IE redirecting/hijack

Wwlcome to Major Geeks!

Yes you have one of the most recent waves of infections going around the removed your BFE and MpsSvc registry keys which in is noticable to you in that your firewall stops working.

Okay now press the Windows key and the R key at the same time to bring up the Run box. Type in regedit and hit OK.

• Then in the Registry Editor click File, Import.
• Navigate your way to the C:\MGtools folder and locate the fixW7BFE.reg key and select it.
• Then click the Open button and allow this to be added into your registry

Tell me what happend exactly. Like do you get any error messages or do you get a success message?

If you received a success message then repeat the above import but with below to files from the MGtools folder.

• fixW7FW.reg
• FixW7FWdrv.reg

Then so that we can see what effect this had, I need to you to run a newer version of MGtools.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\MGlogs.zip

This is not going to fix all your problems. It is just a start.

 

Note, it also appears that your hard disk as been infected with a newer for of TDL infection that replaces your boot partition with an infection and makes it the active partition to boot from.

Code:

 
Partition Disk #0, Partition #3 
Partition Size 1.70 MB (1,785,856 bytes) 

Do you have your Windows 7 Boot DVD? We are going to need it

 

You're welcome.

See if either of these two disks allows you to boot from it into the System Recovery Environment and get into the Command Prompt as illustrated in the below link:

http://www.bleepingcomputer.com/tutorials/windows-7-recovery-environment-command-prompt/

I don't want you to do anything in the command prompt right now. We just need to verify that you are able to do this before we take other steps. Also it is highly recommended that you back up important data before we start to fix this problem.

 

While there is always a chance that this type of infection could spread to another drive, I don't think that is going to happen with the variety you have. So it should be okay. You don't have much of a choice anyway.

See if you can get to the command prompt window. You don't need to worry about this causing any damage before your backup. We are not fixing anything. We are just testing you can get there.

I have another boot CD that you are going to need to create that will contain G-parted partitioning software. This will be next after we confirm you get to the command prompt.

 

This is due to the infection changing the active boot partition to not boot from Windows.

What did the first option say?



First, download Download gparted-live-0.10.0-3.iso (115.1 MB)
You will need a blank CD to burn this ISO to. You can burn the .ISO using software like ImgBurn. You can see info on how to do this here >>
Using ImageBurn to Burn an ISO image

Now boot off of this newly created CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png
You should be here...
Press ENTER

http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
Choose your language and press ENTER. English is default [33]

http://img140.imageshack.us/img140/7958/gpartedgui.th.png
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
http://img32.imageshack.us/img32/1122/gpartedo.th.png
According to your logs, the partition that you want to delete is 1.70 MB (MiB)
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:
http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

http://img194.imageshack.us/img194/7753/gpartedboot.th.png
Is "boot" next to your OS drive? -- According to your logs, your OS drive is the 683.57 GB size partition.

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:
http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.

You should receive a small pop up like this:
http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
Choose reboot and then press OK.

Now reboot into the Windows 7 System Recovery Environment command prompt as you previously did using your CD. And in the command prompt, execute the following commands:

• bootrec /fixmbr
• bootrec /fixboot
• exit

 

No problem. It's Sunday. I will be in and out of here too.

 

Sorry about that. I just forgot to edit that line for your PC. Your logs actually showed it as 919.22 GB

Yes if you ran both the
bootrec /fixmbr and bootrec /fixboot commands, you need to type exit and reboot normally. Then rerun MBRcheck and attach a new log. Also rerun C:\MGtools\GetLogs.bat and attach the new MGlogs.zip file.

 

Should be normally but since you have received this error message, boot up the CD again but this time instead of choosing the command prompt, choose Startup Repair

It should prompt you to reboot when it finishes the repair.

 

Not entirely correct. Your boot drive and the fake partition has been fixed. Your second drive still has an infected MBR which needs to be fixed now.

But I have a question about this 2nd drive. Is this a different drive than you had earlier. When you first posted your very first MGlogs.zip, there was a log from MBRcheck that showed

Code:

PhysicalDrive0 Model Number: SAMSUNGHD103SJ, Rev: 1AJ10001
PhysicalDrive1 Model Number: ST31000340AS, Rev: SD15    
      Size  Device Name          MBR Status
  --------------------------------------------
    931 GB  [URL="file://\\.\PhysicalDrive0"]\\.\PhysicalDrive0[/URL]   MBR Code Faked!
            SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B
    931 GB  [URL="file://\\.\PhysicalDrive1"]\\.\PhysicalDrive1[/URL]   MBR Code Faked!
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

And now it shows

Code:

\\.\C: --> [URL="file://\\.\PhysicalDrive0"]\\.\PhysicalDrive0[/URL] at offset 0x00000003`12600000  (NTFS)
[URL="file://\\.\E"]\\.\E[/URL]: --> [URL="file://\\.\PhysicalDrive1"]\\.\PhysicalDrive1[/URL] at offset 0x00000000`00007e00  (NTFS)
PhysicalDrive0 Model Number: SAMSUNGHD103SJ, Rev: 1AJ10001
PhysicalDrive1 Model Number: SAMSUNGHD502HI, Rev: 1AG01118
      Size  Device Name          MBR Status
  --------------------------------------------
    931 GB  [URL="file://\\.\PhysicalDrive0"]\\.\PhysicalDrive0[/URL]   Windows 7 MBR code detected
            SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
    465 GB  [URL="file://\\.\PhysicalDrive1"]\\.\PhysicalDrive1[/URL]   Unknown MBR code
            SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F

You appear to have been changing drives??????????????

 

Please re-read my last message which I edited to add more comments. You need to explain why you are changing hard disks!!!!

 

You will need to boot back to the System Recovery Environment and figure out the drive letter for this second drive, by entering commands like the below. One command changes drives, and the second ( the dir ) lists the contents. From the contents, you should be able to figure out what the drive letter of this other infected drive is while in the Recovery Environment. Drive lettes may not be the same as when in normal Windows.

c:\
dir
d:\
dir
e:\
dir
f:\
dir
.....etc

One you find the correct drive letter, you would run the below command and substitute in for the x, the actual drive letter.

bootsect.exe /nt60 x: /mbr

Then you would reboot normally and attach another new log from MBRcheck.


Seems likely that all of your hard disks are infected.

 

Great. You will need to fix that other 931 GB drive at some point but not now.

As stated in my first message, you have other problems. Your MBR and Partition infections needed to be removed first. Now the rest of your problems with the BFE and MpsSvc services and a load of file, folder, and registry permissions need to be fixed. You are far from done. Such is the nature of the infections you managed to get. However you picked them up, you need to be much more careful or you will be doing these fixes all the time and not having any time to actually use your computer for anything. In addition, these infections can be dangerous and may steal information.


Now you need to run C:\MGtools\GetLogs.bat and attach a new log before I can start the next steps.

 

You need to avoid getting the infections to begin with. Only you know what you were doing when you got infected. As you can see McAfee is not going to protect you 100%. Not even close. You ( and other users of the PC ) are the most important component of security.

I'm not sure what you are saying. It is a "drive" not a "driver" which would be software. And you did put both of them into this PC. Hence they may have gotten infected when you plugged them in, or they may have been already infected.

 

Unknown but in most cases there is some kind of interaction by the end user that would possibly be deemed as questionable behavior or the inappropriate response may have been taken.

Malware is a generic term to cover all malicious software. A virus is malware, but this infection is not a virus. We don't know exactly where people are picking it up. There could be many ways. Typical ones include

• downloading bittorrents
• download illegal software ( normally obtained with the above )
• accessing any kind of video downloading site especially porn and even more so if they have you download any special codecs.
• opening questionable email content
• but this does not mean you cannot get it from legit sites either. Especially ones that do no police their content or are too big to properly police. Even Google as been know to be a spreader of malware.

Next steps.



Download SubInACL.msi from Microsoft.

• Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
• Now download the below file and save it to your Desktop:
  • resetperm-x64.cmd
• Now right click onresetperm.cmd and select Run As Administrator to run this script. Be patient as this may take awhile to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator priviledges.

Once it finishes, reboot your PC.


Okay now press the Windows key and the R key at the same time to bring up the Run box. Type in regedit and hit OK.

• Then in the Registry Editor click File, Import.
• Navigate your way to the C:\MGtools folder and locate the fixW7BFE.reg key and select it.
• Then click the Open button and allow this to be added into your registry

Tell me what happend exactly. Like do you get any error messages or do you get a success message?


If you received a success message then repeat the above import but with below to files from the MGtools folder.

• fixW7FW.reg
• FixW7FWdrv.reg

Wherther the imports work or not, now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

 

Good job!

Okay the BFE service has now started. But the MpsSvc service for the Windows Firewall has not started. This is likely due to the error message you saw when importing FixW7FWdrv.reg.

The below registry entry is missing and we need to get this in.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000\Control]
"ActiveService"="mpsdrv"

Can you try powering down your PC? Wait a minute and then turn back on and try just importing the FixW7FWdrv.reg patch again. Let me know what happens with any full error messages just like you supplied to me last time. We may need to try some manual permissions editing in the registry.

 

Thanks.

Yes and this is an important part of the task and giving me good/complete feedback on what happens makes it easier for me to know what is going on. So when you provided information like below

It is very helpful and much better than one someone just tells us "it didn't work" or "I got an error" which are not helpful because the details are left out.


Let's try running the Windows Registry Editor as Administrator and see what happens. Click Start and in the search box just type regedit do not hit enter. In the area above you should see a regedit.exe icon appear when it is found. Right click on it and select Run As Administrator. Retry importing the same registry key. And see what happens. If it still has the same error, just tell me later, but try the below.


Navigate to the below registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

• Then right click on it and select Permissions
• What names do you see in the section under Group or user names:
• Also select SYSTEM from the names area and then look in the bottom box under Permissions for SYSTEM and tell me which check boxes are checked.
• Now also with that Permissions for Root form open, click on the Advanced button down towards the bottom right.
• On the next Advanced Security Settings for Root form, click the Owner tab and tell me which names appear in the below two boxes
  • Current owner:
  • Change owner to:

 

Okay let's modify the Owner by adding Everyone to the list.

• On this Advanced... form, Click the Other users of groups... button
• One the next form, in the Enter the objec name to select box, type in Everyone and then click Check Names which will then verify that Everyone exists and will underline the text to show it was found
• Then click OK
• Then back on the Advanced Security Settings for Root form select Everyone and then click the Apply button. And then OK out of this form.
• Now you should be back at the Permissions for Root form.
• Select Everyone and see if you can now give Full Control by checking the box and clicking Apply.

If the above works, do the same thing for the below subkey of Root

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV

It may even already have Everyone set to full control if we are lucky.

If all of this works, then try importing the fixW7FWdrv.reg file again.

Tell me what happens.

 

You're welcome. Okay that is sounding good.

Please reboot your PC and after reboot continue with the below.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You're welcome.

You should just double check each one now to make sure they are okay before performing the below final instructions.

No! Everything we needed has been added already.



If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Renable UAC and see what you get.

 

After changing making any changes to UAC, you have to reboot for them to take effect.

Also changes to Protected Mode will not take effect until all browsers are exited and then restarted. But this also has a dependency on UAC being enabled first.

See some tips here: http://www.sevenforums.com/tutorials/63141-internet-explorer-protected-mode-turn-off.html

 

Just fix it the same way you fixed the other drive. Minimize any use of the drive to only plugging it in and fixing it.... until it is fixed.

Thanks! I tried to make things as detailed as possible to cover all scenarios and to give lots of tips to avoid questions that many less experience users run into. It makes the documents bigger and some people are put off by this, but the details are there for the less experienced people.

No. I have full time job that occupies 10 to 12 hrs a day on average.

No I do not get a percentage. The forums are maintained and run by the owners at their expense. Typical of most websites they get kick back for the advertisements and software being recommended thru them. Use the main download site at www.majorgeeks.com to download applications whether free or for ones you may eventually purchase. Purchasing is your choice. Every application on the site is tested before being made available for download. We don't just put everything that exists there. In fact, many submissions may be rejected.

 

You're welcome. Surf safely!

 

Excellent!

Currently I would recommend purchasing Malwarebytes over SUPERAntiSpyware.

You're welcome and thanks. Merry Xmas and Happy New Year to you too.