix[04.20.35_10-10-2011].txt

    -=E.O.F=-

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    All logs and reports will open in Notepad, just copy and paste them into this thread in lieu of attaching them, it's easier for us to analyse.


    The aswMBR log you posted was the same original log that we ran; I needed to see a new one. Open aswMBR and just do a scan and post the new log.

  8. #8
    Junior Member
    Join Date
    Oct 2011
    Posts
    9

    Default aswMBR txt fresh scan

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-09 21:22:05
    -----------------------------
    21:22:05.015 OS Version: Windows 5.1.2600 Service Pack 3
    21:22:05.015 Number of processors: 2 586 0xF02
    21:22:05.015 ComputerName: ACER UserName:
    21:22:05.453 Initialize success
    21:26:36.250 AVAST engine defs: 11100901
    21:27:04.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
    21:27:04.875 Disk 0 Vendor: WDC_WD3000HLFS-01G6U1 04.04V02 Size: 286168MB BusType: 3
    21:27:06.890 Disk 0 MBR read successfully
    21:27:06.890 Disk 0 MBR scan
    21:27:06.921 Disk 0 Windows XP default MBR code
    21:27:06.921 Disk 0 scanning sectors +586051200
    21:27:06.953 Disk 0 scanning C:\WINDOWS\system32\drivers
    21:27:14.015 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
    21:27:14.250 Service scanning
    21:27:14.609 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
    21:27:15.125 Modules scanning
    21:27:15.437 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
    21:27:36.875 Disk 0 trace - called modules:
    21:27:36.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa241ed]<<
    21:27:36.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aab7ab8]
    21:27:36.890 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000005a[0x8aab9968]
    21:27:36.890 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8aa79d98]
    21:27:36.890 \Driver\atapi[0x8ab122a8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa241ed
    21:27:37.484 AVAST engine scan C:\WINDOWS
    21:27:45.093 AVAST engine scan C:\WINDOWS\system32
    21:29:03.328 AVAST engine scan C:\WINDOWS\system32\drivers
    21:29:12.531 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
    21:29:18.078 AVAST engine scan C:\Documents and Settings\kevin
    21:32:15.000 AVAST engine scan C:\Documents and Settings\All Users
    21:32:55.109 Scan finished successfully
    21:33:41.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kevin\Desktop\MBR.dat"
    21:33:41.156 The log file has been saved successfully to "C:\Documents and Settings\kevin\Desktop\aswMBR.txt"


    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-10 14:06:17
    -----------------------------
    14:06:17.625 OS Version: Windows 5.1.2600 Service Pack 3
    14:06:17.640 Number of processors: 2 586 0xF02
    14:06:17.640 ComputerName: ACER UserName:
    14:06:18.390 Initialize success
    14:06:18.500 AVAST engine defs: 11101001
    14:06:22.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
    14:06:22.312 Disk 0 Vendor: WDC_WD3000HLFS-01G6U1 04.04V02 Size: 286168MB BusType: 3
    14:06:24.312 Disk 0 MBR read successfully
    14:06:24.312 Disk 0 MBR scan
    14:06:24.312 Disk 0 Windows XP default MBR code
    14:06:24.328 Disk 0 scanning sectors +586051200
    14:06:24.343 Disk 0 scanning C:\WINDOWS\system32\drivers
    14:06:30.484 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
    14:06:30.640 Service scanning
    14:06:30.984 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
    14:06:31.500 Modules scanning
    14:06:31.859 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
    14:06:33.984 Disk 0 trace - called modules:
    14:06:34.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa061ed]<<
    14:06:34.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aafbab8]
    14:06:34.000 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000005e[0x8aa579e8]
    14:06:34.000 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8ab08d98]
    14:06:34.000 \Driver\atapi[0x8aab22a8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa061ed
    14:06:34.343 AVAST engine scan C:\WINDOWS
    14:06:42.078 AVAST engine scan C:\WINDOWS\system32
    14:07:48.500 AVAST engine scan C:\WINDOWS\system32\drivers
    14:07:58.671 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
    14:08:07.812 AVAST engine scan C:\Documents and Settings\kevin
    14:10:58.453 Verifying
    14:11:08.468 Disk 0 Windows 501 MBR fixed successfully
    14:11:04.765 AVAST engine scan C:\Documents and Settings\All Users
    14:11:15.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kevin\Desktop\MBR.dat"
    14:11:15.437 The log file has been saved successfully to "C:\Documents and Settings\kevin\Desktop\aswMBR.txt"


    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-10 17:00:49
    -----------------------------
    17:00:49.343 OS Version: Windows 5.1.2600 Service Pack 3
    17:00:49.343 Number of processors: 2 586 0xF02
    17:00:49.343 ComputerName: ACER UserName:
    17:00:50.156 Initialize success
    17:00:50.328 AVAST engine defs: 11101002
    17:00:52.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
    17:00:52.359 Disk 0 Vendor: WDC_WD3000HLFS-01G6U1 04.04V02 Size: 286168MB BusType: 3
    17:00:54.375 Disk 0 MBR read successfully
    17:00:54.375 Disk 0 MBR scan
    17:00:54.375 Disk 0 Windows XP default MBR code
    17:00:54.375 Disk 0 scanning sectors +586051200
    17:00:54.390 Disk 0 scanning C:\WINDOWS\system32\drivers
    17:01:00.453 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
    17:01:00.593 Service scanning
    17:01:00.937 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
    17:01:01.453 Modules scanning
    17:01:01.828 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
    17:01:03.843 Disk 0 trace - called modules:
    17:01:03.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa6b1ed]<<
    17:01:03.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aaafab8]
    17:01:03.843 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000005e[0x8aab2f18]
    17:01:03.843 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8ab09d98]
    17:01:03.843 \Driver\atapi[0x8aa54f38] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa6b1ed
    17:01:04.203 AVAST engine scan C:\WINDOWS
    17:01:11.593 AVAST engine scan C:\WINDOWS\system32
    17:02:06.625 AVAST engine scan C:\WINDOWS\system32\drivers
    17:02:15.625 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
    17:02:22.890 AVAST engine scan C:\Documents and Settings\kevin
    17:04:54.843 AVAST engine scan C:\Documents and Settings\All Users
    17:05:28.390 Scan finished successfully
    17:08:57.125 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kevin\Desktop\MBR.dat"
    17:08:57.125 The log file has been saved successfully to "C:\Documents and Settings\kevin\Desktop\aswMBR.txt"
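The three aswMBR runs above tell a consistent story once lined up: every run flags `volsnap.sys` as `Win32:Alureon-PS`, reports the VolSnap service as locked, and shows the `\Driver\atapi` IRP_MJ_INTERNAL_DEVICE_CONTROL dispatch resolving to an address aswMBR cannot attribute to any module (`>>UNKNOWN [0x...]<<`); the second run records `MBR fixed successfully`, yet the third run, two and a half hours later, still shows all of the driver-level indicators. The following is an added example, not part of the original thread and not AVAST code: a parser that splits an aswMBR log into runs, pulls out those indicators, and turns the sequence into a verdict. The sample log is built from excerpts copied from the three runs above, and the verdict labels (`CLEAN`, `INFECTED`, `STILL_INFECTED_AFTER_FIX`) are this example's own. It states in code what a practitioner would conclude from the page: the MBR fix did not clear the infected driver, which is consistent with the next step in the thread being TDSSKiller.

```python
import re

# Constructed sample: excerpts copied from the three aswMBR runs above, one run per
# "aswMBR version" header, with unrelated progress lines dropped.
SAMPLE_ASWMBR = r"""aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-09 21:22:05
-----------------------------
21:27:06.921 Disk 0 Windows XP default MBR code
21:27:14.015 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
21:27:14.609 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
21:27:15.437 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
21:27:36.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa241ed]<<
21:27:36.890 \Driver\atapi[0x8ab122a8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa241ed
21:29:12.531 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
21:32:55.109 Scan finished successfully
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-10 14:06:17
-----------------------------
14:06:30.484 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
14:06:34.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa061ed]<<
14:06:34.000 \Driver\atapi[0x8aab22a8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa061ed
14:11:08.468 Disk 0 Windows 501 MBR fixed successfully
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-10 17:00:49
-----------------------------
17:01:00.453 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
17:01:03.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa6b1ed]<<
17:01:03.843 \Driver\atapi[0x8aa54f38] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa6b1ed
17:05:28.390 Scan finished successfully
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+")                     # leading hh:mm:ss.mmm
INFECTED = re.compile(r"File: (.+?) \*\*INFECTED\*\* (\S+)")
LOCKED = re.compile(r"Service (\S+) .+? \*\*LOCKED\*\*")
SUSPICIOUS = re.compile(r"Module: (.+?) \*\*SUSPICIOUS\*\*")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# "\Driver\atapi[0x...] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x..." : dispatch target
DISPATCH = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")


def _new_run():
    return {"date": None, "infected": [], "locked": [], "suspicious": [],
            "unknown": [], "hooks": [], "mbr_fixed": False}


def parse_aswmbr(text):
    """Split an aswMBR log into runs and collect the indicator lines of each run."""
    runs, cur = [], None
    for line in text.splitlines():
        if line.startswith("aswMBR version"):
            cur = _new_run()
            runs.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Run date:"):
            cur["date"] = line[len("Run date:"):].strip()
            continue
        body = TS.sub("", line)
        m = INFECTED.match(body)
        if m:
            hit = (m.group(1), m.group(2))
            if hit not in cur["infected"]:      # the driver scan and the engine scan both report it
                cur["infected"].append(hit)
            continue
        m = LOCKED.match(body)
        if m:
            cur["locked"].append(m.group(1))
            continue
        m = SUSPICIOUS.match(body)
        if m:
            cur["suspicious"].append(m.group(1))
            continue
        m = UNKNOWN.search(body)
        if m:
            cur["unknown"].append(m.group(1))
            continue
        m = DISPATCH.search(body)
        if m:
            cur["hooks"].append((m.group(1), m.group(2), m.group(3)))
            continue
        if "MBR fixed successfully" in body:
            cur["mbr_fixed"] = True
    return runs


def verdict(runs):
    """Judge the latest run in light of any earlier fix attempt (labels are this example's own)."""
    last = runs[-1]
    still_bad = bool(last["infected"] or last["unknown"] or last["hooks"])
    if not still_bad:
        return "CLEAN"
    if any(r["mbr_fixed"] for r in runs[:-1]):
        return "STILL_INFECTED_AFTER_FIX"   # boot-sector fix did not remove the driver component
    return "INFECTED"


if __name__ == "__main__":
    parsed = parse_aswmbr(SAMPLE_ASWMBR)
    for r in parsed:
        print(r["date"], "infected=%d" % len(r["infected"]),
              "unknown=%s" % ",".join(r["unknown"]), "mbr_fixed=%s" % r["mbr_fixed"])
    print(verdict(parsed))
```

Feed it the concatenated aswMBR.txt files from several runs and the verdict distinguishes "the MBR was rewritten but the driver is still hooked" from a genuinely clean follow-up scan, which is the distinction the thread turns on.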

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Did you run the fix like I posted ?

    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)

  10. #10
    Junior Member
    Join Date
    Oct 2011
    Posts
    9

    Default

    Couldn't find log on TDSSKiller but said it found one and hit Cure, then rebooted.
