
Redirect Virus: Most Options Exhausted

10 replies to this topic

#1 redirected2

  • Members
  • 7 posts

Posted 18 May 2012 - 07:21 AM

Good Morning,

I have been an avid reader of Bleeping Computer for years; this has been the place I tend to find all intelligible answers for any mishaps and malware that tend to come into contact with mine or my friends'/relatives' computers. Generally speaking I have always been able to conquer the foe on my own (with help from these forums) but this time, on this computer, the redirect virus is thwarting my every attempt.

The following are some quick points about this case:
  • Redirection occurs in all browsers.
  • Ran RKill with no resolution.
  • Ran Hitman 3.6 with no resolution.
  • Ran Comodo with no resolution.
  • Ran TDSSKiller but would crash due to Data Execution Prevention
  • This PC is running Windows Vista
  • 64 bit OS
  • Checked hidden devices.
  • Checked Hosts

I would be extremely happy for any support you can lend. I was reading a similar active thread on bleepingcomputer regarding this virus but I wanted to post my own in case there was an order to the steps that could differ in my case.

Thank you in advance for your time,

R



#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 18 May 2012 - 07:55 AM

Download

FIXTDSS

Launch it. It may ask for a restart; reboot the PC.

On reboot, let me know what it finds.


Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.

#3 redirected2

  • Topic Starter
  • Members
  • 7 posts

Posted 18 May 2012 - 08:54 AM

Ok,

FixTDSS found no infection.

I ran aswMBR but I am not sure it finished. It hung for a while, so I took a log after a while:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-18 09:04:44
-----------------------------
09:04:44.860 OS Version: Windows x64 6.0.6002 Service Pack 2
09:04:44.860 Number of processors: 2 586 0x1706
09:04:44.860 ComputerName: MICHELLE-PC UserName: michelle
09:04:58.557 Initialize success
09:15:42.791 AVAST engine defs: 12051800
09:16:09.666 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:16:09.666 Disk 0 Vendor: Hitachi_ FB4O Size: 305245MB BusType: 3
09:16:09.667 Disk 0 MBR read successfully
09:16:09.674 Disk 0 MBR scan
09:16:09.690 Disk 0 Windows VISTA default MBR code
09:16:09.702 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 258880 MB offset 2048
09:16:09.720 Disk 0 Partition - 00 0F Extended LBA 31255 MB offset 530188288
09:16:09.760 Disk 0 Partition 2 00 12 Compaq diag NTFS 15109 MB offset 594198528
09:16:09.798 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 31254 MB offset 530190336
09:16:09.848 Disk 0 scanning C:\Windows\system32\drivers
09:16:25.138 Service scanning
09:17:05.797 Modules scanning
09:17:05.822 Disk 0 trace - called modules:
09:17:05.860 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
09:17:05.875 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006a35650]
09:17:05.890 3 CLASSPNP.SYS[fffffa60011d5c33] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004c11050]
09:17:07.462 AVAST engine scan C:\Windows
09:17:12.684 AVAST engine scan C:\Windows\system32
09:24:50.338 AVAST engine scan C:\Windows\system32\drivers
09:25:08.840 AVAST engine scan C:\Users\michelle
09:42:49.737 Disk 0 MBR has been saved successfully to "C:\Users\michelle\Desktop\MBR.dat"
09:42:49.737 The log file has been saved successfully to "C:\Users\michelle\Desktop\aswMBR.txt"
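
The aswMBR log above reads the MBR, reports the partition table it finds ("Windows VISTA default MBR code", one active NTFS partition, an extended partition and a Compaq diagnostic partition) and saves a copy to MBR.dat. As an added example, not code from aswMBR, AVAST or this thread, the Python below parses a raw 512-byte MBR image of that kind and applies the sanity checks a defender would run on it: boot signature present, exactly one active partition, valid boot flags, no overlapping entries, and boot code unchanged against a saved known-good copy. The sample MBR is constructed inside the block to mirror the partition layout in the log (its boot code area is zero-filled, not real Vista code), and the check rules are my own, not aswMBR's.

```python
import hashlib
import struct

# Names for the partition types that appear in the aswMBR log; others print as "unknown 0xNN".
PART_TYPES = {0x07: "HPFS/NTFS", 0x0F: "Extended LBA", 0x12: "Compaq diag"}

ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, LBA start, sector count
MBR_SIZE = 512
TABLE_OFFSET = 446          # boot code occupies bytes 0..445, then four 16-byte entries
SECTORS_PER_MB = 2048       # 512-byte sectors per MiB, the unit aswMBR reports sizes in


def build_entry(boot, ptype, lba_start, sectors):
    """Pack one partition entry; CHS fields are zeroed because tools use the LBA fields."""
    return struct.pack(ENTRY_FMT, boot, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR mirroring the log: active NTFS, extended LBA, Compaq diag, empty slot."""
    boot_code = b"\x00" * TABLE_OFFSET   # placeholder, not real boot code
    table = (
        build_entry(0x80, 0x07, 2048, 258880 * SECTORS_PER_MB)
        + build_entry(0x00, 0x0F, 530188288, 31255 * SECTORS_PER_MB)
        + build_entry(0x00, 0x12, 594198528, 15109 * SECTORS_PER_MB)
        + build_entry(0x00, 0x00, 0, 0)
    )
    return boot_code + table + b"\x55\xAA"


def parse_mbr(data):
    """Return (signature_ok, [partition dicts]) for a 512-byte MBR image."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    signature_ok = bytes(data[510:512]) == b"\x55\xAA"
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0 and count == 0:
            continue                      # empty slot
        parts.append({
            "index": i + 1,
            "boot": boot,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start": start,
            "sectors": count,
            "size_mb": count // SECTORS_PER_MB,
        })
    return signature_ok, parts


def boot_code_sha256(data):
    """Hash of the boot code area, for comparing a saved MBR.dat with a fresh read."""
    return hashlib.sha256(bytes(data[:TABLE_OFFSET])).hexdigest()


def check_mbr(data, known_good=None):
    """Sanity checks on the table; returns a list of findings (empty means nothing odd)."""
    findings = []
    signature_ok, parts = parse_mbr(data)
    if not signature_ok:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in parts if p["boot"] == 0x80]
    if len(active) != 1:
        findings.append("%d active partitions (expected exactly 1)" % len(active))
    for p in parts:
        if p["boot"] not in (0x00, 0x80):
            findings.append("partition %d has invalid boot flag 0x%02X" % (p["index"], p["boot"]))
    ordered = sorted(parts, key=lambda p: p["start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["start"] + prev["sectors"] > cur["start"]:
            findings.append("partitions %d and %d overlap" % (prev["index"], cur["index"]))
    if known_good is not None and boot_code_sha256(data) != boot_code_sha256(known_good):
        findings.append("boot code differs from the saved known-good copy")
    return findings


if __name__ == "__main__":
    mbr = build_sample_mbr()
    _, parts = parse_mbr(mbr)
    for p in parts:
        print("Partition %d boot=0x%02X %-12s %6d MB offset %d"
              % (p["index"], p["boot"], p["type_name"], p["size_mb"], p["start"]))
    print("findings:", check_mbr(mbr) or "none")
```

To use it on a real image, read MBR.dat (or the first 512 bytes of the disk) into `data` and pass the earlier saved copy as `known_good`; a changed boot-code hash with an unchanged partition table is the pattern a bootkit leaves, while a zeroed signature or a second active entry usually means a broken write rather than malware.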

#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 18 May 2012 - 09:07 AM

Download

ESET online scanner


Install it.

Click on START; it should download the virus definitions.
When the scan is completed, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file into your reply.

Download

mini toolbox

Check the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Download

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan.

Click on SHOW results. Select all infections and remove them.

Reboot the PC and scan with MBAM once more in regular mode until you get a clean log.


Which site are you getting redirected to? Does the redirect happen in all browsers?

#5 redirected2

  • Topic Starter
  • Members
  • 7 posts

Posted 18 May 2012 - 12:51 PM

Malwarebytes Antimalware is still running but I thought I would post the others:

This is from ESET:


C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\graphic\kids\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\graphic\newgraphic\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\prince\examples\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\printout\holoco\jour\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\printout\holoco\pactrickstjames\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\printout\holoco\tronics\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\printout\printout\newtechlab\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\test\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\thres\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\web\final\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\web\final\main.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\web\finalp\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\web\group8\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\web\kidpresent\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined
C:\Users\michelle\Documents\Startlogic Backup\public_html\Everything\web\lifeduringwartime\index.html HTML/TrojanDownloader.Agent.IJ trojan cleaned by deleting - quarantined

This is from minitoolbox:


MiniToolBox by Farbar Version: 18-01-2012
Ran by michelle (administrator) on 18-05-2012 at 13:33:52
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 localhost

========================= IP Configuration: ================================

Intel® Wireless WiFi Link 5100 = Wireless Network Connection (Connected)
Broadcom NetLink ™ Fast Ethernet = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled mldversion=version2


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : michelle-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Intel® Wireless WiFi Link 5100
Physical Address. . . . . . . . . : 00-21-6B-8F-BC-64
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e1ed:2f24:2a85:5a79%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, May 18, 2012 9:50:53 AM
Lease Expires . . . . . . . . . . : Saturday, May 19, 2012 9:50:53 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 335552875
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-C9-9C-15-00-1F-16-07-CC-49
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Broadcom NetLink ™ Fast Ethernet
Physical Address. . . . . . . . . : 00-1F-16-07-CC-49
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : isatap.home
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: google.com
Addresses: 173.194.43.32
173.194.43.46
173.194.43.39
173.194.43.34
173.194.43.37
173.194.43.38
173.194.43.40
173.194.43.33
173.194.43.35
173.194.43.36
173.194.43.41



Pinging google.com [173.194.43.39] with 32 bytes of data:

Reply from 173.194.43.39: bytes=32 time=11ms TTL=251

Request timed out.



Ping statistics for 173.194.43.39:

Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),

Approximate round trip times in milli-seconds:

Minimum = 11ms, Maximum = 11ms, Average = 11ms

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.139.183.24
209.191.122.70
72.30.38.140



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=65ms TTL=249

Reply from 209.191.122.70: bytes=32 time=132ms TTL=249



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 65ms, Maximum = 132ms, Average = 98ms

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
13 ...00 21 6b 8f bc 64 ...... Intel® Wireless WiFi Link 5100
10 ...00 1f 16 07 cc 49 ...... Broadcom NetLink ™ Fast Ethernet
1 ........................... Software Loopback Interface 1
15 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
16 ...00 00 00 00 00 00 00 e0 isatap.home
14 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.5 281
192.168.1.5 255.255.255.255 On-link 192.168.1.5 281
192.168.1.255 255.255.255.255 On-link 192.168.1.5 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.5 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.5 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
13 281 fe80::/64 On-link
13 281 fe80::e1ed:2f24:2a85:5a79/128
On-link
1 306 ff00::/8 On-link
13 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [94208] (Apple Computer, Inc.)
Catalog5 06 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 08 C:\Windows\SysWOW64\wshbth.dll [34304] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [61440] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [62976] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [78848] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [78848] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [27648] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [44032] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/18/2012 10:12:09 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_1509f852f40ee5cd.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_1509f852f40ee5cd.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_1509f852f40ee5cd.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_1509f852f40ee5cd.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3.manifest.

Error: (05/18/2012 09:47:57 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/18/2012 09:00:43 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/18/2012 03:22:36 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/17/2012 10:41:13 PM) (Source: Application Error) (User: )
Description: Faulting application sd.com, version 2.7.35.0, time stamp 0x4fb32125, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00000000,
process id 0x2a0, application start time 0xsd.com0.

Error: (05/17/2012 10:39:03 PM) (Source: Application Error) (User: )
Description: Faulting application djdf.com, version 2.7.35.0, time stamp 0x4fb32125, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00000000,
process id 0x10b0, application start time 0xdjdf.com0.

Error: (05/17/2012 10:37:59 PM) (Source: Application Error) (User: )
Description: Faulting application tdsskiller.exe, version 2.7.35.0, time stamp 0x4fb32125, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00000000,
process id 0x1338, application start time 0xtdsskiller.exe0.

Error: (05/17/2012 10:37:39 PM) (Source: Application Error) (User: )
Description: Faulting application tdsskiller.exe, version 2.7.35.0, time stamp 0x4fb32125, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00000000,
process id 0x1278, application start time 0xtdsskiller.exe0.

Error: (05/17/2012 10:36:40 PM) (Source: Application Error) (User: )
Description: Faulting application TDSSKiller.exe, version 2.7.35.0, time stamp 0x4fb32125, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00000000,
process id 0x620, application start time 0xTDSSKiller.exe0.

Error: (05/17/2012 10:12:30 PM) (Source: Application Error) (User: )
Description: Faulting application TDSSKiller.exe, version 2.7.35.0, time stamp 0x4fb32125, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00000000,
process id 0x1384, application start time 0xTDSSKiller.exe0.


System errors:
=============

Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Adobe Flash Player 11 Plugin 64-bit (Version: 11.1.102.62)
ATI Catalyst Install Manager (Version: 3.0.786.0)
Broadcom Gigabit Integrated Controller (Version: 10.52.10)
ccc-utility64 (Version: 2010.0803.2125.36577)
COMODO Internet Security (Version: 4.0.4167.742)
Dolby Control Center (Version: 2.0.0706)
Dropbox (Version: 1.2.52)
Google Chrome (Version: 19.0.1084.46)
Google Talk (remove only)
HitmanPro 3.6 (Version: 3.6.0.156)
Intel® Matrix Storage Manager
Juniper Networks Setup Client (Version: 1.3.0.11779)
Lenovo Bluetooth with Enhanced Data Rate Software 6.1.0.4600 (Version: 6.1.0.4600)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft SQL Server Native Client (Version: 9.00.2047.00)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Motorola SM56 Data Fax Modem
Octoshape add-in for Adobe Flash Player
PicasaExt (Version: 1.0.1)
Spotify (Version: 0.8.3.222.g317ab79d)
Synaptics Pointing Device Driver (Version: 11.1.7.0)
Windows Driver Package - Lenovo (ACPIVPC) System (01/03/2008 3.1.0.1) (Version: 01/03/2008 3.1.0.1)
Windows Driver Package - Lenovo (ICOLOR) System (05/25/2007 2.1.0.1) (Version: 05/25/2007 2.1.0.1)
XBMC

========================= Memory info: ===================================

Percentage of memory in use: 56%
Total physical RAM: 4092.26 MB
Available physical RAM: 1787.43 MB
Total Pagefile: 11967.54 MB
Available Pagefile: 9601.49 MB
Total Virtual: 4095.88 MB
Available Virtual: 3995.63 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:252.81 GB) (Free:35.1 GB) NTFS
2 Drive d: (LENOVO) (Fixed) (Total:30.52 GB) (Free:28.71 GB) NTFS

========================= Users: ========================================

User accounts for \\MICHELLE-PC

Administrator Guest michelle


**** End of log ****

To answer your questions: this occurs in FF and Chrome. I thought it was occurring in IE but I am not sure; I cannot get it to recur after the above steps, but I do not know if it was fixed or if it just didn't do it in the first place. It still occurs in FF and Chrome though. I am getting directed to a number of different fake websites, not just one in particular.
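
The MiniToolBox report above is the kind of output a helper reads by eye for the usual redirect culprits: extra hosts-file mappings, a proxy that was switched on, an unexpected DNS resolver, security sites that cannot be reached, and third-party Winsock providers. The script below is an added example, not code from MiniToolBox, Farbar or this thread: it splits a report in that layout into its sections and applies those checks. The sample report is constructed (the planted hosts entry, the 8.8.8.8 resolver and the unreachable host are there to trigger each check), the wording "Proxy is enabled" for the IE case is an assumption, and a third-party Winsock provider such as Bonjour's mdnsNSP.dll is reported for review only; on this machine it is legitimate.

```python
import ipaddress
import re

# Section headers look like "===== Hosts content: =====" (the colon is optional in some sections).
SECTION_RE = re.compile(r"^=+\s*([^=]+?):?\s*=+$")
WINSOCK_RE = re.compile(r"^(?:x64-)?Catalog\d+ \d+ (.+?) \[\d+\] \((.+)\)$")
DNS_RE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
PING_RE = re.compile(r"^Pinging (\S+)(?: \[\S+\])? with")

# The only hosts-file mappings expected on a default Windows install.
EXPECTED_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample in MiniToolBox's layout (not the thread's log); the planted hosts entry,
# the public resolver and the unreachable host each exercise one check.
SAMPLE = r"""MiniToolBox by Farbar Version: 18-01-2012
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= FF Proxy Settings: ==============================
"network.proxy.type", 0
========================= Hosts content: =================================
127.0.0.1 localhost
127.0.0.1 localhost
192.0.2.1 av-updates.example.test   # planted entry
========================= IP Configuration: ================================
DNS Servers . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 8.8.8.8
Pinging security-vendor.example.test [203.0.113.10] with 32 bytes of data:
Reply from 203.0.113.10: Destination host unreachable.
Reply from 203.0.113.10: Destination host unreachable.
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 05 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [94208] (Apple Computer, Inc.)
"""


def split_sections(text):
    """Group the report's lines under their section headers."""
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line.rstrip())
    return sections


def check_hosts(lines):
    """Flag every hosts mapping that is not the standard localhost entry."""
    findings = []
    for line in lines:
        fields = line.split("#", 1)[0].split()      # drop comments
        for name in fields[1:]:
            if (fields[0], name) not in EXPECTED_HOSTS:
                findings.append("hosts: %s -> %s" % (name, fields[0]))
    return findings


def check_proxy(ie_lines, ff_lines):
    """Flag an enabled IE proxy (wording assumed) or a non-zero Firefox proxy type."""
    findings = []
    if any("Proxy is enabled" in l for l in ie_lines):
        findings.append("IE proxy is enabled; verify the proxy address")
    for l in ff_lines:
        m = re.match(r'"network\.proxy\.type",\s*(\d+)', l.strip())
        if m and m.group(1) != "0":
            findings.append("Firefox network.proxy.type = %s (0 means no proxy)" % m.group(1))
    return findings


def check_dns(lines):
    """Flag resolvers outside private ranges; a home PC normally uses its router here."""
    findings = []
    for l in lines:
        m = DNS_RE.search(l)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if ip.is_global:
            findings.append("DNS server %s is a public address; confirm it is the intended resolver" % ip)
    return findings


def check_ping(lines):
    """Flag ping targets that answer 'Destination host unreachable' (one finding per target)."""
    findings, target = [], None
    for l in lines:
        s = l.strip()
        m = PING_RE.match(s)
        if m:
            target = m.group(1)
        elif target and "Destination host unreachable" in s:
            findings.append("ping to %s reports destination host unreachable" % target)
            target = None
    return findings


def check_winsock(lines):
    """List non-Microsoft Winsock providers once each for manual review."""
    findings, seen = [], set()
    for l in lines:
        m = WINSOCK_RE.match(l.strip())
        if m and m.group(2) != "Microsoft Corporation" and m.group(1) not in seen:
            seen.add(m.group(1))
            findings.append("third-party Winsock provider %s (%s); confirm it is expected" % m.groups())
    return findings


def triage(report_text):
    """Run every check over a MiniToolBox-style report and return the findings in order."""
    s = split_sections(report_text)
    return (check_hosts(s.get("Hosts content", []))
            + check_proxy(s.get("IE Proxy Settings", []), s.get("FF Proxy Settings", []))
            + check_dns(s.get("IP Configuration", []))
            + check_ping(s.get("IP Configuration", []))
            + check_winsock(s.get("Winsock entries", [])))


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run against the real report in this post, the script would return nothing for the hosts, proxy and DNS sections and two review items: the Bonjour provider, and the "Destination host unreachable" replies from bleepingcomputer.com, which on a redirect-infected machine is worth checking against a second device on the same network before concluding it is the PC.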

#6 redirected2

  • Topic Starter
  • Members
  • 7 posts

Posted 18 May 2012 - 04:09 PM

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.18.06

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
michelle :: MICHELLE-PC [administrator]

5/18/2012 1:56:52 PM
mbam-log-2012-05-18 (13-56-52).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 518812
Time elapsed: 3 hour(s), 12 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 18 May 2012 - 04:23 PM

Download

Hosts fixit

Run it, restart the PC and let me know if you still have redirects.

#8 redirected2

  • Topic Starter
  • Members
  • 7 posts

Posted 18 May 2012 - 04:38 PM

I couldn't get it to recur in Firefox, but when I tried Chrome it redirected the first website I tried. After that it redirected Firefox websites again.

So unfortunately the problem still exists.

#9 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 18 May 2012 - 04:45 PM

Reinstall both Firefox and Chrome. While uninstalling Firefox, make sure to checkmark "Remove my Firefox personal data".

See if that stops the redirect.

good luck

#10 redirected2

  • Topic Starter
  • Members
  • 7 posts

Posted 18 May 2012 - 05:12 PM

I am cautiously optimistic!

I cannot reproduce the redirection any more in any browser. I will report back within a few days if I notice it again but as of now it looks good!

Thank you so much!

#11 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 18 May 2012 - 05:58 PM

That's ok.

Download

TFC


Launch it; it will close all running programs.

Click on START; it should ask for a reboot.

Turn off your system restore, restart the PC, and create a new restore point:

http://windows.microsoft.com/en-US/windows7/Turn-System-Restore-on-or-off


Update your antivirus frequently, and do not click on suspicious links.

Safe surfing :)

Edited by narenxp, 18 May 2012 - 05:58 PM.
