Browser redirects or wont load pages

Shishya · Jun 2, 2009

Hello,
Before posting here I have read quite a few threads and followed all the directions for removing malware and spyware for windows XP. I am still having some problems with my Firefox browsing and some pages (not all now, although it was for a time) are being redirected or cannot load. I am hoping you can take a look at my logs and let me know if you see something in the logs that is suspicious or if you can give me any other suggestions. I did have a lot of spyware which earlier runs of Malwarebytes, Avast, Smitfraud fix have largely cleaned out. My PC is running well now except for the browser loading issues. Maybe there is something else which is causing this.
Thanks in advance for your help. I am fairly new to these procedures but can follow directions pretty well. Please excuse any unintentional gaffes in posting etiquette.

Shishya

Shishya · Jun 2, 2009

Hello,

I would like to clarify my original post. The redirection only happens with Google search pages. If I type or paste a URL address it goes to that address. But if I click on Google search pages that is where the page doesn't load or will sometimes be redirected to to another site,usually a promotional site.
Hope that helps.

Thanks,
Shishya

TimW · Jun 4, 2009

There are a few items to remove, after which I want you to do this:
Using Google Redirects.

Now use windows explorer to find and delete:
C:\WINDOWS\system32\0fb8d004-.txt
C:\WINDOWS\tguazlnr
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\00000014

Now attach the log from running the above.

Shishya · Jun 4, 2009

Dear TimW,

Thanks for your response and recommendations. I have followed your instructions re deleting the files and have attached the Goored.txt log to this message. I have not run the fix until you instruct me what to do next.
I really appreciate your help with this.

Shishya

TimW · Jun 4, 2009

Please download Rooters to your desktop

Then doubleclick it to start the tool

A Notepad file containing the report will open, also found at C:\Rooter.txt. Post that here

Shishya · Jun 4, 2009

Dear TimW,

Here is the Rooters log.

Thanks,
Shishya

TimW · Jun 4, 2009

Please attach this file:
C:\Rooter$\Rooter_2.txt

Shishya · Jun 4, 2009

For some reason it is not allowing me to upload that file so I have pasted it here.

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:181750 Mo/Free:3982 Mo)
D:\ [Fixed] - NTFS - (Total:95393 Mo/Free:3040 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
G:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)
J:\ [Removable] (Total:0 Mo/Free:0 Mo)
K:\ [Removable] (Total:0 Mo/Free:0 Mo)

Thu 06/04/2009|16:07

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashServ.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\iHateSpam Outlook Express\iHateSpam Outlook Express Edition\piiserviceOE.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
---------- C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
---------- C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
---------- C:\WINDOWS\ehome\ehtray.exe
---------- C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
---------- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\WINDOWS\eHome\ehRecvr.exe
---------- C:\WINDOWS\eHome\ehSched.exe
---------- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
---------- C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
---------- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
---------- C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\MsPMSPSv.exe
---------- C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
---------- C:\WINDOWS\ehome\mcrdsvc.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\WINDOWS\eHome\ehmsas.exe
---------- C:\WINDOWS\system32\dllhost.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\HP\KBD\KBD.EXE
---------- c:\windows\system\hpsysdrv.exe
---------- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
---------- C:\WINDOWS\explorer.exe
---------- C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
---------- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
---------- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
---------- C:\Program Files\uTorrent\uTorrent.exe
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\WINDOWS\system32\BRMFRSMG.EXE
---------- C:\Program Files\PeerGuardian2\pg2.exe
---------- C:\Program Files\PeerGuardian2\pg2.exe
---------- C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
---------- c:\PROGRA~1\mcafee.com\agent\mcagent.exe
---------- c:\program files\common files\mcafee\mna\mcnasvc.exe
---------- C:\Program Files\McAfee\MPF\MPFSrv.exe
---------- C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
---------- C:\Program Files\Outlook Express\msimn.exe
---------- C:\Program Files\iHateSpam Outlook Express\iHateSpam Outlook Express Edition\PostalInspectorOE.exe
---------- C:\Program Files\WMR11\WM Converter\worprmw.exe
---------- c:\program files\internet explorer\iexplore.exe
---------- c:\program files\internet explorer\iexplore.exe
---------- C:\Program Files\WMR11\WM Converter\WMConvert.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Program Files\WMR11\WM Converter\ffmpeg_.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!

1 - "C:\Rooter$\Rooter_1.txt" - Thu 06/04/2009|16:04
2 - "C:\Rooter$\Rooter_2.txt" - Thu 06/04/2009|16:08

Thanks.

TimW · Jun 4, 2009

Thats ok. Use windows explorer to find and delete:
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Then drop down the menu in google / google links / search preferences and tell me what is there.

Also delete your cookies and clear the cache.

Shishya · Jun 4, 2009

Hi,

I couldn't find exactly "google / google links / search preferences" I was able to get to the search preferences but I could only find "subscribed links" through the Google home page. Didn't see anything unusual about the preferences but I'm not sure what I was supposed to be looking for. I had one subscribed link to a Cooking site which I deleted. I also cleaned the private data including the cache and cookies. My browser seems to be working fine now so hopefully everything has been cleared out. Please let me know if there is anything additional to be done.
I really appreciate your help with this problem.
Shishya
:-D:-D

TimW · Jun 6, 2009

If you are not having any other malware problems, it is time to do our final steps:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Shishya · Jun 6, 2009

Dear TimW,

My PC seems to be working fine the past few days but I notice the Autoplay function is no longer working for my DVDs or CDs when I insert them into the drive. I have heard that Autoplay may be a factor in spreading malware but I am wondering if anything that was done during the "fix" disabled the Autoplay function. I just thought about this and wanted to get your advice about it.

I tried the MS utility to fix the Autoplay but it didn't do anything. All the necessary autoplay features are turned on to the best of my knowledge.

I will wait for your reply before I do the final steps.

Thanks once again,

TimW · Jun 8, 2009

We didn't do anything to remove the autoplay function....but I would recommend that you leave it disabled! This can be a means for malware to spread in your system.

Shishya · Jun 15, 2009

Dear TimW,

I just wanted to thank you again for your excellent help with my browser redirection and malware problems. My PC has been running fine for the past week. It's nice to be able to use Google again. It is wonderful of you and your colleagues to volunteer in this way.

All the best,
Shishya:clap:clap:clap

TimW · Jun 18, 2009

Here is a utiility to help prevent these kind of infections:
AutoEater.

Log in or Sign up

Browser redirects or wont load pages

Shishya Private E-2

Attached Files:

mbam-log-2009-06-02 (18-23-40).txt

SUPERAntiSpyware Scan Log - 06-02-2009 - 18-06-54.log

MGlogs.zip

ComboFix.txt

Shishya Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Shishya Private E-2

Attached Files:

GooredLog.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Shishya Private E-2

Attached Files:

Rooter.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Shishya Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Shishya Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Shishya Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Shishya Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member