Browser being opened with a strange webpage from time to time

[klebson]

My brother-in-law got a virus that opens his Firefox with a strange webpage. I tried to eliminate it, but I couldn't.
That day I plugged my usb drive there, and after in my laptop.
So, later, my laptop started to open the same page here.
(His computer also sends a message with a link through his MSN, but I havent't tested if it is also hapening with mine)

I ran Ad-Aware here and it cleaned two worms: Autorun and Kido. But the browser is still opening...

So I have just run Kapersky Virus Removal Tool and it 'told me' to send the report through here. I hope you can help me.

[Aleksandra]

1. Please, disable System Restore and antivirus (if you have).
2. Execute this script in AVPTool:

Код:

Function RegKeyResetSecurityEx(ARoot, AName : string) : boolean;
var
i : integer; 
KeyList : TStringList;
KeyName : string;                           
begin
RegKeyResetSecurity(ARoot, AName);
KeyList := TStringList.Create;
RegKeyEnumKey(ARoot, AName, KeyList);
for i := 0 to KeyList.Count-1 do
 begin
 KeyName := AName+'\'+KeyList[i];
 RegKeyResetSecurity(ARoot, KeyName);
 RegKeyResetSecurityEx(ARoot, KeyName);
 end;
KeyList.Free;
end;
Function BC_ServiceKill(AServiceName : string; AIsSvcHosted : boolean = true) : byte;
var
 i : integer;
 KeyList : TStringList;
 KeyName : string;                           
begin
 Result := 0;
 if StopService(AServiceName) then Result := Result or 1;
 if DeleteService(AServiceName,  not(AIsSvcHosted)) then Result := Result or 2;
 KeyList := TStringList.Create;
 RegKeyEnumKey('HKLM','SYSTEM', KeyList);
 for i := 0 to KeyList.Count-1 do
  if pos('controlset', LowerCase(KeyList[i])) > 0 then begin
   KeyName := 'SYSTEM\'+KeyList[i]+'\Services\'+AServiceName;                                     
   if RegKeyExistsEx('HKLM', KeyName) then begin
    Result := Result or 4;                  
    RegKeyResetSecurityEx('HKLM', KeyName);
    RegKeyDel('HKLM', KeyName);
    if RegKeyExistsEx('HKLM', KeyName) then               
     Result := Result or 8;                  
   end;
  end;                 
 if AIsSvcHosted then
  BC_DeleteSvcReg(AServiceName)
 else
  BC_DeleteSvc(AServiceName);
 KeyList.Free;
end;
begin
SetAVZGuardStatus(True);
 DelCLSID('414B2D50-414B-414B-414B-414B2D504341');
 QuarantineFile('C:\WINDOWS\Cursors\lsass.exe','');
 QuarantineFile('C:\RECYCLER\S-1-5-21-2627496600-9014151562-239339096-2853\MsMxEng.exe','');
 DeleteFile('C:\RECYCLER\S-1-5-21-2627496600-9014151562-239339096-2853\MsMxEng.exe');
 DeleteFile('C:\WINDOWS\Cursors\lsass.exe');
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteRepair(11);
BC_ServiceKill('dzlajhcxt');
BC_ServiceKill('kfmskgiz');
BC_ServiceKill('mydno');
BC_ServiceKill('rgavqny');
BC_ServiceKill('rykfr');
BC_ServiceKill('ugwgwjmo');
BC_ServiceKill('vdtqfszgk');
BC_ServiceKill('xnlakg');
BC_ServiceKill('yxjmdaqx');
BC_Activate;
RebootWindows(true);
end.

3. After reboot execute this script in AVPTool:

Код:

begin
 CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.

Upload file quarantine.zip, by link http://virusinfo.info/upload_virus.php?tid=67584

4. Make a new log of AVPTool.