URL Redirection and Blocked Websites

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by PumpkinPieman, May 19, 2010.

  1. PumpkinPieman

    PumpkinPieman Private E-2

    I know there is another thread about the google redirection virus, but to be perfectly honest I have tried so much to get rid of this. Gone through post after post, but nothing seems to fix this. It would be better if this was treated as a different case.

    All right. Here are the general symptoms:

    - Google \ Yahoo Redirects websites to search<x>.google\yahoo.ca; sometimes to the right websites, sometimes not.
    - Blocks Virus Scanner websites and prevents them from being able to update, also blocks any windows updates from getting through.
    - On all machines in our house.
    - AVG, Clam, Norton, Malware Bytes, Kaspersky, McAfee, Spybot, and Super AntiSpyware all can't find anything wrong (with their definitions).
    - Websites that use google advertising will sometimes be redirected to google-analytics.com
    - Pops up ad windows in FireFox when visiting any website infrequently.

    I generated all the logs I figured everyone would ask for, although some applications wouldn't run on Windows 7 x64.

    Thank you for all your help.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome, I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. :)
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Indeed it is! Never follow advice for another computer > different machine > different fix.

    IMPORTANT:

    1. You need to follow step 6 of the R&R before we continue: Disabling disk emulation software. I see daemon tools running in your logs.
    2. Please go to Add/Remove programs and uninstall the following software:

    • Viewpoint Media Player

    3. Your version of MalwareBytes is outdated, you should open up the program, flick to the updates tab > let it update > rescan > fix all it may find > and attach the log into your next reply please.

    4. You have SpyBot Search & Destroy's TeaTimer function running. This could get in the way of any fixes I give to you so please refer to this link for how to disable it:

    How to disable Spybot's TeaTimer

    5. I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage.

    You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here.

    6. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    • O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    • O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
    • O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
    • O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

    After clicking Fix exit HJT.


    7. Now I would like for you to use windows explorer to locate the below bold folder. Now without clicking on any of its contents, please let me know what files reside within the directory.

    8. Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    9. Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    10. Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.

    or... run these if the above fails.

    Attach those two logs and also the logs from MBAM and OTM. :)

    11. Let me know how the machine is behaving now please.
     
    Last edited: May 21, 2010
  4. PumpkinPieman

    PumpkinPieman Private E-2

    1, 2, 4, 5, 6, 8: Done

    3: This is part of the problem, I can't update. Anything. I can get people to send me the files from the websites which are blocked for me. But these silly scanners don't have offline definitions I can download so it's impossible to update them. Same goes for Windows Update.

    7: Okay, C:\Windows\System32\1033 has one file.
    VSJitDebuggerUI.dll
    I have no clue why it's here, but it sounds like a DLL I would have for Visual Studio. Sounds like the addon I use for debugging the content pipeline in XNA.

    9: C:\Users\David Tremayne\Local Settings\ - access is denied

    10:
    GRK64.bat
    zip error: Invalid command arguments (cannot write zip file to terminal)

    11: For a day or so, since I did the initial logs and the post. Google has stopped forwarding, and doesn't open in a target window. Which is good. But, AV websites and Windows update still timeout.


    Here are the two files from the bat files. But I didn't get to save the OTM one, I ended up pressing clean after I rebooted. >.< I got to the last step then looked for the log in the application then going back and reading about the folder. But by then I had cleaned the folder.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Kestrel will not be logging in until late tonight, when she can finish helping you. In the meantime:

    You have signs of a DNS hijacker. The infection you have is known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup. After doing this, continue on with the below.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now re-run MBAM.

    Download HostsXpert and then follow the below steps.

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    * Click Restore Microsoft's Hosts File and then click OK.
    * Click the X to exit the program

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * MBAM log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
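The post above restores Microsoft's stock hosts file because a DNS hijacker commonly uses it to sinkhole security-vendor and update sites to loopback or to redirect them elsewhere. The following is an added example (not part of the thread or of HostsXpert) that audits hosts-file text for exactly those two kinds of entry; the sample file content is constructed, and the domains in it are illustrative placeholders.

```python
import ipaddress

# Constructed sample of a tampered hosts file (illustrative, not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  update.microsoft.com     # sinkholed: Windows Update times out
127.0.0.1  www.malwarebytes.org     # sinkholed: scanner cannot fetch definitions
203.0.113.10  www.google.com        # redirected to a non-local address
"""

# Names a stock Windows hosts file may legitimately map to a loopback address.
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def audit_hosts(text):
    """Return (hostname, ip, reason) for every entry that does not belong in a stock hosts file.

    Loopback/unspecified targets for anything other than localhost-style names block the site;
    any other target silently redirects the name to that address.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            if name not in ALLOWED_LOOPBACK_NAMES:
                findings.append((name, ip, "blocked (sinkholed to loopback)"))
        else:
            findings.append((name, ip, "redirected to non-local address"))
    return findings

def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit the live hosts file; the default path is the standard Windows location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())

if __name__ == "__main__":
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:28} {ip:16} {reason}")
```

A clean stock file yields no findings; anything else listed is a line that HostsXpert's "Restore Microsoft's Hosts File" step would remove.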
     
