lpr

Browser Redirect


Are there any known solutions to detect what is causing a browser redirect problem? a-squared deep scan shows nothing.


Hi lpr, and welcome to the forum

=======

Read the following instructions

START HERE, if you don't we are just going to send you back to this thread <--click

Prepare and post (attach) the required log files into this thread

Wait for reply from ShadowPuterDude, Katana, or JeanInMontana

for assistance and further instructions.

=======

Translation Links for Forum Instructions

My regards

P.S. Even if the Deep Scan currently doesn't show anything, please update a-squared; rescan; and attach the report


~WHOLE QUOTATION REMOVED {Lynx}

Pursuant to your instructions, please find attached hereto the requested files.

It may also be noteworthy and useful to your analyses to know of the following characteristics:

1. While IE8 is the default browser, it does not show up as an installed program on the control panel list of installed software;

2. Outlook 2007 starts continually with the message that it is restoring files because of improper termination when in fact it was shut down in normal fashion.

Best regards,

lpr

One additional attachment is below that didn't appear to attach to my last email.

lpr,

The attachment didn't show up since you used whole quotation again despite the warning given, and in addition you edited the quote incorrectly, so the "Attachment" tag got inside the quote.

Most importantly - you should not run Win32Diags since your a-squared report does not meet the conditions described in the instruction.

If you encounter lines in your a-squared log that are similar to the below:

[908] \\?\globalroot\Device\__max++>\7DE87252.x86.dll detected: Gen.Trojan!IK

... etc.

Moreover, your report does not show any detections.

Provide required log files by ISeeYouXP and HiJackFree


Sorry for the "full quotation" replies. I was unfamiliar with what was meant by "full quotation", but I believe I now understand.

I agree with you. a-squared is not detecting the browser redirect that I'm experiencing.

Attached is the ISeeYouXP log, as requested.

Also, please find the web address of the online analysis prepared by HiJackFree. I presume this linkage is what you meant by "attached required log files by ....HiJackFree". If there is a way to create a log file from HiJack Free, I'm not sure otherwise how to do it.

http://analyze.hijackfree.com/analyze/?id=0047a8b6-599d-46ff-a95d-266ef8b7f0dd

...If there is a way to create a log file from HiJack Free, I'm not sure otherwise how to do it...

Savelog.jpg (click on the image)

use the button highlighted near the printer icon at the left

ignore the one highlighted at the right (image was taken from another case)

My regards


Your logs show nothing to explain the redirects.

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Scans logs attached, as requested.

Before running ComboFix, it was discovered through a GMER log review that it appears the machine was/is infected with TDL3 rootkit. ComboFix also identified that a rootkit, perhaps the same, was operating.

I also noted that after the ComboFix run, the a-squared scan identified the TDSS rootkit sitting in the ComboFix quarantine, which I believe is related to the TDL3 rootkit found by ComboFix.

I quarantined the TDSS rootkit found by a-squared as you will see.

It appears the browser redirects are still happening in IE, but at least for now, not in FireFox. The redirects in IE are getting blocked by a-squaredGuard. Given that these blocks are happening, I presume the TDL3 or TDSS rootkits are still operative on my machine.

Please advise.


The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 6u17 available from Sun Microsystems.

-----------------------------------------------------------

Using Add or Remove Programs in the Control Panel; uninstall the following:

Java 6 Update 3

Java 6 Update 7

-----------------------------------------------------------

Now we need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KILLALL::

File::
c:\windows\Txuku.dat
c:\windows\Enaranuperamiya.bin
c:\windows\system32\exitwx.exe
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini

Folder::
c:\program files\sbqojr

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    th_CFScript.gif
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


As requested, please find attached hereto the following logs:

1. ComboFix.txt

2. ISeeYou

With respect to machine behavior characteristics, the following observations are made:

1. At first, both IE8 and FireFox appear to no longer be redirecting, although speed seems to be improving;

2. Both IE8 and FireFox start up very slowly (about 40 seconds for the first browser window to appear), although speed seems to be improving.

3. Browser tabs load slow (about 30 seconds with a "connecting" message appearing in the tab) before the new tab appears, although speed seems to be improving.

4. Application software (i.e. Word, Excel) seem to load slowly.

Otherwise, major improvement over what we were experiencing before.

Are we "out of the woods", so to speak?

All the best,

lpr


Additionally, the a-squared 'pop-up' message "connection attempt to suspicious host" is appearing frequently. I'm unsure if this is related or unrelated to the TDL3 issue we are addressing.

All the best,

lpr


Download -->> OTL <<-- to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.


As requested, please find the attached logs.

Does it look like we are "out of the woods", so to speak?

Best regards,

lpr


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Services
    
    :Reg
    
    :Files
    @C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new OTL log (don't check the boxes beside LOP Check or Purity this time)


Things are running quite well, by all appearances. Can you summarize what rootkit was found, and can it be confirmed that it's no longer operating?

All the best,

lpr


One thing I did notice that seems a bit strange is that some applications do not start after a double-click on the associated icon. A second attempt usually starts, but it's strange that it won't start on the first attempt. Any suggestions?

lpr


You did have the TDL3 RootKit present on the system. It appears to no longer be active and has been removed from the system.

The behavior you are describing may be a side effect of the removal process, or there may still be something on the system.

Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running.

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

Attach the report to your reply.


Please find attached hereto the requested report generated by RootRepeal. Any indications of residual problems from removal of the rootkit or the operation of other malware?

All the best,

lpr


Also, for what it is worth, I noticed in the Device Manager, under "Non-Plug and Play Devices", there is a SASKUTIL present with a yellow exclamation point.


Today, I noticed a few pop-up windows with advertisements. I cancelled them. It seems like something may still be lingering.

Attached is the last a-squared scan.


Hi lpr,

Since there are still problems and you are providing a-squared's report,

please attach the Deep Scan report (after updating).

My regards


There are no visible RootKits on the system. Your A2 log is clean. Pop ups in and of themselves are not necessarily malware related. When do you get the pop ups? When only visiting certain sites? Every time you open a webpage? When you are just using the computer, without the browser open?


Pursuant to your questions, please find the answers below.

When do you get the pop ups? They seemed to appear randomly.

When only visiting certain sites? Yes, but I did not note the site and terminated the browser and pop-up immediately upon observing the pop-up window.

Every time you open a webpage? No, only randomly and the pop-ups are not appearing today.

When you are just using the computer, without the browser open? Only with a browser open.


Pursuant to your questions, please find the answers below.

When do you get the pop ups? They seemed to appear randomly.

When only visiting certain sites? Yes, but I did not note the site and terminated the browser and pop-up immediately upon observing the pop-up window.

This may be the site you are visiting serving the pop-up.

We'll use a more advanced tool to take another look at the system.

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: AVZupdate.jpg
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply, along with a fresh HijackThis log


Please find attached the requested files/logs.

By the way, your help is very much appreciated and speaks volumes for the commitment Emsi Software has to customer service.

All the best,

lpr


  • Close all windows then double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program
    begin
    DeleteFile('C:\WINDOWS\system32\MsSip1.dll');
    DeleteFile('C:\WINDOWS\system32\MsSip2.dll');
    DeleteFile('C:\WINDOWS\system32\MsSip3.dll');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1','$DLL');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2','$DLL');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3','$DLL');
    RebootWindows(true);
    end.


  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


hi Kevin -

Ran the script, as requested. Ran without incident and the computer restarted. Things seem to be working just fine.

I'm curious what the script removed? Please advise.

All the best,

lpr


3 trojan files masquerading as Microsoft Trust Verification (WinTrust) and the related Registry keys for running the files at system start.

So, the browser redirects have stopped?
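As an added example (not from this thread, Emsisoft or any of the tools it names), a read-only PowerShell audit of the WinTrust SubjectPackages registrations the AVZ script above removed entries from: it lists where each $DLL value points and whether that file carries a valid Authenticode signature. The registry path comes from the AVZ script in this thread; the assumption is that legitimate subject-package DLLs on a given Windows version are signed Microsoft files, so missing or unsigned entries are the ones worth a closer look.

```powershell
# Added audit example, not code from the thread. Reports only; it changes nothing.
# Registry path taken from the AVZ script in this thread.
$SubjectPackages = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages'

function Get-SubjectPackageReport {
    param([string]$Path = $SubjectPackages)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No SubjectPackages key found at $Path"
        return
    }

    foreach ($key in Get-ChildItem -Path $Path) {
        $props = Get-ItemProperty -Path $key.PSPath
        $dll   = $props.'$DLL'            # the value name is literally "$DLL"
        if (-not $dll) { continue }

        # Values may carry %SystemRoot% or be a bare file name relative to System32.
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path ([Environment]::SystemDirectory) $dll
        }

        $status = 'Missing'
        $signer = ''
        if (Test-Path -LiteralPath $dll) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status           # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        New-Object PSObject -Property @{
            Key        = $key.PSChildName   # e.g. "MS Subjects 1"
            Dll        = $dll
            Status     = $status
            Signer     = $signer
            # Assumption: anything other than a validly signed file deserves review.
            Suspicious = ($status -ne 'Valid')
        }
    }
}

Get-SubjectPackageReport |
    Sort-Object Suspicious -Descending |
    Format-Table Key, Status, Suspicious, Dll, Signer -AutoSize
```

Run from an elevated prompt so the HKLM key is readable; a "Suspicious" row is a lead to examine, not proof of infection.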


Thanks for the info.

Browser redirects have stopped. The only unusual thing remaining is that on the online Wall Street Journal site, videos will not play. I've reinstalled Adobe Flash Player version 10 several times, but the videos do not play. WSJ helpline says it could be some kind of blocking software. Do you think a-squared is preventing the flash player from working?


A2 could be blocking the videos. You would have to clear the hosts portion of the Surf Protection module to find out if this is the case.


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude or Lynx to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
