Redirect help please

Discussion in 'Malware Help (A Specialist Will Reply)' started by DLT, May 13, 2015.

  1. DLT

    DLT Private E-2

    This problem occurs both on IE and Firefox. So far I have only seen the redirect when I attempt to go to a photo forum I use: PhotoCamel.

    Usually it starts out as a URL of zeroredirect1 or 2. Then usually switches to mediaupdate99.com. This looks to be a Firefox site telling me to update my "video player." I of course did not click on anything on this site.

    I think I went through your entire procedure correctly and below are the logs in the same order as in your instructions.

    Computer is a Dell Inspiron One.

    If you need any more info, let me know, but I'm at my wit's end trying to get rid of this nasty bit of nonsense. Many thanks for your help! Lee


    ===================================================================

    RogueKiller V10.6.3.0 (x64) [May 11 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Lee [Administrator]
    Started from : C:\Users\Lee\Downloads\RogueKillerX64.exe
    Mode : Scan -- Date : 05/13/2015 11:15:18

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 33 ¤¤¤
    [Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
    [Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
    [Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF949550-9094-4807-95EC-D1C317803333} -> Found
    [Orphan] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} : avast! Online Security -> Found
    [Orphan] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {21FA44EF-376D-4D53-9B0F-8A89D3229068} : -> Found
    [Orphan] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {21FA44EF-376D-4D53-9B0F-8A89D3229068} : -> Found
    [Orphan] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} | CLSID : {E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16} -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : http://www.bing.com -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : http://www.bing.com -> Found
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Found
    [PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
    [PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 2 ¤¤¤
    [PUM.Proxy][FIREFX:Config] febeprof.Lee2 : user_pref("network.proxy.type", 4); -> Found
    [PUM.HomePage][FIREFX:Config] febeprof.Lee2 : user_pref("browser.startup.homepage", "http://www.netvibes.com/privatepage/1#Home"); -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST350041 3AS SATA Disk Device +++++
    --- User ---
    [MBR] 47920a7f0b364335a1d2071206d0204e
    [BSP] c53107c2cb68d4113e71329dc9f634e7 : HP MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 80325 | Size: 15000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30800325 | Size: 461899 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK
    ********************************************************
    View attachment log1.txt

    View attachment TDSSKiller.3.0.0.44_13.05.2015_11.47.55_log.txt

    View attachment HitmanPro_20150513_1226.log

    View attachment runkeys.txt

    View attachment newfiles.txt
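Added example, not part of this thread and not RogueKiller's own code: a small Python triage helper that parses lines in the shape of the RogueKiller "Registry" and "Web browsers" sections above, collapses the X64/X86 duplicate pair the tool reports for the same key on 64-bit Windows, and attaches a reading to each entry. The sample lines are constructed copies of a few entries from the log above; the line regex and the two value tables (Firefox `network.proxy.type` modes, Windows `ConsentPromptBehaviorAdmin` levels) are my own. The point it makes explicit: `[Orphan]` and `[PUM.*]` are leftovers and changed settings, not malware detections, but two of them deserve a look. `network.proxy.type = 4` means Firefox auto-detects a proxy (WPAD), and a proxy is a classic way to reroute a browser, so confirm the user chose it; `ConsentPromptBehaviorAdmin = 0` makes UAC elevate administrators silently.

```python
"""Triage helper for RogueKiller-style log lines (added example, not the tool's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a few entries in the line shape RogueKiller prints in its
# "Registry" and "Web browsers" sections (abbreviated from the log in the thread).
SAMPLE_LOG = r"""
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF949550-9094-4807-95EC-D1C317803333} -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : http://www.bing.com -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4079665189-765800943-815352536-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : http://www.bing.com -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Proxy][FIREFX:Config] febeprof.Lee2 : user_pref("network.proxy.type", 4); -> Found
[PUM.HomePage][FIREFX:Config] febeprof.Lee2 : user_pref("browser.startup.homepage", "http://www.netvibes.com/privatepage/1#Home"); -> Found
""".strip()

# Line shape (assumed from the log): [Category][OptionalSub] (X64|X86) body -> Status
LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]"                 # [Orphan], [PUM.Proxy]
    r"(?:\[(?P<sub>[^\]]+)\])?"             # optional [FIREFX:Config]
    r"\s*(?:\((?P<arch>X64|X86)\)\s*)?"     # optional registry view
    r"(?P<body>.+?)\s*->\s*(?P<status>\w+)$"
)
PREF_RE = re.compile(r'user_pref\("(?P<name>[^"]+)",\s*(?P<value>.*)\);')

# Meaning of Firefox's network.proxy.type values.
FIREFOX_PROXY_TYPE = {
    "0": "direct connection, no proxy",
    "1": "manual proxy configuration",
    "2": "proxy auto-config (PAC) URL",
    "4": "auto-detect proxy settings (WPAD)",
    "5": "use system proxy settings",
}
# Meaning of the Windows UAC policy ConsentPromptBehaviorAdmin.
UAC_ADMIN_PROMPT = {
    "0": "elevate without prompting (no UAC prompt for administrators)",
    "1": "prompt for credentials on the secure desktop",
    "2": "prompt for consent on the secure desktop",
    "3": "prompt for credentials",
    "4": "prompt for consent",
    "5": "prompt for consent for non-Windows binaries (default)",
}


@dataclass(frozen=True)
class Finding:
    category: str            # Orphan, PUM.Proxy, ...
    arch: Optional[str]      # X64 / X86 / None (browser entries carry no view)
    key: str                 # registry key, or Firefox profile name
    value: Optional[str]     # registry value name, or pref name
    data: Optional[str]      # registry data, or pref value


def _parse_body(sub: Optional[str], body: str):
    """Split the body into (key, value, data) for registry and Firefox-pref lines."""
    if sub and sub.startswith("FIREFX"):
        profile, _, pref = body.partition(" : ")
        m = PREF_RE.search(pref)
        if m:
            return profile, m["name"], m["value"].strip().strip('"')
        return profile, None, pref
    key, sep, rest = body.partition(" | ")
    if not sep:
        return key, None, None            # bare key, e.g. an orphaned BHO CLSID
    value, _, data = rest.partition(" : ")
    return key, value, data or None


def parse_log(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # section headers, blank lines, MBR block
        key, value, data = _parse_body(m["sub"], m["body"])
        findings.append(Finding(m["cat"], m["arch"], key, value, data))
    return findings


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Collapse the X64/X86 pair reported for one key, so 33 hits read as the ~17 they are."""
    seen, unique = set(), []
    for f in findings:
        k = (f.category, f.key.lower(), (f.value or "").lower(), f.data)
        if k not in seen:
            seen.add(k)
            unique.append(f)
    return unique


def triage(f: Finding) -> str:
    """A reading of one finding; Orphan/PUM are leftovers and settings, not detections."""
    if f.category == "Orphan":
        return "registry reference to a component no longer present; leftover, typically safe to remove"
    if f.category == "PUM.Proxy" and f.value == "network.proxy.type":
        note = f"Firefox proxy mode {f.data}: {FIREFOX_PROXY_TYPE.get(f.data, 'unknown value')}"
        if f.data in ("1", "2", "4"):
            note += "; a proxy, PAC or WPAD setting can reroute the browser, confirm the user set it"
        return note
    if f.category == "PUM.Policies" and f.value == "ConsentPromptBehaviorAdmin":
        note = f"UAC admin prompt {f.data}: {UAC_ADMIN_PROMPT.get(f.data, 'unknown value')}"
        if f.data == "0":
            note += "; anything this admin runs elevates silently, restore to 5 unless deliberate"
        return note
    if f.category.startswith("PUM."):
        return "user-configurable setting changed from its default; not malware by itself, review the value"
    return "no triage rule"


def report(text: str) -> Dict[str, str]:
    """Map each unique finding (log-style label) to its triage note."""
    return {f"{f.category} {f.key}" + (f" | {f.value}" if f.value else ""): triage(f)
            for f in dedupe(parse_log(text))}


if __name__ == "__main__":
    for label, note in report(SAMPLE_LOG).items():
        print(f"{label}\n    {note}")
```

Feed it a saved RogueKiller log instead of `SAMPLE_LOG` to get the same collapsed, annotated view; anything outside the two parsed sections is skipped rather than misread.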
     
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    We need the entire MGlogs.zip, not the individual files it contains.
     
  3. DLT

    DLT Private E-2

    Thank you. Got it now. By the way, forgot to mention. I also tried a system restore in both normal and safe mode and apparently the virus will not let me do a restore. Lee

    View attachment MGlogs.zip
     
  4. DLT

    DLT Private E-2

    UPDATE: I'm totally confused. The PhotoCamel site is now working OK. It was down, but after posting a query, no one seems to have experienced the redirect to the malicious site (zeroredirect) I encountered.

    Also, I got system restore working again -- not quite sure how with all the troubleshooting I have been doing. ;)

    I guess you can consider my problem solved -- since I sent the logs, if you could do a quick scan of them and see if anything suspicious appears, I would appreciate it.

    Many thanks and what a wonderful asset you folks are! Lee
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome.

    There's only a little to do:

    Please re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.
    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in the original instructions and attach the new log.
     
  6. DLT

    DLT Private E-2

    Thanks. Ran the scan. The first parts of the ones you posted are there, but not the whole string, so I did not delete anything. See attachment. Do you still want me to delete these and run a new scan?

    Thanks, Lee

    2015-05-15_070821.jpgA.jpg
     