TechSpot

System check virus? IE being redirected randomly

Inactive
By cricket04
Mar 29, 2012
  1. Hello everybody,

    Last week I had "system check" pop up on my laptop. I closed the window without clicking on it, but it would randomly pop up when searching the internet. I found the program folder and deleted it, which has removed that problem. The new problem I'm having is being redirected to sites different from the ones I click on.

    Any help is greatly appreciated,
    Thanks

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.29.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    T & L :: DELL_LAPTOP [administrator]

    Protection: Enabled

    28-Mar-12 11:00:11 PM
    mbam-log-2012-03-28 (23-00-11).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 194375
    Time elapsed: 5 minute(s), 10 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-29 16:22:49
    Windows 6.1.7601 Service Pack 1
    Running: rebdn1u3.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004eeb0139
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004eeb0139 (not active ControlSet)

    ---- EOF - GMER 1.0.15 ----


    I can't get DDS to run. A black box flashes that says:

    'C:\Users\T' is not recognized as an internal or external command, operable program or batch file. The system cannot find the path specified.


    Please advise what to do next,
    Thanks
  2. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==============================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  3. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    aswMBR

    Downloaded, but won't run when I double-click it.

    I'm running windows 7 and have Zonealarm Extreme Security running. Do I need to shut down Zonealarm??

    Do you want me to download/run Bootkit Remover now or wait?

    Patiently waiting...
  4. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    Go ahead with Bootkit Remover.
  5. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
    , 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`afd00000

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
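The Bootkit Remover output above reports the boot code as hidden by a rootkit and offers `remover.exe dump` for manual inspection of the master boot sector. As an added illustration, not part of this thread or of Esage Lab's tool, the following Python script shows what a defender can check in such a 512-byte dump: the 0x55AA boot signature, the partition table, and whether the 446-byte boot code matches a SHA-256 taken from a known-clean machine. The sample MBR bytes and the `build_sample_mbr` helper are constructed for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE_OFF = 510      # last two bytes must be 0x55 0xAA


def parse_partitions(mbr: bytes):
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS(3) type(1) CHS(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def inspect_mbr(mbr: bytes, known_good_sha256=None) -> dict:
    """Sanity-check a raw 512-byte MBR image and compare its boot code to a baseline."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    parts = parse_partitions(mbr)
    findings = []
    if mbr[SIGNATURE_OFF:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged active")
    if known_good_sha256 and digest != known_good_sha256:
        findings.append("boot code differs from known-good baseline")
    return {"boot_code_sha256": digest, "partitions": parts, "findings": findings}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one active NTFS (0x07) partition at LBA 2048."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    # Hypothetical baseline recorded on a clean machine, then a dump whose boot code changed.
    baseline = inspect_mbr(build_sample_mbr(b"\xfa\x33\xc0"))["boot_code_sha256"]
    print(inspect_mbr(build_sample_mbr(b"\xeb\xfe"), baseline)["findings"])
```

To run it against a real dump, read the output file of `remover.exe dump` in binary mode and pass the first 512 bytes to `inspect_mbr` together with a hash recorded from a trusted system of the same make and OS version.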
  6. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  7. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    TDSSKiller won't do anything when I double-click it.

    Thanks again for your help
  8. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    OK any security prompts.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
    If you are running Windows XP, re-enable System Restore.
  9. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Just wanted to point out, I'm running Windows 7.

    Do I have to turn off system restore??

    Thanks
  10. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    No..................
  11. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Computer restarted and the TDSS Fix Tool scan results say:

    ***Infected MBR detected

    repair/close
     
  12. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Just had ZoneAlarm pop up stating scan result "Rootkit.Boot.SST.b" auto treatments repaired successfully removed
  13. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Just had a blue screen come up, and then Windows restarted asking me if I want to restore using System Restore.

    Help
  14. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    No.
    Turn the computer off.
    Wait one minute.
    Start normally.
    If normal mode doesn't work try safe mode.
  15. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Restarted laptop and I have the Windows Error Recovery black screen saying

    "Windows failed to start. A recent hardware or software change might be the cause.

    If Windows files have been damaged or configured incorrectly, Startup Repair can help diagnose and fix the problem. If power was interrupted during startup, choose Start Windows Normally"

    -Launch Startup Repair (recommended)
    -Start Windows Normally
  16. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    Try to start normally.
    If that doesn't work try "startup repair".
  17. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Start Windows Normally wouldn't work; had to choose Repair.

    Now it's back to the restore screen with the option to Restore or Cancel??
  18. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    Go ahead with restore.
  19. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Startup Repair
    Windows cannot repair this computer automatically.

    -send information about this problem (recommended)
    -Don't send
  20. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    Don't send.
    See if you can start in safe mode.
  21. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    There is also a drop-down with Problem Signature details; if you want me to type it out, let me know.
  22. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    It may be helpful....
  23. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Problem signature:

    Problem Event Name: Startup Repair Offline
    Problem Signature 01 6.1.7600.16385
    Problem Signature 02 6.1.7600.16385
    Problem Signature 03 Unknown
    Problem Signature 04 328
    Problem Signature 05 AutoFailover
    Problem Signature 06 1
    Problem Signature 07 0x109
    OS Version: 6.1.7600.2.0.0.256.1
    Locale ID: 1033
  24. Broni

    Broni Malware Annihilator Posts: 46,728   +254

    See if you can boot to safe mode.
  25. cricket04

    cricket04 TS Rookie Topic Starter Posts: 33

    Safe mode with or without networking??

    Thanks again for all your help!!

