another web page redirection/infection problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ks66046, Nov 23, 2011.

  1. ks66046

    ks66046 Private E-2

    I am having problems with websites, especially search results, redirecting to other pages. It also periodically opens Internet Explorer (even though I only use Firefox) to some random advertisement page such as 'thefutoncritic.com'. I was originally using Spybot Search and Destroy as malware protection but it wasn't able to detect anything. IE also shows a history of visited web pages such as 'baruvexowne.com' even though I haven't used it. A program in the task manager, iexplore.exe*32, is always running as well. I have followed the instructions in READ & RUN ME FIRST but I am still being redirected. SAS and Malwarebytes both showed nothing. Thanks in advance for any help you can give.
     


  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, ks66046!

    The above partition needs to be deleted as you are infected with one of the latest versions of TDL. It's also what is causing the excess iexplore.exe processes to run.
    ____________
    Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)
    Windows 7 64-Bit (x64) Recovery Environment

    Create two bootable CDs, 1 for Gparted and 1 for the Windows 7 Recovery Environment, from the ISO images. You can use ImgBurn to do this.

    Now boot off of the newly created Gparted CD.

    http://img829.imageshack.us/img829/5772/gpartedsplash.th.png
    You should be here...
    Press ENTER

    http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png
    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

    http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
    Choose your language and press ENTER. English is default [33]

    http://img140.imageshack.us/img140/7958/gpartedgui.th.png
    Once again, at this prompt, press ENTER

    You will now be taken to the main GUI screen below
    http://img32.imageshack.us/img32/1122/gpartedo.th.png
    According to your logs, the partition that you want to delete is 1.33 MB (1.33 MiB)
    Click the trash can icon to delete and then click Apply.

    You should now be here confirming your actions:
    http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

    Now you should be here:
    http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

    http://img194.imageshack.us/img194/7753/gpartedboot.th.png
    Is "boot" next to your OS drive? According to your logs, your OS drive is the 584.25 GB partition.

    If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

    In the menu that pops up, place a checkmark in boot like the picture below:
    http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

    Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.

    You should receive a small pop up like this:
    http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
    Choose reboot and then press OK.

    Now reboot from the Windows 7 Recovery Environment CD and execute the following commands:

    • bootrec /fixmbr
    • bootrec /fixboot
    • exit

    Once back in Windows.

    Download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Confirm the UAC prompt)
    • A window will open on your desktop
    • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Attach that file.
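The deletion above targets the tell-tale TDL-style layout: a very small partition planted on the disk (1.33 MiB in this thread) that carries the active/boot flag while the real OS partition does not. The following parser is an added example, not part of the thread or of MBRCheck or GParted: it reads a raw 512-byte MBR, decodes the four primary partition entries, and reports the heuristics a practitioner would check before reaching for a partition editor. The disk geometry, partition type ids and the shape of the "infected" sample sector are constructed for illustration; on a real machine you would read the sector from `\\.\PhysicalDrive0` as administrator (or `/dev/sda` as root) instead of calling `constructed_infected_mbr()`.

```python
"""Audit a raw MBR partition table for a tiny, active, end-of-disk partition.
Added example; thresholds and the sample sector are assumptions, not from the thread."""
import struct
from dataclasses import dataclass

SECTOR_BYTES = 512
MBR_SIGNATURE = b"\x55\xaa"
PT_OFFSET = 446                    # partition table starts after the 446-byte boot code
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartEntry:
    index: int                     # slot 0..3 in the primary partition table
    active: bool                   # status byte 0x80 marks the bootable partition
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_bytes(self) -> int:
        return self.sectors * SECTOR_BYTES

    @property
    def lba_end(self) -> int:      # exclusive end sector
        return self.lba_start + self.sectors


def parse_mbr(sector: bytes) -> list[PartEntry]:
    """Return the non-empty entries of the primary partition table."""
    if len(sector) < SECTOR_BYTES:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("0x55AA signature missing: not an MBR")
    entries = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue               # unused slot
        entries.append(PartEntry(i, status == 0x80, ptype, lba, count))
    return entries


def audit_partition_table(entries: list[PartEntry], disk_sectors: int,
                          tiny_bytes: int = 16 * 2**20) -> list[str]:
    """Heuristics, not proof. The 16 MiB threshold (an assumption) stays well below a
    Windows 7 System Reserved partition (about 100 MiB), which is legitimately active."""
    findings = []
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for e in entries:
        if e.active and e.size_bytes <= tiny_bytes:
            findings.append(f"slot {e.index}: tiny active partition "
                            f"({e.size_bytes / 2**20:.2f} MiB) at LBA {e.lba_start}")
        if e.lba_end > disk_sectors:
            findings.append(f"slot {e.index}: runs past the end of the disk")
    for a in entries:
        for b in entries:
            if a.index < b.index and a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                findings.append(f"slots {a.index} and {b.index} overlap")
    return findings


def _entry(active: bool, ptype: int, lba: int, count: int) -> bytes:
    # CHS fields are set to the usual "LBA-only" filler; only LBA values matter here.
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba, count)


DISK_SECTORS = 1_953_525_168       # constructed: a ~1 TB disk
HIDDEN_SECTORS = 2724              # 2724 * 512 bytes = 1.33 MiB, as in the thread's logs


def constructed_infected_mbr() -> bytes:
    """Constructed sample: planted 1.33 MiB partition at the end of the disk holds the
    active flag; System Reserved has lost it. Type ids (0x07) are arbitrary for the sample."""
    table = (_entry(False, 0x07, 2048, 204800)                       # System Reserved
             + _entry(False, 0x07, 206848, 1_141_100_000)            # OS partition
             + _entry(True, 0x07, DISK_SECTORS - HIDDEN_SECTORS, HIDDEN_SECTORS)
             + bytes(16))                                            # empty slot
    return bytes(PT_OFFSET) + table + MBR_SIGNATURE


def constructed_clean_mbr() -> bytes:
    """Same disk after the planted partition is deleted and the boot flag restored."""
    table = (_entry(True, 0x07, 2048, 204800)
             + _entry(False, 0x07, 206848, 1_141_100_000)
             + bytes(32))
    return bytes(PT_OFFSET) + table + MBR_SIGNATURE


if __name__ == "__main__":
    for label, sector in (("infected", constructed_infected_mbr()),
                          ("clean", constructed_clean_mbr())):
        print(label, audit_partition_table(parse_mbr(sector), DISK_SECTORS) or ["no findings"])
```

The audit deliberately stops short of verdicts: a tiny active partition is the pattern to investigate, and the confirmation is the bootkit's own code in that partition or in the first 446 bytes of the sector, which is what tools such as MBRCheck compare against known bootcode.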
     
  3. ks66046

    ks66046 Private E-2

    I tried running Windows recovery CD but it says 'BOOTMGR is missing' and won't proceed further. I downloaded the file from another computer and burned it with imgburn. Gparted worked; I loaded the CD with no problems. I deleted the appropriate partition and marked the OS drive with a boot flag. Now when I try to run the second CD I keep getting this error.
     
  4. thisisu

    thisisu Malware Consultant

    Make sure you are booting off of the CD/DVD. Keep in mind that you have to "press any key to boot off the cd/dvd...". Look in the top left corner of your screen when you are rebooting. You only have about 4 seconds to respond otherwise it will try to boot off of the hard drive thus the message "bootmgr is missing".

    Remember once you are in the recovery console, to type the following commands:
    • bootrec /fixmbr
    • bootrec /fixboot
    • exit
    If you still have issues booting, launch Startup Repair from the CD (not from the HDD!!)
     
  5. ks66046

    ks66046 Private E-2

    I ran the recovery CD and entered the commands. It said they completed successfully. Startup repair says it can't complete the repair automatically. Trying to reboot after running the CD still says BOOTMGR is missing. Did I forget a step?
     
  6. thisisu

    thisisu Malware Consultant

    Boot back into the Recovery console using the CD.
    Go back into Command Prompt and type in the following command:
    • bootrec /rebuildbcd
    Press ENTER

    List what appears and wait for further instructions
     
  7. ks66046

    ks66046 Private E-2

    It reads:
    total identified Windows installations: 1
    [1] c:\Windows
    Add installation to boot list? yes/no/all
     
  8. thisisu

    thisisu Malware Consultant

    type Y for yes and press ENTER.

    Then let me know what is displayed next.
     
  9. ks66046

    ks66046 Private E-2

    The operation completed successfully.

    X:\windows\system32>
     
  10. thisisu

    thisisu Malware Consultant

    type:
    • exit
    and then reboot your PC. Let me know if reboot was successful this time.
     
  11. ks66046

    ks66046 Private E-2

    It still says BOOTMGR is missing.
     
  12. thisisu

    thisisu Malware Consultant

    Go back into Recovery Console from the CD.
    Select Startup Repair.
     
  13. ks66046

    ks66046 Private E-2

    Windows started successfully.
     
  14. thisisu

    thisisu Malware Consultant

    Ok good. Remember to complete the MBRCheck instructions I listed here and attach the log when you are ready.
     
  15. ks66046

    ks66046 Private E-2

    MBRCheck completed. Here is the log.
     


  16. thisisu

    thisisu Malware Consultant

    That log is clean :cool

    http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:
    • Homepage Protection (unless you like this)
    • Java(TM) 6 Update 26 (outdated)
    • Shareaza 2.5.3.0 (P2P / not recommended)

    http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    C:\Users\d\Local Settings\TEMP\2147483647.dat
    Folder::
    c:\users\d\AppData\Roaming\OL8gTZqhYwUrOtP
    c:\users\d\AppData\Roaming\F427C
    c:\users\d\AppData\Roaming\EffEEL99gTZjY
    c:\users\d\AppData\Roaming\EEEEL9gZYw
    c:\users\d\AppData\Roaming\L99hhTXqjUCeIBz
    c:\users\d\AppData\Roaming\udW8LhXUekIr
    c:\users\d\AppData\Roaming\GUUUVeelIBtzN
    C:\Users\d\Local Settings\TEMP\sva6m.tmp
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EEDB912-C5FA-486F-8334-57288578C627}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{D8C606E8-D595-48CD-99F6-B733622A6E42}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D8C606E8-D595-48CD-99F6-B733622A6E42}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    http://img684.imageshack.us/img684/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run

    http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from: Sun Java Runtime Environment

    http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
    Also let me know if you are experiencing any issues with hidden/missing desktop icons, start menu, quick launch, anything missing?
     
    Last edited: Nov 25, 2011
  17. ks66046

    ks66046 Private E-2

    I have completed all the steps and attached the logs. Everything seems to be working now. iexplore.exe is gone from the task manager. I checked several websites and did not have any pages redirected. All Windows functions appear to be functioning normally.
     


  18. ks66046

    ks66046 Private E-2

    Correction: I noticed that when I open the run command and begin to type the auto fill brings up a list of websites that I have never visited. Many of the sites are the same pages I was being redirected to earlier.
     
  19. thisisu

    thisisu Malware Consultant

    http://img707.imageshack.us/img707/6703/generalxpicon.gif Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    If you have a 64-bit system, please download the 64 bit version from here:
    SystemLook (64-bit)

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :dir /s
    c:\windows\system64
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
  20. ks66046

    ks66046 Private E-2

    SystemLook has completed. I have attached the log.
     


  21. thisisu

    thisisu Malware Consultant

    Please download CCleaner Slim
    Go into the Options tab >> Uncheck All Items here
    Now click the Cleaner tab and press the Run Cleaner button.
    Press OK.
    Autocomplete entries should have been removed once CCleaner has finished.
     
    Last edited: Nov 24, 2011
  22. ks66046

    ks66046 Private E-2

    I ran CCleaner and everything seems to be removed. I am not being redirected and there are no strange programs running on my machine. Thanks for all your help.
     
  23. thisisu

    thisisu Malware Consultant

    Glad to hear it :cool

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     