Browser Redirect

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KenB2014, Jul 19, 2010.

  1. KenB2014

    KenB2014 Private First Class

    Began having issues yesterday with my browser being redirected.

    Ran all the "Read and Run Me First" steps and "Vista" for windows 7 32 bit.

    Could not get RootRepeal to install. Got an error message:
    FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000dc)
    DeviceIoControl Error! Error Code = 0x1e7
    FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000dc)

    During ComboFix, received error "SteelWerX Who Am I has stopped working." The rest of ComboFix completed ok.

    After this, some browser search results are still being redirected.

    Thanks.
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Open up the Malware Bytes program, hit the update tab > rescan after updated definitions > fix anything it may find and attach the log if it did.

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
    Still having redirects after running the above?
     
  3. KenB2014

    KenB2014 Private First Class

    Ran into some issues trying to complete the steps. Not sure why...I think I have everything set as directed in the tutorials.
    Running Windows 7 Pro-32 bit. Following Vista steps.

    Couldn't get Malware Bytes to update. Tried installing on another computer and the same problem:
    An error has occurred. please report this error code to our support
    team.
    MBAM-ERRoR-UPDATING (12007,0, winHttpSendRequest)

    Ran TDSSKiller and it did not report finding anything. The log is attached.

    Deleted all previous dated files in C:\Windows\Temp except couldn't delete:
    FxSAPiDebugLogFile.txt 7/19/2010 6:51 PM
    FXSTIFFDebugLogFile.txt 7/19/2010 6:51 PM

    Couldn't get access to C:\Users\Ken\Local Settings\TEMP:
    C:\Users\Ken\Local Settings is not accessible.
    Access is denied.

    Ran Getlogs.bat and attached the file
     

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Don't forget to address my question regarding the redirects ;)
     
  5. KenB2014

    KenB2014 Private First Class

    Sorry. I Thought I included that.

    Yes, no change. Still redirects.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, and this is happening with Internet Explorer, I take it, as I do not see Firefox installed. What happens when you use Firefox? Could you download it and try?

    Then - using IE in safe mode with networking... could you tell me if the redirects still occur?

    I am struggling to find the cause of them... let's try this:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\USERS\KEN\LOCALS~1\TEMP\3580722.OD
    C:\USERS\KEN\LOCALS~1\TEMP\CVRA33~1.CVR
    C:\USERS\KEN\LOCALS~1\TEMP\JET8381.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\JETA7B3.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\JETBEFA.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\MAR32C2.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\MAR32D3.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\MARA1E9.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\MARA219.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\MARC32F.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\MARC39D.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DF0EA~1.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DF0FB~1.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DF531~1.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DF613~1.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DF84C~1.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DF892~1.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DFB93~1.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DFCF9~1.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DFE4F~1.TMP
    C:\USERS\KEN\LOCALS~1\TEMP\~DFF07~1.TMP
    
    Folder::
    C:\USERS\KEN\LOCALS~1\TEMP\FREEDO~1
    C:\USERS\KEN\LOCALS~1\TEMP\LOW
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now this...

    Using ESET's Online Scanner

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. and also include the ESETScan.txt to your next reply.
     
  7. KenB2014

    KenB2014 Private First Class

    Installed Firefox - Still get browser redirects.

    Booted in safe mode with network - still get browser redirects.

    Ran ComboFix with updates and CFscript – log attached.

    Ran ESETS. Log attached. Drives other than the C drive have backups from various computers and nothing run from those drives.

    Ran GetLogs.bat. Log attached.


    Tested and still getting browser redirects.
    Tested Google and Yahoo search. It seems that the redirects are primarily with Yahoo search results and rarely within Google search results.
    Never get redirects if pasting URL from search results to go to site.

    Thanks.
     

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please copy that report to this thread
     
  9. KenB2014

    KenB2014 Private First Class

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\D: --> \\.\PhysicalDrive1
    \\.\E: --> \\.\PhysicalDrive2
    \\.\F: --> \\.\PhysicalDrive3
    \\.\G: --> \\.\PhysicalDrive4

    Size Device Name MBR Status
    --------------------------------------------
    698 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    698 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    1397 GB \\.\PhysicalDrive3 Windows XP MBR code detected
    1397 GB \\.\PhysicalDrive4 Windows XP MBR code detected


    Done! Press ENTER to exit...
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmmm, that showed no issues. Try resetting the router and flushing the DNS cache as follows:

    • On your local machine, open a command prompt.
    • Within the prompt, type ipconfig /flushdns.

    Still having redirects?
     
  11. KenB2014

    KenB2014 Private First Class

    Reset the router and did the DNS flush.
    No change in redirects.

    I am getting no Google search redirects. I was getting a few before today, but not consistently like with Yahoo.

    I am seeing a pattern this morning and maybe this may help. I'm not sure if this is different today or if this behavior is the same as the last few days.

    I use right click and "open a new tab" to go to a search result.
    Yahoo redirects occur the first time accessing a specific search result.
    The second time accessing that same site, the new tab does not redirect.
    It will redirect three times for a specific search, then I get directly to any subsequent pages from that same search.
    A new search phrase yields three new redirects.

    Example:
    If I do a search from Yahoo using a phrase, I see the above behavior.
    In that same search result window, deleting the history using Tools|Internet Options, does not reset the behavior and generate new redirects.
    If I close the browser, reopen and repeat the same search, I do not get new redirects. It seems that I used my three for that search phrase.
    If I delete one word in the search and do a new search on the remaining words of the previous search, I get three new redirects.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try uninstalling your Yahoo! Toolbar. Then run CCleaner...both the cleaner and the registry (making sure you back up when prompted). Then re-install the toolbar if you just have to have it. See if that helps.
     
  13. KenB2014

    KenB2014 Private First Class

    Uninstalled the Yahoo task bar, ran Ccleaner for both cleaner and registry.

    Did not reinstall the toolbar... it was installed as a tagalong on something else and I didn't have it selected under "View" since I never use it.

    Same redirect pattern.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download TDSSKiller from Kaspersky directly onto your Desktop

    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator.)
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  15. KenB2014

    KenB2014 Private First Class

    Ran TDSSKiller...log attached.

    Still the same Yahoo search browser redirects. Today, it sometimes redirects from Google search also.
     

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well that was disappointing. Do you have the same issues if you run in safe mode? Have you disabled all your add-ons and toolbars?
     
  17. KenB2014

    KenB2014 Private First Class

    Booted in safe mode with network. Started Internet Explorer (No add-ons)
    Still redirects.


    I just decided to widen my search and this just got more interesting...


    My wife's computer, an XP machine, has been getting redirects also since about the same time, but I figured it was because many people use it and I know some programs were installed and figured some malware tagged along. I was going to resolve my issue and then run removal on hers.

    For testing, I hooked up my netbook and it too has redirects. I don't use the browser at home, only connecting it to sync before travel. I was not getting redirects in the hotel last Wednesday and have not turned it on at home until just now. I have redirects the first time I tried it.

    I tried another desktop computer in the house and it is getting redirects.

    I just learned that a guest at our house is getting redirects on her laptop here, but it didn't do it at home.

    My son just tried his macbook pro using safari and he is getting redirects if using yahoo search.

    I just asked my daughter, and she has been getting redirects from search results.


    Can this be out on Charter Cable's network or related to my home network?
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It very well could be your router!! There is a little button on the bottom ( on most models ) to reset it to factory settings. Do that. You may then need to go back into it to set any special setting that you may have set up originally. But do that first and see if that doesn't take care of it.

    You can test this theory by connecting directly to your modem and if the redirects stop, then you know it is the router that is infected.
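    Added example (an editor's addition, not something any poster ran and not a MajorGeeks tool): the router test described above, done from the Windows side in Python. It pulls the default gateway and the DNS servers DHCP handed the client out of `ipconfig /all`, flags any resolver that is neither the router itself nor one you trust, and compares the answers for the same hostnames obtained through the router with those from a trusted resolver (for instance while cabled straight to the modem). The sample ipconfig text, both answer sets and the trusted-resolver address are constructed placeholders in documentation address ranges, and the function names are this example's own.

```python
"""Check whether an in-path router is tampering with DNS (added example).

Not a MajorGeeks tool and not something the posters ran. Two signals:
  1. the resolvers DHCP handed this client (from `ipconfig /all`): one that
     is neither the router nor a server you trust is suspicious;
  2. the same hostname resolved through the router and through a trusted
     resolver (e.g. while cabled to the modem): answers with no overlap
     point at the router or the DNS setting it pushes, not at one PC.
The sample ipconfig text and both answer sets are constructed; the
addresses are documentation-range placeholders, not real rogue servers.
"""
import re
import subprocess
import sys

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Windows prints "   Label . . . . : value"; the lazy group stops at the
# first run of spaces/dots that ends in a colon, so values may contain ':'.
LABEL_RE = re.compile(r"\s*(.+?)[ .]*:\s*(.*)$")

# Constructed sample of `ipconfig /all` on a Windows 7 client.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : KEN-PC

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed answers: {hostname: set of IPv4 strings}. VIA_ROUTER is what
# the router's resolver returned, VIA_TRUSTED what a trusted resolver did.
VIA_ROUTER = {
    "search.yahoo.com": {"203.0.113.77"},
    "www.majorgeeks.com": {"198.51.100.10"},
}
VIA_TRUSTED = {
    "search.yahoo.com": {"198.51.100.20", "198.51.100.21"},
    "www.majorgeeks.com": {"198.51.100.10"},
}


def parse_ipconfig(text):
    """Return (default_gateway, [dns_servers]) from `ipconfig /all` output.

    Extra servers appear on continuation lines holding only an address;
    IPv6 entries are skipped because the redirect test here is IPv4-only.
    """
    gateway, dns, current = None, [], None
    for line in text.splitlines():
        cont = IP_RE.fullmatch(line.strip())
        if cont:                                  # continuation line
            if current == "DNS Servers":
                dns.append(cont.group(1))
            elif current == "Default Gateway" and gateway is None:
                gateway = cont.group(1)
            continue
        m = LABEL_RE.match(line)
        current = m.group(1) if m else None
        if current in ("DNS Servers", "Default Gateway"):
            ip = IP_RE.search(m.group(2))
            if ip and current == "DNS Servers":
                dns.append(ip.group(1))
            elif ip and gateway is None:
                gateway = ip.group(1)
    return gateway, dns


def unexpected_resolvers(dns_servers, gateway, trusted):
    """Resolvers the client will use that are neither the router nor in
    the set you trust (your ISP's servers or a public resolver you chose)."""
    return [d for d in dns_servers if d != gateway and d not in trusted]


def dns_mismatches(via_router, via_trusted):
    """Hosts whose router answer shares no address with the trusted answer.

    Exact equality is deliberately not required: CDN-fronted sites return
    different addresses to different resolvers, but the sets normally
    overlap. A disjoint pair, like the Yahoo entry in the sample, is the
    signal.
    """
    bad = {}
    for host, trusted_ips in via_trusted.items():
        router_ips = via_router.get(host, set())
        if not (router_ips & trusted_ips):
            bad[host] = (sorted(router_ips), sorted(trusted_ips))
    return bad


if __name__ == "__main__":
    # On Windows read the live configuration; elsewhere use the sample.
    text = SAMPLE_IPCONFIG
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True).stdout
    gw, dns = parse_ipconfig(text)
    print("gateway:", gw, "resolvers:", dns)
    # 198.51.100.53 stands in for your ISP's resolver (placeholder).
    print("unexpected:", unexpected_resolvers(dns, gw, {"198.51.100.53"}))
    print("disjoint answers:", dns_mismatches(VIA_ROUTER, VIA_TRUSTED))
```

    To run it against a real box, populate the two answer dictionaries from `nslookup <host> <router address>` and `nslookup <host> <trusted resolver address>` and compare. A disjoint pair for a host that every other resolver agrees on, seen from every machine behind the router, is the symptom this thread describes and points at the router (or the DNS servers it hands out over DHCP) rather than at any one PC.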
     
  19. KenB2014

    KenB2014 Private First Class

    Cabled to the modem and no redirects.

    Tried resetting the router several times and thought it did, but no.
    Had to log in to the router and restored to factory settings and got a good reset.
    Problem solved! No more redirects on any machines now.

    A learning experience for me. I've cleaned many computers following your guides and usually don't need assistance. This one stumped me.

    I didn't realize that the router could be infected with malware.
    Is there a sticky or good thread about router issues?

    Thank you to everyone for your patience and great advice. It is appreciated.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. And no, there is not a sticky about router issues since this has just recently become a problem.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:

     
