TechSpot

Random popups and browser hijacks. 8-step files attached

By Carlinator
Jul 14, 2010
  1. I am running Windows 7 64-bit. For the past several weeks, since upgrading from Vista due to issues that I realize now I probably should have fixed first, my computer has been acting strangely. While browsing in Firefox with adblock on, I will occasionally be redirected to a random page. Before adblock, it would redirect me to various ads, not only on the newly requested page, but all pages I had viewed in that tab since opening; i.e. after page 10 of a thread did the redirect, hitting back multiple times to go to page 5 would end up redirecting as well. Since I put adblock on, these redirects occur as follows: The page I want will just begin to load, then go blank. The URL at the bottom of the screen flashes to pixel.quantserve.com, then to google-analytics.com, at which point that tab will hang. Also, if I leave the browser open for a while, it occasionally opens a new window which redirects to the Google homepage, rarely to Yahoo as well. Removing/reinstalling FF and clearing temp files has had no effect.

    The following may compound the problem somewhat: my mom's computer, an XP Media Center box on the same home wireless network, has the exact same problem. It started happening just before I upgraded my OS, though I didn't find out until about a week later. On hers, the original problem was that she could not connect to any web page at all, but I dug through her settings and disabled proxies (why they were on, I couldn't say) and now her browser's behavior is identical to mine.

    Most sites are fine, but anti-malware sites in particular seem to be targeted for inaccessibility. I had to find alternate links to get Spybot onto our computers.

    I am currently running AVG Antivirus, Spybot and Microsoft Security Essentials. Full scans have not found anything which has helped in the least.

    8-step files are attached. Any help would be GREATLY appreciated. :)
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    You can't run two AV programs. Please, uninstall one of them.
    If AVG, make sure to use AVG Remover: http://www.avg.com/us-en/download-tools

    =================================================================

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  3. Carlinator

    Carlinator TS Rookie Topic Starter

    Got AVG removed.



    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: bb4f1627d8b9beda49ac0d010229f3ff
    \\.\D: -> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Press any key to quit...
     
  4. Broni

    Very good :)
    How are the issues?


    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  5. Carlinator

    Still having the issues, unfortunately. :(

    Text files from OTL attached.
     

    Attached Files:

  6. Broni

    What are the issues?
     
  7. Carlinator

    When I go to certain sites, i.e. forums.somethingawful.com, the page will begin to load, then I will get redirected to random ad sites. I also get them popping up in new windows in the background. I have Adblock Plus running; it doesn't affect the new windows. For the redirects happening on my pages, it no longer loads the ads, but it just hangs while trying to load Google Analytics or whatever. It was happening before occasionally on links to Photobucket, YouTube, etc.; somethingawful is the first page I regularly visit that's been affected.
     
  8. Broni

    What browser is getting redirected?

    Let's check something else before I check your OTL logs...

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  9. Carlinator

    Browser is Firefox v. 3.6.6

    MBRCheck, version 1.1.0
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\D: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected

    Done! Press ENTER to exit...
     
  10. Broni

    Can you check, if you have redirection in Internet Explorer, please?

    Oh, btw, did you restart computer after running Bootkit Remover?
    If you didn't, please do so and check for redirection again.
     
  11. Carlinator

    I've restarted, redirects still happening. Internet Explorer does not suffer from the problem; I'm hesitant to use it, though, with its notorious security issues.
     
  12. Broni

    I understand.

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

    ==================================================================

    Download Kenco.exe to your desktop
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you ( it will be saved in the same place as Kenco.exe).
     
  13. Carlinator

    Here's the new logs.
     

    Attached Files:

  14. Broni

    All clean...
    Check one more thing for me.

    Close Firefox. Go Start>All Programs>Mozilla Firefox, click on Mozilla Firefox (safe mode). Same redirection?
     
  15. Carlinator

    Yes, still happening in safe mode.
     
  16. Broni

    I suspect what may be the problem. Let's see if we can fix it.

    Also, I suggest, you uninstall Registry Booster. Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

    ====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.68.117 213.109.75.211 1.1.1.1
      O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O33 - MountPoints2\{2c55f6b2-7a5b-11df-b1ac-806e6f6e6963}\Shell - "" = AutoRun
      O33 - MountPoints2\{2c55f6b2-7a5b-11df-b1ac-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Setup.exe -- File not found
      O33 - MountPoints2\F\Shell - "" = AutoRun
      O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Setup.exe -- [2009/10/08 23:09:09 | 000,266,752 | R--- | M] (XFX)
      [2010/06/21 15:50:03 | 000,013,048 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll.install_backup
      [2010/06/18 00:39:05 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\avg
      [2010/06/18 00:35:33 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
      [2010/06/18 00:35:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG

      :Services

      :Reg

      :Files

      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  17. Carlinator

    Done. No improvement.
     

    Attached Files:

  18. Broni

    I can see. Most likely, this is your issue:
    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn off the computer. Disconnect the router and modem from the power source for 1 minute. At the same time, disconnect the ethernet cable as well.
    Reconnect everything.
    Restart computer.

    Check for redirection and post fresh OTL "Quick Scan" log.
     
  19. Carlinator

    Redirection still happening.
     

    Attached Files:

    • OTL.Txt (65.5 KB)
  20. Broni

    O17 entry is still there.
    We'll have to hard reset your router.
    Turn the computer off.
    On your router, you should find a small pinhole, marked "Reset".
    Using a pencil, or a paperclip, keep pushing that hole until all lights flash on and off briefly.
    Restart computer, check for redirection and post fresh OTL log.
     
  21. Carlinator

    Well, that seems to have done it. Was it a piece of malware in the router itself?
     

    Attached Files:

    • OTL.Txt (65.8 KB)
  22. Broni

    Great news :)
    It was, most likely, what we call a DNS hijacker.

    Let's run one more scan to make sure you're totally clean....

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  23. Broni

    Are you still out there?
     