Random popups and browser hijacks. 8-step files attached

Carlinator

I am running Windows 7 64-bit. For the past several weeks, since upgrading from Vista due to issues that I realize now I probably should have fixed first, my computer has been acting strangely. While browsing in Firefox with adblock on, I will occasionally be redirected to a random page. Before adblock, it would redirect me to various ads, not only on the newly requested page, but all pages I had viewed in that tab since opening; i.e. after page 10 of a thread did the redirect, hitting back multiple times to go to page 5 would end up redirecting as well. Since I put adblock on, these redirects occur as follows: The page I want will just begin to load, then go blank. The URL at the bottom of the screen flashes to pixel.quantserve.com, then to google-analytics.com, at which point that tab will hang. Also, if I leave the browser open for a while, it occasionally opens a new window which redirects to the Google homepage, rarely to Yahoo as well. Removing/reinstalling FF and clearing temp files has had no effect.

The following may compound the problem somewhat: my mom's computer, an XP Media Center box on the same home wireless network, has the exact same problem. It started happening just before I upgraded my OS, though I didn't find out until about a week later. On hers, the original problem was that she could not connect to any web page at all, but I dug through her settings and disabled proxies (why they were on, I couldn't say) and now her browser's behavior is identical to mine.

Most sites are fine, but anti-malware sites in particular seem to be targeted for inaccessibility. I had to find alternate links to get Spybot onto our computers.

I am currently running AVG Antivirus, Spybot and Microsoft Security Essentials. Full scans have not found anything which has helped in the least.

8-step files are attached. Any help would be GREATLY appreciated. :)
 

Attachments: mbam-log-2010-07-14 (00-06-20).txt, DDS.txt, Attach.txt
I am currently running AVG Antivirus, [...] and Microsoft Security Essentials
You can't run two AV programs. Please, uninstall one of them.
If AVG, make sure to use AVG Remover: http://www.avg.com/us-en/download-tools

=================================================================

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Got AVG removed.

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: bb4f1627d8b9beda49ac0d010229f3ff
\\.\D: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Press any key to quit...
 
Very good :)
How are the issues?


Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Still having the issues, unfortunately. :(

Text files from OTL attached.
 

Attachments: Extras.Txt, OTL.Txt
When I go to certain sites, i.e. forums.somethingawful.com, the page will begin to load, then I will get redirected to random ad sites. I also get them popping up in new windows in the background. I have adblock plus running, it doesn't affect the new windows. The redirects happening on my pages, it no longer loads the ads, but it just hangs while trying to load google analytics or whatever. It was happening before occasionally on links to photobucket, youtube, etc.; somethingawful is the first page I regularly visit that's been affected.
 
What browser is getting redirected?

Let's check something else before I check your OTL logs...

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
Browser is Firefox v. 3.6.6

MBRCheck, version 1.1.0
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected

Done! Press ENTER to exit...
 
Browser is Firefox v. 3.6.6
Can you check if you have redirection in Internet Explorer, please?

Oh, btw, did you restart the computer after running Bootkit Remover?
If you didn't, please do so and check for redirection again.
 
I've restarted, redirects still happening. Internet Explorer does not suffer from the problem; I'm hesitant to use it, though, with its notorious security issues.
 
I understand.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

==================================================================

Download Kenco.exe to your desktop
  • Close all windows and run the program.
  • It won't take long to run.
  • Kenco will reboot the system if it finds anything.
  • Post the log it gives you ( it will be saved in the same place as Kenco.exe).
 
All clean...
Check one more thing for me.

Close Firefox. Go Start>All Programs>Mozilla Firefox, click on Mozilla Firefox (safe mode). Same redirection?
 
I suspect what may be the problem. Let's see if we can fix it.

Also, I suggest you uninstall Registry Booster. Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.68.117 213.109.75.211 1.1.1.1
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O33 - MountPoints2\{2c55f6b2-7a5b-11df-b1ac-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{2c55f6b2-7a5b-11df-b1ac-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Setup.exe -- File not found
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Setup.exe -- [2009/10/08 23:09:09 | 000,266,752 | R--- | M] (XFX)
    [2010/06/21 15:50:03 | 000,013,048 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll.install_backup
    [2010/06/18 00:39:05 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\avg
    [2010/06/18 00:35:33 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
    [2010/06/18 00:35:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG

    :Services

    :Reg

    :Files

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
I can see. Most likely, this is your issue:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.68.117 213.109.75.211 1.1.1.1

Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Turn off the computer. Disconnect the router and modem from the power source for 1 minute. At the same time disconnect the ethernet cable as well.
Reconnect everything.
Restart computer.

Check for redirection and post fresh OTL "Quick Scan" log.
 
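The O17 line above is OTL's view of the DhcpNameServer value in the registry. As an added example, not something posted in this thread, here is a PowerShell check that reads the same value (plus the per-adapter copies) and flags any DNS server that is not in an allowlist. The allowlist address is an assumption; replace it with your own router's LAN address or your ISP's resolvers.

```powershell
# Added example, not part of the thread. Lists the DNS servers Windows has
# recorded (global and per-interface) and flags any outside the allowlist.
# Run from an elevated PowerShell prompt.
# ASSUMPTION: the home router hands out itself as the only resolver.
$Allowed = @('192.168.1.1')

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$findings = @()

# The global key (what OTL reports as O17) plus each Interfaces\<GUID> subkey.
$keys = @(Get-Item $base) + @(Get-ChildItem "$base\Interfaces")

foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key.PSPath
    # DhcpNameServer is what DHCP assigned; NameServer is a static override.
    foreach ($name in 'DhcpNameServer', 'NameServer') {
        $value = $props.$name
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        # The value is a space- or comma-separated list of IPv4 addresses.
        foreach ($server in ($value -split '[ ,]+')) {
            if ($server -and ($Allowed -notcontains $server)) {
                $findings += [pscustomobject]@{
                    Key     = $key.PSChildName
                    Setting = $name
                    Server  = $server
                }
            }
        }
    }
}

if ($findings) {
    Write-Warning 'DNS servers outside the allowlist (possible DNS hijack):'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'All configured DNS servers are in the allowlist.'
}
```

If the router forwards DNS itself, every adapter will only ever show the router's address and this check passes; in that case the rogue resolvers live in the router's own WAN/DNS settings, which is why the thread ends with a router reset.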
O17 entry is still there.
We'll have to hard reset your router.
Turn the computer off.
On your router, you should find a small pinhole, marked "Reset".
Using a pencil, or a paperclip, keep pushing that hole until all lights flash on and off briefly.
Restart computer, check for redirection and post fresh OTL log.
 
Well, that seems to have done it. Was it a piece of malware in the router itself?
 

Attachments: OTL.Txt
Great news :)
It was, most likely, what we call a DNS hijacker.

Let's run one more scan to make sure you're totally clean.

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 