Solved Websites getting redirected [Bootkit]

Status
Not open for further replies.
No change to redirect...files attached...
 

Attachments

  • 07032010_230945.log
    3.7 KB · Views: 1
  • OTL.Txt
    192.8 KB · Views: 2
At the beginning, you said, that you reinstalled Windows to get rid of the very same problem.
Was it clean install?
Are there any other computers connected to the very same router?
Is file sharing enabled?
 
It was a clean install after completely formatting.
Yes, there is one more computer on the same router but that one is not getting any problems.
File sharing is not enabled between the computers.
 
Did the redirection started right after fresh installation?

I'd like you to install Firefox and see, if same redirection happens.
 
Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log (mbr.log) file to your next reply.
 
Every time I try to attach the file google home page pops up instead..So I've pasted the text here...

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
 
It looks fine....

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive2
MD5: 023fb285bf9850ccc10287a3a8db3603
\\.\E: -> \\.\PhysicalDrive0
\\.\F: -> \\.\PhysicalDrive0
\\.\G: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
465 GB \\.\PhysicalDrive2 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
 
Aha....we have MBR rootkit.

Open Notepad
Copy and paste following text into Notepad:
Code: 
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.
 
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0
\\.\E: -> \\.\PhysicalDrive0
\\.\F: -> \\.\PhysicalDrive0
\\.\G: -> \\.\PhysicalDrive2
MD5: 023fb285bf9850ccc10287a3a8db3603

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
465 GB \\.\PhysicalDrive2 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
 
Open Notepad
Copy and paste following text into Notepad:
Code: 
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.
 
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0
\\.\E: -> \\.\PhysicalDrive0
\\.\F: -> \\.\PhysicalDrive0
\\.\G: -> \\.\PhysicalDrive2
MD5: 023fb285bf9850ccc10287a3a8db3603

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
465 GB \\.\PhysicalDrive2 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
 
Open Notepad
Copy and paste following text into Notepad:
Code: 
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive2
EXIT
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.
 
Here's the log:

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0
\\.\E: -> \\.\PhysicalDrive0
\\.\F: -> \\.\PhysicalDrive0
\\.\G: -> \\.\PhysicalDrive2
MD5: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
465 GB \\.\PhysicalDrive2 OK (DOS/Win32 Boot code found)


Press any key to quit...
 
Yes, I did a restart. Well, I'll start opening webpages that I use often then notice an extra page has opened. I click on it and it's te Google home page. I removed the Google toolbar thinking that might be the cause but it didn't have any effect. It doesn't do it all the time, just seems to be when it feels like it.
 
We may need to re-run some scans, but hopefully, we removed the main culprit, which got me puzzled for a good while.
Before we go to scans, which browser are we talking about here?
 
Normally, that MBR infection gives some indication in some scan, we ran, but in your case, there was nothing. On a top of it, you're just right after fresh install. I just learned another lesson, thanks to your problem :)

Close Firefox. Go Start>All Programs>Mozilla Firefox, click on Mozilla Firefox (safe mode). Same thing?
 
Status
Not open for further replies.

Similar threads

M
Windows update issues - Server 2012 & 2016 (mainly 2016)
Replies
1
Views
1K
msmeal
M
Julio Franco
Here's how you can get hired at your dream tech company
Replies
3
Views
148
erickmendes
erickmendes
Cal Jeffrey
Be warned: iPhone 15 users report BMW's wireless phone charger kills its NFC chip
Replies
20
Views
652
Watzupken
W

Latest posts

Back