google redirect & possibly other issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by l22zh, Dec 21, 2009.

  1. l22zh

    l22zh Private E-2

    hi

    I'm using a XP Pro system.

    About 2 days ago, I started having this google redirect problem from all browsers, i.e. firefox/chrome/ie. Whenever I accessed *.google.com, it downloaded some scripts from http://jsfeed.net/js.php/l=1&u=280 (info obtained from Fiddler), then google search results were redirected to hochu-spat.com or ftrer.com.

    At the same time, my laptop froze itself frequently, especially when I'm using browsers (don't know if they are relevant).

    I did a scan following the steps stated in the Read & RUN ME FIRST thread except the MGtools last night. It seemed the google redirect issue was solved at the time (no connection to jsfeed.net at all). But it started all over again this morning. So I ran MGtools and came here for help.

    Thanks!
     

    Attached Files:
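    An added example, not from this thread: a small Python check over constructed Fiddler-style log lines (method, URL, Referer) that flags resources pulled from non-Google hosts while a Google page is the referer, which is the pattern the first post observed. The sample lines and the trusted-host list are assumptions.

```python
from urllib.parse import urlsplit

# Constructed proxy-style log lines: "METHOD URL REFERER" ("-" = no referer).
# Modelled on what a Fiddler capture of the symptom above would show; not real data.
SAMPLE_LOG = """\
GET http://www.google.com/search?q=test -
GET http://www.google.com/images/logo.png http://www.google.com/search?q=test
GET http://jsfeed.net/js.php/l=1&u=280 http://www.google.com/search?q=test
GET http://ssl.gstatic.com/gb/js/sem.js http://www.google.com/search?q=test
GET http://hochu-spat.com/ http://www.google.com/search?q=test
GET http://www.example.com/ http://www.example.com/
"""

# Hosts a Google results page is expected to load resources from (assumption).
TRUSTED_SUFFIXES = ("google.com", "gstatic.com", "googleapis.com")


def _host(url):
    """Hostname part of a URL, or "" if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def _trusted(host):
    """True if host is one of the trusted suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def find_injected_loads(log_text):
    """Return (url, referer) pairs for requests to untrusted hosts that were
    triggered from a trusted Google page: the signature of the redirect."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or truncated line, skip it
        url, referer = parts[1], parts[2]
        if referer == "-":
            continue  # direct navigation, nothing to correlate
        if _trusted(_host(referer)) and not _trusted(_host(url)):
            hits.append((url, referer))
    return hits


if __name__ == "__main__":
    for url, ref in find_injected_loads(SAMPLE_LOG):
        print("suspicious load %s (from %s)" % (url, ref))
```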

  2. l22zh

    l22zh Private E-2

    the MGtools.zip

    by the way, I received the following error messages twice when I ran MGtools

    C:\WINDOWS\system32\cmd.exe
    NTVDM has encountered a System Error
    NTVDM has encountered a System Error c0h Choose 'Close' to terminate the application
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    It looks like your Google Redirect issue is solved, but I want to see the log from TDSSKiller that you ran. Please attach the below file:

    C:\Documents and Settings\lzhang\Local Settings\temp\TDSSKiller.txt

    However your main problem is that you have a Master Boot Record infection.

    You have a Master Boot Record infection. We will need to boot to the Recovery Console (you installed it while you installed ComboFix) to remove this infection.

    Now boot to the Recovery Console and run fixmbr to clear the Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command and booting back to normal mode, continue with the below.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe (Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator)



    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. l22zh

    l22zh Private E-2

    Hi chaslang,

    Thanks for helping me out.

    First of all, I believe the redirect issue did disappear after I ran the standard "RUN ME" procedure the last time. But it came back mysteriously... should I run the same procedure again?

    Second, I cannot run the recovery console at all. The first time I ran it, I was told,
    Since the console's been installed ages ago, I removed it according to,
    http://support.microsoft.com/kb/555032

    and reinstalled it manually without a Windows CD according to,
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery

    Then I've got the same error messages twice after I ran it, with a typical Windows blue background error screen,
    Third, the TDSSKiller.txt file you requested at that specific location (C:\Documents and Settings\lzhang\Local Settings\temp\TDSSKiller.txt) is definitely not a description of my computer. But I attached it anyway, with the name TDSSKiller-renny.txt.

    And I ran TDSSKiller again at C:/ and attached the log from the same dir (C:/) as TDSSKiller-l22zh.txt

    What's more, the new MGlogs.zip is attached.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run this tool: Prevx 3.0. Additional MBR infection info from PrevX is published here: http://www.prevx.com/blog/131/MBR-Rootkit-reloaded.html

    After running PrevX, if it does not ask you to reboot, make sure that you reboot anyway. Then continue on with the below.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe (Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator)

    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
