TechSpot

[Solved] Browser redirect + poor performance + error on exit explorer

Discussion in 'Virus and Malware Removal' started by beogil, Mar 18, 2010.

Thread Status:
Not open for further replies.
  1. beogil Newcomer, in training

    Hi and thanks,

    Started this process once about a week ago, but only got to step 5. (Dad of 3 and busy life :) Started over last night at step 1. Will post original results, and new results in the posts to follow.

    Symptoms
    • Poor performance. Laggy opening apps, esp. explorer
    • Explorer redirects occasionally. Sometimes from google search. Sometimes on its own. It just did it again this morning after step 5. Step required reboot. Opened explorer to read next step... home page is msn, and it redirected.
    • All redirects are actually a new explorer window that pops up. (original window stays open at correct location). Redirects are random pages... lots of 'winners click here' type stuff.
    • Up until today, when I closed explorer, an error dialog box would pop up. (Wrote it down but lost it) Something like a call error reading memory at a certain location.
    • After any reboot, computer ALWAYS says it needs to reboot again. I have let it do it a few times thinking it was installing updates, but it will loop through reboots 6 or 7 times. Gave up after that... will click cancel now.
    • Get lots of "internet explorer cannot display page". Will have to reload page several times to get it to load. In step 6, could NOT use the link to the java update. It said "internet explorer cannot display page" no matter how many times I reloaded. Ended up typing java link in directly

    When I updated java, these are the outdated versions I removed: 5.1, 5.4, 6.1, 6.2, 6.3, 6.5, and 6.7. Updated to 6.18.

    On the next post, I will post the first mbam log and superantispyware log. (It did find some things)

    The following post will have all the results + hijack this from today.

    Thanks again for your help. I am headed to work... not sure how this works, so let me know if I need to be at the computer for an extended time. It's 6:30am here... will be back tonight about 5:00

    Thanks,
    Tim
  2. Bobbye Helper on the Fringe

    Good Morning dad of 3! I think I remember you. Please wait until you have all 3 logs ready and then include them in your next reply.

    I'm sure you already know there can be many reasons for poor performance, slow computer, etc. What we'll do is check for malware, hopefully find and make sure it's removed. We'll see how the system is then and go from there.

    Edit: Add this:
    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe then under Select log to query, select:
    • Application
    • System

    Under Select type to list, select:
    • Critical (Vista only)
    • Error

    Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

    Load the log
    • In Notepad, click Edit > Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.
    (Courtesy rev-Olie)

    Reboot before you do this- hoping to check for any error that corresponds to having to reboot again.
  3. beogil Newcomer, in training

    logs from first mbam and antispy

    here are the logs from the first time... only got to step 5. (Actually, I had tried mbam twice before that... then realized I had a problem and found this page. I am including those two original mbam logs as well.)

    thx

    Attached Files:

  4. beogil Newcomer, in training

    sorry... most recent logs

    sorry... had already uploaded the previous message, then saw your reply... uploading the most recent and complete now...

    Attached Files:

  5. beogil Newcomer, in training

    event view log

    Log: 'Application' Date/Time: 18/03/2010 3:00:38 AM
    Type: error Category: 0
    Event: 1024 Source: MsiInstaller
    Product: Microsoft Office Access Runtime (English) 2007 - Update 'Microsoft Office 2007 Service Pack 2 (SP2)' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

    Log: 'Application' Date/Time: 18/03/2010 3:00:38 AM
    Type: error Category: 0
    Event: 10005 Source: MsiInstaller
    Product: Microsoft Office Access Runtime (English) 2007 -- Error 2711. An internal error has occurred. (OfficeWebComponents11 )

    Log: 'Application' Date/Time: 17/03/2010 7:41:33 PM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 17/03/2010 7:40:46 PM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 17/03/2010 1:02:14 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 16/03/2010 3:10:30 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 16/03/2010 3:00:39 AM
    Type: error Category: 0
    Event: 1024 Source: MsiInstaller
    Product: Microsoft Office Access Runtime (English) 2007 - Update 'Microsoft Office 2007 Service Pack 2 (SP2)' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

    Log: 'Application' Date/Time: 16/03/2010 3:00:39 AM
    Type: error Category: 0
    Event: 10005 Source: MsiInstaller
    Product: Microsoft Office Access Runtime (English) 2007 -- Error 2711. An internal error has occurred. (OfficeWebComponents11 )

    Log: 'Application' Date/Time: 16/03/2010 1:39:56 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 15/03/2010 10:43:14 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 15/03/2010 10:43:08 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 15/03/2010 10:43:03 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 15/03/2010 7:42:03 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 15/03/2010 7:38:19 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 15/03/2010 5:24:49 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    Log: 'Application' Date/Time: 15/03/2010 5:24:44 AM
    Type: error Category: 0
    Event: 11706 Source: MsiInstaller
    Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 18/03/2010 6:48:23 AM
    Type: error Category: 0
    Event: 49 Source: Ftdisk
    Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

    Log: 'System' Date/Time: 18/03/2010 6:48:23 AM
    Type: error Category: 0
    Event: 45 Source: Ftdisk
    The system could not sucessfully load the crash dump driver.

    Log: 'System' Date/Time: 18/03/2010 5:55:00 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:59 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.

    Log: 'System' Date/Time: 18/03/2010 5:54:58 AM
    Type: error Category: 0
    Event: 7023 Source: Service Control Manager
    The Application Management service terminated with the following error: The specified module could not be found.
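The VEW dump above is long enough that the pattern is easy to miss: the same Office installer errors (11706, 1024, 10005) recurring every day, and 18 copies of Service Control Manager event 7023 inside two seconds of one boot. The script below is an added example for this thread, not part of VEW or of either poster's logs: it parses VEW's text layout, groups identical events by log/source/event id with first and last seen, and flags bursts of the same event inside a short window. The sample input is a constructed, abridged copy of the log above in the same format; the function names, the 5-second window and the 5-event threshold are choices made here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: an abridged copy of the thread's VEW output, same layout.
SAMPLE = """\
Log: 'Application' Date/Time: 18/03/2010 3:00:38 AM
Type: error Category: 0
Event: 1024 Source: MsiInstaller
Product: Microsoft Office Access Runtime (English) 2007 - Update 'Microsoft Office 2007 Service Pack 2 (SP2)' could not be installed. Error code 1603.

Log: 'Application' Date/Time: 17/03/2010 7:41:33 PM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 16/03/2010 3:10:30 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 SR-1 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Premium. The Windows installer cannot continue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 18/03/2010 6:48:23 AM
Type: error Category: 0
Event: 49 Source: Ftdisk
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

"""
# The repeated boot-time service error from the thread, generated rather than pasted six times.
SCM_7023 = ("Log: 'System' Date/Time: {ts}\nType: error Category: 0\n"
            "Event: 7023 Source: Service Control Manager\n"
            "The Application Management service terminated with the following error: "
            "The specified module could not be found.\n\n")
SAMPLE += "".join(SCM_7023.format(ts=t) for t in (
    "18/03/2010 5:55:00 AM", "18/03/2010 5:54:59 AM", "18/03/2010 5:54:59 AM",
    "18/03/2010 5:54:59 AM", "18/03/2010 5:54:58 AM", "18/03/2010 5:54:58 AM"))

HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<ts>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\S+) Category: (?P<cat>\d+)$")
EVENT_RE = re.compile(r"^Event: (?P<id>\d+) Source: (?P<src>.+)$")


def parse_vew(text):
    """Return one dict per 'Log:' record, in file order."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines, '~~~' rules and "'System' Log - error Type" banners end a record.
        if not line or line.startswith("~") or line.startswith("'"):
            cur = None
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = {"log": m.group("log"), "message": "",
                   "time": datetime.strptime(m.group("ts"), "%d/%m/%Y %I:%M:%S %p")}
            events.append(cur)
            continue
        if cur is None:
            continue
        m = TYPE_RE.match(line)
        if m:
            cur["type"] = m.group("type")
            continue
        m = EVENT_RE.match(line)
        if m:
            cur["event_id"] = int(m.group("id"))
            cur["source"] = m.group("src").strip()
            continue
        cur["message"] = (cur["message"] + " " + line).strip()  # free-text body
    return events


def summarize(events):
    """Group by (log, source, event id): count, first/last seen, one message."""
    groups = {}
    for e in events:
        key = (e["log"], e.get("source", "?"), e.get("event_id"))
        g = groups.setdefault(key, {"count": 0, "first": e["time"],
                                    "last": e["time"], "message": e["message"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], e["time"]), max(g["last"], e["time"])
    return groups


def find_bursts(events, window_seconds=5, min_count=5):
    """Identical events repeated >= min_count times inside window_seconds."""
    per_key = defaultdict(list)
    for e in events:
        per_key[(e["log"], e.get("source", "?"), e.get("event_id"))].append(e["time"])
    bursts = []
    for key, times in per_key.items():
        times.sort()
        best, j = None, 0
        for i, start in enumerate(times):  # sliding window over sorted timestamps
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            if best is None or j - i > best["count"]:
                best = {"key": key, "count": j - i, "start": start, "end": times[j - 1]}
        if best["count"] >= min_count:
            bursts.append(best)
    return bursts


if __name__ == "__main__":
    evs = parse_vew(SAMPLE)
    for key, g in sorted(summarize(evs).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{g['count']:3d}x {key[0]}/{key[1]}/{key[2]} "
              f"{g['first']:%d/%m %H:%M:%S} .. {g['last']:%d/%m %H:%M:%S}  {g['message'][:70]}")
    for b in find_bursts(evs):
        print(f"BURST: {b['count']} x event {b['key'][2]} ({b['key'][1]}) within {b['end'] - b['start']}")
```

Paste the full VEW output into SAMPLE (or read it from a file) and the grouped view shows the daily MsiInstaller 11706 repeats that match the "needs to reboot again" symptom, and the 7023 burst shows up as one boot-time failure rather than 18 separate incidents. A service reporting "The specified module could not be found" means the Service Control Manager could not load the DLL registered for that service, so the follow-up check is to compare the service's registered ServiceDll path with what is actually on disk.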
  6. beogil Newcomer, in training

    I had to truncate the last message... said it was too long. I deleted the oldest of the events (from two days ago)

    thx again
  7. beogil Newcomer, in training

    sorry for so many posts... as I was looking over that event log, I remembered another symptom I am having. When I go to certain websites (always google maps for instance), it starts to try to install a service pack or something related to microsoft office. I have no idea what it is talking about, so I cancel out, then the page works fine....

    thx
  8. beogil Newcomer, in training

    headed to work... will check back on this post and my emails.
    thx
  9. Bobbye Helper on the Fringe

    Okay, since you left the logs, I looked for anything significant. What I found is that your system isn't secure and has an affinity for Trojans! You get rid of one, then get another! This means 2 things: you need to improve the system security and it's likely that all of the malware hasn't been cleaned:

    You go from Vundo to Trojan FakeAlert, which drops Trojan Hiloti. They get removed then you get either Vundo back again- or it wasn't fully removed, then Trojan Fraudpack-so- skip the Event Viewer for now and let's work on the malware first:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Leave the Combofix report and Eset log in your next reply and we'll determine what's next.

    In the meantime, I notice you're using QuickBooks. A file in QB was found to have malware. IF you can find this file, do a right click and scan with the antivirus:
    C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\LPNG.DLL

    The log says 'Header'. I'm not sure if it means the Vundo was found in the header of the file.

    EDIT: I see you were posting the events while I was working on the logs. Please take MS Office off of Startup. That's about all I can get from those events.
  10. beogil Newcomer, in training

    I will get right to that when I get back to the computer... it will be late afternoon. Thanks so much for your help, Bobbye! I look forward to getting this thing fixed.

    again, I will be checking posts/email, so if anything else comes up, just let me know.

    thx
  11. Bobbye Helper on the Fringe

    No problem! Just leave it whenever you're ready.
  12. beogil Newcomer, in training

    wow... this is not going well! :) Sorry it has taken me so long, but I have been trying without success to do your steps.

    combofix - downloaded and renamed to Combofix(.exe) At some point it must have renamed itself Combofix(.exe).exe, because after some trouble, I looked at it and noticed that. When I double clicked to run it, the first time it showed a progress bar, then about 30 seconds after that disappeared, a disclaimer message came up, and I accepted, then nothing. Waited a minute or two and tried again... this time the progress bar, but no disclaimer... then nothing. Tried a few times and the same. Tried clicking in the progress bar to get it to freeze. Command window with blue background came up and said this ""SWSC" is not recognized as an internal or external command, operable program or batch file"... then nothing. Opened task manager to see if the task was running in the background... nothing. So tried again. Nothing... however, I was noticing that each time, after the progress bar, the desktop would 'reset' itself. AND the task manager would shut down on its own. Moved on.

    Eset - had fits getting it to load in explorer. It tried to install active x app several times. Kept accepting, and seemed stuck in a loop. Sometimes the pop up scanner would be blank. Finally got it to open with the actual scanner, but then got this message - "can not get update. Is proxy configured?" I looked at the proxy, but didn't know what to set it to. Sometimes the window came up with "Internet explorer cannot access page" message. Moved on.

    Could not find the quickbooks file in the directory.

    Was able to remove msoffice from startup... SUCCESS!! (well, 1 out of 4) :)

    I will start back with combofix (redownload, etc) and go through the steps again until I hear back from you in hopes that it finally takes. (Between fixing dinner for the kids)

    Thanks again for your help.
  13. beogil Newcomer, in training

    one other thing... my network connection is doing SOMETHING while I couldn't get any of this to work. In the 1 hour my connection has been up, it's 'received' over 30meg. Most of it while trying to access the scanner.

    thx
  14. beogil Newcomer, in training

    hey... success... i started over, and downloaded combofix from the other link on that page... renamed it with a dash this time, and tried it. This time I waited a lot longer... about 3 minutes, then the command window finally popped up and ran. I have the log file... I am going to try the other one, then upload both.

    Explorer seems especially laggy now.

    brb
  15. beogil Newcomer, in training

    ok... tried eset again. This time it started to download (after several explorer could not download page errors) and got all the way to 100% on the virus definition update.... then gave "unexpected error 2002" in the scanner explorer window.

    I started over, and this time it said it had run before, and it started the virus update at 50%, but kept giving me a proxy error and didn't go further. Can't seem to get past it. It did leave a log, but it doesn't seem complete. I don't think I will get it to work, so I am uploading both the combofix log and the eset log.

    Thanks!

    Attached Files:

  16. beogil Newcomer, in training

    persistence pays off... kept trying eset, and after an hour it finally finished the download and ran. It's still running on the other computer... going very slowly. I'll check on it in the morning, and upload the log file. So far it has only found one infection "Win32/Olmarik.UI trojan"
  17. beogil Newcomer, in training

    eset finished its scan. the log file is attached. there was also a new folder created... c:\Qoobox (?) it has another log file in it (combofix quarantine files.txt) Let me know if you want me to upload that too.

    will check back in the am.


    Thanks!!!

    Attached Files:

    • log.txt (2.4 KB)
  18. Bobbye Helper on the Fringe

    This is the name of the folder that Combofix puts quarantined files in. So apparently the program ran. There should be a log-
    I need to see it please.

    It looks like there was some problem with the Eset updating. I'll know more after seeing the Combofix report.

    By the way, if you need to add a comment or change something in your post and there is no reply yet, you can use the Edit feature instead of making a new reply.
  19. beogil Newcomer, in training

    Thanks, Bobbye.

    Busy day! Ok, attached are the following:
    • The eset log file
    • the Combofix log file (located in C:/)
    • The Combofix quarantine file (in C:/Qoobox)
    • The Combofix program list (in C:/Qoobox)

    I understand what you are saying... I looked back, and I had left a lot of posts :) I'll be more brief, and use the edit feature.

    By the way... I haven't had anymore redirects since yesterday.

    Looking forward to your next advice.
    Thanks!
    Tim

    Attached Files:

  20. Bobbye Helper on the Fringe

    Tim, I understand that you're busy and probably doing these scans in between feeding the kids, but you're actually making more work for yourself.

    You don't need to separate the Combofix report. I see everything I need to in the log from the scan. If I write script for any entries in Combofix, then you will be instructed to post the resulting log from that. But I don't need 'qoobox' and add/remove entries broken apart. I also did not request a listing of the Add/Remove programs.

    I went back and read your original post again. You are really not describing a 'redirect'. It's more like you've got adware popping up in another Window.
    • "Poor performance." "Laggy opening apps, esp. explorer"> this can be caused by a multitude of things.
    • "Explorer redirects occasionally". Are you referring to Internet Explorer or Windows Explorer? It is not enough to just say 'Explorer.'
    • "Sometimes from google search. Sometimes on its own." If malware is causing a redirect, it is typical to either type a site in the address bar but be 'redirected' to a different site OR type a word(s) in Google search box, choose a site from the hits, but have a different site come up instead.
    • "All redirects are actually a new explorer window that pops up. (original window stays open at correct location)". This is not a redirect. It's more a description of either adware or possibly spyware pop-ups or pop-unders.
    • ".....when closed explorer, (Internet Explorer or Windows Explorer) an error dialog box would pop up. Something like a call error reading memory at a certain location." A referenced memory error can be caused by several things, one of them being as simple as having too many Windows open or programs running at the same time.
    • "After any reboot, computer ALWAYS says it needs to reboot again." The events, all involving Office, would indicate a failed installation- for whatever reason.
    • "internet explorer cannot display page". This can be due to a setting problem in Internet Explorer, a server problem from your ISP or a server problem from the site you are trying to access.
    Please do the following:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    c:\windows\Bhaqipokidu.bin
    c:\windows\Xnago.dat
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (image not included)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

    Rescan with HJT once more after doing above. Attach new log. IF clean and problem has been resolved, I'll have you remove the cleaning tools and old restore points.

    Regarding QuickBooks: you have the following entries:
    QBFC3.0>> QuickBooks component used for third party applications (QBFC)
    QuickBooks Premier: Professional Services Edition 2004
    QuickBooks Premier: Professional Services Edition 2007
    QuickBooks Product Listing Service>> QuickBooks Product Listing Service was discontinued with QuickBooks 2007.


    If you are no longer using this program and have any information you need saved, I can set up removal for you- let me know.