Solved Websites getting redirected [Bootkit]

Status
Not open for further replies.

verity25

I have been getting this problem for some time and have reinstalled Windows to try to fix it but it's still happening. I chanced upon your site so I'm hoping you fix the problem for me as it's driving me nuts. I followed the 8 step process and have attached the doc files as requested. I would appreciate your help...
 

Attachments

  • Attach.txt
  • DDS.txt
  • gmer.log
  • mbam-log-2010-06-25 (21-47-46).txt
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I don't really see much there.

Which browser is getting redirected?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Hi,
I am using IE8, I did want to use Firefox but don't want to install it until this is fixed. Also, when opening a new website Google opens automatically in a separate window for some reason. Anyhow, the logs are attached.
 

Attachments

  • OTL.Txt
  • Extras.Txt
Note: If you have a previous version of TDSSKiller downloaded please delete it now and download a fresh copy using the links provided below

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
 
Here's the text file...
 

Attachments

  • TDSSKiller.2.3.2.2_01.07.2010_21.34.59_log.txt
So far, I see nothing dangerous...

Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Turn off the computer. Disconnect the router and modem from the power source for 1 minute. At the same time disconnect the ethernet cable as well.
Reconnect everything.
Restart computer.

Check for redirection.
 
Did everything as stated, and although it appears to have stopped Google from loading randomly I am still getting redirected. Most sites are pretty good, but certain ones are still redirecting. The main one that I can see at the moment giving problems is the Rocketdock website, can't get into it at all.
 
Please, bypass the router and connect your computer straight to the modem.
See, if redirection still happens.
 
I don't have a modem, just a router. I am still getting Google opening randomly when opening websites. I have blocked each website when I get redirected to it so it doesn't come up again, but I am still redirected to other sites, and some sites won't load at all.
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.68.117 213.109.75.211
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Here's the OTL logfile. Had to zip it as it was too big to upload.
 

Attachments

  • OTL.zip
If you want to attach any file, it's fine, but please, don't zip them.
I still need Extras.txt
 

Attachments

  • OTL1.txt
  • OTL2.Txt
Still happening...here are the logs..
 

Attachments

  • OTL_1.txt
  • OTL_2.txt
Turn the computer off.
Disconnect power and ethernet cable from your router.
Your router should have a small reset pinhole, which you can push with a pencil tip.
Reset the router and restart everything.
Check for redirections.
 
Followed your instructions, and nothing has changed. Same thing happening and Google home page still loading randomly for some reason.
 
Let's repeat some steps...
Please pay attention to the order in which those steps have to be taken.
You may want to write them down, because we'll disconnect your computer from the internet for a moment.

1. Disconnect ethernet cable from your computer (while computer on).

2. Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


3. Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.68.117 213.109.75.211
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
NOTE: Since you're not connected to the internet at the moment, simply keep those two logs and post them back when you reconnect your computer.

4. Turn the computer off.

5. Reset the router, using the reset pinhole. Keep cables connected. Keep pushing the reset pinhole until the router's lights go off for a brief moment.

6. Reconnect the computer's ethernet cable and restart the computer.

7. Check for redirection and post both OTL logs.
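The O17 entry removed by the OTL fix above (and in the earlier post that first asked for it) is a DNS-server setting pushed into the Tcpip\Parameters registry key; the script below is an added example, not part of this thread or of OTL, that scans an OTL log for O17 lines and flags resolvers that are neither private LAN addresses nor on an allowlist you supply. The sample log lines are constructed, the per-interface key form and the `{CONSTRUCTED-GUID}` are assumptions, and TRUSTED_RESOLVERS is a placeholder for your own router and ISP resolvers.

```python
import ipaddress
import re

# Constructed sample OTL log. The first line is the entry the fix in this thread
# removes; the interface-key line is an assumed example of the per-adapter form.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.68.117 213.109.75.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CONSTRUCTED-GUID}: DhcpNameServer = 192.168.1.1
"""

# Resolvers you expect on this network (assumption: fill in your router's LAN
# address and your ISP's published resolvers). Private and loopback addresses
# are accepted without being listed, since a home router normally hands out its own.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# "O17 - <registry key>: <value name> = <space-separated servers>"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<name>\w+) = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (key, value_name, [servers]) for every O17 line in an OTL log."""
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if match:
            servers = match.group("servers").replace(",", " ").split()
            yield match.group("key"), match.group("name"), servers


def flag_rogue_resolvers(log_text, trusted=TRUSTED_RESOLVERS):
    """Return (key, value_name, server, reason) for each resolver that is not
    trusted and not on a private or loopback network."""
    findings = []
    for key, name, servers in parse_o17(log_text):
        for server in servers:
            if server in trusted:
                continue
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((key, name, server, "not an IP address"))
                continue
            if addr.is_private or addr.is_loopback:
                continue  # router or local stub resolver: expected on a home LAN
            findings.append((key, name, server, "public resolver not in trusted set"))
    return findings


if __name__ == "__main__":
    for key, name, server, reason in flag_rogue_resolvers(SAMPLE_LOG):
        print(f"{name} under {key}: {server} ({reason})")
```

A flagged DhcpNameServer value points at whatever issued the DHCP lease, so a hit here is also the reason the thread moves on to resetting the router rather than only cleaning the PC.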
 