Browser Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bruin, Nov 9, 2010.

  1. Bruin

    Bruin Private E-2

    I noticed my browser being redirected at random times. This started a week or two ago. My PC runs Windows 7, so was unable to run some of the anti-malware programs.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have a DNS hijacking infection that we need to clear up. We will also run TDSSKiller considering your complaint of browser redirection.

    Now do this: (It will run in reduced functionality mode as it is not really designed for 64 bit systems however we have seen it find and fix things)

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7, do not double click on it but rather right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

    Reboot the machine!

    Run Ccleaner.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running now?
     
    Last edited: Nov 9, 2010
  3. Bruin

    Bruin Private E-2

    Thanks, but the problem still exists. I have attached the new logs. Thanks
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the TDSSKiller log:
    C:\TDSSKiller.2.4.7.0_09.11.2010_11.00.43_log.txt

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell Kes how things are working now!
     
  5. Bruin

    Bruin Private E-2

    Tim,

    I followed your instructions and the problem still exists. I've uploaded the logs you requested.

    Thanks
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Java(TM) 6 Update 20 <--- Uninstall outdated Java.
    WinSCP 4.2.9 <--- Uninstall this if you did not knowingly install it yourself.

    Reboot the machine.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :reg
    [HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters]
    "DhcpNameServer"="192.168.1.1"
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running now? Are we making any progress?
     
  7. Bruin

    Bruin Private E-2

    Kestrel,

    Thank you for the instructions. Unfortunately, the problem still exists. I have attached the new logs
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you running through a router? If so, try directly connecting to the modem and see if the problem still exists. If it doesn't, reset your router. Before you try this, do the following again.

    Copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    If after doing the above and then connecting directly to the modem, if the issue is resolved you will know that your router is infected and you need to press the recessed red button to set it back to factory settings. Let me know what you find.
     
  9. Bruin

    Bruin Private E-2

    Tim, the connection is now directly to the Internet, but the problem still exists.

    I tried to run the registry script, but an error message resulted indicating that the script was not a registry script (I chose "save as" when I saved the file and there are no spaces on top).

    Thanks
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try again. Make sure you have disabled all AV and AS software.

    Code:
    :Processes
    explorer.exe
    
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
    "DhcpNameServer"="192.168.1.1"
    
    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
    "DhcpNameServer"="192.168.1.1"
    
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\MGlogs.zip
     
  11. Bruin

    Bruin Private E-2

    Tim,

    I ran the programs and attached the files.

    Thanks
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    How do you feel about going into the registry and editing it? You would have to go to start / run / and type:
    regedit

    Then expand your way to these keys and remove the last IP setting in each:
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters
    DhcpNameServer REG_SZ 192.168.1.1 213.109.64.53
    --

    HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters
    DhcpNameServer REG_SZ 192.168.1.1 213.109.64.53
    --

    HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters
    DhcpNameServer REG_SZ 192.168.1.1 213.109.64.53

    Hitting f5 immediately after each edit.
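    As an added illustration of the check the post above performs by hand in regedit (this is not code from the thread or from MajorGeeks): the script parses the DhcpNameServer value from each control set's Tcpip\Parameters key and flags any resolver that is neither private/loopback nor on an allow-list, then shows the cleaned value. The registry dump is constructed, modelled on the values quoted above.

```python
import ipaddress

# Constructed sample, modelled on the DhcpNameServer values quoted in this thread.
# Windows stores the DHCP-assigned resolvers as one space-separated REG_SZ;
# the first entry is the LAN router, the second is the one under suspicion.
SAMPLE_REGISTRY = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters": "192.168.1.1 213.109.64.53",
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters": "192.168.1.1 213.109.64.53",
    r"HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters": "192.168.1.1 213.109.64.53",
}


def parse_name_servers(value):
    """Split a DhcpNameServer/NameServer string into individual addresses.
    Windows writes them space-separated; some tools write commas instead."""
    return [s for s in value.replace(",", " ").split() if s]


def is_expected(server, allowed=()):
    """A resolver is expected if it is explicitly allow-listed or is an
    RFC 1918 / loopback address (a home router or a local resolver)."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP address at all: treat as suspicious
    return server in allowed or addr.is_private or addr.is_loopback


def find_rogue_resolvers(registry, allowed=()):
    """Return {key: [unexpected servers]} for every Tcpip\\Parameters key.
    Every ControlSetNNN is checked, not only CurrentControlSet: a Last Known
    Good boot loads a saved control set, so a hijack left there comes back."""
    findings = {}
    for key, value in registry.items():
        if not key.lower().endswith(r"\tcpip\parameters"):
            continue
        rogue = [s for s in parse_name_servers(value) if not is_expected(s, allowed)]
        if rogue:
            findings[key] = rogue
    return findings


def cleaned_value(value, allowed=()):
    """The resolver string with unexpected entries removed, i.e. what the
    manual regedit step above leaves behind in each key."""
    return " ".join(s for s in parse_name_servers(value) if is_expected(s, allowed))


if __name__ == "__main__":
    for key, rogue in find_rogue_resolvers(SAMPLE_REGISTRY).items():
        print(f"{key}: unexpected resolver(s) {rogue}")
        print(f"  cleaned DhcpNameServer -> {cleaned_value(SAMPLE_REGISTRY[key])!r}")
```

Run against a real machine, the dictionary would be filled from `reg query` output for the same three keys; an ISP or corporate resolver that is legitimately public belongs in `allowed`.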
     
  13. Bruin

    Bruin Private E-2

    Tim,

    I made these changes, but the problem is still present. I've attached new logs.
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Is the problem happening in all browsers? Have you tried connecting directly to the modem? If so, does the problem persist?

    Use windows explorer to find and delete:
    C:\Users\jeff\Local Settings\TEMP\180680.od
    C:\Users\jeff\Local Settings\TEMP\2C92.tmp
    C:\Users\jeff\Local Settings\TEMP\34066531.od
    C:\Users\jeff\Local Settings\TEMP\367.tmp
    C:\Users\jeff\Local Settings\TEMP\464804.od
    C:\Users\jeff\Local Settings\TEMP\572320.od
    C:\Users\jeff\Local Settings\TEMP\8C7E.tmp
    C:\Users\jeff\Local Settings\TEMP\962B.tmp
    C:\Users\jeff\Local Settings\TEMP\CVR17A4.tmp.cvr
    C:\Users\jeff\Local Settings\TEMP\CVRBBA0.tmp.cvr
    C:\Users\jeff\Local Settings\TEMP\CVRC189.tmp.cvr
    C:\Users\jeff\Local Settings\TEMP\CVRD063.tmp.cvr
     
