Browser Redirects

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cahandy, Feb 26, 2009.

  1. cahandy

    cahandy Private E-2

    I'm getting frequent browser redirects in Firefox and can't clean myself up. (Thanks in advance for your help - free support is amazing.)

    I've followed your sticky procedure, except that combofix and MGtools will not run. (I can't even get 'cmd' to run, although 'msconfig' will ??)
    so only SuperAntiSpyware and Malwarebytes logs are attached.

    As for describing the behaviour I get: sites I often go to seem to work fine, but almost every time I try to access a new site I get a redirect. I haven't noticed any kind of pattern to where I am getting redirected.

    Thanks for your assistance!
    craig.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there Craig. We really need to be able to get your machine into a state where CF and MGTools will run. Otherwise I do not know what is going on. Have you tried to boot into safemode and run them? Running them in normal mode is preferable, so could you explain to me any error messages that you receive when attempting to run combo and MGTools?

    Thanks
    Kes
     
  3. cahandy

    cahandy Private E-2

    Wouldn't work in safemode either. I don't get an error message. With combofix I get the small progress bar, but when it finishes Windows resets - ie everything but my wallpaper disappears and then the taskbar, shortcuts, etc reappear.
    I tried to run>cmd, but can't get a dos shell at all. Windows resets - no message, just Windows explorer crashing or whatever it is doing.
    (msconfig works though, as does Ctrl-Alt-Del)

    thanks...

     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this explains what happens when you try to run ComboFix but what happens when you run MGtools.exe?

    Also check to see if the C:\MGtools folder has been created.

    Also using Windows Explorer, navigate to C:\Windows\system32 and locate the cmd.exe file and right click on it. First tell me what it indicates for Size: It should look something like 379 KB (388,608 bytes). Give me both numbers. I don't need the Size on disk: info. Then click the Version tab and on the next screen, tell me what it shows for File version:

    Also do you have a folder named C:\i386
     
  5. cahandy

    cahandy Private E-2

    The same thing. It creates the MGtools folder, but wouldn't run any of the batchfiles in it - Windows resets or whatever. What exactly is happening when the Windows apparatus disappears and restarts?

    cmd.exe size is 380 KB (389,120 bytes) and file version is 5.1.2600.5512 (xpsp.080413-2111)

    Yes, I have c:\i386

    Thanks...

     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think that's the Size on disk which is what I said I did not want. I want the info from the line that just says Size:


    This means explorer.exe which is Windows Explorer and it is also the Windows shell, is being terminated and then restarting. This sometimes happens for valid reasons other times it happens due to malware or due to problems within Windows itself.

    Try doing the below and let me know what happens.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    If the above is successful, see if you can run the cmd.exe now. And also see if C:\MGtools\GetLogs.bat will run. Also check to see if you can run C:\MGtools\analyse.exe by double clicking on it.
     
    Last edited: Mar 2, 2009
  7. cahandy

    cahandy Private E-2

    That is Size - Size and Size on Disk are identical (although I would have sworn they were not last time??).

    No luck. The shell crashes with your reg-fix, cmd.exe, and GetLogs.bat. HijackThis ran and the log file is attached.

     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They should not be.


    Does the Windows Registry editor run. You can run it by either clicking Start, Run, and entering regedit and clicking OK. Or you can go to the C:\Windows folder and find regedit.exe and double click on it.

    There is not much showing in your HJT log so we still need the other logs, but do the below anyway.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O20 - Winlogon Notify: hggdbaa - hggdbaa.dll (file missing)
    O20 - Winlogon Notify: wylcmfbf - wylcmfbf.dll (file missing)

    After clicking Fix, exit HJT.
     
  9. cahandy

    cahandy Private E-2

    They are - cmd.exe is still 380 KB (389,120 bytes).

    regedit does not run - the Windows Explorer resets.

    When running HijackThis:
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto - no longer exists.
    These two aren't removed - I 'fixed' them, HijackThis closes after a confirmation message without saying anything more. So I ran it again, they were still there. I fixed them again, rebooted and rescanned - still there.
    A logfile is attached.
    O20 - Winlogon Notify: hggdbaa - hggdbaa.dll (file missing)
    O20 - Winlogon Notify: wylcmfbf - wylcmfbf.dll (file missing)
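To see what those two O20 lines correspond to on the machine itself, here is an added PowerShell check that is not part of the thread or of HijackThis: it enumerates the Winlogon Notify handlers in the registry and flags any whose DLL cannot be found, which is what HJT reports as "(file missing)". It assumes an elevated PowerShell on an XP/Vista-era system where the Notify key is still used, and it only reports; it does not delete anything.

```powershell
# Added example, not from the thread: list Winlogon Notify handlers and flag
# entries whose DLL is not on disk (HijackThis "O20 ... (file missing)").
# Read-only. Assumes an elevated PowerShell 2.0 or later on Windows XP/Vista.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-WinlogonNotifyStatus {
    if (-not (Test-Path -Path $notifyKey)) {
        Write-Warning "Winlogon Notify key not present: $notifyKey"
        return
    }
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dllName = (Get-ItemProperty -Path $sub.PSPath).DllName
        if ([string]::IsNullOrEmpty($dllName)) {
            $resolved = $null
        } elseif ([System.IO.Path]::IsPathRooted($dllName)) {
            $resolved = [Environment]::ExpandEnvironmentVariables($dllName)
        } else {
            # A bare file name is found through the normal DLL search order;
            # System32 is where a legitimate handler is expected to live.
            $resolved = Join-Path $system32 $dllName
        }
        New-Object PSObject -Property @{
            Handler  = $sub.PSChildName
            DllName  = $dllName
            Resolved = $resolved
            Exists   = ($null -ne $resolved) -and (Test-Path -LiteralPath $resolved)
        }
    }
}

$entries = @(Get-WinlogonNotifyStatus)
$entries | Format-Table Handler, DllName, Resolved, Exists -AutoSize

# Orphaned handlers: a registered Notify DLL that no longer exists on disk.
$orphans = $entries | Where-Object { -not $_.Exists }
if ($orphans) {
    Write-Host 'Winlogon Notify entries whose DLL is missing:'
    $orphans | ForEach-Object { Write-Host ("  {0} -> {1}" -f $_.Handler, $_.DllName) }
} else {
    Write-Host 'All Winlogon Notify handlers resolve to an existing DLL.'
}
```

Running it before and after clicking Fix in HJT shows directly whether the subkey was actually removed, which is the question raised when the two entries keep reappearing.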

     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log showed you had a ton of stuff from Lenovo running including Rescue and Recovery

    Are you trying to use it to recover your system? Perhaps it is getting in your way of doing anything. I see all of the below related to Lenovo running which is quite a lot:
    Between all of this junk and the Thinkpad stuff, it is a wonder that your laptop runs at all.

    If this Lenovo stuff is really a backup system of some sort, perhaps you should just restore a backup.

    Have you tried running Windows's System Restore to try and go back to an earlier date? Based on all your problems running anything, I'm not sure System Restore will work.

    Your next steps may be to do a System Repair (a topic for the Software Forum) and if that does not help, a reinstall is next. Your system appears to have more than just malware problems.
     
