Browser Redirect

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by abern01, Apr 25, 2007.

  1. abern01

    abern01 Private First Class

    I set Google as my homepage. I do a lot of sourcing and browsing on Chinese, Japanese and Korean web sites via global trade search sites. It seems that after a few hours of browsing, my homepage becomes MSN. My Internet Options now show:

    http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

    as my home page. No matter how many times I change it back and save Google as my home page, it eventually redirects back to MSN.

    I've run: AVG anti virus, Trend Micro House Call, Panda scan, AdAware, Trend Micro anti spyware, AVG anti spyware, Spybot, ATF, Ccleaner. I use jv16 to clean the registry. There aren't any problems detected anywhere (a few innocent cookies).

    Is this something that will always happen when I go to these sites or do I have something that requires a Hijack this analysis?
    The sites I usually use are:
    http://www.globalsources.com/
    http://www.alibaba.com/
    http://www.made-in-china.com/

    I'm using Windows XP SP2

    Thanks in advance for any help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Malware would not normally set you to MSN, so it is possible that you are just reverting back to another default setting. Are you sure that your antivirus and antispyware programs do not have your home page locked to MSN?

    Unknown without having a lot more info and HijackThis alone is not adequate.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. abern01

    abern01 Private First Class

    MSN keeps on returning as my home page, no matter how many times I select Google in internet options. No programs have MSN as home page. Google has been home for a long time. This just started to happen recently. I also started to have problems today with getting to some web sites..."startup files were missing from Adobe Reader. Restarted the computer this afternoon and desktop settings were at 600 x 400 instead of 1280 x 1024. Then my computer refused to recognize my USB flash drive. Never had problems with it before...inserted it in USB port and it was always recognized as F drive. Now it appears in the toolbar and in Device Manager, but My Computer doesn't see any additional drive. Tried to allocate USB Flash to F in Computer Manager, it accepts the letter designation, but won't show up in My Computer. Go back to Computer Manager...next available letter is G. Where did F go?

    I followed instructions in Malware removal guide. The first step said to select "normal start up" in MSCONFIG. The computer refused to boot up after that. Just before Windows would start...it went to the blue screen saying "Window's encountered a problem...". I started in safe mode, ran Ccleaner...no problems. Spybot...no problems. AVG Anti spyware, Bitdefender and Panda (logs attached).

    I get to step 6B and try to reboot in normal mode, but only get as far as the blue screen again, so am unable to proceed to GetRunKey, ShowNew or Hijack This.

    Things are starting to unravel. What next? :cry
     

  4. abern01

    abern01 Private First Class

    OK...relative amount of success. Was able to get to desktop, but not active desktop. Had to close all startup programs in MSconfig. At that point I ran RunKeys and Newfiles (see attached).

    Had to reset MSconfig to normal start for HJT. When it got to desktop, there were 3 error messages:
    1) Cannot find graphics card info.
    2) Product not installed.
    3) DAEMON TOOLS: This program requires at least Windows 2000 with SPTD.21 or higher. Kernel debugger must be activated.

    No idea what they meant, but I got to run HJT (attached).

    Please help. :cry
     

  5. abern01

    abern01 Private First Class

    Just before those messages popped up on Active Desktop Recovery, there was an Internet Explorer script error message. See attached
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm a little confused by your messages. Was the log from GetRunKey from Normal Startup mode or from Selective Startup? Based on what I see in it, it would appear that it is selective startup mode and that you have just about everything disabled from loading.

    Also you say your home page is set to google but your HJT log shows that your home page is not even set. If it is not set, it will default to MSN.

    In addition, you have a few indications of possible hardware or software problems showing in your HJT log:
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
     
  7. abern01

    abern01 Private First Class

    The computer is acting very strange...At first when startup was in Normal, I couldn't get past the blue screen. After a third try it opened to Active Desktop Recovery. I was relieved to see it get to the desktop, but I didn't change MSCONFIG to selective...unless somehow it reverted itself. That's when I ran GetRunKey

    My homepage now consistently reverts to MSN. I type in Google's URL and get to my Google home page. I click on tools, Internet Options and select current, click Apply, OK. Then Google is my Home. If I close IE and then immediately click on it to open...it opens at MSN.

    I'll try to reboot again and make sure it is in normal mode and run GetRunKey again.

    Thanks.
     
  8. abern01

    abern01 Private First Class

    OK...If you're confused, how do you think I feel?

    I went to MSCONFIG and it has reverted back to Selective Startup. I clicked on Normal Startup. I opened the startup tab just to see how many programs were listed and there were only 6. Yesterday there were over 30. When I went back to the General tab, Selective Startup was clicked. I clicked NORMAL, APPLY, CLOSE, RESTART. It rebooted to Active Desktop Recovery, I opened MSCONFIG and it was on SELECTIVE again. I did it 3 times...same results. The last time I picked normal, rebooted and ran GetRunKeys anyway. I've attached them. I just can't get MSCONFIG to stay in NORMAL STARTUP.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} -
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Downloaded Program Files\WinFormX.dll
    C:\WINDOWS\system32\dccafcbbca_s.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folder and delete if found:
    C:\Documents and Settings\Allan\Application Data\iWin
    C:\Documents and Settings\All Users\Application Data\Trymedia

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  10. abern01

    abern01 Private First Class

    OK...Followed your instructions to the letter.

    First...after running HJT the 4 lines that began with O4 were not present. The other lines were fixed.

    Everything else was performed. While starting GetRunKey, a dos window initially appears and the first line says: "ERROR: The system was unable to find specified registry or value". Then it continues and the log pops up.

    3 new logs attached.

    What next?
     

  11. abern01

    abern01 Private First Class

    Chaslang,

    YOU DA MAN!!!

    Thanks very much!!! You earned your keep on this one. It appears as if things are back to normal. I thought I was in for a weekend of reformatting and downloading. But...instead, I think I'll go drinking.

    Next time I'm in Jersey...I owe ya a beer...or 6 :)

    Thanks again! :celebrate

    Just one thing...how can I get my USB flash drive to be recognized again? It used to be drive F, now it's nothing. Device manager says it's fine.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is normal! It just means a registry key being checked for does not exist which is fine.

    We are not finished yet! You have a ton of stuff locked into MSconfig registry keys even though MSconfig is not being used to control startups anymore. This is another one of the many reasons why we don't want anyone using MSconfig as a long term startup control tool. Many of the items in there you may or may not need. I will list them down at the end of this message. However first a couple more things that need to be removed and also let me ask a question!

    Are you using any other tool to control or deactivate startups?

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. HJT



    Below is the list of items locked into your MSconfig registry entries which really should not be locked in like this:
    You may want to run this MSConfig Cleanup to clean them up.
     
  13. abern01

    abern01 Private First Class

    I am not using any other tool to control or deactivate startups. Just MSCONFIG.

    I'll follow your next steps and post back soon.
     
  14. abern01

    abern01 Private First Class

    Got a little problem...I ran HJT and the lines that were there before, aren't there now.
     

  15. abern01

    abern01 Private First Class

    wasn't able to "fix" lines with HJT as they weren't there. Did everything else. Set MSCONFIG to normal, rebooted and it was back in SELECTIVE STARTUP
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to your HJT log, two of them are there right now.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    And also a new blank setting:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    According to your GetRunKey log, you are in normal startup mode. If MSconfig still shows Selective Startup, attach a new log from GetRunKey while it still shows Selective Start.
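    A small triage script for HijackThis lines of the kinds quoted in this thread (an added example, not a tool from the thread or from MajorGeeks). It parses the R0/R1, O4 and O16 line formats and applies the two observations chaslang makes above: a blank Start Page or Local Page value means IE falls back to its built-in default, and dumprep Run entries point at crashes rather than malware. The sample lines are the ones quoted in the posts above; the regexes describing the log format are my own assumptions.

```python
import re

# Constructed sample: HijackThis log lines of the kinds quoted in this thread
# (copied from the posts above, not taken from a real log file).
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
"""

# Assumed line shapes: "<kind> - <body>", then per kind:
#   R0/R1: "HIVE\Path,ValueName = data"   (data may be empty)
#   O4:    "HIVE\..\Run: [Name] command"
#   O16:   "DPF: {CLSID} - url"            (url may be empty)
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<url>.*)$")


def parse_hjt_log(text):
    """Parse R0/R1, O4 and O16 lines into dicts; lines of other kinds are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        entry = {"kind": kind, "line": line}
        if kind in ("R0", "R1"):
            r = REG_RE.match(body)
            if r:
                entry.update(key=r["key"], name=r["name"].strip(), data=r["data"].strip())
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                entry.update(key=r["key"], name=r["name"], cmd=r["cmd"].strip())
        elif kind == "O16":
            r = DPF_RE.match(body)
            if r:
                entry.update(clsid=r["clsid"], url=r["url"].strip())
        entries.append(entry)
    return entries


def triage(entries):
    """Return (line, reason) pairs for entries worth a second look, per the thread."""
    findings = []
    for e in entries:
        if e["kind"] in ("R0", "R1") and e.get("name") in ("Start Page", "Local Page") and e.get("data") == "":
            findings.append((e["line"], "home page value is blank; IE falls back to its built-in default (MSN)"))
        elif e["kind"] == "O4" and "dumprep" in e.get("cmd", "").lower():
            findings.append((e["line"], "crash-dump reporting entry left by a fault; hardware/software problem, not malware"))
        elif e["kind"] == "O16" and e.get("url") == "":
            findings.append((e["line"], "downloaded ActiveX control with no recorded source URL; cannot be traced"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(parse_hjt_log(SAMPLE_HJT_LOG)):
        print(f"{line}\n    -> {reason}")
```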
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this Using Sophos Anti-Rootkit and attach the requested log!

    What are you running that is creating all the XML files in the below folder?
    "C:\Documents and Settings\Allan\Local Settings\Temp\"
     
  18. abern01

    abern01 Private First Class

    I "fixed" those lines with HJT.

    I have no idea what is running and making those .xml files in the temp folder. Besides Outlook, there is nothing else running. I checked my Event Viewer...what a nightmare!!!

    MSCONFIG is still on SELECTIVE.
     

  19. abern01

    abern01 Private First Class

    I ran MSConfig Cleanup and it shows 22 lines (check boxes) that can be deleted. 9 of the lines don't show anything, they're blank and can be deleted.
     

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you see any of the below:

    C:\Program Files\sbss\sbss.exe
    C:\Program Files\sbss\Stop sbss.lnk
    C:\Program Files\sbss\Uninstall sbss.exe

    Also search your PC for any other occurrences of sbss.exe. Let me know what you find.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also open Event Viewer again and double click on any one of the below type errors
    Code:
    Error 4/27/2007 8:43:20 PM SideBySide None 59 N/A BEYONDASUS 
    Tell me what you see in the Descriptions.
     
  22. abern01

    abern01 Private First Class

    Nothing like that in Program Files. Did a search of the whole PC and nothing like sbss.exe

    Event viewer description:

    Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL. Reference error message: The operation completed successfully.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure that is the Description for Error lines having the SideBySide text on them?
     
  24. abern01

    abern01 Private First Class

    Not all the SideBySide descriptions are the same.

    Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL. Reference error message: The operation completed successfully.

    Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system.

    Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

    Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL. Reference error message: The operation completed successfully.

    Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system.

    Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.


    These last 6 all just occurred @ 10:57:12 and all were SideBySide
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we may be approaching a point where I send you to the Software Forum for things in your Event Viewer. The log you posted before was for the System selection of the Event Viewer. What do you see under the Application area?

    Did you fix anything with MSconfig Cleanup?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  27. abern01

    abern01 Private First Class

    Application list from Event Viewer is attached.

    No I didn't fix anything with MSConfig Cleanup. I was afraid to remove lines that I couldn't "see".
     

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay there is nothing that stands out there to me as a malware problem.

    You really don't have much choice but to fix them. None of this is malware but they all are stuck in your MSconfig registry keys. I'm not sure which of them show as unchecked if you actually run MSconfig (you can check that yourself). At any rate these are also not malware issues. Your remaining problems seem more like issues with your Windows software.
     
  29. abern01

    abern01 Private First Class

    OK...I ran MSConfig Cleanup. It says there are no disabled startup items in MSConfig.

    If I continue to have problems, I'll go to the software forum.

    Thanks for your help. Things are a lot better now than they were earlier.

    I'll continue with this in the AM.
    Thanks again! :wave

    Hey...I can't believe it...MSConfig shows that it is in NORMAL STARTUP!!!! :hyper
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     