Redirect to eBay phishing page - possible MBR rootkit infection

Welcome to Major Geeks!

You have a master boot record (MBR) infection.

We will need to boot to the Recovery Console ( you installed it while you installed ComboFix) to remove this infection. Note if you cannot boot to the Recovery Console you installed with ComboFix or if it fails to remove the infection, you will need your Windows XP boot CD.

Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


After running the fixmbr command and boot back to normal mode, continue with the below.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (file missing)

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

According to your logs, the MBR infection was removed and there don't appear to be any other infections. Try the below.

Click Start > Run and type in cmd

• Click OK.
• This will open a command prompt.
• Type or copy and paste the following line in the command window:
  ipconfig /flushdns
• Hit Enter
• Exit the command window

Now let's flush the Java Cache

• Click Start > Settings > Control Panel
• Double click the Java icon (be patient, it may take a while to open)
• Now click the General tab and under the Temporary Internet File area
• Click the Settings button and then click the Delete Files... button.
• In the next popup click OK.

If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


Now let's flush the FireFox Cache
To flush your FireFox Cache:

• click Tools
• select Options
• select Privacy
• in the section labeled Private Data click Clear Now
  

Now let's flush the Internet Explorer Cache
To flush your Internet Explorer Cache:

• click Tools
• Internet Options
• Now on the General tab and click Delete Files and select Delete all Offline content too
• Click OK.
• When it finishes Click OK.

Now run Ccleaner!

Some infections have been know to infect router hardware. If you have a router hooked up then follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.



Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\User\Local Settings\temp

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You could give it a try since it does help fix various problems. Note that it is going to have a bunch of false detections about tools from ComboFix and MGtools including process.exe.

However before running Dr. Web, first try the below two fixes.

1) Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

2) Run IE8 and then disable all of your add-ons. Click Tools, Manage Add-ons. Then select each one and click Disable. Then close ALL IE windows and then restart IE. See if you still have a problem. If not, slowly enable them to see if you can find the cause.

 

That is in agreement with my assessment since your MBR infection was removed. Let's make sure it did not come back but I doubt it.



Now download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\MGlogs.zip

Also I want to see the below log:

Click Start > Run and type in cmd

• Click OK.
• This will open a command prompt.
• Type or copy and paste the following line in the command window:
  ipconfig /flushdns > C:\dnslist.txt
• Hit Enter
• Exit the command window
• Attach the C:\dnslist.txt to your next message.

Are you 100% sure it is not just a valid page. Does this still only happen with IE and not FireFox? Are you sure that you have disabled ALL add-ons to IE?

 

Not a problem. This is normal to see after having an MBR infection. fixmbr just repairs sector 0 which kills the active part of the infection.

 

Okay then there must be something else hiding that is not showing up in the logs. Many of the logs are data/time stamp dependent and some malware can modify dates of their files to be much older than when they were saved on the PC. This would cause them not to show in these quick type scans. We will have to use a couple of more comprehensive scanners. Since you could not run Dr.Web Curit, let's try the below. Run each, one at a time and attach the logs.

Using ESET's Online Scanner
Using BitDefender Online Scan
Trend Micro Housecall

 

See if you can run it in normal bootmode.

If that does not help, uninstall Windows Internet Explorer 8 and then reboot your PC. Now see if you still have the same problem with IE7 which should remain.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below log:

• C:\MGlogs.zip

 

My point is that you must uninstall it to see if it is somehow infected. No I did not want you to reinstall it immediately because I wanted to check your logs and see the effects after it had been uninstalled. If you believe that this redirect is still malware then you should not be trusting this PC to be using it for work especially with a potentially (unknown as of yet) infected IE8.

In 100% of all previous ( and more occurring everyday ) cases with eBay or other financial type phishing scams ocurring due to an MBR infection, they have been fixed by running fixmbr and deleting the bad files if still necessary. Thus it would seem you have something else going on especially since you say it changed after running fixmbr. I even had you empty all caches where something could possible hang around to cause a problem like this and that had no effect. Thus, if uninstalling IE8 has no effect and then reinstalling it also has no effect, you will be looking at a reinstall unless you wish to rerun all of the previous steps first just to be sure nothing was skipped.


By the way, when you access eBay, are you going to it via a saved link or by typing the www.ebay.com into the address bar? If using a link of any kind, try physically typing into the address bar instead and see what happens.

 

False detections. Tool.prockill is just a false detection of process.exe which is used by MGtools, ComboFix and many other tools. It is just a DOS based task manager type program and has nothing to do with any problems you were having. And the A00xxxxx.exe files are just System Restore copies of the file and also are not problems. In addition, Dr.Web CureIt can not remove anything in System Restore anyway. Nothing can. You have to disable system restore to remove restore points.

Not true. SmitFraud even uses process.exe

Attach the log so we can see what it removed.