Not really sure what to suggest on how to fix it, I'll let one of our security experts advise you on that, but for now, try this; [How-To] Stop Automatic Redirects To Other Websites with Firefox 3 it will at least stop the redirects (hopefully)
Or this addon: https://addons.mozilla.org/en-us/fir...irect-remover/ (buggy with Firefox 4.0 if your using that version)
O10 - Unknown file in Winsock LSP: c:\windows\system32\msible.dll
Troj/Agent-QHC Trojan (Trojan.gen, Trojan.Win32.Agent.hfpw) - Sophos security analysis
Copy and paste these lines in Note pad.
@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0
Save as flush.bat to your desktop. Right click to run as Administrator. Your Computer will reboot itself.
Download Combofix from any of the links below, and save it to your desktop.<--Important
Link 1
Link 2
Link 3
Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
- Double click combofix.exe and follow the prompts.
- When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
After rebooting ensure your Security applications have been re-enabled.
In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run
***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix
The latest AVG update recognised it. Seeing if that does the trick first.
*Edit*
And so far it's picked up PSW.Agent.ALCB, Dropper.Genertic3.AGKF, and PSW.Agent.ALCD.dropper - which is a positive result for the AVG team, when yesterday it found nothing at all!
Last edited by Sunyavadin; 18 Mar 2011 at 11:41.
The moment I attempted your fix - I got as far as resetting my ips and the "DRIVER IRQL NOT LESS THAN OR EQUAL" infinite bluescreen loop returned with a vengeance.
I'm starting to suspect the trojan has replaced or modified my network drivers, and this is how it's able to bypass needing to modify everything else like my hosts file and also what's causing my bluescreens when I boot to regular windows or safe mode with networking enabled.
The Winsock has been corrupted by the infected .dll file ...
Repair and Reset Windows Vista TCP/IP Winsock Catalog Corruption » My Digital Life
Gah. Once again no infection is detected - but it's STILL redirecting.
Also - it gets worse as the constant bluescreens that started after resetting winsock have now got me stuck in safe mode 100% of the time.
*Edit* Got back into normal mode for about 3 minutes. Long enough to learn that the trojan seems to have gotten wise to my antivirus and disabled it completely. Didn't find out any more since immediately afterward, another bluescreen hit and I'm back in safe mode.
After several attempts I've given up on Combofix. Each time I run it I get another IRQL NOT LESS THAN OR EQUAL bluescreen.
Bleepingcomputer threads on this topic suggested I attempt sticking a flash drive with farbar recovery scanner on it in, so while I wait for more suggestions I'll give that a try.
Sorry about the OpenDNS. I use them, and have no problem with them. It is very likely that this issue you're currently having is causing the slow response.
What do the following registry locations show (exact spellings, please):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
My firewall (@OnlineArmor GUI "C:\Program Files (x86)\Online Armor\oaui.exe"), google updater (Google update "C:\Users\Washu\AppData\Local\Google\Update\GoogleUpdate.exe" /c) (Which always restores the entry every time I update chrome or Google Earth no matter how often I delete it), and my audio manager (which I need to make my onboard sound work) (VIAAUD C:\Program Files (x86)\VIA\VIAudioi\VDeck\VIAAUD.exe.)
So in summary:
One application I installed myself just today while trying to fix my problems, after being led to believe a zonealarm file was causing my crashes.
One application that reinstalls itself every time I install any google software.
One application that came with my motherboard and I need to have sound.
*Edit* And yes, I'll try benchmarking the DNS servers again once my system can manage more than a couple of minutes uptime.
PSW.Agent.ALCB <-- this is a password stealer ... I advise you to change all your passwords using a known "clean" computer.
Download RKill to a flash drive, then use it on the infected computer. http://download.bleepingcomputer.com...beta/rkill.exe
This log file is located at C:\rkill.log.
Please post the log
Quote