Security Expert
Normally, if it's possible, I like to get confirmation of malware in more than just one log before proceeding with attempting to fix it.
We will get another download to use. First download mbrcheck to your desktop. Double click it to run and produce a .txt (mbr.log) file on your desktop. Post the file in your reply.
I know you already ran aswMBR once but let's run it again. You can delete the old copy on your desktop if you haven't already, as well as the old aswMBR.txt log and MBR.dat file.
Download a new copy to your desktop, double click to start and click the scan button. When it's done click the save log button and post the log.
MBR log
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: IC35L090AVV207-0 rev.V23OA66A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
sectors 156249998 (+255): user != kernel
aswMBR log
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-21 11:29:33
-----------------------------
11:29:33.081 OS Version: Windows 5.1.2600 Service Pack 3
11:29:33.081 Number of processors: 1 586 0x207
11:29:33.096 ComputerName: BRIDS_DELL UserName: Gerry
11:29:34.096 Initialize success
11:30:20.987 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:30:20.987 Disk 0 Vendor: IC35L090AVV207-0 V23OA66A Size: 76293MB BusType: 3
11:30:21.003 Disk 0 MBR read successfully
11:30:21.003 Disk 0 MBR scan
11:30:21.003 Disk 0 unknown MBR code
11:30:21.003 Disk 0 Partition 1 00 DE Dell Utility 31 MB offset 63
11:30:21.003 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS 76253 MB offset 64260
11:30:21.003 Disk 0 scanning sectors +156232125
11:30:21.065 Disk 0 scanning C:\WINDOWS\system32\drivers
11:30:21.065 Service scanning
11:30:21.815 Service ACPI C:\WINDOWS\System32\DRIVERS\ACPI.sys **LOCKED** 32
11:30:56.549 Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32
11:31:02.924 Modules scanning
11:31:03.003 Disk 0 trace - called modules:
11:31:03.034 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8a9e5999]<<
11:31:03.034 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a9ddab8]
11:31:03.034 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8aa59d98]
11:31:03.034 Scan finished successfully
11:31:40.534 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Gerry\My Documents\MBR.dat"
11:31:40.534 The log file has been saved successfully to "C:\Documents and Settings\Gerry\My Documents\aswMBR2.txt"
One more thing I've noticed. Since we last ran ComboFix, Windows Update is not available. I looked at the event viewer and these errors are logged.
The @%SystemRoot%\system32\tcpipcfg.dll,-50004 service failed to start due to the following error:
The system cannot find the file specified.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .
The @%SystemRoot%\system32\tcpipcfg.dll,-50004 service failed to start due to the following error:
The system cannot find the file specified.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .
The Automatic Updates service failed to start due to the following error:
%%1290
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .
My computer is still functioning but I think Windows updates may go out of date soon. The virus redirect is quieter some days and not other days but still appears when the mood takes it. Really weird, like it has a mind of its own.
Thanks for your help again.
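A way to triage the two logs above programmatically, as an added example that is not part of the thread or of either tool: it flags the lines aswMBR and the Gmer MBR detector print for an unrecognised MBR, an unknown module in the disk I/O stack, a locked driver and a user/kernel sector-read mismatch, and applies the expert's rule that a finding should be corroborated by a second tool before acting. The sample log lines are constructed to match the formats shown in the thread, and the indicator labels are this example's own.

```python
import re

# Constructed excerpts in the two tools' log formats (values invented for the example).
SAMPLE_ASWMBR = """\
10:00:00.000 Disk 0 MBR read successfully
10:00:00.000 Disk 0 unknown MBR code
10:00:01.000 Service ACPI C:\\WINDOWS\\System32\\DRIVERS\\ACPI.sys **LOCKED** 32
10:00:02.000 Disk 0 trace - called modules:
10:00:02.000 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8a80a509]<<
10:00:02.000 Scan finished successfully
"""
SAMPLE_MBR_DETECTOR = """\
user & kernel MBR OK
sectors 156249998 (+255): user != kernel
"""

# Each pattern is a string the tool itself prints; the label is ours.
ASWMBR_INDICATORS = [
    ("mbr-code-unknown", re.compile(r"\bunknown MBR code\b")),
    ("disk-stack-unknown-module", re.compile(r">>UNKNOWN \[0x[0-9a-fA-F]+\]<<")),
    ("locked-driver", re.compile(r"\*\*LOCKED\*\*")),
]
MBR_DETECTOR_INDICATORS = [
    ("user-kernel-sector-mismatch", re.compile(r"\buser != kernel\b")),
]

def find_indicators(log_text, indicators):
    """Return [(label, line)] for every log line matching an indicator pattern."""
    hits = []
    for line in log_text.splitlines():
        for label, pattern in indicators:
            if pattern.search(line):
                hits.append((label, line.strip()))
    return hits

def corroborated(aswmbr_hits, detector_hits):
    """The thread's rule of thumb: treat the MBR finding as actionable only when both
    tools report something at the disk level. A locked driver file alone does not
    count, since security software commonly locks its own drivers."""
    disk_level = {"mbr-code-unknown", "disk-stack-unknown-module"}
    asw = any(label in disk_level for label, _ in aswmbr_hits)
    det = any(label == "user-kernel-sector-mismatch" for label, _ in detector_hits)
    return asw and det

if __name__ == "__main__":
    a = find_indicators(SAMPLE_ASWMBR, ASWMBR_INDICATORS)
    m = find_indicators(SAMPLE_MBR_DETECTOR, MBR_DETECTOR_INDICATORS)
    for label, line in a + m:
        print(f"{label:28s} {line}")
    print("corroborated:", corroborated(a, m))
```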
Security Expert
Thanks for the info. Really, I don't have a lot to go on with your logs. Normally you get confirmation of malware between logs, but I am having a hard time finding anything to go on with your logs. But you're still getting the redirects.
When you ran aswMBR it created an MBR.dat file on your desktop. Go here, browse for the file on your desktop, then upload it using the Scan It! button.
Once it's done scanning you can copy/paste the URL in your reply.
Also download MiniToolBox, run it and select:
Report IE proxy settings
Report FF proxy settings
List Content of Host
List IP configuration
Next click GO at the bottom. It will create a Results.txt on your desktop. Post it in your reply.
Got the redirect today first thing when googling 'spybot malware forum'.
Reran aswMBR. The line in bold below appears in red during the scan?
Link to MBR.dat VirusTotal scan
https://www.virustotal.com/file/f5aa...is/1340787730/
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-27 09:58:56
-----------------------------
09:58:56.859 OS Version: Windows 5.1.2600 Service Pack 3
09:58:56.859 Number of processors: 1 586 0x207
09:58:56.859 ComputerName: BRIDS_DELL UserName: Gerry
09:59:07.406 Initialize success
09:59:20.406 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:59:20.406 Disk 0 Vendor: IC35L090AVV207-0 V23OA66A Size: 76293MB BusType: 3
09:59:20.515 Disk 0 MBR read successfully
09:59:20.515 Disk 0 MBR scan
09:59:20.515 Disk 0 unknown MBR code
09:59:20.546 Disk 0 Partition 1 00 DE Dell Utility 31 MB offset 63
09:59:20.609 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS 76253 MB offset 64260
09:59:20.625 Disk 0 scanning sectors +156232125
09:59:20.875 Disk 0 scanning C:\WINDOWS\system32\drivers
09:59:20.906 Service scanning
09:59:23.343 Service ACPI C:\WINDOWS\System32\DRIVERS\ACPI.sys **LOCKED** 32
10:00:30.093 Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32
10:00:33.796 Modules scanning
10:00:34.078 Disk 0 trace - called modules:
10:00:34.109 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8a80a509]<<
10:00:34.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a9ddab8]
10:00:34.109 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8aa59d98]
10:00:34.109 Scan finished successfully
10:01:07.937 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Gerry\My Documents\Downloads\MBR.dat"
10:01:07.968 The log file has been saved successfully to "C:\Documents and Settings\Gerry\My Documents\Downloads\aswMBR3.txt"
MiniToolBox by Farbar Version: 25-06-2012
Ran by Gerry (administrator) on 27-06-2012 at 10:07:29
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
There are 15218 more lines starting with "127.0.0.1"
========================= IP Configuration: ================================
Cisco Systems VPN Adapter = Local Area Connection 2 (Disconnected)
Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Connected)
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip
# Interface IP Configuration for "Local Area Connection"
set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
# Interface IP Configuration for "{464B29D9-1754-4002-8858-1DE1933BA105}"
set address name="{464B29D9-1754-4002-8858-1DE1933BA105}" source=dhcp
set dns name="{464B29D9-1754-4002-8858-1DE1933BA105}" source=dhcp register=NONE
set wins name="{464B29D9-1754-4002-8858-1DE1933BA105}" source=dhcp
popd
# End of interface IP configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : BRIDS_DELL
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : lan
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : lan
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-0B-DB-B2-A3-4F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::20b:dbff:feb2:a34f%4
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
fec0:0:0:ffff::1%2
fec0:0:0:ffff::2%2
fec0:0:0:ffff::3%2
Lease Obtained. . . . . . . . . . : 27 June 2012 08:58:40
Lease Expires . . . . . . . . . . : 28 June 2012 08:58:40
Ethernet adapter {464B29D9-1754-4002-8858-1DE1933BA105}:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Check Point Virtual Network Adapter For Endpoint VPN Client - Packet Scheduler Miniport
Physical Address. . . . . . . . . : 54-51-E8-DD-9E-12
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 80-00-23-3A-AB-34-DF-64
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 2001:0:5ef5:79fd:8000:233a:ab34:df64
IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%6
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter Automatic Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . : lan
Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : C0-A8-01-64
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.100%2
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%2
fec0:0:0:ffff::2%2
fec0:0:0:ffff::3%2
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: smart.lan
Address: 192.168.1.1
Name: google.com
Address: 87.125.87.99
Pinging google.com [87.125.87.99] with 32 bytes of data:
Reply from 87.125.87.99: bytes=32 time=125ms TTL=57
Reply from 87.125.87.99: bytes=32 time=124ms TTL=57
Ping statistics for 87.125.87.99:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 124ms, Maximum = 125ms, Average = 124ms
Server: smart.lan
Address: 192.168.1.1
Name: yahoo.com
Addresses: 72.30.38.140, 98.139.183.24, 209.191.122.70
Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=168ms TTL=50
Reply from 209.191.122.70: bytes=32 time=171ms TTL=51
Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 168ms, Maximum = 171ms, Average = 169ms
Server: smart.lan
Address: 192.168.1.1
Name: bleepingcomputer.com
Address: 208.43.87.2
Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.
Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0b db b2 a3 4f ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
0x3 ...54 51 e8 dd 9e 12 ...... Check Point Virtual Network Adapter For Endpoint VPN Client - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.100 192.168.1.100 20
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 20
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 20
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 20
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
255.255.255.255 255.255.255.255 192.168.1.100 3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
**** End of log ****
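The hosts-file section of the MiniToolBox report above lists thousands of domains pointed at 127.0.0.1, which is what a Spybot-style immunisation looks like. An added example, not part of the thread or of MiniToolBox, that separates those harmless block entries from the kind of entry that would actually cause a redirect: any hostname mapped to an address that is not a loopback or null address. It goes beyond the thread's case by also handling IPv6 entries, comments and several names per line; the sample hosts text is constructed, and the two redirect lines in it are invented to show what a hijacked entry would look like.

```python
import ipaddress

# Constructed hosts-file excerpt: the first entries mirror the immunisation lines in
# the thread, the last two are invented redirect entries (reserved example addresses).
SAMPLE_HOSTS = """\
# comment line
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0 008i.com
127.0.0.1 www.0scan.com  # trailing comment
203.0.113.7 www.example-bank.test
203.0.113.7 update.example-av.test
"""

# Addresses a hosts entry can point at without sending traffic anywhere.
BLACKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

def parse_hosts(text):
    """Yield (address, hostname) for each mapping; tolerates comments and several names per line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, skip it
        for name in parts[1:]:
            yield addr, name.lower()

def classify_hosts(text):
    """Split entries into 'blocked' (pointed at a blackhole address, as an immunisation
    does) and 'redirects' (pointed anywhere else), which are the entries that can send
    a browser to a host other than the one typed."""
    blocked, redirects = [], []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        (blocked if addr in BLACKHOLE else redirects).append((str(addr), name))
    return {"blocked": blocked, "redirects": redirects}

if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} block entries")
    for addr, name in result["redirects"]:
        print(f"REDIRECT {name} -> {addr}")
```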
Security Expert
OK, thanks for the info. Next step is to rerun aswMBR like you did before by clicking the Scan button; when it's done running, click the Fix button.
Once it's done, click the save log button to save the .txt file somewhere, then immediately reboot your machine and post the log you saved.
The option to Fix is greyed out / not available. The option to FixMBR is available.
Should I take the option to FixMBR?
Security Expert
Normally I don't like to run a fix without confirmation from another tool, which I don't see in any of the logs, and also we seem to have exhausted other possible causes for the redirects along with other utilities to use. So since this is the case I don't see any other option but to use the FixMBR tool in aswMBR.exe.
Do you have data/files you don't want to lose backed up to other media, just as a precaution? The tool will rewrite a new master boot record to the hard drive.