IE redirects


This topic is locked
16 replies to this topic

#1 jigga365

Posted 14 June 2011 - 11:13 AM

http://www.bleepingcomputer.com/forums/topic403533.html/page__p__2290536__fromsearch__1#entry2290536


#2 quietman7

Posted 14 June 2011 - 12:22 PM

Please do not start new threads or duplicate topics as this causes confusion and makes it more difficult to get the help you need to resolve your issues. Further, it necessitates staff spending time with housecleaning to remove or close those duplicate postings...time which could have been provided to others needing assistance. I have removed any duplicates to avoid confusion.


Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Step 7 instructs you to scan your computer using Malwarebytes Anti-Malware. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

Note: If you already ran Malwarebytes, please post the log results regardless if anything was found.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 jigga365

Posted 14 June 2011 - 12:50 PM

Sorry but I forgot to post the url for my first post so I posted again. I will do what you asked above and post the results.

Thanks and sorry again for the repost.

Edited by jigga365, 14 June 2011 - 12:51 PM.


#4 quietman7

Posted 14 June 2011 - 01:12 PM

Ok.

#5 jigga365

Posted 14 June 2011 - 05:40 PM

I could not get the tdsskiller to run to save my life. I tried renaming it but it didn't work. I got the malwarebytes to run but of course it found nothing.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6858

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/21/2011 6:20:36 PM
mbam-log-2011-06-21 (18-20-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 309312
Time elapsed: 41 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 quietman7

Posted 14 June 2011 - 05:55 PM

Did you try running TDSSKiller in "safe mode"?

#7 jigga365

Posted 14 June 2011 - 06:01 PM

Yes, with networking though. Should I try without networking?

#8 jigga365

Posted 14 June 2011 - 06:14 PM

I tried safe mode without networking and it still would not open.

#9 trophy1903

Posted 14 June 2011 - 06:20 PM

Have had some kind of serious virus/malware/asswipe syndrome on this PC for weeks. Have run Malwarebytes, S&D, rkill, and still get "explorer" running in background. Ran Combofix after being told to, system crashed, here I am.

#10 quietman7

Posted 14 June 2011 - 07:52 PM

Welcome to BC

Ran Combofix after being told to, system crashed, here I am

If none of the tools you have used thus far are finding any malicious files or not successful at removal, this issue will require further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need to create and post a DDS log for further investigation.

Since you already ran Combofix, it should have saved a log to the root directory, usually C:\ComboFix.txt. Please read the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". When you have done that, post the required logs to include your ComboFix log in that forum, NOT here, for assistance by the Malware Response Team Experts.

P.S. In the future, if you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Edited by quietman7, 14 June 2011 - 07:59 PM.


#11 quietman7

Posted 14 June 2011 - 07:56 PM

jigga365

Before doing anything further, if you have not already done so, you should back up all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process. If that occurs there may be no option but to reformat and reinstall the OS or perform a full system recovery. The safest practice is not to back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.
Link 1
Link 2

Be sure to print out and read the instructions provided in: How to Install Kaspersky Virus Removal Tool
How to use the Kaspersky Virus Removal Tool to automatically remove viruses
  • Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to select your language and install the utility.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • At the 'Setup page', click Next, check the box 'I accept the license agreement' and click Next twice more to extract the required files.
  • Setup may recommend scanning the computer in Safe Mode. Click Ok.
  • A window will open with a tab that says Autoscan and one for Manual disinfection.
  • Click the green Start scan button on the Autoscan tab in the main window.
  • If malware is detected, you will see the Scan Alert screen.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, choose Critical events and select Save to save the results to a file (name it avptool.txt).
  • Copy and paste the report results of any threats detected. Do not include the longer list marked Events.
  • When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2010.
-- If you cannot run this tool in normal mode, then try using it in "safe mode".

#12 jigga365

Posted 15 June 2011 - 07:04 AM

I ran the kaspersky virus tool in safe mode without networking and it found nothing. It said the database was old but I ran it anyway. I ran it again in safe mode with networking and updated the database and it still found nothing. I'm still getting the redirects however. BTW, this all started when I got the Windows recovery virus. I followed the tutorial from this site and removed it but that's when the redirects started.

#13 quietman7

Posted 15 June 2011 - 07:40 AM

Please download aswMBR.exe and save it to your Desktop.
  • Double click on aswMBR.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Scan button to start scan.
  • On completion of the scan, click the Save log button and save it to your Desktop.
  • Do not select any Fix options at this time.
  • Copy and paste the contents of that log in your next reply.
-- Important note: Upon the first run aswMBR will back up the MBR and save it to the Desktop as MBR.dat. Do not delete this file until advised.

#14 jigga365

Posted 15 June 2011 - 12:21 PM

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-22 13:13:59
-----------------------------
13:13:59.937 OS Version: Windows 5.1.2600 Service Pack 3
13:13:59.937 Number of processors: 2 586 0x404
13:13:59.937 ComputerName: VISHALCLARI UserName:
13:14:01.187 Initialize success
13:14:15.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
13:14:15.078 Disk 0 Vendor: Intel___ 1.0. Size: 476832MB BusType: 3
13:14:15.109 Disk 0 MBR read successfully
13:14:15.109 Disk 0 MBR scan
13:14:15.109 Disk 0 unknown MBR code
13:14:15.109 Disk 0 scanning sectors +976543155
13:14:15.156 Disk 0 scanning C:\WINDOWS\system32\drivers
13:14:23.453 Service scanning
13:14:24.671 Disk 0 trace - called modules:
13:14:24.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a9581ed]<<
13:14:24.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b2b2ab8]
13:14:24.718 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8ad9a030]
13:14:24.718 \Driver\iastor[0x8b2f4a08] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a9581ed
13:14:24.718 Scan finished successfully
13:16:04.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\VISHAL BEHARRY\Desktop\MBR.dat"
13:16:04.187 The log file has been saved successfully to "C:\Documents and Settings\VISHAL BEHARRY\Desktop\aswMBR.txt"
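The posted aswMBR log reports "unknown MBR code" on Disk 0 and a disk-driver call trace that ends in an unresolved address (>>UNKNOWN [0x8a9581ed]<<), reached via an IRP on \Driver\iastor; those two lines are what a responder would flag before sending the case to expert review. The following added example (not from this thread, nor from aswMBR's authors) parses aswMBR output for exactly those indicators and correlates the unresolved address with the driver path it was observed on. The sample lines are constructed from the log above and the finding names are my own.

```python
import re

# Constructed sample, modelled on the aswMBR log posted in this thread.
SAMPLE_LOG = """\
13:14:15.109 Disk 0 MBR read successfully
13:14:15.109 Disk 0 MBR scan
13:14:15.109 Disk 0 unknown MBR code
13:14:15.109 Disk 0 scanning sectors +976543155
13:14:24.671 Disk 0 trace - called modules:
13:14:24.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a9581ed]<<
13:14:24.703 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x8b2b2ab8]
13:14:24.718 \\Driver\\iastor[0x8b2f4a08] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a9581ed
13:14:24.718 Scan finished successfully
"""

# Patterns for the three line shapes aswMBR uses for these indicators.
UNKNOWN_MBR = re.compile(r"Disk (\d+) unknown MBR code")
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK = re.compile(r"(\\Driver\\\S+?)\[0x[0-9a-fA-F]+\] -> (\S+) -> (0x[0-9a-fA-F]+)")


def triage(log_text):
    """Return (finding_kind, detail) tuples for MBR-rootkit indicators in an aswMBR log."""
    findings = []
    unknown_addrs = set()
    lines = log_text.splitlines()
    # First pass: collect the unknown MBR verdict and any unresolved code address.
    for line in lines:
        m = UNKNOWN_MBR.search(line)
        if m:
            findings.append(("unknown_mbr_code", f"Disk {m.group(1)}"))
        m = UNKNOWN_MODULE.search(line)
        if m:
            unknown_addrs.add(m.group(1).lower())
            findings.append(("unknown_module_in_disk_trace", m.group(1)))
    # Second pass: tie an unresolved address to the driver IRP path it was reached on.
    for line in lines:
        m = HOOK.search(line)
        if m and m.group(3).lower() in unknown_addrs:
            findings.append(("irp_redirected_to_unknown_code",
                             f"{m.group(1)} {m.group(2)} -> {m.group(3)}"))
    return findings


def verdict(findings):
    """Summarise findings the way a triage script would before escalation."""
    kinds = {kind for kind, _ in findings}
    if {"unknown_mbr_code", "irp_redirected_to_unknown_code"} <= kinds:
        return "suspicious: unknown MBR code and disk IRP path ending in unresolved code; escalate for expert review"
    if kinds:
        return "review: " + ", ".join(sorted(kinds))
    return "no MBR findings"


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
    print(verdict(triage(SAMPLE_LOG)))
```

The script only reads the log; as the moderator says, fixing the MBR is left to the expert handling the case, and the MBR.dat backup aswMBR writes should be kept for that.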

#15 quietman7

Posted 15 June 2011 - 12:25 PM

This issue will require further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.