Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser redirect


  • Please log in to reply
9 replies to this topic

#1 Abn133

Abn133

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:38 AM

Posted 03 July 2011 - 04:28 PM

Hi, well I've dealt with the redirect issue (on my own computer) before, but it seems like this time it's a bit more stubborn and there are a few other issues. (Just as a heads up, my roommate is the one who brought this to me, but he just left to do some ROTC stuff and I doubt I can get in touch with him, so as for specifics when this all started/how I don't know).

So anyways, problem started with a rogue AV (Trojan.FakeAlert is what it said) that I removed using MBAM. After I removed this, I rebooted and when I tried to launch Mozilla it would crash on start, so I uninstalled, hopped on Internet Explorer to go reinstall Mozilla and that’s when the redirect issue became apparent. MBAM also started notifying me it was blocking outgoing traffic to:

(1) 64.120.141.163
(2) 67.29.139.153
(3) 95.64.55.53
(4) 174.37.207.98
(5) 188.229.88.234
(6) 208.73.210.29
(7) 208.87.32.75

Ran MBAM again, and it removed a few more things (Sorry I can't be more specific, but the logs got deleted). After scanning/running MBAM again I went ahead and scanned with Avira, SAS, Sophos, GMER, and a few other things. They didn't bring up anything but the GMER and Sophos Anti-Rootkit both found suspicion of a rootkit and the problem was persisting, so I ran ComboFix and it cleaned up some of the remaining issues. I still can't run Chrome or Mozilla on his machine, he still has outgoing to 1,2,3,6, and 7 listed above, and the redirecting is still an issue. I've already checked the hosts file (it was clean), replaced it and changed it to read-only just to be safe, restarted, and still nothing. And whatever is wrong with running Mozilla or Chrome/the outgoing traffic is above me.

HJT log removed - HJT log can only be analyzed in our MRT forums and is removed. - Please do not use the spoiler function to post logs.
rigel
I'll make sure to let him know I was pretty lost and deferred to some real help so I don’t get stuck with this sort of thing again haha. Thanks!

Edited by rigel, 03 July 2011 - 05:54 PM.


BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:38 AM

Posted 03 July 2011 - 04:33 PM

Welcome aboard Posted Image

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

====================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

===============================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

==================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 Abn133

Abn133
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:38 AM

Posted 03 July 2011 - 05:34 PM

Security Check results
Spoiler


MiniToolBox results
Spoiler


MBAM results
Spoiler


GMER results
Spoiler


#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:38 AM

Posted 03 July 2011 - 05:53 PM

In the future, please paste straight logs, so I don't have to click on "Show" button. Thanks.....

Let's start with sorting out your AV programs...
I can see these:
Avira AntiVir Personal - Free Antivirus
Norton AntiVirus
Norton Internet Security (Symantec Corporation)
Norton Internet Security

You can run only one AV program.
Which one is your current AV program?

===================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

================================================================

Update Adobe Reader

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 Abn133

Abn133
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:38 AM

Posted 03 July 2011 - 06:01 PM

Sorry, was trying to keep it to a managable amount of text. But I'm pretty sure Avira is the one he actively uses, I think he just never bothered to take the others off. And I just updated everything else

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:38 AM

Posted 03 July 2011 - 06:06 PM

No problem :)

Uninstall Symantec using this tool: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

Then couple of questions...
Does the redirection happen in Firefox an Chrome, but not in IE?
Are you on a same router as your roommate?

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#7 Abn133

Abn133
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:38 AM

Posted 03 July 2011 - 06:15 PM

When Firefox would still run (it crashes immediately upon opening now) it would redirect to various other things. I downloaded Chrome afterwards and it's doing essentially the same thing. IE is the only browser that will actually run on his machine, but it still redirects as well. I’m not using his router, but our other roommate was, and nothing is wrong with his computer. He's not using that router again until everything gets sorted out though.

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:38 AM

Posted 03 July 2011 - 06:27 PM

I don't see any possible culprit, using tools allowed in this forum, so you'll have to travel to higher level.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#9 Abn133

Abn133
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:38 AM

Posted 03 July 2011 - 06:30 PM

Will do, thanks for the help, I'll make sure to update this once it all gets sorted out.

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:38 AM

Posted 03 July 2011 - 06:33 PM

OK....

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users