TechSpot

Websites getting redirected [Bootkit]

By verity25
Jun 29, 2010
  1. I have been getting this problem for some time and have reinstalled Windows to try to fix it but it's still happening. I chanced upon your site so I'm hoping you fix the problem for me as it's driving me nuts. I followed the 8 step process and have attached the doc files as requested. I would appreciate your help...
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Attached the combofix log file
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I don't really see much there.

    Which browser is getting redirected?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  5. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Hi,
    I am using IE8, I did want to use Firefox but don't want to install it until this is fixed. Also, when opening a new website Google opens automatically in a separate window for some reason. Anyhow, the logs are attached.
     

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Note: If you have a previous version of TDSSKiller downloaded please delete it now and download a fresh copy using the links provided below

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
     
  7. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Here's the text file...
     

    Attached Files:

  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    So far, I see nothing dangerous...

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
    Reconnect everything.
    Restart computer.

    Check for redirection.
     
  9. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Did everything as stated, and although it appears to have stopped Google from loading randomly I am still getting redirected. Most sites are pretty good, but certain ones are still redirecting. The main one that I can see at moment giving problems is the Rocketdock website, can't get into it at all.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please, bypass the router and connect your computer straight to the modem.
    See, if redirection still happens.
     
  11. verity25

    verity25 TS Booster Topic Starter Posts: 110

    I don't have a modem, just a router. I am still getting Google opening randomly when opening websites. I have blocked each website when I get redirected to it so it doesn't come up again, but I am still redirected to other sites, and some sites won't load at all.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Is PROLITE-NET your ISP?
     
  13. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Negative..talktalk.net
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.68.117 213.109.75.211
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  15. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Here's the OTL logfile. Had to zip it as it was too big to upload.
     

    Attached Files:

    • OTL.zip (28.9 KB)
  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    If you want to attach any file, it's fine, but please, don't zip them.
    I still need Extras.txt
     

    Attached Files:

  17. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Only one file was produced by OTL; there was no Extras file, only the one I previously uploaded.
     
  18. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Ooops! sorry I missed the bottom part of your post. I'll do it right this time...
     
  19. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Here's the first file....
     

    Attached Files:

  20. verity25

    verity25 TS Booster Topic Starter Posts: 110

    How can I post the next file? It says it's too big.
     
  21. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Split it in half, like I did.
    How is redirection?
     
  22. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Still happening...here are the logs..
     

    Attached Files:

  23. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Turn the computer off.
    Disconnect power and ethernet cable from your router.
    Your router should have a small reset pinhole, which you can push with a pencil tip.
    Reset the router and restart everything.
    Check for redirections.
     
  24. verity25

    verity25 TS Booster Topic Starter Posts: 110

    Followed your instructions, and nothing has changed. Same thing happening and Google home page still loading randomly for some reason.
     
  25. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Let's repeat some steps...
    Please pay attention to the order in which those steps have to be taken.
    You may write it down, because we'll disconnect your computer from the internet for a moment.

    1. Disconnect ethernet cable from your computer (while computer on).

    2. Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    3. Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.68.117 213.109.75.211
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
    NOTE: Since you're not connected to the internet at the moment, simply keep those two logs and post them back when you reconnect your computer.

    4. Turn computer off.

    5. Reset the router, using the reset pinhole. Keep cables connected. Keep pushing the reset pinhole until the router's lights go off for a brief moment.

    6. Reconnect the computer's ethernet cable and restart the computer.

    7. Check for redirection and post both OTL logs.
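The O17 line in the OTL fix above (here and in post 14) points at the DhcpNameServer value under Tcpip\Parameters, which is where a DNS-changer style redirect lives: every lookup goes to the attacker's resolvers instead of the ISP's. The following script is an added example, not something from the thread or from OTL; it audits the NameServer and DhcpNameServer values on the global key and on every interface and flags anything outside an allowlist. The allowlist address is a constructed placeholder; the two flagged addresses are the ones the thread identifies.

```powershell
# Added example: audit the DNS resolvers Windows is configured to use.
# Assumption: $Expected holds your own router/ISP resolvers (placeholder value below).
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Expected    = @('192.168.1.1')                        # constructed placeholder
$KnownRogue  = @('213.109.68.117', '213.109.75.211')   # from the thread's O17 line

function Get-DnsServerEntries {
    # Global Parameters key plus one subkey per network interface.
    $keys = @(Get-Item -Path $TcpipParams) + @(Get-ChildItem -Path "$TcpipParams\Interfaces")
    foreach ($key in $keys) {
        # NameServer = statically configured; DhcpNameServer = handed out by DHCP (the router).
        foreach ($valueName in 'NameServer', 'DhcpNameServer') {
            $props = Get-ItemProperty -Path $key.PSPath -Name $valueName -ErrorAction SilentlyContinue
            $raw   = if ($props) { $props.$valueName } else { $null }
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # The value is a space- or comma-separated list of addresses.
            foreach ($ip in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                [pscustomobject]@{ Key = $key.PSChildName; Value = $valueName; Server = $ip }
            }
        }
    }
}

function Get-DnsVerdict([string]$Server) {
    if     ($KnownRogue -contains $Server) { 'KNOWN ROGUE - matches the O17 entry in the fix' }
    elseif ($Expected   -contains $Server) { 'expected' }
    else                                   { 'unexpected - confirm with your ISP before trusting it' }
}

Get-DnsServerEntries | ForEach-Object {
    '{0,-40} {1,-15} {2,-16} {3}' -f $_.Key, $_.Value, $_.Server, (Get-DnsVerdict $_.Server)
}
```

If a rogue address appears under DhcpNameServer rather than NameServer, it is being reissued by DHCP on every renew, which is why the thread moves on from cleaning the PC to resetting the router.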
     
Topic Status:
Not open for further replies.
