Browser redirect.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by personman, Jul 4, 2011.

  1. personman

    personman Private E-2

    A few days ago I got hit with a rogue anti-virus/anti-spyware program, Window Repair 2012 to be exact. It gave me the false scan and claims of problems that weren't there and hid all the files on my computer. After running Malwarebytes and Combofix in safe mode I was able to stop this and restore everything to normal. However, now I am having my browser redirected constantly when trying to search for anything and have to right click, copy link location, and paste it into the address bar to get anywhere. I also occasionally get a pop up from IE with a random page on it that I assume is an attack site. I'm guessing this is residual from the rogue program from before. In fact I wouldn't be surprised if it is still there in some shape or form.

    I followed the instructions laid out in the sticky concerning removal of such things and the only result I got was when I reset my router to factory default the problem stopped for about three pages then started again. All other scanners found nothing.

    Notably though, when I got to Combofix again it insisted that Avira's scanner was still running despite being disabled. So I uninstalled it and rebooted, and even still Combofix didn't want to start due to Avira's scanner. I decided to let it run despite this. Hopefully that won't cause any problems.

    I greatly appreciate any insight.
     

    Attached Files:

  2. personman

    personman Private E-2

    ----
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is everything as it should be with your Startup, Program Files, Desktop, and Quick Launch? Is anything hidden from you, nothing unusual?

    Java(TM) 6 Update 22 <--- Uninstall outdated Java.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {01437A4B-F2CA-473E-8626-152345147D0d} - C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {30190B43-04D9-C440-448E-829D16441BDD} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {36AF21DF-D679-B43F-B833-1B8B32042C10} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {5142587F-1132-66DF-711D-A2A3619B8239} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {8184D44A-AF93-B911-8A29-C9625E847376} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {81E46840-9EAB-841F-CCFD-24640C87B28D} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {8D812281-C81D-9A66-0521-68B0AF9BCB55} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {AB8984E2-D5E3-1DDD-8351-94B8B5F153DA} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {CE186A18-CA5E-929C-5F18-01B7311EB87E} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {E48110B6-7007-B9AD-B849-3C6D6DA29676} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O2 - BHO: ec7dd4e7 - {F59F8FD7-64CE-4732-F9C3-B711D4C43843} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
    O4 - HKCU\..\Run: [UHIJJnghFrId] C:\ProgramData\UHIJJnghFrId.exe

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\Users\Jeremiah\AppData\Local\{35AA8283-8AF0-4A95-A373-D58F423D329B}
    C:\Users\Jeremiah\AppData\Local\{5E80D98B-743F-4EB1-9348-AA2D514DC4A9}
    c:\users\Jeremiah\AppData\Local\{32BAAE3A-886D-46A4-ADF2-42B79A698B4A}
    c:\users\Jeremiah\AppData\Local\dxhr
    C:\Users\Jeremiah\Desktop\dhr
    c:\users\Jeremiah\AppData\Local\ALI213
    c:\users\Jeremiah\AppData\Local\28070
    
    Driver::
    Themes32
    
    File::
    C:\Windows\SysWOW64\1721799621
    C:\Windows\SysWOW64\9c0e84b21270C.manifest
    C:\Windows\SysWOW64\9c0e84b21270O.manifest
    C:\Windows\SysWOW64\9c0e84b21270P.manifest
    C:\Windows\SysWOW64\9c0e84b21270S.manifest
    C:\Windows\SysWOW64\tmp.txt
    C:\Windows\system32\tmp.txt
    C:\Windows\system32\9c0e84b21270C.manifest
    C:\Windows\system32\9c0e84b21270O.manifest
    C:\Windows\system32\9c0e84b21270P.manifest
    C:\Windows\system32\9c0e84b21270S.manifest
    C:\ProgramData\~42786552
    C:\ProgramData\~42786552r
    C:\ProgramData\711cw4r6q5ajfu8xk
    C:\ProgramData\42786552
    C:\ProgramData\4c8e83b5
    C:\Users\Jeremiah\AppData\Roaming\Microsoft\Windows\Templates\711cw4r6q5ajfu8xk
    C:\Users\Jeremiah\AppData\Local\711cw4r6q5ajfu8xk
    C:\ProgramData\UHIJJnghFrId.exe
    C:\Users\Jeremiah\AppData\Roaming\2282.7E8
    c:\windows\system32\compobj32.exe
    c:\users\Jeremiah\AppData\Roaming\GetValue.vbs
    c:\users\Jeremiah\AppData\Roaming\SetValue.bat
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UHIJJnghFrId"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01437A4B-F2CA-473E-8626-152345147D0d}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30190B43-04D9-C440-448E-829D16441BDD}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36AF21DF-D679-B43F-B833-1B8B32042C10}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5142587F-1132-66DF-711D-A2A3619B8239}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8184D44A-AF93-B911-8A29-C9625E847376}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81E46840-9EAB-841F-CCFD-24640C87B28D}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D812281-C81D-9A66-0521-68B0AF9BCB55}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB8984E2-D5E3-1DDD-8351-94B8B5F153DA}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE186A18-CA5E-929C-5F18-01B7311EB87E}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E48110B6-7007-B9AD-B849-3C6D6DA29676}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F59F8FD7-64CE-4732-F9C3-B711D4C43843}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    Have the redirects stopped? Also answer any other questions I asked, please. :)
     
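    The O2/O4 lines quoted in the post above share a few tells that a helper reads off by eye: the BHO's DLL is reported as missing, it lives under C:\ProgramData rather than a program directory, its file name imitates a Windows API-set DLL (api-ms-win-*), and the display name is empty or an eight-hex-digit string. The following Python script is an added example, not part of this thread or of HijackThis; it parses HijackThis-style O2 (BHO) and O4 (Run key) lines and reports which of those traits each entry shows. The sample log embeds the lines from the post plus one constructed benign BHO line (placeholder CLSID and path) so the filter has something to let through; the reason strings and the user-writable-directory markers are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: O2/O4 lines copied from the helper's post above, plus one
# constructed benign O2 line (placeholder CLSID and path) that should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01437A4B-F2CA-473E-8626-152345147D0d} - C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll (file missing)
O2 - BHO: ec7dd4e7 - {30190B43-04D9-C440-448E-829D16441BDD} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
O2 - BHO: ec7dd4e7 - {36AF21DF-D679-B43F-B833-1B8B32042C10} - C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll (file missing)
O4 - HKCU\..\Run: [UHIJJnghFrId] C:\ProgramData\UHIJJnghFrId.exe
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

# O2 - BHO: <name> - {<CLSID>} - <path> [(file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r" - (?P<path>.*?)(?: \((?P<flag>file missing)\))?$"
)
# O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$"
)

# Directory markers (lower-cased) that an ordinary user can write to; chosen for this example.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\")


@dataclass
class Finding:
    kind: str            # "BHO" (O2 line) or "Run" (O4 line)
    name: str            # display name (BHO) or value name (Run)
    location: str        # CLSID for a BHO, hive\..\key for a Run entry
    path: str            # file the entry loads or executes
    reasons: list = field(default_factory=list)   # empty list means nothing suspicious


def _reasons_for(kind, name, path, file_missing):
    """Return the list of suspicious traits shown by one entry."""
    reasons = []
    lpath = path.lower()
    base = PureWindowsPath(path).name.lower()
    if file_missing:
        reasons.append("target file missing (dangling registration)")
    if any(marker in lpath for marker in USER_WRITABLE):
        reasons.append("loads from user-writable data directory")
    if kind == "BHO" and base.startswith("api-ms-win-"):
        # Windows API-set DLLs are never registered as browser helper objects.
        reasons.append("name mimics a Windows API-set DLL")
    if kind == "BHO" and (name == "(no name)" or re.fullmatch(r"[0-9a-f]{8}", name)):
        reasons.append("empty or random-looking display name")
    return reasons


def triage_hjt(text):
    """Parse O2/O4 lines from a HijackThis-style log and attach reasons to each entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            f = Finding("BHO", m["name"], m["clsid"], m["path"])
            f.reasons = _reasons_for("BHO", f.name, f.path, m["flag"] is not None)
            findings.append(f)
        elif m := O4_RE.match(line):
            f = Finding("Run", m["name"], f"{m['hive']}\\..\\{m['key']}", m["path"])
            f.reasons = _reasons_for("Run", f.name, f.path, False)
            findings.append(f)
    return findings


def flagged(text):
    """Only the entries that show at least one suspicious trait."""
    return [f for f in triage_hjt(text) if f.reasons]


def report(text):
    """Human-readable summary of the flagged entries, one block per entry."""
    lines = []
    for f in flagged(text):
        lines.append(f"[{f.kind}] {f.name} -> {f.path}")
        lines.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    Run on the sample, the four entries from the post are flagged (the ProgramData BHOs on all four counts) and the constructed benign helper passes. The heuristics deliberately overlap: a single trait such as "file missing" can be left over from a clean uninstall, so the value of the output is in how many traits stack up on one entry and whether several entries share the same DLL path, as they do here.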
  5. personman

    personman Private E-2

    Alright, I have run Combofix with the script and uninstalled Java. Downloading the up to date software as I type.

    I have noticed a couple of minor things: I customize my start menu to include the run command, but every time I reboot it disappears, but I think that has to do with combofix. Firefox also likes to pin itself to the taskbar when I specify nothing to do anything of the sort, and actually shutting down the computer is what is strange rather than start up. Every time I shut down an unspecified program is apparently holding it up and I have to tell it to force shut down despite the fact that no programs are listed.

    Other than that, things seem fine. Also like before I did a search and the first three times I entered a site were fine. After that the redirects began.

    Also concerning combofix it is still saying avira is running even though it currently isn't installed. I'm wondering if that may be what is preventing this from being fixed. I figured so long as I rebooted after uninstall there would be no problems, perhaps there's another step I'm skipping?
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete these folders:

    c:\users\Jeremiah\AppData\Local\{32BAAE3A-886D-46A4-ADF2-42B79A698B4A}
    c:\users\Jeremiah\AppData\Local\{35AA8283-8AF0-4A95-A373-D58F423D329B}
    c:\users\Jeremiah\AppData\Local\{5E80D98B-743F-4EB1-9348-AA2D514DC4A9}

    Delete these files:

    c:\users\Jeremiah\AppData\Roaming\GetValue.vbs
    c:\users\Jeremiah\AppData\Roaming\SetValue.bat

    Does just Mozilla Firefox redirect or does another browser do the same?
     
  7. personman

    personman Private E-2

    Done, but I'm afraid the issue persists. I checked to see if Internet Explorer had the same problem and it does as well.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have an MBR infection I think :(

    Do you have your Win 7 install disc? If not:

    Vista and Win7 Recovery disc


    To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

    1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
    7. Type Bootrec.exe, and then press ENTER.

    Then you can do this:

    Bootrec.exe /fixmbr
     
  9. personman

    personman Private E-2

    I've downloaded the iso for the 64bit version of the recovery disk and burned it with IMGburn but I can't seem to get the disk to boot. I'm asked to format the disk each time I try to boot it manually so I'm going to try formatting a fresh disk and burning it afterwards with IMGburn. If that will even make a difference, I have not had to use cds much before.

    I'm hoping then it will boot properly on start up.
     
  10. personman

    personman Private E-2

    Sorry to double post but in my haste I didn't realize I downloaded the image for Vista when I am actually running Windows 7. The link provided unfortunately has its download link to the torrent suspended due to copyright reason, whatever they may be.

    I suppose I could search for an image on my own via BTjunkie or Piratebay but to be honest I'm hesitant to do so seeing as I have no proper protection right now.
     
  11. personman

    personman Private E-2

    Just to keep you updated.

    Ended up finding a site that had the iso for windows 7 and I decided to take a chance and download it. Looked legit enough and burned it. I also finally remembered to switch the boot priorities to the dvd drive and ran the commands to fix the mbr. Said it did so and I rebooted and reset the priorities back to my hard drive. Unfortunately now I get a blue screen that flashes in a split second and request I run a start up repair or start windows normally. All attempts to choose the latter have had the same result so I went through with the repair and it is currently going through the motions.

    This is the place I found the iso: http://digiex.net/downloads/downloa.../2660-windows-7-64-bit-x64-recovery-disc.html

    Hopefully I haven't dug myself a bigger hole.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let me know how you get on!
     
  13. personman

    personman Private E-2

    As of now I cannot boot my main computer. The start up repair simply states that it cannot repair the problem. If this has to do with anything I went to the command prompt through the repair disk and entered bootrec/osscann and it reported finding no operating systems.
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Oh this is not good news at all. I am currently seeking advice. Hang in there.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm afraid I am going to have to refer you onto the software forum at this point. Feel free to post there for advice explaining what has happened and then you can always return here to come back for malware removal at a later date. :)
     