IE/Firefox - strange brew of symptoms

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ejsamuel, Sep 19, 2004.

  1. ejsamuel

    ejsamuel Private E-2

    Hi - After a lot of cleaning and fighting off malware, I continue to be troubled by inconsistent browser access to the Internet (described below).

    I have a 2 year old Dell Dimension, Win XP Pro with SP2 right up to date. It is my home PC and I have it set up for multiple logins for my family - so the kids and adults can have their own desktop. I use Firefox 0.9. Everyone else prefers IE6.0. With teens, MSN messaging is unavoidable. :rolleyes: To date I haven't been providing too much direction on which sites shouldn't be accessed. That may have to change. I have AVG for virus and Zone Alarm firewall. Outlook and Outlook Express and other MS Office apps appear to be functioning normally.

    As much as possible, I have followed the post "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal".

    SYMPTOMS:
    =========
    1. Some sites/web pages cannot be accessed by my home PC - both IE and Firefox are the same.
    - For example, I am authoring this note using my work PC since the forums area seems to be blocked on my home PC. I get the interminable wait and the spinning globe. I however can go to the downloads section of majorgeeks without problems.
    - Other pages that are problematic include both the scan pages listed in the README 1st posting - Trendmicro scan (never-ending wait for the page to render) and the Norton/Symantec scan page (pops up a not-found message).

    2. Upon bootup, sometimes IE 6/Firefox 0.9 cannot access the internet for any users. However, MSN and the e-mail apps continue to work normally. I can't predict when it will happen, but when I do a reboot, it usually seems to clear things up and access is restored.

    3. Sometimes, when internet access is restored, I can bring up the target pages fully in IE; however, the progress bars at the bottom indicate that things are still happening because they slowly (over several minutes) creep to the right - for example the downloads page of majorgeeks displays this symptom.

    As I mentioned, I have downloaded and tried to execute each of the steps outlined in the README.

    TEST RESULTS
    ===========

    0. Turned off system restore

    SAFE NET MODE as Admin
    Step 1:
    - attempted to run Trendmicro and Symantec scan. Unsuccessful at accessing these pages at all.
    - successfully ran Stinger. Nothing found

    SAFE MODE as Admin
    Step 2:
    - ran CCleaner - cleaned up 400+ items of all categories

    Step 3:
    - with up-to-date Ad-aware and Spy-bot (my norms for the past year)
    - Ad-aware - nothing to report.
    - Spy-bot - DSO Exploit - quarantined.

    Step 4:
    - ran CWShredder, Kill2Me, About:Buster - nothing found. HSRemove - did not run

    NORMAL MODE as Admin
    Step 5:
    - optional instructions for "Only the Best" - did not attempt

    Step 6:
    - ran HijackThis - I have the log file available for the Admin. Should I run this for all the other users?

    What now?? Hoping to hear from you. I have embargoed uncontrolled browser activity for the family until we can resolve this. You can imagine the reaction - :mad:
     
  2. Kodo

    Kodo SNATCHSQUATCH

    Go to Start > Run, type

    notepad C:\windows\system32\drivers\etc\hosts

    and hit Enter.

    Your hosts file should look like this:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost


    if there are any entries below the local host entry, delete them ALL. Then try browsing again.
     
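    A small script, added here as an illustration and not part of Kodo's post, that does the HOSTS-file check above programmatically: it parses the file, ignores comments, and sorts each mapping into the expected localhost line, blocklist entries that sinkhole a name to loopback (the kind Spybot adds), and entries that send a name to some other address, which is the kind of entry that would explain a security vendor's site being unreachable from one PC only. The sample file text and the 10.20.30.40 address are constructed for the example; the default path is the one quoted above.

```python
"""Triage a Windows HOSTS file: report every mapping beyond the localhost line.

Added example; the sample below is constructed and is not a real infected file.
"""
import ipaddress

# Default location on Windows XP (the path quoted in the post above).
DEFAULT_HOSTS_PATH = r"C:\windows\system32\drivers\etc\hosts"

# Constructed sample in the layout of the Microsoft file shown above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test   # blocklist line of the kind Spybot adds
10.20.30.40     www.trendmicro.com          # constructed: vendor site pointed at another host
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in the file text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip trailing and whole-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:                     # one line may map several names
            entries.append((ip, name.lower(), line_no))
    return entries


def classify(entries):
    """Group mappings by what they do to name resolution.

    expected  : the standard localhost line
    blocklist : a name sent to loopback/unspecified, i.e. made unreachable (Spybot style)
    redirect  : a name sent to some other address, i.e. silently served by another host
    invalid   : first column is not an IP address
    """
    groups = {"expected": [], "blocklist": [], "redirect": [], "invalid": []}
    for ip, name, line_no in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            groups["invalid"].append((ip, name, line_no))
            continue
        if name == "localhost" and addr.is_loopback:
            groups["expected"].append((ip, name, line_no))
        elif addr.is_loopback or addr.is_unspecified:
            groups["blocklist"].append((ip, name, line_no))
        else:
            groups["redirect"].append((ip, name, line_no))
    return groups


def triage_file(path=DEFAULT_HOSTS_PATH):
    """Read a real HOSTS file and classify it (assumes the default XP path)."""
    with open(path, encoding="latin-1") as fh:
        return classify(parse_hosts(fh.read()))


if __name__ == "__main__":
    for kind, rows in classify(parse_hosts(SAMPLE_HOSTS)).items():
        for ip, name, line_no in rows:
            print(f"line {line_no:3d}  {kind:9s}  {ip:15s} {name}")
```

    Run it against the sample and only the "redirect" group needs attention; the "blocklist" group is what a Spybot immunisation leaves behind and is harmless, which is why deleting everything below localhost, as advised above, is the quickest fix when you are not sure which is which.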
  3. ejsamuel

    ejsamuel Private E-2

    Hi Kodo - thanks for responding. I thought about the hosts file, too and had scanned it for suspicious entries. All the entries had been inserted by Spy-bot and pointed back to the localhost (127.0.0.1). However, I did remove a few hundred entries such that it only has the single entry now. I then rebooted to flush the cache.

    Alas, no luck with IE to hit this forum or either of the Trendmicro/Norton-Symantec sites. Funnily enough, Firefox now seems to be able to get to all these sites. However, since the scans depend upon IE, I'm still unable to do them.

    BTW - I tried to set all these sites as Trusted in IE and no difference.

    Hope this helps.

    Cheers, Eric
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  5. ejsamuel

    ejsamuel Private E-2

    Hi Major - I'm a lapsed geek, but finding that I'll have to dust off my skills if I want to control this stuff gumming up my machine.

    I have run HT, but let me look at the thread you referenced to see what I can learn here. If I find myself out of my depth, I'll hail again.

    Cheers, Eric
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ok, if not, let us see it. Often, you can search unknown processes in Google. As long as you know what's on your machine, hardware and software, you can usually pull it off. Be sure to place it in its own directory so you can create backups in case of a mistake. If you need help analyzing it, holler!
     
  7. ejsamuel

    ejsamuel Private E-2

    Should I run HT for each user that I have on the system?
     
  8. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Afraid so.
     
  9. ejsamuel

    ejsamuel Private E-2

    Well, I've decided to concentrate on the Admin user for now. Seems sensible to get that domain cleaned up.

    Ran HT and got some progress. :) I passed the output through the analysis tool on http://hijackthis.de/index.php?langselect=english.

    I deleted a bunch of stuff in HT and I now can get to this forum web page directly from my home PC for the 1st time - before I was forced to do all logging from my work PC. (I have the list of deleted entries captured offline if you want to see it)

    As well, from IE6, I can now go to both the Trendmicro and Norton/Symantec web pages (this time directly from the "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal" thread) to begin the scan.

    Trouble occurs after this though - here are the symptoms:

    Trendmicro -> I selected my country (Canada and afterwards, USA), then GO. The next page popped up, but where the scan tool should appear, I just got a blank box with the x in the top left corner. In an earlier attempt to get this site up, I added it to my trusted sites - and security is set to LOW. ActiveX is enabled in this setting.

    Norton/Symantec -> hit the link "Test your computer's exposure". Get blank page initially, then when I hit refresh, the scan page pops up. This is repeatable. I did the security scan, and it does some of the scanning, but is unable to do Antivirus Product Check & Virus Protection Update Check because ActiveX isn't enabled. Now, I don't use any Norton products, so this was a strange notification. The ActiveX reason also prevented me from doing the virus scan. Again, I have this site in my Trusted zone. (In my zeal, have I removed something important?)

    Is ActiveX the problem on both of these sites?

    Do you want to see my latest HT output?

    cheers, Eric
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    It's possible it is ActiveX related. I can look at the logfile if you want. Make sure you have Sun Java installed, I think the link is in the tutorial somewhere, that could also be the problem.
     
  11. ejsamuel

    ejsamuel Private E-2

    Yes - the instructions for de-installing MS Java and installing Sun Java are at the bottom of the 1st README. I'll do that and report back.

    Cheers, Eric
     
  12. ejsamuel

    ejsamuel Private E-2

    MS Java gone, Sun Java reigns!!

    Alas - no difference in behavior for Trendmicro and Norton/Symantec.

    I'm not an expert in security - is there anything that overrides the settings in IE?

    Cheers, Eric

    ps - I re-ran HJT and attached the log.
     
  13. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You can attempt default settings. There are trojans, etc. that block any attempts at virus scanning. I would be glad to look at your log file, just wish you could get a good virus scan from safe mode. Optionally, try downloading Mozilla Firefox with java built in, maybe that will help?
     
  14. ejsamuel

    ejsamuel Private E-2

    Firefox is my browser of choice. I'm running 0.9.3 now.

    In Safe Mode with Networking, I have just tried the Trendmicro site.

    Java started up (with the Java logo), the scan UI was nearly completely rendered, then suddenly I was redirected to "http://www.trendmicro.com/404.asp?404;http://www.trendmicro.com/housecall/install.asp" (That is Page not Found.)

    I think your suspicion is right - there is a smart little piece of software that knows the usual spots.

    I also tried the Norton site - unfortunately it doesn't recognize Firefox as Netscape 4.5 or better.
     
  15. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Your call from here, you can try your own antivirus from safe mode, because I feel you did more than you should have to in order to get it working. I can look at your log file or whatever you want to do from here. Gonna watch the tube for a bit, let me know.
     
  16. ejsamuel

    ejsamuel Private E-2

    BTW - I attempted both Trend/Symantec from safe mode - so it's into some core system files.

    I will run AVG to see if anything arises. After that, I'll do an HJT in Safe Mode, Safe Mode with networking and in normal mode and compare them.

    My family is watching the tube, too - this has been going on way too long. Thanks so much for your help here.

    Cheers, Eric
     
  17. ejsamuel

    ejsamuel Private E-2

    Major - Went to bed and slept on it. In the AM, I saw that AVG found nothing (of course).

    I don't know my way around Windows too well, having spent most of my career in UNIX. I was trying to understand how, in safe mode with networking, when I was on the Trendmicro scan page, the redirect to the 404 message occurred. The rendering of the Java scan tool was almost complete - what process would be able to detect that tool and then intervene?

    BTW, I don't know whether this is related or something different, but also this morning, on my wife's login, WinPatrol kept pestering me with a report that her IE homepage was being overwritten (apparently to a MS site, but I'm suspicious). This happened several times while there was no user activity. I kept it at bay by hitting No on WinPatrol to reject the overwriting. When I get back this evening, I'll look into this more carefully and post my HJT output.

    Thanks, again for your assistance.
     
  18. Kodo

    Kodo SNATCHSQUATCH

    Eric,
    Could I be so bold as to recommend you try AVAST! Home Edition

    http://www.majorgeeks.com/download1968.html

    My brother was having issues this past weekend and I had him scan with this over AVG and it found several viruses that AVG didn't report at all.

    This is freeware but requires a FREE registration on their site to receive the FREE key. Without the key, it's operable for 60 days.
     
  19. ejsamuel

    ejsamuel Private E-2

    Kodo - be bold! Thanks for the tip. I have no problems trying new things. Eventually, I'm sure we'll uncover the source of my problem.

    (Either that or I plan my strategy to re-format then re-install the OS from the ground up. Hey, I'd be able to partition my disk the way I wanted - those folks from Dell seem to have only 1 way with the pre-installed systems.)
     
  20. Kodo

    Kodo SNATCHSQUATCH

    If you DO decide to eventually go that route, then I suggest this nifty piece called nLite

    http://www.majorgeeks.com/download4324.html

    It will allow you to make a slipstream CD for Windows XP. That means you can incorporate SP2 into a "build" and save it as an ISO and burn it to a CD. The CD will be bootable and you can install XP SP2 in one shot. Check it out.
     
  21. 44039

    44039 Private First Class

    Since it happens with both browsers, and you have checked everything else, I would look at Zone Alarm very closely.

    Every time I've seen something like this, it's usually firewall related (minus the homepage being reset, which is "hijacking").
     
  22. ejsamuel

    ejsamuel Private E-2

    Looks like I have a few things on my plate tonight. My kids will continue to be deprived of their "nurturing" MSN. :)

    Why I haven't mentioned this earlier, I don't know. Sorry if it has led anyone astray.

    A symptom that led me into tracking this down and then going online for help was the fact that known programs were popping up in ZA to request access to the Internet. When I pressed "no" - all internet activity would stop. Occasionally, I was foolhardy enough to hit "yes" - and I had continued Internet access.
     
  23. Kodo

    Kodo SNATCHSQUATCH

    Yes, definitely check that IE and the other browsers have internet access in ZA.
     
  24. ejsamuel

    ejsamuel Private E-2

    Well, I have loaded, updated and run Avast. Found something called Trojan-gen in Program Files/common file/install.exe during boot-up scan. Deleted that by mistake (instead of fixing it). Don't know if that's important.

    After the scan by Avast, I rebooted, then found that I again lost the internet connection. Upon reboot, I have been able to re-establish it. Something is still screwy. I'm still unsuccessful with Trendmicro and Norton.

    I also inspected my ZA - here are the entries:
    IE: Access - Trusted + Internet; Server - ? + ?
    Version 6.00.2900.2180 (xpsp2_sp2_rtm.04083-2178)
    Firefox: Access - Trusted + Internet; Server - ? + ?
    Version 0.9

    I'm not sure what I need to be looking at other than these? I have scanned the other entries, but I could be missing something.

    As well, I have uploaded my latest HJT.

    Any suggestions?

    Cheers, Eric
     


  25. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Looks good! Couple to look at, usually anything with (no file) can be removed, often these are leftover from something you removed:

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


    That's it, I do not recognize this:

    O16 - DPF: {4A4A8010-CB28-40C6-950D-FD0B397EAA1D} - http://www.cbchomedelivery.com/installer/CBCHomeDelivery.cab

    But am guessing you do or it would have been gone. Well done! Any symptoms left?
     
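    As an added illustration (not from Major Attitude's post, and not part of HijackThis itself), here is a small parser that applies the same triage to a HijackThis log: it picks out entries marked (no file), downloaded ActiveX controls (O16 DPF), HOSTS overrides (O1), start-page settings (R0/R1) and autostart entries (O4), so the items worth looking up are listed in one place. The log text is constructed for the example; the O9 and O16 lines are the two quoted above, and the other lines are made up to mirror symptoms described earlier in the thread.

```python
"""Triage a HijackThis log: pull out the entry types worth checking by hand.

Added example. The O9 and O16 lines below are the two quoted in the thread; the
other entries are constructed to mirror symptoms described earlier (a hosts
override, a start page being rewritten, an autostart pointing at install.exe).
"""
import re

SAMPLE_HJT_LOG = r"""
Running processes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.test/
O1 - Hosts: 10.20.30.40 www.trendmicro.com
O4 - HKLM\..\Run: [install] C:\Program Files\Common Files\install.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {4A4A8010-CB28-40C6-950D-FD0B397EAA1D} - http://www.cbchomedelivery.com/installer/CBCHomeDelivery.cab
"""

# HijackThis entry lines look like "O16 - DPF: ..." ; headers and process lists do not.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Return (section, body) for each entry line; skips headers and process lists."""
    items = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            items.append((m.group("section"), m.group("body")))
    return items


def triage(items):
    """Map each entry to a finding kind plus the detail worth looking up."""
    findings = []
    for section, body in items:
        if "(no file)" in body:
            # Registry points at something no longer on disk: a leftover, safe to remove.
            findings.append((section, "orphan", body))
        elif section == "O1":
            # A HOSTS line that overrides DNS for a name.
            findings.append((section, "hosts-override", body.split(":", 1)[1].strip()))
        elif section == "O16":
            # Downloaded Program File: an ActiveX control fetched from a URL.
            clsid = CLSID_RE.search(body)
            url = body.rsplit(" - ", 1)[-1]
            findings.append((section, "downloaded-activex",
                             f"{clsid.group(0) if clsid else '?'} <- {url}"))
        elif section in ("R0", "R1") and "Start Page" in body:
            findings.append((section, "start-page", body.split("=", 1)[1].strip()))
        elif section == "O4":
            # Autostart entry: "[name] path" after the registry key.
            findings.append((section, "autostart", body.split(": ", 1)[-1]))
    return findings


def summarize(text):
    """Convenience wrapper: log text -> {kind: [detail, ...]}."""
    summary = {}
    for _section, kind, detail in triage(parse_hjt(text)):
        summary.setdefault(kind, []).append(detail)
    return summary


if __name__ == "__main__":
    for kind, details in summarize(SAMPLE_HJT_LOG).items():
        print(kind)
        for d in details:
            print("   ", d)
```

    The "orphan" group is the "(no file)" case described above; the other groups are the entries that, on this thread's symptoms (unreachable vendor sites, a rewritten home page, a recreated install.exe), are the ones to search for by CLSID, URL or file name before deciding anything.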
  26. ejsamuel

    ejsamuel Private E-2

    Hi Major - unfortunately I still do have the symptoms. :(

    After all my work,
    - I still can't run Trendmicro/Symantec scans from either Firefox/IE.
    - Firefox/IE temporarily were blocked from Internet access - I had to reboot to regain access. Simply logging off and back in wasn't enough. This happens probably 1 out of 10 times.

    I'll look at the O9 item that you quoted.

    :confused: Is there another tack that I should be pursuing? Both IE and Firefox won't run either of those scans - what is the common thread between those two? Is it in some common point with the Java? Are there other detection tools that might help me glimpse what might be happening?

    Cheers, Eric

    ps - I did de-install the MS JVM and installed Sun's. I am going to upgrade my Firefox to 1.0 from 0.9.3. Hopefully that helps.
     
  27. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  28. Kodo

    Kodo SNATCHSQUATCH

    Pretty sure TrendMicro scan doesn't work with FireFox. I just tried it (FF 1.0 PR) and it wouldn't load for me. The page says it requires IE 4+ or Netscape 4+.

    Try removing your free surfer pop up blocking software too and see if that helps.
     
  29. ejsamuel

    ejsamuel Private E-2

    Hi guys - thanks for the input.

    I installed Sun Java on the weekend at the time I removed MS Java. I also cleaned out my HOSTS file - it is bare-bones now with only the 127.0.0.1 localhost entry. (I'll restore the full suite of blocked sites as soon as I've fixed this problem.)

    Kodo - I found the same thing with Norton. It seems Firefox is not recognized as a Netscape progeny and thus wouldn't work anyway. I guess we'll have to take that out of the equation.

    I'll try disabling free-surfer with IE and report my results.

    Cheers, Eric
     
  30. Kodo

    Kodo SNATCHSQUATCH

    Netscape is Gecko engine. FireFox is Mozilla.

    Let us know how it goes.
     
  31. ejsamuel

    ejsamuel Private E-2

    Kudos to Kodo!! That was a good call on Free Surfer. Exited FS, and I just started the scan on Trendmicro - it's racing through as I type. I'll follow suit with Norton.

    Check back with you guys soon.

    Cheers, Eric
     
  32. ejsamuel

    ejsamuel Private E-2

    Successfully ran Trendmicro - it found "WORM FRIENDGRT.B" and was unable to clean it. Whatever this is re-created "Install.exe", which I had deleted when running Avast. I elected to delete it.

    Now I got a name.

    Unfortunately Internet access went out again. So I rebooted in Safe Networking mode (as I'm in right now). A funny re-direct to what I believe is a fictitious web page from Zone Alarm. First clue was it said "don't panic" - so I didn't follow any of the instructions. As well, there was no address in the address bar.

    I have attached the source text output of the web page (it wouldn't let me save it as a complete web page).

    I had to reboot again - so now I'm going to run Norton. Maybe it will find something that will be more effective.

    Cheers, Eric
     


  33. ejsamuel

    ejsamuel Private E-2

    After I successfully ran Trendmicro, I managed to get the Symantec virus scan going last night. It was probably about 90% complete, then something intervened and redirected my browser to a "site not available" message. So that didn't complete.

    As well, even after the successful virus scan by Trendmicro, my access to the Internet via IE and Firefox was spotty. I had to reboot a few times to re-establish access.

    However, on Trendmicro's site, they have a description of this guy. See http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRIENDGRT.B It has manual instructions to remove it and also links to a package for automatically cleaning this. I will try to run it tonight when I return.

    Cheers, Eric
     
