Windows 7 SP1 Firefox and IE redirect from malware issue

Hi we have a Windows 7 machine that has malware causing issues with the browser redirect after showing legitimate google searches.

We have run Malwarebytes, Spybot, Kaspersky Total Secure, ComboFix, and OTL.exe¿

Any help would be great.

Thank you

Who is Participating?
Sudeep SharmaConnect With a Mentor Technical DesignerCommented:
The virus in the MBR is hard to remove if you have already booted the system. To remove the MBR virus you would need to re-create the MBR of the system. How to fix the MBR on Windows 7 could be found below. Please follow the steps and let us know of the result.

I hope that would help

networkadminAuthor Commented:
This only happens when I search from http search pages not

Check for a rootkit in your MBR.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

You checked out things with HijackThis also?
networkadminAuthor Commented:
Checked for rootkits and none were found with the above tool.  Also ran Hijack this.

Neil RussellTechnical Development LeadCommented:
Have you run IE in safe mode with no addons loaded? does it still redirect? Where does it redirect to?
It sounds like one of those wonderful IE addons that you get with some freeware software.
TDSSKiller is a good first step in troubleshooting redirects:

If you have run Malwarebytes, Spybot, Kaspersky Total Secure, ComboFix, and OTL.exe you should consider the possibility of an infected router.

There is a useful article about this issue here:

Please could you post the Mbam and Combofix logs for review.
networkadminAuthor Commented:
TDSSKiller didn't find anything.

Issue effects chrome, firefox, and IE 9.  

I will post Mbam and combofix logs shortly.

networkadminAuthor Commented:
Random popups are also appearing from IE 9 while no user activity is taking place.
networkadminAuthor Commented:
Malwarebytes results:

Malwarebytes' Anti-Malware

Database version: 7970

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/18/2011 1:23:53 AM
mbam-log-2011-10-18 (01-23-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 342031
Time elapsed: 38 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:az
(No malicious items detected)

HijackThis log would be useful too.
Sudeep SharmaTechnical DesignerCommented:

Please post the Combofix logs.

Further could you also try FixTDSS from Symantec:

I hope that would help

networkadminAuthor Commented:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:38:16 PM, on 10/18/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files (x86)\Citrix\GoToAssist Express Customer\309\g2ax_user_customer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F51E75-3DB1-432B-A7B7-BF7C25BB56B0}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\..\{62F51E75-3DB1-432B-A7B7-BF7C25BB56B0}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\..\{62F51E75-3DB1-432B-A7B7-BF7C25BB56B0}: NameServer =,
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll, C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky PURE (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
O23 - Service: CryptoStorage control service (CSObjectsSrv) - Infowatch - C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist Express Customer\309\g2ax_service.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LMIGuardianSvc - Unknown owner - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TightVNC Server (tvnserver) - GlavSoft LLC. - C:\Program Files (x86)\ShowMyPCService\tvnserver.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

End of file - 6510 bytes
networkadminAuthor Commented:
FixTDSS from Symantec found an infected MBR
networkadminAuthor Commented:
Used the dell partition to reinstall the os but now the system will not boot.  Will read the above steps but the start-up repair fails in windows 7.

Any help would be great.

networkadminAuthor Commented:
bootrec.exe /fixmbr did not work

Neither did bootsect /nt60 C:

Are you familiar at all with any linux distribution?  You could zero out the MBR but it's not for the faint of heart.  I had a feeling it was an MBR virus and now I have a new tool in my toolbox... thanks Sudeep!

If you are familiar with linux, running a dd command to zero out the first 446 bytes of the drive will blast out all mbr info from the drive.
I've googled a bit for a simpler way to zero out the MBR but I couldn't find one so I will do my best to explain.

I'm doing this from memory so I may have some names messed up.

These instructions are only if there is a single hard drive in this machine.  If there are others, unplug them.

Get an ubuntu LiveCD and boot up to it.  Go to applications -> accessories -> Terminal

In terminal type "sudo su" without the quotes.  If it asks for a password it should just be "ubuntu" without quotes.

run the command "dd if=/dev/zero of=/dev/sda bs=446 count=1" without quotes.

Run the "sync" command without quotes.

Shutdown, plug back in any drives you unplugged, repair MBR as normal or attempt to recover from Dell partition again.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.