TechSpot

Websites redirecting to junk sites

Resolved
By danilykewoah
Aug 1, 2010
Topic Status:
Not open for further replies.
  1. I recently removed a pretty bad virus from my laptop and I know that I got the worst parts of it, but there's something left because my websites keep redirecting to junk sites. Help???

    I've already run Avast, Malware Bytes & Spybot Search and Destroy. They are now running cleanly.

    I'm attaching my hijackthis log.
    Thanks!


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Dan, obviously there is something on the system or you wouldn't be getting redirected. So let's get some more information: There is nothing apparent in the HJT log, which is why we don't use that program to 'screen' for malware. Can you tell me please if you are also getting multiple IE pop-ups and what they have in them, and if you are hearing any audio in the background that you didn't request.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Instead of attaching the logs to your next reply, please paste them in instead. It cuts down our search time a lot. If you can't fit an entire log in one reply, please split the log.
  3. danilykewoah

    danilykewoah Newcomer, in training Topic Starter

    dds.txt

    dds.txt is too long to copy/paste, so I'm attaching it.

    TFC won't run. It freezes my computer and I end up needing to reboot.

    I'm running GMER now.

    Malware Bytes runs cleanly - the log just says that nothing malicious was found for everything.


  4. danilykewoah

    danilykewoah Newcomer, in training Topic Starter

    gmer

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-02 18:00:30
    Windows 6.0.6001 Service Pack 1
    Running: n1p36q3d.exe; Driver: C:\Users\na\AppData\Local\Temp\pgrdqpoc.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x904FDB9C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x904FD9C0]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x904FDAFA]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwLoadDriver 821B1AD2 7 Bytes JMP 904FDAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82221A2A 5 Bytes JMP 904F95B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObInsertObject 8228A3D7 5 Bytes JMP 904FAF6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!NtCreateSection 8228B1D7 7 Bytes JMP 904FD9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 822D62BA 7 Bytes JMP 904FDBA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A34D480, 0x3C939, 0xE8000020]
    .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A38E900, 0x3CA, 0x48000040]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 0027000A
    .text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 76F592A8 5 Bytes JMP 0028000A
    .text C:\Windows\system32\svchost.exe[1200] ntdll.dll!KiUserExceptionDispatcher 76F599E8 5 Bytes JMP 0026000A
    .text C:\Windows\system32\svchost.exe[1200] ole32.dll!CoCreateInstance 75BCE188 5 Bytes JMP 0089000A
    .text C:\Windows\system32\svchost.exe[1200] USER32.dll!GetCursorPos 76B30F5E 5 Bytes JMP 0115000A
    .text C:\Windows\Explorer.EXE[3656] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 0040000A
    .text C:\Windows\Explorer.EXE[3656] ntdll.dll!NtWriteVirtualMemory 76F592A8 5 Bytes JMP 0041000A
    .text C:\Windows\Explorer.EXE[3656] ntdll.dll!KiUserExceptionDispatcher 76F599E8 5 Bytes JMP 003F000A
    .text C:\Windows\system32\wuauclt.exe[3768] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 0012000A
    .text C:\Windows\system32\wuauclt.exe[3768] ntdll.dll!NtWriteVirtualMemory 76F592A8 5 Bytes JMP 0013000A
    .text C:\Windows\system32\wuauclt.exe[3768] ntdll.dll!KiUserExceptionDispatcher 76F599E8 5 Bytes JMP 000C000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5396] ntdll.dll!LdrLoadDll 76F27933 5 Bytes JMP 002B13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5396] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 008A000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5396] ntdll.dll!NtWriteVirtualMemory 76F592A8 5 Bytes JMP 008B000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5396] ntdll.dll!KiUserExceptionDispatcher 76F599E8 5 Bytes JMP 0089000A
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5968] USER32.dll!TrackPopupMenu 76B31417 5 Bytes JMP 620A721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\services.exe[668] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00010002
    IAT C:\Windows\system32\services.exe[668] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00010000
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [733588B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [733998A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7335B9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7334FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73357A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7334EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7338B17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7335BC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7335074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [733506B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [733471B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [733DD848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73377379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7334E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7334697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [733469A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73352465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----
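
A small triage script over the GMER output above, added here as an illustration; it is not part of the thread and is not GMER's own tooling. Reading the log by hand: the kernel-mode hooks are all attributed to aswSP.SYS (avast's self-protection driver), and the Firefox hooks land in firefox.exe and xul.dll, so GMER could name their owner. The hooks in svchost.exe, Explorer.EXE and wuauclt.exe on ntdll!NtProtectVirtualMemory, NtWriteVirtualMemory and KiUserExceptionDispatcher jump to low addresses with no module named, which is what an analyst would look at first. The script parses only the "User code sections" block, separates attributed from unattributed hooks, and reports an API that is hooked without attribution in several processes at once. The grouping rule is my heuristic: an unattributed hook is a lead, not a verdict, since sandboxing, accessibility and some security products inject code the same way. The embedded sample is a constructed subset of the posted log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of lines from the GMER log posted above, with
# the original process names, addresses and module attributions.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 821B1AD2 7 Bytes JMP 904FDAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A34D480, 0x3C939, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 0027000A
.text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 76F592A8 5 Bytes JMP 0028000A
.text C:\Windows\Explorer.EXE[3656] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 0040000A
.text C:\Windows\Explorer.EXE[3656] ntdll.dll!KiUserExceptionDispatcher 76F599E8 5 Bytes JMP 003F000A
.text C:\Windows\system32\wuauclt.exe[3768] ntdll.dll!NtProtectVirtualMemory 76F58968 5 Bytes JMP 0012000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5396] ntdll.dll!LdrLoadDll 76F27933 5 Bytes JMP 002B13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5968] USER32.dll!TrackPopupMenu 76B31417 5 Bytes JMP 620A721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# .text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<owner module> (<vendor>)]
USER_HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<target>\S+!\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) \d+ Bytes JMP (?P<jmp>[0-9A-Fa-f]+)(?: (?P<owner>.+))?$"
)

@dataclass(frozen=True)
class Hook:
    process: str          # image path of the process whose memory was patched
    pid: int
    target: str           # "module!function" that carries the inline JMP
    patched_at: int       # address of the patched bytes
    jmp_to: int           # where the JMP lands
    owner: Optional[str]  # module GMER attributed that address to, or None

    @property
    def image(self) -> str:
        return self.process.rsplit("\\", 1)[-1]

def parse_user_hooks(log: str) -> List[Hook]:
    """Collect inline hooks from the 'User code sections' part of a GMER log only."""
    hooks: List[Hook] = []
    in_user_section = False
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            in_user_section = m["name"].startswith("User code sections")
            continue
        m = USER_HOOK_RE.match(line) if in_user_section else None
        if m:
            hooks.append(Hook(m["proc"], int(m["pid"]), m["target"],
                              int(m["addr"], 16), int(m["jmp"], 16), m["owner"]))
    return hooks

def unattributed_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose JMP lands in memory GMER could not map to a loaded module."""
    return [h for h in hooks if h.owner is None]

def shared_unattributed_targets(hooks: List[Hook]) -> Dict[str, List[str]]:
    """The same API hooked without attribution in two or more processes:
    one injected component is a simpler explanation than several unrelated ones."""
    by_target: Dict[str, set] = defaultdict(set)
    for h in unattributed_hooks(hooks):
        by_target[h.target].add(h.image)
    return {t: sorted(p) for t, p in by_target.items() if len(p) >= 2}

def triage_report(log: str) -> List[str]:
    hooks = parse_user_hooks(log)
    lines = [f"unattributed hook: {h.image}[{h.pid}] {h.target} -> {h.jmp_to:08X}"
             for h in unattributed_hooks(hooks)]
    for target, images in shared_unattributed_targets(hooks).items():
        lines.append(f"same API hooked in {len(images)} processes: {target} ({', '.join(images)})")
    return lines

if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_LOG)))
```

Run against the full posted log the report lists nine unattributed hooks and names NtProtectVirtualMemory, NtWriteVirtualMemory and KiUserExceptionDispatcher as hooked the same way in three processes. That is where a helper would ask for a dump of the pages at those JMP targets; the log itself does not say what is there.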
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have AVG and Avast on the system. I can't open the Attach.txt file. If you want me to help you, you will need to let me review the logs and check them for malware.

    Please download ComboFix HERE and save to your desktop:

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.


    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the ActiveX control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please paste the Combofix log on the next reply. If it's too long, split it into two replies.
  6. danilykewoah

    danilykewoah Newcomer, in training Topic Starter

    ComboFix gave me the blue screen of death, but I think I fixed it. I downloaded and ran HitmanPro 3.5.6, cleared everything it said, and I tested a few sites that were redirecting before. They're no longer redirecting, so I think I fixed it. Thanks for your help.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry to hear you got HitmanPro.

    But if you think the matter is resolved:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ================================================
    Yes, a few. Based on what I read and the cleaning programs I run. Others may think differently. Part is personal preference, wanting to maintain control over my system. Hitman is also different in the versions. One main objection is the use of multiple programs that are free on the internet. Depending on the program, it should prevent and/or remove. While the scans with Hitman are free, removal of the malware can only be done within the 30-day trial.

    The publisher's description is:

        Hitman Pro (version 1 and 2) automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet:
        The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability.

        Hitman Pro is using other people's knowledge without their permission. NOD32 has granted permission to use their software. Software producer Lavasoft is in discussion with Mr. Loman over changes to the program before granting any official permission to implement their software and McAfee says they did not grant permission and claim no knowledge at all of the program with no further comment.

        Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a user's computer, however it does offer a free 30-day trial.

        The new version of Hitman Pro, version 3, uses:

    None of these programs, alone or together, have the power of a program like ComboFix, or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.

    Most of the logs I see have multiple malware infections. Some, like the DNS Changer malware, will require a DNS flush and a router reset. If that isn't done, the resolution to the problem is only temporary.
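
An added example for the DNS Changer point above; it is not part of the thread and not a tool anyone in it used. A DNS changer survives a malware clean-up by leaving behind settings rather than files: static resolver addresses on the adapter (on Vista these live under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer), a rewritten hosts file, or a changed upstream DNS on the router, which the host then receives via DHCP. The script below parses pasted `ipconfig /all` output and a hosts file and classifies each resolver as the router, a LAN address, one from an allowlist you maintain, or unexpected; hosts entries that send a name anywhere other than loopback or 0.0.0.0 are flagged. TRUSTED_RESOLVERS, the adapter output and the hosts lines are all constructed for the example, with documentation-range addresses (198.51.100.x, 203.0.113.x) standing in for real ones. The caveat the classification encodes: when the only resolver is the router itself, the host looks clean even if the router's upstream DNS was changed, so the router has to be checked (or reset) separately.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Assumed allowlist of resolvers you configured on purpose (ISP or public ones).
# 203.0.113.53 is a documentation-range placeholder standing in for a real one.
TRUSTED_RESOLVERS: Set[str] = {"203.0.113.53"}

# Addresses that may legitimately answer DNS on a home LAN without further thought:
# RFC 1918, link-local, ULA / deprecated site-local, loopback. Anything else needs a reason.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fe80::/10", "fc00::/7", "fec0::/10", "127.0.0.0/8", "::1/128")]

@dataclass
class Adapter:
    name: str
    gateways: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)

ADAPTER_RE = re.compile(r"^(?P<name>\S.*adapter .+):$")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*: ?(?P<val>.*)$")
CONT_RE = re.compile(r"^\s{20,}(?P<val>\S+)\s*$")  # extra value on its own line

def parse_ipconfig(text: str) -> List[Adapter]:
    """Pull gateway and DNS server lists per adapter out of pasted 'ipconfig /all' output."""
    adapters: List[Adapter] = []
    current, last_key = None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = Adapter(m["name"])
            adapters.append(current)
            last_key = None
            continue
        if current is None:
            continue
        m = CONT_RE.match(line)
        if m:
            val = m["val"]                      # continuation of the previous field
        else:
            m = FIELD_RE.match(line)
            if not m:
                last_key = None
                continue
            last_key, val = m["key"].strip(), m["val"].strip()
        if val and last_key == "DNS Servers":
            current.dns_servers.append(val)
        elif val and last_key == "Default Gateway":
            current.gateways.append(val)
    return adapters

def classify_resolver(server: str, adapter: Adapter, trusted: Set[str]) -> str:
    ip = ipaddress.ip_address(server.split("%", 1)[0])  # drop an IPv6 zone id
    if str(ip) in adapter.gateways:
        return "router"      # host looks clean; the router's own upstream DNS must be checked
    if str(ip) in trusted:
        return "trusted"
    if any(ip in net for net in LAN_NETWORKS if net.version == ip.version):
        return "lan"
    return "unexpected"      # a public resolver nobody on this LAN chose

def audit_resolvers(adapters: List[Adapter], trusted: Set[str]) -> List[Tuple[str, str, str]]:
    return [(a.name, s, classify_resolver(s, a, trusted)) for a in adapters for s in a.dns_servers]

def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Hosts entries that send a name somewhere other than loopback or 0.0.0.0."""
    flagged: List[Tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target, *names = line.split()
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:  # localhost and ad-block style sinkholes
            continue
        flagged.extend((name, target) for name in names)
    return flagged

# Constructed sample output; the 198.51.100.x resolvers play the role of
# addresses a DNS changer pushed onto the wireless adapter.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.23
                                       198.51.100.24

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""

SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net     # ad-blocking style entry, left alone
198.51.100.77   www.google.com      # constructed: a well-known name sent elsewhere
"""

if __name__ == "__main__":
    for name, server, verdict in audit_resolvers(parse_ipconfig(SAMPLE_IPCONFIG), TRUSTED_RESOLVERS):
        print(f"{verdict:10} {server:16} {name}")
    for host, target in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file sends {host} to {target}")
```

After correcting whatever the script flags (and the router's DNS page, if the host's only resolver is the router), `ipconfig /flushdns` empties the resolver cache so stale answers from the bad servers are not reused, and a second run of the script should show only "router", "lan" or "trusted".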
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Member says resolved.