internet explorer page not found redirected to wbr4.com, etc.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by unblock, Mar 31, 2007.

  1. unblock

    unblock Private E-2

    i got infected with malware but my usual arsenal was largely up to the task.

    however, there is one remaining effect, which is:

    internet explorer works properly for normal searches; but, if i type in something that's way off, e.g., "http://qwert/", it redirects me to a sex site like wbr4.com.

    i believe i have followed the rules and here are the files:


    more to follow in a reply....
     


  2. unblock

    unblock Private E-2

    more files...


    thanks in advance!

    unblock

    [edited to correct files]
     


    Last edited: Mar 31, 2007
  3. unblock

    unblock Private E-2

    in case it's not clear, i ran panda, it found no errors.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where is your log from CounterSpy?

    Also, you ignored step 3 in the READ ME. You must uninstall AVG Antivirus or McAfee. You cannot have both installed.

    Also, are CounterSpy and AVG Antispyware the free trial versions from the READ ME? If so, after attaching the log from at least one of them, uninstall them to avoid conflicts with Windows Defender, which you have installed.

    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44F9F417-849A-4C27-B8F9-E7E5B46CD0D6}: NameServer = 85.255.114.197,85.255.112.159
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD8457F-BAAC-4A46-9D50-8D73E7CEC197}: NameServer = 85.255.114.197,85.255.112.159
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD2B464B-DB63-4C3C-AF90-04C1BFA686BB}: NameServer = 85.255.114.197,85.255.112.159
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.197 85.255.112.159
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.197 85.255.112.159

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
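    The O17 NameServer lines above are the signature of a DNS hijack: the machine's resolvers were pointed at servers the user never configured, so mistyped hostnames resolve to whatever the rogue resolver chooses. The following is an added example (not code from the thread or from HijackThis) that parses O17 entries from a HijackThis-style log and flags resolvers outside an expected set; the log text is constructed from the entries quoted in the thread, and EXPECTED_RESOLVERS is an assumed allowlist.

```python
import ipaddress
import re

# Constructed sample modelled on the O17 entries quoted in the thread, plus benign lines.
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{44F9F417-849A-4C27-B8F9-E7E5B46CD0D6}: NameServer = 85.255.114.197,85.255.112.159
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.114.197 85.255.112.159
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
"""

# Assumption: the resolvers this machine is expected to use (home router plus a placeholder
# ISP resolver in documentation address space).
EXPECTED_RESOLVERS = {"192.168.1.1", "192.0.2.53"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(line):
    """Return (registry_key, [server, ...]) for an O17 NameServer line, else None.
    HJT prints the list comma- or space-separated (both forms appear above), so split on either."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return m.group("key"), servers


def find_rogue_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """Flag every O17 entry naming a resolver outside the expected set.
    A public address you never configured is the classic DNS-hijack indicator."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for s in servers:
            if s in expected:
                continue
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((key, s, "unparsable address"))
                continue
            reason = "unexpected public resolver" if ip.is_global else "unexpected resolver"
            findings.append((key, s, reason))
    return findings
```

    Run against a real HJT log, every finding should be cross-checked against the DNS servers your ISP or router actually hands out before fixing the entry.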
  5. unblock

    unblock Private E-2

    before your reply, i read some other threads about understanding hjt output and i screwed up the courage (and took the backups!) to fix it myself. once i looked closely at the hjt output, the "name server" lines jumped out at me; that had to be a dns redirect. a google on those ip addresses confirmed it.

    so i "fixed" those lines and a couple of the r0 lines and that solved the problem, at least in the sense that it wasn't redirecting me to sex sites. whaddya know, even a blind pig can stumble across an ear of corn....

    i hadn't saved any logs other than what i posted, so what's there is all i gots.

    i have uninstalled counterspy and avg, removed old java and installed the latest java.

    i have attached the 3 files you requested.

    all looks good on my end. if it all looks good to you i will cycle system restore.

    thanks!

    unblock
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is free of malware. The below item from Yahoo did not get fixed for some reason. This sometimes happens if browsers are open or if an antivirus or antispyware program blocks the change. It is not worth worrying about though.

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
