Redirect issues (cont. from PC crashes to restart)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by thedon01, Nov 2, 2011.

  1. thedon01

    thedon01 Corporal

    I had random crashes to restart and made a thread about the issue. I ended up reformatting and the problem has gone away. Now I have redirect issues such as a simple Google search resulting in a redirection to fake sites, virus-infested sites, and advertisement sites. It usually takes 3 or 4 tries before I get the actual site I want.

    I followed the redirect procedures in the dedicated thread and still have the problems.

    My PC is a Gateway
    Pentium 4 3.00GHz
    3GB RAM (4GB installed)
    150GB internal HD
    3 external WD hard drives titled M:, P:, Q:, with Q: having MBR issues.

    The Q drive was attached during the scan per request and all logs except for MGtools are attached in the following posts. When double clicking on the MGtools.exe a window loads for a brief second and then disappears, too quick to identify what's in the window.
     

  2. thedon01

    thedon01 Corporal

    root repeal and combofix
     

  3. thisisu

    thisisu Malware Consultant

    Hi don,

    I will review your logs.
     
  4. thisisu

    thisisu Malware Consultant

    Can you complete the below: Make sure the Q: external drive is attached to the PC!!!!

    Basically I want you to perform the below with the same exact devices attached when you ran the latest scan with MBRCheck!!

    If you do not have your Windows XP CD, you can create one with the Recovery Console.
    • Download the ISO file from the below link:
    • Then burn this file to a CD as a disk image file. Do not just copy/burn the file to the CD as a data disk. This will not make a bootable CD.
    • Then see if you can boot from this CD and get into the Recovery Console. See the second section in the below link where it says How to use the Recovery Console
    • If you can get to the command prompt of the Recovery Console, type the below command
      • fixmbr \Device\HardDisk2
    • and then hit enter. Note that there is a space after the fixmbr and note the direction of the \
    • After it finishes type exit to reboot and remove the CD to allow Windows to boot normally.
    If you were able to run fixmbr, rerun MBRCheck and attach a new log. Also tell me how things are working.

    Note if you are unsure how to burn an image file see the below link which has some additional details:



    Also, attach MGlogs.zip after you perform the above.
     
  5. thedon01

    thedon01 Corporal

    So at what point do I run the MGtools.exe, or did it already run? I thought the brief pop-up meant the program didn't run correctly?
     
  6. thisisu

    thisisu Malware Consultant

    Sorry I missed that you were having issues running MGtools. Focus on the FIXMBR instructions first. The below can wait.

    Please download OTL by Old Timer to your desktop.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      netbios.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
     
  7. thedon01

    thedon01 Corporal

    I followed your directions on the fixmbr, but I had the same problems that happened when chas directed me to.
    After typing "fixmbr \Device\HardDisk2" I received "the old master boot record cannot be read".

    I did run the other OTL scan and attached the results.
     

  8. thisisu

    thisisu Malware Consultant

    There are a few things to clean up from your OTL logs. MBR is more important though. Do you still have your data backed up from Q:\? Please make sure you do before proceeding! Very important!

    Not sure if this will even work but worth a try I think.

    Download Hiren to your desktop. - 535.21 MB (561208675 bytes)
    Burn the Hiren's.BootCD.15.0.iso to a blank CD-R as an image, using software such as ImgBurn.
    Now boot off of this CD...
    I made a short video for the rest of the procedure as I think it would be easier for you to follow: http://www.youtube.com/v/PFup_ytGPsg&hl=en_US
    Reboot your PC using the HDD (not the CD again), and rerun MBRCheck so we can see if it's any different.
     
  9. thedon01

    thedon01 Corporal

    Yes I do, I will follow through with the directions and let you know as soon as I complete it.
     
  10. thedon01

    thedon01 Corporal

    Having a little difficulty seeing the steps in the video. I understand Dos programs > 9 > 1 > 8 > 3, but after that point I'm confused. I think it extracts, then Mouse Driver > Auto > US > extracts again > mbr 2 /install std > enter. Am I correct?
     
  11. thisisu

    thisisu Malware Consultant

    Correct
     
  12. thedon01

    thedon01 Corporal

    I don't think it worked. After typing mbr 2 /install std I got the result "hdnum out of range (0-0)".
     
  13. thisisu

    thisisu Malware Consultant

    The program must only be able to detect and repair the MBR on harddisk0 (In this case, your OS drive).

    Give me a while to think of some other ways we can go about this.
     
  14. thedon01

    thedon01 Corporal

    Sounds good, but I'm trying to understand this; is the problem isolated to the external Q drive or related to the C drive with the OS?
     
  15. thisisu

    thisisu Malware Consultant

    From what I can tell at the moment, the problem seems to be with the Q: external drive only.

    Make sure your external drive is attached to the system before attempting the below:


    Boot back into the Windows XP Recovery Console and then type the following command: fixboot Q:
    Now press ENTER
    You should receive a message similar to the below:
    Type y for yes and press Enter.
    If you receive the below message:
    Retry typing in fixmbr \Device\HardDisk2 and pressing ENTER. Let me know if the same "the old master boot record cannot be read" persists or if you got a different message.
     
  16. thedon01

    thedon01 Corporal

    In Windows Recovery Console I'm asked "which windows installation would you like to log onto" and the only option present is 1: C:\WINNT. (Not sure if that is relevant or not.)

    As I select 1 I'm prompted to type in a command. I typed fixboot Q: and received "FIXBOOT cannot find the system drive, or the drive specified is not valid". I typed exit and rebooted.
     
  17. thisisu

    thisisu Malware Consultant

    Normal. Yes, press 1 and press ENTER.

    When you are at the command prompt, type in the following command: map

    Type the results of what appears in your next message.
    Should be something like this:
    (screenshot of example map output, not reproduced here)
     
  18. thedon01

    thedon01 Corporal

    I'm on a second PC at the moment and keeping the Windows Recovery Console up and running on the infected PC.

    After typing map I received:
    D: NTFS 476930MB \Device\Harddisk0\Partition1
    C: NTFS 152626MB \Device\Harddisk5\Partition1
    A: \Device\Floppy0
    I: \Device\CDRom0
    J: \Device\CDRom1
    K: \Device\CDRom2
     
  19. thisisu

    thisisu Malware Consultant

    type the following command: fixboot D:
    Now press ENTER
    You should receive a message similar to the below:
    Type y for yes and press Enter.
    If you receive the below message:
    Retry typing in fixmbr \Device\HardDisk0 and pressing ENTER. Let me know if the same "the old master boot record cannot be read" persists or if you got a different message.
     
  20. thedon01

    thedon01 Corporal

    the target partition is D: Are you sure you want to write a new bootsector to the partition D:?
     
  21. thisisu

    thisisu Malware Consultant

    Refresh this page, I updated my post for the rest of the instructions
     
  22. thedon01

    thedon01 Corporal

    the file system on the start up partition is NTFS. FIXBOOT is writing a new boot sector. The new boot sector was successfully written.
    C:\WINNT>fixmbr \Device\HardDisk0
    **CAUTION**
    This computer appears to have a non-standard or invalid master boot record.
    FIXMBR may damage your partition tables if you proceed
    This could cause all the partitions on the current hard disk to become inaccessible.
    If you are not having problems accessing your drive, do not continue.
    Are you sure you want to write a new MBR?
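    For readers who want to see what "non-standard or invalid master boot record" can mean concretely, the following is an added Python example; it is not from this thread, from MBRCheck, or from the Recovery Console. It builds a constructed 512-byte MBR image, checks the structural things a repair tool looks at (the 0x55AA boot signature, partition status bytes, the number of active partitions, overlapping or empty entries, an all-zero boot-code area) and fingerprints the boot-code bytes so they can be compared against a baseline taken when the disk was known good. It works on a byte string, not a live disk, and all function names are my own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446                      # four 16-byte partition entries live here
PART_ENTRY = struct.Struct("<B3sB3sII")      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(status=0x80, ptype=0x07, start_lba=63, sectors=2048,
                     signature=BOOT_SIGNATURE, boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c"):
    """Constructed sample MBR: a few boot-code bytes and one partition entry.
    The parameters exist only so the checks below can be exercised with bad values."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    entry = PART_ENTRY.pack(status, b"\x01\x01\x00", ptype, b"\xfe\xff\xff", start_lba, sectors)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[510:512] = signature
    return bytes(sector)


def parse_partition_table(sector):
    """Decode the four partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = PART_ENTRY.unpack(sector[off:off + 16])
        entries.append({"index": i, "status": status, "type": ptype,
                        "start_lba": start, "sectors": count})
    return entries


def boot_code_fingerprint(sector):
    """SHA-256 of bytes 0..439: boot code only. The disk signature (440..445) and the
    partition table are excluded so the hash is comparable across disks."""
    return hashlib.sha256(sector[:440]).hexdigest()


def check_mbr(sector):
    """Return a list of findings; an empty list means the MBR is structurally sane.
    This is a sanity check, not a malware verdict: for that, compare
    boot_code_fingerprint() with a baseline recorded when the disk was known good."""
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if not any(sector[:440]):
        findings.append("boot code area is all zeros")
    entries = parse_partition_table(sector)
    bad_status = [e["index"] for e in entries if e["status"] not in (0x00, 0x80)]
    if bad_status:
        findings.append(f"invalid status byte in entries {bad_status}")
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    used = [e for e in entries if e["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    for e in used:
        if e["sectors"] == 0:
            findings.append(f"entry {e['index']} has zero length")
    spans = sorted((e["start_lba"], e["start_lba"] + e["sectors"], e["index"]) for e in used)
    for (_, end_a, i_a), (start_b, _, i_b) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"entries {i_a} and {i_b} overlap")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    print("good MBR findings:", check_mbr(good))
    print("boot code fingerprint:", boot_code_fingerprint(good)[:16], "...")
    print("no signature:", check_mbr(build_sample_mbr(signature=b"\x00\x00")))
    print("bad status byte:", check_mbr(build_sample_mbr(status=0x12)))
```

    The fingerprint deliberately stops at byte 440: the four bytes after it are the Windows disk signature, which legitimately differs per disk, so including them would make every disk look "changed". A structurally valid MBR whose fingerprint differs from the baseline is the case a tool like MBRCheck flags as non-standard.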
     
  23. thisisu

    thisisu Malware Consultant

    press Y for yes :)
     
  24. thedon01

    thedon01 Corporal

    Blue screen came up.

    a problem has been detected and windows has been shut down to prevent damage to your computer.

    if this is the first time you have seen this stop error screen, restart your computer. if this screen appears again, follow these steps:

    check to be sure you have adequate disk space. if a driver is identified in the stop message, disable the driver or check with the manufacture for driver updates. try changing video adapters.

    check with your hard drive vender for any BIOS updates. disable BIOS memory options such as caching or shadowing. if you need to use safe mode to remove or disable components, restart your computer, press F8 to select advanced start up options, and then select safe mode.

    technical information:

    *** STOP: 0X00000083 (0XC0000005, 0X8082B267, 0XF7024EDC, 0X00000000)
     
  25. thedon01

    thedon01 Corporal

    I take it that wasn't expected?
     
  26. thisisu

    thisisu Malware Consultant

    Did you get anything other than the Bluescreen after typing in fixmbr \Device\HardDisk0 and pressing Enter?

    Typically it should say "The new master boot record has been successfully written."

    Try rebooting the PC without the 500GB external hdd connected.

    Do you still get a bsod?
     
  27. thedon01

    thedon01 Corporal

    In all honesty I can't remember, but I thought so; the blue screen happened quickly after typing y.

    I rebooted the PC without the Q drive plugged in and it booted to desktop without problems.
     
  28. thisisu

    thisisu Malware Consultant

    It may have worked, only one way to find out.

    Plug in the external USB drive again while you're already in Windows.

    Now run a new MBRCheck scan and attach the new log.
     
  29. thedon01

    thedon01 Corporal

    Nope, still got the non-standard or infected MBR error, and when looking at the log results of the MBRCheck scan I see that Q switched from drive 2 in the first scan yesterday to drive 5 today. Why is that?
     

    Last edited: Nov 3, 2011
  30. thisisu

    thisisu Malware Consultant

    Good question, I don't know either.

    Unfortunately, I am out of new ideas. I would personally try the same procedure again and see if you can get it to complete without getting a BSOD. Since the Harddrive# appears to be changing frequently, I would reuse the map command to make sure you are targeting the harddrive with 465GB of space (your external) and retry the fixmbr \Device\HardDisk# command.

    I'll leave this here for chaslang or another Malware Fighter(s) to review and offer suggestions.

    Just so your answer is here in this thread, answer the below: Do you experience redirects while the 500GB external hard drive is NOT connected to the PC?
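    Because the disk number behind \Device\HardDisk# moves between boots in this thread (post 18's map output and the advice just above to re-check it by size), here is an added Python example, mine rather than anything posted in the thread, that parses Recovery Console map output, converts the MB figure to GiB so it can be matched against the size MBRCheck reports (465GB for the 500GB external drive here), and builds the corresponding fixmbr command without running it. The sample text is constructed from the map lines posted earlier; the function names are my own.

```python
import re

# Constructed sample input: the Recovery Console "map" output posted earlier in
# this thread (drive letter, file system, size in MB, NT device path).
SAMPLE_MAP_OUTPUT = r"""
D: NTFS 476930MB \Device\Harddisk0\Partition1
C: NTFS 152626MB \Device\Harddisk5\Partition1
A: \Device\Floppy0
I: \Device\CDRom0
J: \Device\CDRom1
K: \Device\CDRom2
"""

# One "map" line: letter, optional "<fs> <size>MB", then the \Device\... path.
MAP_LINE = re.compile(
    r"^(?P<letter>[A-Z]):\s+"
    r"(?:(?P<fs>\S+)\s+(?P<size_mb>\d+)MB\s+)?"
    r"(?P<device>\\Device\\\S+)$"
)
HARDDISK = re.compile(r"Harddisk(\d+)", re.IGNORECASE)


def parse_map(text):
    """Parse Recovery Console 'map' output into a list of volume dicts."""
    volumes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAP_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised map line: {line!r}")
        disk = HARDDISK.search(m.group("device"))
        volumes.append({
            "letter": m.group("letter"),
            "fs": m.group("fs"),                       # None for floppy / CD-ROM
            "size_mb": int(m.group("size_mb")) if m.group("size_mb") else None,
            "device": m.group("device"),
            "disk": int(disk.group(1)) if disk else None,
        })
    return volumes


def find_disk_by_size_gb(volumes, target_gb, tolerance_gb=2.0):
    """Return the Harddisk number whose volume size (MB -> GiB) lies within
    tolerance_gb of target_gb. Refuses to guess when zero or several disks
    match, because fixmbr against the wrong disk is not undoable."""
    matches = {v["disk"] for v in volumes
               if v["disk"] is not None and v["size_mb"] is not None
               and abs(v["size_mb"] / 1024 - target_gb) <= tolerance_gb}
    if len(matches) != 1:
        raise LookupError(f"expected one disk near {target_gb} GiB, found {sorted(matches)}")
    return matches.pop()


def fixmbr_command(disk_number):
    """Build the Recovery Console command for the chosen disk (string only, nothing is executed)."""
    return rf"fixmbr \Device\HardDisk{disk_number}"


if __name__ == "__main__":
    vols = parse_map(SAMPLE_MAP_OUTPUT)
    for v in vols:
        size = f"{v['size_mb'] / 1024:.1f} GiB" if v["size_mb"] else "n/a"
        print(f"{v['letter']}: {v['device']:<32} {size}")
    external = find_disk_by_size_gb(vols, 465)       # MBRCheck's 465GB figure
    print("external drive ->", fixmbr_command(external))
```

    The 476930MB that map prints is 465.75 GiB, which is why MBRCheck shows the same 500GB-marketed drive as 465GB; matching on size with a small tolerance is therefore more reliable than trusting the Harddisk number from a previous boot.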
     
  31. thedon01

    thedon01 Corporal

    Yes, I receive redirects without the external 500GB (Q drive) connected.
     
  32. thedon01

    thedon01 Corporal

    Finally!!! I ran the scan again like instructed and this time the map resulted in HardDisk0 as the 500GB external Q drive. It wrote successfully and the scan is attached below. What's next lol?
     

  33. thisisu

    thisisu Malware Consultant

    Good job! :)

    Now let's try to remove the traces of malware I found in your OTL log.

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the text-field.
      Code:
      :processes
      killallprocesses
      :otl
      O3 - HKU\S-1-5-21-1409082233-764733703-682003330-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
      O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab (Java Plug-in 1.4.2)
      O37 - HKU\S-1-5-21-1409082233-764733703-682003330-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found
      [2011/10/31 23:01:05 | 000,000,000 | ---D | C] -- C:\WINNT\System32\1061
      [2011/10/25 00:29:39 | 000,000,000 | ---D | C] -- C:\WINNT\System32\3038
      [9 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
      [6 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
      [2011/10/26 16:17:04 | 000,000,000 | ---- | M] () -- C:\WINNT\System32\dvdtest10024.dat
      @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
      @Alternate Data Stream - 181 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
      @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
      :files
      sc config x10nets start= disabled /c
      xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
      C:\Windows\Tasks\At*.job
      :commands
      [purity]
      [clearallrestorepoints]
      [emptytemp]
      [resethosts]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
    • Now open OTL again and click the Quick Scan button
      Note: This automatically updates the OTL.txt log on your desktop.
    • Attach OTL.txt to your next message. (How to attach items to your post)

    Please download Windows Repair by Tweaking.com to your desktop.
    • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
    • Now open this folder and double-click Repair_Windows.exe.
    • Click the Start Repairs tab on the far right.
    • Click Custom Mode so there is a bullet in it.
    • Click the Start button (bottom right)
      Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
    • Click Unselect All
    • Put a checkmark in the following items:
      • Remove Policies Set By Infections
      • Repair Winsock and DNS Cache
      Note: Leave everything else unchecked
    • Put a checkmark in Restart System When Finished
    • Now click the Start button (bottom right)

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  34. thedon01

    thedon01 Corporal

    Still doing the LOP and Purity check?
     
  35. thisisu

    thisisu Malware Consultant

    Nope. Just quick scan button.
     
  36. thedon01

    thedon01 Corporal

    Here are the OTL scan logs. Is there a log for the Repair_Windows.exe program?
     

  37. thisisu

    thisisu Malware Consultant

    No there is not.

    A few of the files did not get removed due to part of the script I used. This should do it though.

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the text-field.
      Code:
      :otl
      [2011/11/03 10:10:00 | 000,000,460 | ---- | M] () -- C:\WINNT\Tasks\At1.job
      [2011/11/03 20:40:00 | 000,000,460 | ---- | M] () -- C:\WINNT\Tasks\At2.job
      [2011/11/03 17:11:00 | 000,000,460 | ---- | M] () -- C:\WINNT\Tasks\At3.job
      [2011/11/03 14:00:02 | 000,000,460 | ---- | M] () -- C:\WINNT\Tasks\At4.job
      [2011/10/31 23:01:05 | 000,000,346 | ---- | M] () -- C:\WINNT\Tasks\At5.job
      [2011/09/03 00:05:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2011/10/26 22:00:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
    • Now open OTL again and click the Quick Scan button
      Note: This automatically updates the OTL.txt log on your desktop.
    • Attach OTL.txt to your next message. (How to attach items to your post)

    Let me know how the PC is running afterwards
     
  38. thedon01

    thedon01 Corporal

    Here you go.
     

  39. thisisu

    thisisu Malware Consultant

    Logs are looking good. Let me know if you are still getting redirected whenever you get a chance.
     
  40. thedon01

    thedon01 Corporal

    So far so good, haven't had any issues. You're incredible. I can't thank you guys enough. Chaslang offered me some links on how to learn how to fight malware; I'm definitely going to give it a shot.

    I'm going to check it out for a day or so to make sure I don't have any problems and I'll get back to you.

    Thank you again for all your time and effort.

    2 questions:

    1. I noticed that on the P drive I had a virus/malware stuck in the system file information; what's the best way to remove it? I found the problem when scanning with spydoctor and I'm pretty sure I mentioned the infection in the original thread.

    2. Should I remove all the scan programs I downloaded?
     
  41. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well done Thisisu ;)
     
  42. thisisu

    thisisu Malware Consultant

    That's a great idea. You should see it through, IMO. It takes time and patience and a strong desire to learn but it's well worth it.
    Ok
    You're welcome.
    Chaslang answered:
    As chaslang stated, whenever you get to the very last clean-up steps, you will be asked to flush the restore points. Make sure you do this while that external hard drive is plugged in so you flush those restore points too. That will remove entries like the below you were talking about:

    P:\SYSTEM VOLUME INFORMATION\_RESTORE{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx}\RP151\A0023876.EXE
    P:\SYSTEM VOLUME INFORMATION\_RESTORE{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx}\RP151\A0023877.EXE


    I would wait at least a couple of days to make sure you are not experiencing any more problems with the redirects. Your logs are clean though. You can perform the below (which includes flushing system restore points) whenever you feel that you are not experiencing any more problems.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:

    Thank you :)
     
