Ie8 and firefox redirecting


This topic is locked
21 replies to this topic

#1 xsile
  • Members
  • 27 posts

Posted 18 December 2009 - 03:23 PM

Hi all,

I am having the redirecting issue also, meaning that sometimes when I click a link after doing a search I get redirected to some random site instead of the link I initially clicked on. I have used SUPERAntiSpyware, Webroot Spy Sweeper and antivirus, Spybot S&D, Malwarebytes, and finally removed Webroot from my system and installed avast! Pro. Avast found some malware and moved it to the chest. That seems to have made my system run faster and more stable than before; however, the redirecting issue is still present. I also cannot boot the computer into safe mode: whenever I try, I get to the mup.sys portion and the system just restarts itself. I have read through the forums about this issue and tried to follow some of the steps that were suggested to other folks as they pertain to my system. I downloaded OTL to the desktop as well as GMER.exe and ATF-Cleaner. I was able to run OTL and ATF, but GMER locks my system up to the point that only GMER will run and complete, and no controls are usable, including the ability to save the GMER log file at the end of the scan.

Edited by xsile, 18 December 2009 - 04:15 PM.


#2 Orange Blossom (OBleepin Investigator)
  • Moderator
  • 36,958 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 18 December 2009 - 10:50 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 xsile
  • Topic Starter
  • Members
  • 27 posts

Posted 23 December 2009 - 05:15 PM

Hi, thank you for moving this to the right forum. I have run a slew of scans with avast, Malwarebytes, ComboFix, GMER, etc., etc. I still have this issue. Any help would be very much appreciated.
I forgot to mention some stats in original post.

Windows XP Pro SP3
IE8 version 8.0.6001.18702
Firefox version 3.5.6
A/V: avast! version 4.8-1368, full retail
SUPERAntiSpyware Pro version 4.32.1000, full retail
Spybot version 4.6.2.46

I have added on the desktop recently
Defogger
HijackThis
ATF-Cleaner
GMER
OTL

Edited by xsile, 23 December 2009 - 05:27 PM.


#4 pdtnelson
  • Members
  • 24 posts
  • Gender:Male
  • Location:Tacoma, WA

Posted 23 December 2009 - 05:38 PM

You mentioned that you had run a MBAM scan, could you post the log of that please?

#5 xsile
  • Topic Starter
  • Members
  • 27 posts

Posted 25 December 2009 - 01:27 PM

Actually, I am having a hard time finding my log file from Malwarebytes, so I am trying to generate another one. I do have my OTL scan log, though, and I am in the process of rescanning with Malwarebytes. My full scan is going on its second day. I have 5 terabytes of storage and it seems to be taking some time to scan; it took 4 days the first time. I will post as soon as it completes this time.

#6 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 25 December 2009 - 03:00 PM

I'll help you once you post the Malwarebytes log.

Cheers.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to [image].

#7 xsile
  • Topic Starter
  • Members
  • 27 posts

Posted 25 December 2009 - 03:09 PM

Hi,

I found the log file from the first scan, and I also have the log from the most recent scan. The one below is the first scan, followed by the most recent scan from today. Even though MBAM says there are no infections, I still get redirected when using both IE8 and Firefox.

Thank you in advance for all the help.

Malwarebytes' Anti-Malware 1.42
Database version: 3335
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/9/2009 7:10:09 PM
mbam-log-2009-12-09 (19-10-09).txt

Scan type: Quick Scan
Objects scanned: 110493
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\d3dx10d.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

This is the most recent scan log.

Malwarebytes' Anti-Malware 1.42
Database version: 3425
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/25/2009 11:40:51 AM
mbam-log-2009-12-25 (11-40-51).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|)
Objects scanned: 456735
Time elapsed: 1 hour(s), 31 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 25 December 2009 - 03:26 PM

Run a GMER scan please.

Download and Run GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if unsure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double-click the GMER icon on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer, so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partitions other than the system drive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Note: Do not run any program while GMER is running.
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

#9 xsile
  • Topic Starter
  • Members
  • 27 posts

Posted 25 December 2009 - 06:08 PM

Hi,

I have been trying to run GMER; however, it keeps locking my system up. I have done as instructed, and I get to my G drive and the system locks, forcing a hard reset. One thing has changed, though, since running Malwarebytes: I can now boot to safe mode, so I did so and tried to run GMER again. Once in safe mode the system did the exact same thing, a complete lock-up forcing a hard reset.

thank you.

#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 25 December 2009 - 07:34 PM

When running GMER, just check your C:\ drive, or whichever drive your Windows is installed on, and leave the other drives/partitions unchecked.

#11 xsile
  • Topic Starter
  • Members
  • 27 posts

Posted 25 December 2009 - 08:00 PM

Hi,

I'm sorry, I messed up on the first scan because I didn't read the instructions properly. I rescanned with all the items unchecked as per the instructions. This time GMER completed; however, when I try to copy and paste to Notepad the system hangs. It also hangs when I try to use the Save button in GMER. I am scanning the system again, this time in safe mode, and hopefully it will let me save the .log or a .txt file so I can post it.

#12 xsile
  • Topic Starter
  • Members
  • 27 posts

Posted 25 December 2009 - 10:00 PM

Hi Extremeboy,

I got GMER to complete in safe mode. Here is the log.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-25 18:48:26
Windows 5.1.2600 Service Pack 3
Running: vh5zwu87.exe; Driver: C:\DOCUME~1\Dave\LOCALS~1\Temp\fxtdapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- EOF - GMER 1.0.15 ----

#13 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 25 December 2009 - 10:52 PM

Without many logs to go on, I would run this rootkit scan too, in Normal Mode.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/disable all other programs, especially your security programs (anti-spyware, antivirus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and Run as Administrator...
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply, please.
Then run GooredFix..

Download and Run GooredFix

Please download GooredFix and save it to your Desktop if you lost your copy.
Alternative Download Mirror #1

Please make sure all instances of Firefox are closed at this point before proceeding.
  • Ensure all Firefox windows are closed at this time.
  • Please double-click GooredFix.exe on your Desktop to run it. If you are using Vista, please right-click and select Run as Administrator.
  • When prompted to run the scan, click Yes.
  • The removal process will begin; please be patient until it finishes.
  • A log will open with the file after completion; please post the contents of that log in your next reply.
*Note: The log can also be found on your desktop, called GooredFix.txt.

Let me know how it goes and post the logs upon completion.

#14 xsile
  • Topic Starter
  • Members
  • 27 posts

Posted 26 December 2009 - 02:11 PM

Hi,

I did as the instructions said: shut all running programs down and disconnected my Cat 5 so that the machine was stand-alone. I ran RootRepeal and the following occurred.

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP3
Exception Code: 0xc0000094
Exception Address: 0x004eca19

I then ran GooredFix, and this is the log it created.

GooredFix by jpshortstuff (06.12.09.1)
Log created at 11:06 on 26/12/2009 (Dave)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:41 19/12/2009]

C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\zciqh6g1.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [00:51 19/12/2009]
{73a6fe31-595d-460b-a920-fcc0f8843232} [18:27 21/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [18:32 27/01/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [05:08 13/03/2009]

-=E.O.F=-

Should I try RootRepeal again in safe mode?

Edited by xsile, 26 December 2009 - 02:14 PM.
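The GooredFix log in the post above is a compact inventory of the three places a Firefox 3.x add-on can come from: the application's own extensions directory, the profile's extensions directory, and the HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions registry key, through which installed software can register an add-on outside the profile. The script below is an added example, not part of GooredFix or of the thread: it parses that log into records and flags every add-on ID that is not on a reviewer-supplied allowlist, which is the check a helper does by eye when reading such a log. The log text is the one posted above, embedded so the script runs offline. The allowlist is an assumption made for the demonstration: the default-theme GUID, the .NET Framework Assistant and Java Quick Starter IDs are treated as known (the two registry entries name their install paths, which confirms the latter two), and the remaining profile GUID is deliberately left off so the output shows how an unrecognised ID is surfaced; to my knowledge it is the ID NoScript publishes, and confirming that by opening the extension folder's install.rdf is exactly the follow-up such a flag should trigger.

```python
"""Parse a GooredFix log and flag Firefox add-on IDs that are not on an allowlist.

Added example; not GooredFix's own code and not from the thread. The log text
is the one posted in the thread, embedded here so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The GooredFix log exactly as posted in the thread.
GOOREDFIX_LOG = r"""GooredFix by jpshortstuff (06.12.09.1)
Log created at 11:06 on 26/12/2009 (Dave)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:41 19/12/2009]

C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\zciqh6g1.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [00:51 19/12/2009]
{73a6fe31-595d-460b-a920-fcc0f8843232} [18:27 21/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [18:32 27/01/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [05:08 13/03/2009]

-=E.O.F=-
"""

# ASSUMED allowlist for this demonstration; a reviewer maintains their own.
# The NoScript-published GUID {73a6fe31-...} is left out on purpose so the
# example has something to flag.
KNOWN_GOOD: Dict[str, str] = {
    "{972ce4c6-7e08-4474-a285-3208198ce6fd}": "Firefox default theme",
    "{20a82645-c095-46ed-80e3-08825760534b}": "Microsoft .NET Framework Assistant",
    "jqs@sun.com": "Java Quick Starter",
}

SECTION_RE = re.compile(r"^=+\s*(\w+)\s*=+$")
# Two entry shapes: '<id> [stamp]' under a directory header, and
# '"<id>"="<install path>" [stamp]' under a registry key header.
ENTRY_RE = re.compile(
    r'^(?:"(?P<reg_id>[^"]+)"="(?P<target>[^"]*)"|(?P<dir_id>\S+))\s+\[(?P<stamp>[^\]]+)\]$'
)


@dataclass(frozen=True)
class ExtensionRecord:
    section: str            # "GooredScan" (items removed) or "GooredLog" (what is installed)
    location: str           # extensions directory or registry key the entry sits under
    ident: str              # add-on ID: a GUID or an e-mail-style ID
    target: Optional[str]   # install path for registry-registered add-ons, else None
    stamp: str              # timestamp GooredFix printed beside the entry


def parse_gooredfix_log(text: str) -> List[ExtensionRecord]:
    """Turn the log into one record per add-on entry, keeping section and location."""
    records: List[ExtensionRecord] = []
    section: Optional[str] = None
    location: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-=E.O.F=-":
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section, location = sec.group(1), None
            continue
        if section is None:
            continue                      # banner lines before the first section
        if line.startswith("[") and line.endswith("]"):
            location = line[1:-1]         # registry key header
            continue
        if line.endswith("\\"):
            location = line               # extensions directory header
            continue
        entry = ENTRY_RE.match(line)
        if entry is None or location is None:
            raise ValueError(f"unrecognised GooredFix line: {line!r}")
        records.append(ExtensionRecord(
            section=section,
            location=location,
            ident=entry.group("reg_id") or entry.group("dir_id"),
            target=entry.group("target"),
            stamp=entry.group("stamp"),
        ))
    return records


def unknown_extensions(records: List[ExtensionRecord],
                       known_good: Dict[str, str]) -> List[ExtensionRecord]:
    """Installed add-ons whose ID is not on the allowlist; each needs a manual look."""
    return [r for r in records if r.section == "GooredLog" and r.ident not in known_good]


if __name__ == "__main__":
    recs = parse_gooredfix_log(GOOREDFIX_LOG)
    for r in recs:
        label = KNOWN_GOOD.get(r.ident, "?? not on allowlist")
        print(f"{r.ident:42} {label:36} {r.location}")
    for r in unknown_extensions(recs, KNOWN_GOOD):
        print(f"REVIEW: {r.ident} under {r.location} (installed {r.stamp})")
```

Two things the records make easy to see that the raw log does not: the .NET Framework Assistant shows up twice (once in the profile directory, once registered machine-wide in HKLM), and only the registry entries carry an install path, so for a directory entry the folder itself has to be opened to learn what the GUID is. An ID that appears in HKLM but whose path points somewhere unexpected, or a profile GUID that no published add-on claims, is what a reviewer chases next.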


#15 xsile
  • Topic Starter
  • Members
  • 27 posts

Posted 26 December 2009 - 08:58 PM

I tried to perform the RootRepeal scan in safe mode and it crashed again with the same exception. I sent an email to the author with the RootRepeal crash log at RootRepealNOSPAM@gmail.com.
