Firefox and Explorer redirection - Please help

Welcome to Major Geeks!

Actually you have not finished. You need to attach the log from TDSSKiller and you need to return to the READ & RUN ME FIRST and finish the rest of the cleaning process. You side tracked to the Google Redirect link and did not do what it said in step 5 after MBRcheck.

 

No not yet. You need to run the READ & RUN ME FIRST! You are only running the Google Redirect link and you are not going back and completing the READ & RUN ME FIRST as step 5 of the Google Redirect link instructs you to do. At the end of step 5 ( right after MBRcheck ) it says the below

 

Not sure why the below McQcModifier item exists. You don't have McAfee installed.

Run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

Then immediately reboot your PC.

After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

¤¤¤ Particular Files / Folders: ¤¤¤
[Faked.Drv][FAKED] nwlnknb.sys : c:\winnt\system32\drivers\nwlnknb.sys --> CANNOT FIX

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O23 - Service: Aswmonf - Unknown owner - (no file)
O23 - Service: Mpitoflmvnm - Unknown owner - (no file)

After clicking Fix, exit HJT.

Please download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
C:\ProgramData\Babylon
C:\Users\Tim\AppData\Local\Temp\15116100991017610.tmp
C:\Users\Tim\AppData\Local\Temp\41530318191022461.tmp

:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
"DownloadRetries"=dword:00000000
"ShowSearchSuggestionsInAddressGlobal"=dword:00000001
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

With which browser? Firefox I assume? If so uninstall the addon or expenstion from Babylon.

 

That's strange since your last logs showed the below came back with Firefox.

I would say you need to uninstall this junk >> Freecorder It may be responsible for this.


Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
  
  Code:

  activex
  netsvcs
  %systemroot%\system32\*.sys /90
  %systemroot%\system32\*.exe /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %windir%\assembly\temp\*.ini
  %windir%\assembly\tmp\u /s
  %allusersprofile%\application data\*.exe
  

• Now click the Run Scan button.
• Two reports will be created:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
• Attach both OTL.txt and Extras.txt to your next message. (See how to attach)

 

That may be but they are now installing Babylon Toolbar so you may have been bitten by an update that changed it. Freecorder has a toolbar and it may really be a Babylon Toolbar or a Conduit Toolbar ( it shows in your logs as Conduit Ltd ) and we don't recommend having either of these on a PC. For example, see the below:

http://www.systemlookup.com/CLSID/31788-tbFree_dll_tbFre0_dll_tbFre1_dll_tbFre2_dll_prxtbFree_dll_prxtbFre0_dll_prxtbFre1_dll_prxtbFre2_dll.html

To cure issues with Firefox type infections, we frequently uninstall Firefox, but you myst delete all the related Firefox folders afterwards to cleanup properly. Then reinstall.
However you said you had problems with Internet Explorer too???



Now shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.

• Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

:OTL
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..keyword.URL: "[URL]http://search.babylon.com/?affID=113959&tt=010812_ctrl_3112_7&babsrc=KW_ss&mntrId=28ca92d300000000000000064f892968&q[/URL]="
[2012/01/03 17:27:44 | 000,002,333 | ---- | M] () -- C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\ec7clmyo.default\searchplugins\askcom.xml
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
[2012/08/05 15:08:21 | 000,000,000 | ---D | C] -- C:\Users\Tim\AppData\Roaming\Babylon
[2012/08/05 15:08:29 | 000,000,316 | ---- | M] () -- C:\user.js
[2012/08/05 09:28:25 | 000,082,861 | ---- | M] () -- C:\Users\Tim\Desktop\template-8645918491464004577.xml
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]
[REBOOT]

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• If the fix needed a reboot please do it.
• Click the OK button (upon reboot).
• When OTL is finished, Notepad will open. Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (See: How to attach)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the log from OTL
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:

• Run FireFox and click Bookmarks.
• Then select Organize Bootmarks.
• Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

You will need exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

Start by uninstalling Mozilla Firefox 14.0.1 (x86 en-GB) and Mozilla Maintenance Service and then reboot. Do not skip the reboot.

After reboot, delete the below folders:
C:\Program Files (x86)\Mozilla Firefox
C:\Users\Tim\AppData\Roaming\Mozilla

Now reinstall FireFox from the file previously downloaded.
Import your bookmarks file. (similar process to exporting).

Did that help with Firefox?

Now close Firefox, and right click on your IE icon and select Start Without Add-Ons. Does this appear to stop the problem in IE?

 

Did you start it without Add-ons?

Please download install and run the below

AdwCleaner

Does it show anything about Babylon? Please do not attempt to delete or change anything withit. I first just want to know if it shows anything. Then I want you to try the below registry patch first.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it. Make sure you first exit all browsers then double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work. Now if it said it was successful, restart IE and see if it is okay now.

 

You forgot to attach it or the filename has an extension that you are not allowed to attach. If the latter is the case, please put it into a ZIP file. Then try removing those references with your browsers closed and then see what happens.

 

Apparently the fixme.reg patch did not really succeed as I see that registry value did not get fixed. We will delete things manually. AswCleaner is does not allow selective fixing ( a deficiency in not allowing you to chose what to delete and what to keep. )

Now shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.

• Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

:Files
C:\Users\Tim\AppData\Local\Conduit
C:\Users\Tim\AppData\Local\Wajam
C:\Users\Tim\AppData\LocalLow\Conduit
C:\Users\Tim\AppData\LocalLow\PriceGong
C:\Program Files (x86)\Conduit
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar.CT1060933]
[-HKEY_CURRENT_USER\Software\AppDataLow\Software\Conduit]
[-HKEY_CURRENT_USER\Software\AppDataLow\Software\PriceGong]
[-HKEY_CURRENT_USER\Software\Conduit]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Babylon]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Conduit.Engine]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Conduit]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}]
[-HKEY_LOCAL_MACHINE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm" 
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]
[REBOOT]

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• If the fix needed a reboot please do it.
• Click the OK button (upon reboot).
• When OTL is finished, Notepad will open. Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (See: How to attach)

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• the log from OTL
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Please try again after shutting down ALL protection software and closing all browsers. If that does not work, please try the instructions in safe boot mode.