Internet redirects

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BCPInc, Jul 14, 2010.

  1. BCPInc

    BCPInc Private E-2

    Hi Geeks,

    I've come for some advice. This is for a customer if that makes a difference here, XP Home 32-bit.

    I've done a remote virus removal on her laptop, and still am unable to get rid of internet redirects, except in Google Chrome; that browser is fine.

    I have uninstalled IE and Firefox (which I installed to test out another browser), rescanned (clean) and re-installed, and the first couple of clicks is ok, then it's back to the redirects.

    It is giving a mouse-over of 'http://adwords.myonlinesecure.com/...', and Malwarebytes (running in auto-protect) is blocking it.

    Almost exclusively from safe mode, I've run SUPERAntiSpyware, Malwarebytes, Avira, Spybot, ComboFix, Kaspersky, rkill, MS Malicious Software Removal Tool, as well as GMER. Have not run RootRepeal or MGTools, but did run HijackThis, and didn't notice anything (but I'm no expert with HJT). CCleaner has been run several times along the process.

    Please help if you can, I'd like to get this one done, and am stumped right now.

    I am not connected with the customer now, and will likely be later today, so whatever info is needed, logs, etc... let me know, and when I get connected I will take care of that and get them posted.

    Thanks.
     
  2. BCPInc

    BCPInc Private E-2

    Ok, here are the logs for all the scans.

    Still having the issue. After running the scans as directed, it takes about 3 or 4 clicks before the redirects start happening again. Then a mouse over shows 'http://adwords.myonlinesecure.com/...'
     


  3. BCPInc

    BCPInc Private E-2

    last log ...
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your infection is in your Master Boot Record (MBR).

    I need to ask some questions:
    1. Do you have any drives that have a non-Windows installation on them?
    2. Are all drives NTFS formatted
    3. Do you have any non-standard or special MBRs which can occur from companies like Dell or HP who frequently install additional partitions used for recovery partitions in lieu of giving CD/DVDs.
    4. Is any program like GRUB (see: http://www.gnu.org/software/grub/ ) being used?
    5. Is drive-encryption being used?
    6. Are any drives external USB pen drives or external hard drives being used?
    7. VERY IMPORTANT: Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.
     
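    The diagnosis above rests on what the first sector of the disk contains, and questions 1-3 are about the partition layout recorded in that same sector. The script below is an added example for readers of this thread, not a tool posted by Kestrel13! or BCPInc: it parses a 512-byte MBR, verifies the 0x55AA boot signature, decodes the four partition entries, and compares the 440-byte boot-code region against a known-good SHA-256 baseline, which is how a bootkit that overwrites the boot code (as MeBroot does) shows up on a clean-versus-current comparison. The two sample sectors, the stand-in boot code bytes and the baseline hash are constructed here and are not from the customer's laptop; `read_first_sector` only shows where a real baseline would be read from and is never invoked.

```python
"""Offline MBR sanity check (added example, constructed data).

Parses a 512-byte master boot record, checks the boot signature, decodes
the partition table and compares the boot-code region with a baseline
hash taken from a known-clean sector.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # classic MBR: boot code lives in bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries at bytes 446..509
SIGNATURE_OFF = 510      # 0x55 0xAA at bytes 510..511


def read_first_sector(device_path):
    """Read sector 0 from a raw device (needs admin/root; not called here).

    Typical paths: r'\\\\.\\PhysicalDrive0' on Windows, '/dev/sda' on Linux.
    """
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def parse_partitions(sector):
    """Return one dict per non-empty entry in the MBR partition table."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,          # 0x07 = NTFS/HPFS/exFAT, 0x0B/0x0C = FAT32, ...
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def check_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means the sector looks clean."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    boot_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if boot_hash != baseline_sha256:
        findings.append("boot code differs from baseline (sha256 %s...)" % boot_hash[:16])
    parts = parse_partitions(sector)
    if not parts:
        findings.append("no partitions defined")
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions flagged, expected 1" % len(bootable))
    return findings


def build_sample_mbr(boot_code):
    """Constructed test sector: given boot code plus one bootable NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # entry 0: active (0x80), type 0x07, starts at LBA 63, ~10 GiB of sectors
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20971457)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Stand-in boot code bytes for the two constructed sectors (not a real MBR dump).
CLEAN_BOOT_STUB = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
HOOKED_BOOT_STUB = b"\xea\x00\x7c\x00\x00" + b"\x90" * 6   # far jump into hook code

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_STUB)
INFECTED_MBR = build_sample_mbr(HOOKED_BOOT_STUB)
# Baseline recorded from the known-clean sector (on a real machine: before infection,
# or from an identical known-good install).
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, parse_partitions(sector), check_mbr(sector, BASELINE_SHA256))
```

    Note that a baseline comparison only works if the hash was taken from a sector you trust, and that a kernel-resident bootkit can return a clean copy to a user-mode reader; tools such as GMER's mbr.exe therefore read the sector through more than one path and compare the results, which an offline script like this cannot do on its own.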
  5. BCPInc

    BCPInc Private E-2

    Hi Kestrel13!,

    This is a customers laptop. It is a Gateway, no partition, just a c:.
    No non-Windows drives, all NTFS, no GRUB or drive encryption. No USB drives. Customer is backing up data as we speak (I just got off the phone with her), and is fine with losing everything on this machine if that happens.

    Their ISP was flagging the account as having the MeBroot/Torpig virus. They have a desktop and laptop on their network (sharing an internet connection only). The desktop was also infected (not sure if the MeBroot/Torpig was on that one or not), and we ultimately did a 'fixmbr \device0' 'fixboot c:' through Windows Recovery on that machine. I have actually posted logs (last night in a new thread) for their desktop to be sure it is now clean.

    I have attached the email sent by the ISP provider this morning informing them of the infection.

    Thank you for your time and willingness to help, I greatly appreciate this.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Oh I see...

    This user is NOT using any anti virus! They need to install some after all this is over.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected MBR (the latter not recommended).

    Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
    Close out all other open programs and windows.
    Double click the file to run it and follow any prompts.
    If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    Upon restarting, please wait about 5 minutes, click Start>Run and type the following command, then hit Enter: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.


    Relates to inside Chat spy I believe. Did the user knowingly install this software? Let me know!

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware, etc.) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\Temp\$$$dq3e
    C:\WINDOWS\Temp\$67we.$
    
    DirLook::
    c:\documents and settings\LocalService\Local Settings\Application Data\ICS
    c:\documents and settings\Emily\Local Settings\Application Data\ICS 
    c:\documents and settings\All Users\Application Data\AMMYY
    
    Folder::
    C:\Documents and Settings\HelpAssistant
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. Also attach the new SAS log and the log from HelpAsst_mebroot_fix.exe

    Make sure you tell me how things are working now!
     
  7. BCPInc

    BCPInc Private E-2

    I have installed Malwarebytes for her.

    No, we can remove this.

    It seems the internet redirects are completely gone. The mbr fix did the trick.
    Thank you for your support, if you could let me know how to delete the ICS I'd appreciate it.

    Here are the final logs.
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Malwarebytes is NOT an anti virus ;)

    Right then, let's see if these last few items go quietly to save us running combofix again.

    Delete the whole folder.

    Delete those bold folders as well.

    Glad to hear it!

    You're most welcome.

    If those items delete with no issue then I shall give you final steps in my next post.
     
  9. BCPInc

    BCPInc Private E-2

    Kestrel13!,

    Thanks for all the help. A couple things for clarification, please.

    1) Malwarebytes running in auto-protect mode, alone is not sufficient for antivirus protection? If so, then would SAS, Norton, McAfee, Avast, or AVG be appropriate complements to Malwarebytes?
    I personally run Norton 360 and Malwarebytes, but have sort of thought the Norton was unnecessary with Malwarebytes on there in auto-protect mode. As I'm in the business, a brief explanation as to why would be hugely appreciated. I'm soaking up applicable knowledge in these forums like a sponge right now!

    2) As to deleting the folders, I'm certainly not averse to running ComboFix again. Maybe we should just go ahead and script it, and if trying to delete the folders manually isn't successful, then I can run ComboFix on 'em without the wait and time of another post (I know you are busy and giving of your time freely here).

    I am going to be connecting with the customer on Monday morning to finish up, and would like to have this be the final step for her. I had her toggle system restore on and off last night, with a reboot in the middle. I then had her set a manual system restore point, so that has already been done, but can be repeated after all this is finished if you feel it is appropriate to do so.

    Again, thank you for your help, being a volunteer it is even more so appreciated.

    BCP, Inc.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No! MBAM is antispyware not anti virus.

    Yes, I personally use avast, and have both the free versions of MBAM and SAS.

    Norton has got better lately but I think it's still quite a big resource hog.
    Just see if they go quietly with a manual deletion and let me know after a reboot whether they still exist or not.

    Shouldn't have done that until we are properly finished here.

    You're welcome. :)
     
