Solved Browser redirect problem with IE and Firefox

Status
Not open for further replies.

j2z

Posts: 39   +0
This has me stumped. When loading HTTP pages in IE and firefox the browsers immediately attempt to redirect to http://eatonvillerestaurant.com/wp-content/uploads/2009/035/, then fail to load. With HTTPS sites the pages load, then redirect the same when logging in with username/password.

I downloaded the software identified in the 8 Steps to a thumb drive from a different computer and ran all the steps except updating Java (browser issues won't allow it). I ran Avast first and had one threat, a Win32:maware.gen in c:\system volume info\_restore{.....}\RP1259\A0271457.exe. I deleted this threat before running the subsequent threats. Not sure how much more info to provide, but I've attached the requested logs. The dates are different as I tried running some of the checks again this morning but didn't finish the sequence before leaving for work. Thanks in advance.

Feb 9 update: I've run through the 8 steps again with the same results, but processes seem to be moving very slow (over 2 hours for SuperAntiSpyware). Also maybe of note, Outlook works fine and I haven't noticed any issues with my cable modem or wireless router.
 

Attachments

  • mbam-log-2010-02-08 (07-06-19).txt
    993 bytes · Views: 2
  • SUPERAntiSpyware Scan Log - 02-06-2010 - 00-17-03.log
    29.8 KB · Views: 2
  • hijackthis.log
    10.8 KB · Views: 2
Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thanks for the reply. I downloaded ComboFix and will run it late tonight but won't be able to post the logs until Wednesday when I get to a working browser. Do I also turn disable my firewall? Unless directed otherwise I'll shut down after getting the logs.
 
Thanks again for looking into this. I prepped for and ran ComboFix as instructed. Almost immediately I got the "Microsoft Windows Recovery Console" window stating I did not have the console installed. After clicking "Yes" I got an error window for not having an internet connection and stating to kindly connect, then an "OK" response gave me "Error: Failed to download required files. Aborting . . . Shall continue scanning for malware." OK at this point gave me "Rootkit!!: ComboFix has detected the presence of rootkit activity and needs to reboot the machine."

After reboot the command window reappeared with no other Windows icons on the screen. Registry backup ran, followed by the recovery console error window again asking for an active internet connection to download/install the recovery console. Next - ‘AUTO-RC.cmd’ is not recognized as an internal or external command, operable program or batch file. At this point the process stalled. There is no ComboFix.txt file on the hard drive, but I did re-run HJT and have attached that log.

This really seems whacked . . . what next? Was I supposed to do something besides hit OK when ComboFix wanted to grab the recovery console? Did I give up to soon when it appeared to stall at the "AUTO-RC.cmd" text.
 

Attachments

  • hijackthis_2010-02-10.log
    10.3 KB · Views: 0
Hopefully I didn't jump ahead too much, but I checked the "How to Use ComboFix" page and from instructions there manually installed the Windows Recovery Console. That ran successfully so I rebooted, started the full ComboFix process, and this time it ran complete and generated the log. It still found a Rootkit issue and rebooted. The ComboFix and HJT logs are attached. Let me know what you think.
 

Attachments

  • ComboFix_2010-02-10.txt
    20.9 KB · Views: 5
  • hijackthis_2010-02-10.log
    7.6 KB · Views: 1
How is redirection issue?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
 
I just tried the uninstall and got an incompatible OS error, followed by an antivirus software detection window. Should I try my browser first?
 
ComboFix is uninstalled and I restarted. I have no internet connection, including for my Outlook e-mail. I'll look at manually reconnecting. Any other thoughts?
 
1. Click Start>Run (Start>"Start search" in Vista).

2. Type in (or copy and paste):

cmd /c ping google.com>%temp%\$.$&notepad %temp%\$.$

and press Enter.

3. Notepad will open.

4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.
 
Pinging google.com [74.125.95.105] with 32 bytes of data:

Reply from 74.125.95.105: bytes=32 time=43ms TTL=54
Reply from 74.125.95.105: bytes=32 time=43ms TTL=54
Reply from 74.125.95.105: bytes=32 time=43ms TTL=54
Reply from 74.125.95.105: bytes=32 time=43ms TTL=54

Ping statistics for 74.125.95.105:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:
Minimum = 43ms, Maximum = 43ms, Average = 43ms


Command prompt also opened and stayed open.
 
The above means, you DO have internet connection.
What kind of indication do you have, that internet doesn't work?
 
I cannot retrive mail from Outlook.

Error: A timeout occurred while communicating with the server. (Account: 'pop.central.cox.net', POP3 Server: 'pop.central.cox.net', Error Number: 0x800ccc19).

In Firefox: blank pages with any URL I try.

In IE: "The page cannot be displayed."


IE
 
Turn off computer. Disconnect router, and modem from power source for 30 seconds.
Power them back on.
Restart computer.

If that doesn't work, bypass router, and connect computer straight to the modem.

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew


Restart computer.

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Restart computer.


If that doesn't work...
Download, install, and run WinSockFix: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml (doesn't work in Vista)
Restart computer, and check again.

If that doesn't work...
Download Dial-A-Fix (DAF) (doesn't work in Vista):
http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles

Have XP CD available in case DAF needs a file. Likely not!

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here, one at a time, do the below:

Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking

Watch for any File not found or other errors and make note as this may lead to the fix!

Restart computer.
 
Dial-A-Fix is running now. Nothing up to this point has restored my connection. DAF has been on the "stopping Cryptsvc" step for a while now so I'll let it run overnight then post in the morning. Are there any spyware/AV/malware/firewall settings that were changed for ComboFix that could be causing this grief? Thanks for the continued help.
 
I don't see anything in Combofix log, which could have caused problems.
At what point your browsers stopped working?
 
The browsers stopped working after ComboFix. When I had the redirect issue I was still able to retrieve e-mail through Outlook but as I mentioned that is not functioning now.

While running DAF I had to run the "Repair permissions" tool. After restarting it stalled at "stopping Cryptsvc" and stayed there all night. I rebooted this morning and ran it againg, and it again stalled at the same point. I've attached a log for it and a new HJT log. I'm starting to get bad feelings about this!
 

Attachments

  • dial-a-fix_2010-02-11.log
    3.3 KB · Views: 0
  • hijackthis_2010-02-11.txt
    9.3 KB · Views: 0
Just found out from the kids that the Xbox live account is not finding the DNS. Are my issues on the modem/router side now, and if so what should be the order of steps? Should I disconnect the router and wire directly from modem to computer then start the modem setup process and work my way back to the router?
 
I think, your computer may be still infected, which causes your browsers problems.

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post GMER log.
 
I just spent 30 minutes on the phone with our cable ISP and they did a remote reset of my modem . . . so now I'm back online and replying from home! I'm still concerned about viruses and settings because it is taking a real long time to get logged in and connected. Should I still run GMER?
 
Good news :)
Please, run GMER.
We'll couple more scan to make sure your computer is totally clean....
 
When I run GMER it appears to complete its scan and I can click Save or Copy. Problem is my machine then locks and I cannot paste the log, close GMER, or open any other application. I did this after my last post yesterday and after rebooting lost my browser and e-mail connectivity again. Turns out ZoneAlarm was blocking all attempts to connect so I uninstalled it and let Windows Firewall run.

Back in business again but the GMER scan is still outstanding and things are generally running slow. Should I try GMER again or some other utility, and should I remove some of the others I ran originally (like SuperAntiSpyware) or permanently disable them? Like you said it would be good to confirm the computer is completely clean. Thanks.
 
Please download The Avenger by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select Extract All...
- Follow the prompts and extract the avenger folder to your desktop

Double click on avenger.exe.
Click OK in pop-up window.

Avenger window will open.

Click on Execute button.
Click OK in two consecutive pop-up windows.

Your computer will re-boot now.

Upon re-boot, Notepad window will open.
Select all text, copy it, and paste it into next reply.

NOTE. If the log doesn't open on reboot, open Avenger again, and go File>Open Log File.
 
Here's the Avenger log.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.
 
Status
Not open for further replies.
Back