Resolved Websites redirecting to junk sites

[danilykewoah]

I recently removed a pretty bad virus from my laptop and I know that I got the worst parts of it, but there's something left because my websites keep redirecting to junk sites. Help???

I've already run Avast, Malware Bytes & Spybot Search and Destroy. They are now running cleanly.

I'm attaching my hijackthis log.
Thanks!

 

[Bobbye]

Dan, obviously there is something on the system or you wouldn't be getting redirected. So let's get some more information: There is nothing apparent in the HJT log, which us why we don't use that program to 'screen' for malware. Can you tell me please if you are also getting multiple IE pop-ups and what they have in the and if you are hearing any audio in the background that you didn't request.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Instead of attaching the logs to your next reply, please paste them in instead. It cuts down our search time a lot. If you can't fit an entire log in one reply, please split the log.

 

[danilykewoah]

dds.txt

dds.txt is too long to copy/paste, so I'm attaching it.

TFC won't run. It freezes my computer and I end up needing to reboot.

I'm running GMER now.

Malware Bytes runs cleanly - the log just says that nothing malicious was found for everything.

 

[danilykewoah]

gmer

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-02 18:00:30
Windows 6.0.6001 Service Pack 1
Running: n1p36q3d.exe; Driver: C:\Users\na\AppData\Local\Temp\pgrdqpoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x904FDB9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x904FD9C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x904FDAFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 821B1AD2 7 Bytes JMP 904FDAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82221A2A 5 Bytes JMP 904F95B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 8228A3D7 5 Bytes JMP 904FAF6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 8228B1D7 7 Bytes JMP 904FD9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822D62BA 7 Bytes JMP 904FDBA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A34D480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A38E900, 0x3CA, 0x48000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 0027000A
.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 76F592A8 5 Bytes JMP 0028000A
.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!KiUserExceptionDispatcher 76F599E8 5 Bytes JMP 0026000A
.text C:\Windows\system32\svchost.exe[1200] ole32.dll!CoCreateInstance 75BCE188 5 Bytes JMP 0089000A
.text C:\Windows\system32\svchost.exe[1200] USER32.dll!GetCursorPos 76B30F5E 5 Bytes JMP 0115000A
.text C:\Windows\Explorer.EXE[3656] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 0040000A
.text C:\Windows\Explorer.EXE[3656] ntdll.dll!NtWriteVirtualMemory 76F592A8 5 Bytes JMP 0041000A
.text C:\Windows\Explorer.EXE[3656] ntdll.dll!KiUserExceptionDispatcher 76F599E8 5 Bytes JMP 003F000A
.text C:\Windows\system32\wuauclt.exe[3768] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 0012000A
.text C:\Windows\system32\wuauclt.exe[3768] ntdll.dll!NtWriteVirtualMemory 76F592A8 5 Bytes JMP 0013000A
.text C:\Windows\system32\wuauclt.exe[3768] ntdll.dll!KiUserExceptionDispatcher 76F599E8 5 Bytes JMP 000C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5396] ntdll.dll!LdrLoadDll 76F27933 5 Bytes JMP 002B13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5396] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 008A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5396] ntdll.dll!NtWriteVirtualMemory 76F592A8 5 Bytes JMP 008B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5396] ntdll.dll!KiUserExceptionDispatcher 76F599E8 5 Bytes JMP 0089000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5968] USER32.dll!TrackPopupMenu 76B31417 5 Bytes JMP 620A721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[668] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00010002
IAT C:\Windows\system32\services.exe[668] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00010000
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [733588B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [733998A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7335B9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7334FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73357A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7334EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7338B17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7335BC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7335074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [733506B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [733471B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [733DD848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73377379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7334E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7334697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [733469A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73352465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

 

[Bobbye]

You have AVG and Avast on the system. I can't open the Attach.txt file. If you want me to help you, you will need to let me review the logs and check them for malware.

Please download ComboFix HERE and save to your desktop:

Please disable all security programs, such as antiviruses, antispywares, and firewalls.

• Double click on the setup file on the desktop to run
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
• When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
  
• Query- Recovery Console image
  
  
  
  
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
  
  
• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..


Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please paste the Combofix log on the next reply. If it's too long, split it into two replies.

 

[danilykewoah]

combofix gave me the blue screen of death, but I think I fixed it. I downloaded and ran hitman pro 3.5.6, cleared everything it said and I tested a few sites that were redirecting before. They're no longer redirecting, so I think I fixed it. Thanks for your help.

 

[Bobbye]

Sorry to hear you got HitmanPro.

But if you think the matter is resolved:
Removing all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
================================================

Is there a particular reason you don't recommend the Hitman program?

Yes, a few. Based on what I read and the cleaning programs I run. Others may think differetly. The publisher's description is:

Anti-spyware program combines up to six popular engines to maximize removal effectiveness.

Part is personal preference, wanting to maintain control over my system. Hitman is also different in the versions. One main objection is the use of multiple programs that are free on the internet. Depending on the program, it should prevent and/or remove. While the scans with Hitman are free, removal of the malware can only be done within the 30 trial.

Hitman Pro (version 1 and 2) automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet:

• 
  [*] Eset NOD32 antivirus system (trial, expires in 30 days)
  [*] Webroot Spy Sweeper (trial, expires in 7 days)
  [*] PC tools Spyware doctor (demo, will not clean anything)
  [*] Lavasoft AdAware SE (freeware)
  [*] Safer Networking Spybot - Search & Destroy (freeware)
  [*] TrendMicro CWShredder (freeware)
  [*] JavaCool Software SpywareBlaster (freeware)
  [*] McAfee VirusScan SuperDAT (virus signature definition updates, McAfee PrimeSupport license required for qualifying product)
  [*] Ewido Micro Scanner (freeware)(AVG)

The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability

Hitman Pro is using other people’s knowledge without their permission. NOD32 has granted permission to use their software. Software producer Lavasoft is in discussion with Mr. Loman over changes to the program before granting any official permission to implement their software and McAfee says they did not grant permission and claim no knowledge at all of the program with no further comment.[/quote]

Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a users computer, however it does offer a free 30-day trial.

The new version of Hitman Pro, version 3, uses:

• NOD32 Antivirus
• Avira AntiVir
• Prevx
• G DATA Anti-Virus
• a-squared Anti-Malware

Virus scanners are not installed on the local computer, but in the scan cloud on Internet
Unlimited free scanning and free 30-day version to remove detected malware

None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.

Most of the logs I see have multiple malware infections. Some, like the DNS Changer malware, will require a DNS flush and a router reset. If that isn't done, the resolution to the problem is only temporary.

 

[Bobbye]

Member says resolved.