Redirection problems and general slower running of PC

[x0pticLukeZz]

Hey all,

I've been having some redirection problems to various websites, sometimes from Google and sometimes if I type a URL in myself.

I've followed the steps from the sticky on this subject up to step 4, my TDSSkiller log is attached. Should I continue on to run the MBRCheck?

Thanks!

[chaslang]

Welcome to Major Geeks!

Quote:

Originally Posted by x0pticLukeZz

Should I continue on to run the MBRCheck?

Yes! And then continue on with the READ & RUN ME which is mentioned right after MBRcheck.

[x0pticLukeZz]

MBRCheck log is attached

[x0pticLukeZz]

Attached are logs from SAS, MBAM and MGtools.

Combofix would not run past the extraction stage; it displayed no blue screen as shown in the instructions.

RootRepeal is not included since I am using Windows 7 x64.

Also, MGtools displayed an error message stating that HiJackThis couldn't access the Hosts file for some reason.

I'm still having redirection problems after performing all the cleanup procedures and scans! I think it started a day or two ago. I'm afraid I'm not sure what I was doing at the time, sorry :s

[chaslang]

Go back and re-run TDSSkiller and if the below still appear like last time, cure/delete them ( which ever option is presented ) this time

Code:

15:44:25.0608 5620 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
15:44:25.0608 5620 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

Now download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - .DEFAULT User Startup: toap.exe (User 'Default user')

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.
See the download links under this icon

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:

Files to delete:
C:\Users\Luke\AppData\Local\Temp\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
C:\Users\Luke\AppData\Local\Temp\~!#E12E.tmp
C:\Windows\TEMP\hki1143.exe
C:\Windows\TEMP\hki1264.exe
C:\Windows\SysWOW64\fv08j7LFs.com
C:\Windows\SysWOW64\fv08j7LFs.com_
C:\Windows\assembly\temp\@
C:\Windows\assembly\temp\cfg.ini
C:\Windows\assembly\temp\oemid
C:\Windows\assembly\temp\version
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\Luke\AppData\Roaming\Microsoft\Windows\Templates\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
C:\ProgramData\7sS2lmg0.dat
C:\ProgramData\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Folders to delete:
C:\Windows\assembly\temp\U
C:\Users\Luke\AppData\Local\Temp\{0450AB7E-6644-45F5-BCD3-4BFF4E14B7D7}
C:\Users\Luke\AppData\Local\Temp\{6C1D6858-40B5-48C5-90DE-DC46042DFBEE}
C:\Users\Luke\AppData\Local\Temp\{9f11ca77-519a-44ec-9fa3-684e0d51a701}
C:\Users\Luke\AppData\Local\Temp\{A38D7227-150B-45CD-898D-9C36603054ED}
C:\Users\Luke\AppData\Local\Temp\{D6D1FF1C-E7BB-4980-B55F-C57955F2FF9F}
C:\combofix

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot, copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
00
[HKEY_LOCAL_MACHINE\system\controlset001\control\session manager\subsystems]
"Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
00
[HKEY_LOCAL_MACHINE\system\controlset002\control\session manager\subsystems]
"Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
00

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\TEMP
C:\Documents and Settings\Sean Walsh\Local Settings\Temp

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[x0pticLukeZz]

HostsXpert says "Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to Quit."

I click OK and the same window pops up, press it again and it goes away but the 'Make Writable?' button does nothing.

The 'Restore MS Hosts file' button also comes up with an error.

[chaslang]

Try running HostsXpert.exe by right clicking on it and selecting Run As Administrator.

If that does not work, just continue on with the rest of the instructions anyway.

[x0pticLukeZz]

HostsXpert.exe still wouldn't work even running as administrator.

Avenger rebooted my PC but didn't create avenger.txt anywhere nor show me a file on reboot... the closest thing I could find is the attached ozvxqu.txt

I didn't download ATF Cleaner because it says it's for Windows XP or 2000 and I'm running Windows 7.

Everything else seemed to go fine, I got the success message from fixme.reg and MGlogs.zip is attached.

Still getting redirected I'm afraid and browsing still doesn't seem as fast as it should be.