Solved Browser continues to redirect to "blockedsitesonline.com". (Google Redirect?)

Status
Not open for further replies.

Darrelkun

Posts: 14   +0
Hello everyone,

Yesterday my uncle came to me out of frustration with his computer. It runs kind of slow and both Firefox and IE continuously redirect webpages (at random, but frequently) to some website called blockedsitesonline.com. Not only that, but the computer runs incredibly slow, especially the browsers. All of these signs have me thinking it's a virus/trojan/hijack of some sort, but every program I've run thus far hasn't fixed the issue.

So far I've run Spybot, Adaware, Avast, and Malware. They've all found a few trojans, spyware, and malware (except for Avast), but deleting them has done nothing thus far.

For the most part it redirects me when I'm clicking a link from google, but it will continuously redirect me while I'm surfing other pages, too. And sometimes when I type the url by hand, it will redirect me. Not sure if it's like the other google redirect problems or not.

I've been searching the forums for a bit now for any possible solutions so I wouldn't have to pester anyone (I don't like to burden more than I have to), but it seems the majority of problems are an "individual case", so I can't exactly follow procedures that aren't directed at this problem.

Right now I'm typing this on my own laptop because I can't get into this website on his computer. But as soon as I can, I will post the HijackThis file that I saved.

Thanks for reading, and I hope I can return his computer to him clean!
 
Sorry to double post! I got the HijackThis text file.

His computer still won't allow the techspot website. :< I had to put it on a flashdrive and move it to my laptop.
 

Attachments

  • hijackthis.log (8.9 KB)
Okay, sorry about that! Here are the logs from the programs.

Added them as attachments because they seemed really long. :<
 

Attachments

  • DDS.txt (15.5 KB)
  • DDS_Attach.txt (14.4 KB)
  • gmer.log (5.8 KB)
  • mbam-log-2010-07-17 (21-42-40).txt (893 bytes)
Which browser is getting redirected?

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
It does it on both Firefox and Internet Explorer.

When his computer finished with Combofix and restarted, Ad-Watch Live found two things:
catchme.cfxxe and handle.cfxxe were both trying to start up the settings area in the registry. Do I grant them access or deny?

Here's the log, and for the first time since starting this adventure, it's let me attach something to the forums. ^^ I've had to save it to a flash drive and upload it on my laptop. Maybe it's clean now?
 

Attachments

  • log.txt (17.4 KB)
How is the redirection issue?

======================================================================

catchme.cfxxe and handle.cfxxe were both trying to start up the settings area in the registry. Do I grant them access or deny?
Yes, they're both Combofix files. From now on, until we're done with cleaning, disregard any of your security programs warnings.

====================================================================

You're running two AV programs, Avast and AVG8. One of them has to go.
I suggest, AVG goes.
If so, use AVG Remover: http://www.avg.com/us-en/download-tools

==================================================================

I strongly suggest, you uninstall Registry Patrol. Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

==================================================================

Combofix log looks good :)
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I uninstalled AVG. But I can't figure out how to uninstall Registry Patrol (I wanted it gone anyway since I heard it's not a good program ><; ) and Combofix /Uninstall doesn't work for me. ; ;

Edit: Oh! And the redirection issue seems to have cleared up.^^
 
We'll get rid of Registry Patrol manually in the next step.

Delete Combofix manually....
Delete Combofix, Qoobox folders,and Combofix.txt file from C:
Delete Combofix from your desktop

Continue with OTL.
 
Okay thank you. ; ; Sorry to be so computer illiterate.

The forum keeps telling me that the texts are too long to copy/paste. (It wants 20k characters or less, and I have 44,759 characters.) I'm going to attach, I'm sorry.

Thank you so much for your help this far by the way. I really appreciate it and I wish I knew half as much as you hard workers!
 

Attachments

  • OTL.Txt (87.3 KB)
  • Extras.Txt (32.7 KB)
You're very welcome :)

Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    [2010/07/17 11:00:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Registry Patrol
    [2010/07/17 11:00:11 | 000,000,000 | ---D | C] -- C:\Program Files\Registry Patrol
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll -  File not found
    O33 - MountPoints2\{5d077444-6a6b-11df-ab5a-001fc645cb2d}\Shell - "" = AutoRun
    O33 - MountPoints2\{5d077444-6a6b-11df-ab5a-001fc645cb2d}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{5d077444-6a6b-11df-ab5a-001fc645cb2d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{9ed09e90-91a0-11dd-a958-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{9ed09e90-91a0-11dd-a958-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{9ed09e90-91a0-11dd-a958-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- [2010/05/26 12:12:09 | 001,011,112 | R--- | M] (Qwest Communications International Inc.)
    [2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
I was wondering, is Outlook a bad program to use to check emails? If so, I could tell him to check his email through Firefox. I have a feeling that might have been where he got whatever it is he got.
 

Attachments

  • 07182010_171409.log (10 KB)
  • OTL.Txt (75.4 KB)
Email program really doesn't matter.
It's all about right security programs and first of all, computer habits.

Last scan...

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart your computer.

2. Go to the Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Okay! Sorry that took so long. The first time it stalled at 76% for four hours. I had to restart it. :< Thank you for being patient with me. I hope you had a good night's rest.
 

Attachments

  • Kaspersky_Report.txt (5 KB)
I hope you had a good night's rest.
I can't complain :)

Now, all infected items are listed in all kinds of your mailboxes, so before we do anything, I need to know if you have any important pieces of mail in the following places:

- C:\backup.pst
- C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Outlook\archive.pst
- D:\Windows\Application Data\Identities\{093466A0-D7C3-11D3-A831-F5C771445E0A}\Microsoft\Outlook Express\Inbox.dbx
- D:\Windows\Application Data\Identities\{093466A0-D7C3-11D3-A831-F5C771445E0A}\Microsoft\Outlook Express\Deleted Items.dbx
- D:\Windows\Desktop\backup.pst
- D:\Windows\outlook.pst

BTW, I assume, you can see, where the most of your infections came from....hmmmm
 
Yeah, that I can. ^^;

I'm not exactly sure if he has any super important emails. He says he needs some of the letters to keep track of people he's trying to sell his restaurant equipment to, so I hope none of them are the infected ones.

What exactly do the infected files mean? That we need to just get rid of them? The entire Outlook program?

He got this problem after getting some spam from craigslist.

Sorry to be no help. D:! Thank you for helping me find the problem. ;w;
 
What exactly do the infected files mean? That we need to just get rid of them? The entire Outlook program?
No, not the program.
Some mail pieces have either malicious attachment(s), or a malicious link(s) in them.
If he wants to keep some mail, it has to be very carefully examined, by not clicking on unknown links within the mail and every single attachment has to be scanned with AV program before opening.
I guess, we can leave it up to you and him.
I pretty much told you what to do.

Other than that....

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
 
Thank you so very much!

Firefox and Internet Explorer are running at normal speed now and are no longer redirecting me!

I don't think I can ever thank you enough. My uncle will be extremely happy to have his computer returned to him. I hope I can one day clean a computer on my own, and if I ever get that good, I'll be sure to return and help others in return.

Have a nice day, and thanks so much!
 
Cool

Good luck and stay safe :)
 
Okay, we're having problems. :/

His computer completely deleted XP, is only running 98 in safe mode, and half of his devices aren't working (like his mouse and sometimes keyboard). AVG also came back. :/

I followed the steps for the deleting and recreating system restore points, but it seems it just deleted it and didn't set a new one. Or something. ; ; Need more help after all, I'm sorry.
 
Well, I won't be able to help, unless you'll tell me what exactly happened, which led to all this.
Last time, I checked, the computer was in perfect shape.
 
I don't know 100% what happened, because when I restarted it to turn on the System Restore, the computer was fine. So I unplugged it and took it back to his place and plugged it in. Then when he got home he called me and told me what was going on.

When he got on it, it went to Windows 98, Safe Mode, and AVG scanned saying there were no errors. That's all I know.

I'm really sorry if this isn't enough information. I have no access to the computer at this moment but tomorrow I'll be grabbing it. Should I wait and post more information when I get a hold of his computer and bring it back to my house? Should I maybe just reformat? I'm sorry to be such a problem for you! ; ;

Edit: He finally told me there was a Start Menu to pick from: Safe Mode and Normal. I told him to run in Normal. He clicked normal and AVG popped up saying no viruses were found, and is now checking Drive C for errors. Now it went into Safe Mode on its own, with the Add New Hardware Wizard for USB positive device. It shut everything else off, and can't cancel it or go back.
 
No, no problem. Things happen :)

Should I wait and post more information when I get a hold of his computer and bring it back to my house?
That would be the best way.
 