search engine url redirect part 1

Hello,

Each time I perform a search on either yahoo or google I get the normal results, but when I click on the url it redirects me to strange websites.

I have run the avast scan, reset IE, used another browser and used utilities such as tdsskiller, combofix, malwarebytes, gooredfix, etc., but with no luck. Below is the OTS scan I ran. Any help would be greatly appreciated…thank you! I will include the rest of the OTS in part 2.

Here is the second part of my OTS scan…thanks again.

Hi, I see you have run combofix - could you post the log please (C:\Combofix.txt)?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Processes - Safe List]
YN -> rpcld.exe -> 
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files - No Company Name]
NY ->  ~40230648 -> C:\ProgramData\~40230648
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Custom Items]
:files
ipconfig /flushdns /c
:end 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Unfortunately I cannot attach the txt file b/c it is over 192KB. I have split the txt file into 2 and attached them to my previous 2 postings. I will run the fix today.

If too big, you can upload to http://www.mediafire.com/ and post the download link here.

Here is the log after running the fix…

Here is the mediafire link to my original OTS log that was over 192KB.

http://www.mediafire.com/?ud7rdr237v7e7i0

Have the redirects disappeared or are they still evident ?

Still evident…I get an avast message stating “Malicious url blocked” and it references the process C:\Program Files (x86)\Internet Explorer\iexplorer.exe. I’ve also tried installing another browser, but I get the same thing.

OK, there is probably a driver that I cannot see.

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it.
Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combofix log in your next reply, as well as a description of how your computer is running now.

Here is the aswMBR log…

Here is the combofix log…still redirecting.

I see it

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Here is the report from the tdsskiller scan…

Unfortunately, it is still redirecting ???

OK that sailed right past it

Create a Windows 7 System Repair Disc

Note: the below can only be done if your machine has a type of CD/R or DVD/R optical drive installed. Also, depending on the exact type of OEM your machine has, you may be unable to actually create a SRD.

[*]Click on Start(Windows 7 Orb) >> Run…(or the Windows key and R together) to bring up the Run box, then copy/paste the following command into the box and click on OK:

recdisc.exe
[*]Allow the UAC (User Account Control) prompt via selecting Yes.
[*]You should now see a menu like the below:-

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/WTSRD1.gif

[*]Put a blank rewritable CD/DVD in your optical(CD/DVD) drive and then click on Create disc.
[*]Note: If an AutoPlay window pops up, just close it.
[*]When the SRD has been created you will see the below:-

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/WTSRD2.gif

[*]Now click on Close >> OK. Leave the disc in the drive as we will be using it shortly.
[*]You now have a Windows 7 System Repair Disc.


NOW REBOOT WITH THE DISC

When you reboot you will see this, although yours will say Windows 7. Click Repair my computer.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

Bootrec.exe /FixMbr

[*]Once finished, type Exit

Reboot to normal Windows and run aswMBR again, please.
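Added example, not from this thread or from any of the tools it names: a PowerShell script that does the kind of MBR check the helper asks for with aswMBR. It reads sector 0 of PhysicalDrive0 from an elevated session, verifies the boot signature, lists the partition table and compares a SHA256 of the boot code with a baseline recorded earlier on the same machine while it was known clean; the baseline file path and the parameter names are assumptions.

```powershell
param(
    [string]$Drive = '\\.\PhysicalDrive0',
    [string]$BaselineFile = "$env:USERPROFILE\mbr-baseline.sha256"  # assumed path
)

function Get-MbrBytes {
    param([string]$DevicePath)
    # Raw device access requires an elevated session; ReadWrite share because the OS holds the disk open
    $fs = New-Object System.IO.FileStream -ArgumentList @(
        $DevicePath, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
        if ($read -ne 512) { throw "short read ($read bytes) from $DevicePath" }
        return $buf
    } finally { $fs.Dispose() }
}

$mbr = Get-MbrBytes -DevicePath $Drive

# Classic MBR layout: 0..445 boot code, 446..509 four 16-byte partition
# entries, 510..511 the 0x55 0xAA boot signature.
if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) {
    Write-Warning 'Boot signature missing: sector 0 is not a standard MBR'
}

$bootCode = New-Object byte[] 446
[Array]::Copy($mbr, 0, $bootCode, 0, 446)
$sha  = [System.Security.Cryptography.SHA256]::Create()
$hash = ($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Output "Boot code SHA256: $hash"

# Partition table: a bootkit that hijacks the boot path may also alter these entries.
for ($i = 0; $i -lt 4; $i++) {
    $e = 446 + 16 * $i
    if ($mbr[$e + 4] -eq 0) { continue }   # type byte 0 means an empty entry
    Write-Output ('Partition {0}: active=0x{1:X2} type=0x{2:X2} startLBA={3} sectors={4}' -f
        ($i + 1), $mbr[$e], $mbr[$e + 4],
        [BitConverter]::ToUInt32($mbr, $e + 8), [BitConverter]::ToUInt32($mbr, $e + 12))
}

# A mismatch means the boot code changed since the baseline, not by itself that it is malicious.
if (Test-Path $BaselineFile) {
    $baseline = (Get-Content $BaselineFile -Raw).Trim()
    if ($baseline -eq $hash) { Write-Output 'Boot code matches baseline' }
    else { Write-Warning 'Boot code differs from baseline: MBR boot code has been modified' }
} else {
    Set-Content -Path $BaselineFile -Value $hash
    Write-Output "No baseline found; recorded current hash to $BaselineFile"
}
```

A legitimate repair such as Bootrec /FixMbr also rewrites the boot code, so the baseline must be re-recorded after any intended change.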

Created the disc and ran the command, but each time I reboot the machine it goes through a startup repair wizard, does not detect anything, and reboots again. I can’t get it past the startup repair wizard. Tried safe mode and last known good configuration, but it won’t boot to Windows.

I have a pretty recent backup of my data, should I just go ahead and rebuild the machine?

That is an option

But could you confirm that you went to the command prompt and fixed the MBR there?

Confirmed.

I wonder if that is the latest version of the bootkit - I have not yet seen one, but from the reports it is a pig to kill.

A rebuild would be in order, I feel.