Solved

Windows 7 SP1 Firefox and IE redirect from malware issue

Posted on 2011-10-17
Last Modified: 2012-05-12
Hi, we have a Windows 7 machine that has malware causing browser redirects after showing legitimate Google searches.

We have run Malwarebytes, Spybot, Kaspersky Total Secure, ComboFix, and OTL.exe.

Any help would be great.

Thank you

Question by:networkadmin
18 Comments

Author Comment

by:networkadmin
ID: 36984145
This only happens when I search from http search pages not https://www.google.com

LVL 10

Expert Comment

by:Purple_Tidder
ID: 36984169
Check for a rootkit in your MBR. http://public.avast.com/~gmerek/aswMBR.htm
LVL 10

Expert Comment

by:Purple_Tidder
ID: 36984175
You checked out things with HijackThis also?

Author Comment

by:networkadmin
ID: 36984263
Checked for rootkits and none were found with the above tool. Also ran HijackThis.

LVL 37

Expert Comment

by:Neil Russell
ID: 36984302
Have you run IE in safe mode with no add-ons loaded? Does it still redirect? Where does it redirect to?
It sounds like one of those wonderful IE addons that you get with some freeware software.
LVL 23

Expert Comment

by:phototropic
ID: 36984329
TDSSKiller is a good first step in troubleshooting redirects:

http://support.kaspersky.com/faq/?qid=208280684

If you have run Malwarebytes, Spybot, Kaspersky Total Secure, ComboFix, and OTL.exe you should consider the possibility of an infected router.

There is a useful article about this issue here:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_5327-Infected-router-Google-search-redirects-even-on-a-clean-system.html?sfQueryTermInfo=1+30+googl+redirect

Please could you post the Mbam and Combofix logs for review.

Author Comment

by:networkadmin
ID: 36984402
TDSSKiller didn't find anything.

Issue affects Chrome, Firefox, and IE 9.

I will post Mbam and combofix logs shortly.


Author Comment

by:networkadmin
ID: 36985593
Random popups are also appearing from IE 9 while no user activity is taking place.

Author Comment

by:networkadmin
ID: 36985677
Malwarebytes results:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7970

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/18/2011 1:23:53 AM
mbam-log-2011-10-18 (01-23-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 342031
Time elapsed: 38 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

LVL 10

Expert Comment

by:Purple_Tidder
ID: 36986985
HijackThis log would be useful too.
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36988743
@networkadmin

Please post the Combofix logs.

Further could you also try FixTDSS from Symantec:

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that would help

Sudeep

Author Comment

by:networkadmin
ID: 36989209
HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:38:16 PM, on 10/18/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files (x86)\Citrix\GoToAssist Express Customer\309\g2ax_user_customer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Administrator\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://encrypted.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{62F51E75-3DB1-432B-A7B7-BF7C25BB56B0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{62F51E75-3DB1-432B-A7B7-BF7C25BB56B0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{62F51E75-3DB1-432B-A7B7-BF7C25BB56B0}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll, C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky PURE (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
O23 - Service: CryptoStorage control service (CSObjectsSrv) - Infowatch - C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist Express Customer\309\g2ax_service.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LMIGuardianSvc - Unknown owner - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TightVNC Server (tvnserver) - GlavSoft LLC. - C:\Program Files (x86)\ShowMyPCService\tvnserver.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 6510 bytes

Author Comment

by:networkadmin
ID: 36989220
FixTDSS from Symantec found an infected MBR
LVL 30

Accepted Solution

by:Sudeep Sharma (earned 2000 total points)
ID: 36989541
The virus in the MBR is hard to remove if you have already booted the system. To remove the MBR virus you would need to re-create the MBR of the system. How to fix the MBR on Windows 7 can be found below. Please follow the steps and let us know the result.

http://www.ehow.com/how_4836283_repair-mbr-windows.html
http://windows7themes.net/how-to-fix-mbr-in-windows-7.html
http://thebackroomtech.com/2010/08/24/repair-mbr-windows-7/

I hope that would help

Sudeep

Author Comment

by:networkadmin
ID: 36990579
Used the Dell partition to reinstall the OS, but now the system will not boot. Will read the above steps, but the start-up repair fails in Windows 7.

Any help would be great.


Author Comment

by:networkadmin
ID: 36990672
bootrec.exe /fixmbr did not work

Neither did bootsect /nt60 C:

LVL 10

Expert Comment

by:Purple_Tidder
ID: 36990682
Are you familiar at all with any Linux distribution? You could zero out the MBR, but it's not for the faint of heart. I had a feeling it was an MBR virus and now I have a new tool in my toolbox... thanks Sudeep!

If you are familiar with Linux, running a dd command to zero out the first 446 bytes of the drive will blast out all MBR info from the drive.
LVL 10

Expert Comment

by:Purple_Tidder
ID: 36990697
I've googled a bit for a simpler way to zero out the MBR but I couldn't find one so I will do my best to explain.

I'm doing this from memory so I may have some names messed up.

These instructions are only if there is a single hard drive in this machine.  If there are others, unplug them.

Get an Ubuntu LiveCD and boot up to it. Go to Applications -> Accessories -> Terminal.

In the terminal type "sudo su" without the quotes. If it asks for a password it should just be "ubuntu" without quotes.

run the command "dd if=/dev/zero of=/dev/sda bs=446 count=1" without quotes.

Run the "sync" command without quotes.

Shutdown, plug back in any drives you unplugged, repair MBR as normal or attempt to recover from Dell partition again.
