Browser redirect


Hello Malwarebytes People,

My son's PC has been hijacked by malware which redirects his browser.

I have begun this procedure: http://forums.malwar...?showtopic=9573

The resulting malwarebytes log is this:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7193
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

19/07/2011 23:52:53
mbam-log-2011-07-19 (23-52-53).txt

Scan type: Quick scan
Objects scanned: 163328
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I then installed DeFogger, as instructed in the thread, but it didn't ask me to reboot. The log is here:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 07:20 on 20/07/2011 (Alfie)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Could you please tell me what to do next??

many thanks.


Hello Mike9999666 and welcome to Malwarebytes!

I apologize for the delay.

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please do the following:

  • Download DDS by sUBs from one of the following links. Save it to your Desktop.
    NOTE: Before scanning, make sure all other running programs are closed.
    There shouldn't be any scheduled antivirus scans running while the scan is being performed.
    Do not use your computer for anything else during the scan.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your Desktop.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • DDS logfile
  • checkup.txt

How is your computer running now?


Hello again

Thanks for helping.

The DDS program only produced one text file which I have attached in a zip file.

The Security Check file produced the following log:

Results of screen317's Security Check version 0.99.17
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
McAfee Security Center
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java 6 Update 22
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````

At the moment, the computer is still doing occasional browser redirects. For example, when I clicked a link to "Digital Spy" - a media news/gossip site - in a Bing tab in Internet Explorer, it redirected me via Kelkoo to a site selling digital spy cameras.

DDS.zip

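The post above describes the symptom (a Bing result for "Digital Spy" arriving, via Kelkoo, at a shopping site) but the thread never establishes how the redirector on this PC works. A rewritten hosts file is one of the ordinary mechanisms, so checking it is a cheap step to take alongside the rootkit scans. The following is an added example written for this page, not one of the helper's steps and not code from Malwarebytes: a Python triage of a hosts file. The sample hosts text, the watchlist of names a redirector tends to hijack, and the Windows 7 path in the docstring are all assumptions constructed for the example.

```python
"""Triage a Windows hosts file for redirect and block entries.

Added example for this thread, not one of the helpers' steps. The sample text
below is constructed; the live file on Windows 7 is
C:\\Windows\\System32\\drivers\\etc\\hosts (an assumption about the target machine,
not something the thread examined).
"""
import ipaddress

# Names a redirector typically hijacks: search/portal sites and the vendor sites the
# victim would visit for help. The list is an assumption; extend it for your case.
WATCHLIST = {
    "bing.com", "www.bing.com", "google.com", "www.google.com",
    "malwarebytes.org", "www.malwarebytes.org", "update.microsoft.com",
}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, hostname, ip) for every active mapping; comments are ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        for name in fields[1:]:
            yield line_no, name.lower(), ip


def triage_hosts(text):
    """Return (line_no, hostname, ip, verdict) for every entry worth a look.

    Verdicts: 'redirected' (watchlist name sent to some other host),
    'blackholed' (non-local name pointed at loopback, i.e. the site is blocked),
    'non-loopback mapping' (anything else; often a legitimate LAN shortcut)."""
    findings = []
    for line_no, name, ip in parse_hosts(text):
        if ip.is_loopback:
            if name in LOCAL_NAMES:
                continue  # the stock localhost entries are fine
            verdict = "blackholed"
        elif name in WATCHLIST:
            verdict = "redirected"
        else:
            verdict = "non-loopback mapping"
        findings.append((line_no, name, str(ip), verdict))
    return findings


# Constructed sample: stock Windows header, a hijacked search engine, a blocked
# vendor site and an ordinary LAN shortcut. 192.0.2.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1       localhost
192.0.2.10      www.bing.com bing.com   # search results go elsewhere
127.0.0.1       www.malwarebytes.org    # help site blocked
10.0.0.5        fileserver
"""

if __name__ == "__main__":
    for line_no, name, ip, verdict in triage_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}: {verdict}")
```

Run against the real file by passing its contents to `triage_hosts()`. A "blackholed" verdict on an antivirus or update domain is as telling as a "redirected" one: blocking the sites that would remove it is routine behaviour for this class of malware.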

Thanks for helping.

No problem ;)

Are the redirects in Firefox, Internet Explorer, or both? Please let me know.

-------------

Please do the following :)

***Note: In order for ComboFix to run properly McAfee must be uninstalled. Please go here and follow the instructions to uninstall McAfee.

McAfee needs to remain uninstalled until I tell you it's safest to reinstall it.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review. Also, please let me know if any problems still remain.

-------------

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller log
  • C:\ComboFix.txt

How is your computer running now?


Well OK, if you can try that would be good. It had the same problem with Start Up before, but we managed to repair it, and it was only when my son was reloading programs on it that he downloaded the Browser Redirect malware.

What should I do next? If I turn it on it goes into Windows Error Recovery, then Start Up Repair, then it says "Start Up repair cannot repair this computer automatically".


Okay, we need to restore your PC to an older, workable date.

Please see this link for instructions on accessing System Restore in the Windows 7 Recovery Environment: http://www.faultwire.com/solutions/using_system_restore_vista.php#recoveryDVD

Using System Restore, locate the restore point closest to the time the PC became dysfunctional. Then, select it and revert the PC to that point.

(don't do anything with the Command Prompt)

Let me know how it goes ;)


No problem, I'll post it here ;)

Please locate your Windows 7 Disc and do the following:

Use the following steps to get to the Recovery Console from the boot DVD:

Insert the DVD and boot from it. You'll get a black and white screen:

If this doesn't appear, it may be that the DVD is not a Windows bootable DVD. Assuming you get this message, press a key (spacebar or anything else). If you don't press any key within about 5 seconds, it will boot from the hard disk.

Continuing to boot from the DVD you'll see a loading progress screen.

This typically takes 2-3 minutes. When complete the first options screen appears.

Change any options if desired, and press Next.

To start the Recovery Console, select Repair your computer.

Unless you have multiple copies of Windows installed, only one choice will appear. Select your OS, and press Next.

Here you can pick from a number of useful options.

Choose System Restore.

-----------

System Restore

After selecting System Restore from the options menu, the screen appears:

Press Next.

From the list of restore points, select the one you want to restore. You'll want to pick a date prior to the problem event, such as before an installation that you suspect caused the problem. You do not want to pick the newest restore point, since that has saved the very last problematic registry.

Press Next.

If you have multiple drives, in rare cases there may be restorable information on those other drives. The status will confirm which drives have recovery information. Check any drives that you want to recover (including the system drive). Press Next.

This is the final confirmation. Press Finish to begin restoring the selected restore point.

It may take 10 minutes or more, so be patient and don't power down or reset the PC while the restoration is occurring. After the reboot and logging on again, Windows will confirm the restore completed successfully.

If you don't like the results of the restoration, you can return to System Restore and choose a different restore point.

-----------

After you have successfully reverted to an earlier Restore Point, please post back here and we'll take it from there ;)


"No restore points have been created on your computer system's drive. To create a restore point open System Protection".

When I click on System Protection it says: "Your computer is running in a limited diagnostic state. If you use System Restore, you cannot undo the restore operation."

If I click on OK, it takes me back to the first message. I can't see an option to use System Protection.


Startup Repair cannot repair this computer automatically.

Problem details:
Problem event name: StartupRepairOffline
Problem Signature 01: 6.1.7600.16385
Problem Signature 02: 6.1.7600.16385
Problem Signature 03: unknown
Problem Signature 04: 21200710
Problem Signature 05: AutoFailover
Problem Signature 06: 5
Problem Signature 07: FailureDuringSetup
OS Version: 6.1.7600.2.0.0.256.1
LocaleID: 1033


My sincerest apologies for the delay.

Leaving the Windows 7 DVD in the drive, please go back to the System Recovery Options. Select Command Prompt...

Once the Command Prompt opens up, please type the following:

chkdsk /r

Then, press Enter. Windows will begin checking for and attempting to repair corrupted files.

Let me know how it goes ;)


"The type of the file system is NTFS.

Cannot lock current drive.

Windows cannot run disk checking on this volume because it is write-protected."


Try running the following command first:

SFC /SCANNOW

Then, try running chkdsk /r

Having entered SFC/SCANNOW > Enter I get:

"Beginning system scan. This process will take some time.

There is a system repair pending which requires reboot to complete. Restart Windows and run sfc again."


OK - I Restarted the computer.

Got the notice saying it couldn't be repaired automatically.

Gone to System Recovery Options > Command Prompt.

Entered SFC/SCANNOW on the same line as X:\windows\system32>

Got the same message as before:

"Beginning system scan. This process will take some time.

There is a system repair pending which requires reboot to complete. Restart Windows and run sfc again."


Something I'd like to verify:

are you able to successfully log in to Safe Mode?

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Let me know before we proceed.


I believe your Master Boot Record (MBR) may be corrupt.

Please insert your Windows DVD.

  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here

When you reboot you will see this, although yours will say Windows 7. Click repair my computer.

Select your operating system.

Select Command prompt.

At the command prompt type the following (press ENTER after each one):

  • bootrec.exe /fixmbr
  • bootrec.exe /fixboot
  • bootrec.exe /RebuildBcd
  • Once finished type Exit
  • Close the command prompt window and click the 'Startup Repair' option.
  • The repair process may take some time, so wait until the process completes, at which point you will see two messages: "Windows cannot repair this computer automatically" and "Startup Repair cannot repair this computer automatically". These messages are the result of the radical changes. Ignore the Send/Don't send options.
  • Close this message window by clicking on the X in the upper right corner of the Send/Don't send window. Next click on the 'View advanced options for system recovery and support' option and from the main menu once again click 'Startup Repair'. This time the repair process may only take a few seconds and if prompted "Startup Repair could not detect a problem", click 'Finish' and run the 'Startup Repair' option one more time, click 'Finish', and then remove the System Repair DVD and click 'Restart'. Reboot the computer.

Please let me know if you can reboot successfully after doing that.

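The helper's last post suspects a corrupt Master Boot Record and reaches for bootrec, and TDSSKiller earlier in the thread targets rootkits that live in exactly that sector. What bootrec /fixmbr does is rewrite the 446-byte bootstrap code and leave the partition table alone, so before running it a practitioner wants to know which of the two is actually damaged. As an added example for this page (not code from the thread, from Malwarebytes or from Microsoft), here is a structural check of a 512-byte MBR in Python: it verifies the 0x55AA signature, parses the four partition entries for an invalid, missing or overlapping layout, and compares the bootstrap code against a known-good hash. The sample sector, its placeholder bootstrap bytes and the reference hash are constructed for the example; the partition layout mirrors the stock Windows 7 install of a 100 MB System Reserved partition followed by the Windows partition.

```python
"""Structural check of a 512-byte Master Boot Record (MBR).

Added example for this thread, not a tool the Malwarebytes helpers asked for. It
covers the three things behind "the MBR may be corrupt": the 446-byte bootstrap
code (what bootrec /fixmbr rewrites, and where MBR bootkits install themselves),
the four 16-byte partition entries (which /fixmbr leaves alone) and the 0x55AA
signature. All sample data below is constructed for the example.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
BOOTSTRAP_LEN = 446
TABLE_OFF = 446
ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


@dataclass
class Partition:
    index: int
    status: int      # 0x80 = active/bootable, 0x00 = inactive, anything else invalid
    type_id: int     # 0x07 = NTFS/exFAT
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1


def parse_partitions(mbr: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFF + i * ENTRY_LEN)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append(Partition(i, status, ptype, lba, count))
    return parts


def bootstrap_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr: bytes, reference_bootstrap_sha256: Optional[str] = None) -> List[str]:
    """Return findings; empty means the sector is structurally sane and, if a
    reference hash was given, the bootstrap code is the one you expect.
    Read the real sector from a disk image, or on Windows from an elevated prompt
    via open(r"\\.\PhysicalDrive0", "rb").read(512) (environment assumption)."""
    if len(mbr) != SECTOR:
        return [f"expected {SECTOR} bytes, got {len(mbr)}"]
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("0x55AA boot signature missing: BIOS will not boot from this disk")
    if not any(mbr[:BOOTSTRAP_LEN]):
        findings.append("bootstrap code is all zeros: sector wiped or never made bootable")
    elif reference_bootstrap_sha256 and bootstrap_sha256(mbr) != reference_bootstrap_sha256:
        findings.append("bootstrap code differs from reference: rewritten, corrupted or bootkit-patched")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p.status == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} partition(s) flagged active, expected exactly 1")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.lba_start == 0 or p.sectors == 0:
            findings.append(f"entry {p.index}: zero start LBA or zero length")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end >= b.lba_start:
            findings.append(f"entries {a.index} and {b.index} overlap")
    return findings


def build_mbr(bootstrap: bytes, entries) -> bytes:
    """Assemble a sector from bootstrap bytes and (status, type, lba, count) tuples;
    used only to construct the samples below."""
    buf = bytearray(SECTOR)
    buf[:len(bootstrap)] = bootstrap
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFF + i * ENTRY_LEN, *entry)
    buf[510:512] = SIGNATURE
    return bytes(buf)


# Constructed samples. The bootstrap is placeholder bytes, not real Windows code; the
# two NTFS entries mirror the stock Windows 7 layout (100 MB active "System Reserved"
# partition at LBA 2048, then the Windows partition).
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTSTRAP_LEN - 7)
WIN7_LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 488_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, WIN7_LAYOUT)
REFERENCE_HASH = bootstrap_sha256(CLEAN_MBR)

# Same table, but the first bootstrap bytes are replaced by a jump and the active flag
# has been cleared: what a patched or damaged MBR looks like to this check.
TAMPERED_MBR = build_mbr(b"\xe9\x00\x01" + CLEAN_BOOTSTRAP[3:],
                         [(0x00, 0x07, 2048, 204800), (0x00, 0x07, 206848, 488_000_000)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, REFERENCE_HASH) or ["no findings"])
```

The reference hash has to come from a trusted copy of the same Windows version's bootstrap (or from the same disk before the incident); without one the bootstrap check degrades to the all-zeros test. A finding only on the bootstrap is the case /fixmbr repairs; findings in the partition table (no active partition, overlapping entries) are not touched by /fixmbr and point at a different problem.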
