TechSpot

Google randomly redirecting...logs attached

Resolved
By mcIrishgurl
Mar 14, 2011
  1. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    eset log and combofix

    here's the eset log....when trying to download combo fix a window popped up stating that my os was incompatible and i needed xp or windows 7. my os is windows xp home, so not sure why it popped up with that. then an abort message box popped up and said interference detected, perform a rootkit scan. i just closed both boxes and didn't do anything further until you advise.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=fd63c632005a6c469dc163ae646a705c
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-19 07:27:43
    # local_time=2011-03-19 02:27:43 (-0600, Central Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 23095592 23095592 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16777189 100 75 2012447 13511990 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=92658
    # found=0
    # cleaned=0
    # scan_time=4273
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Are you sure the version of Windows XP you have is a legitimate one?

    See if you can run this:
    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Paste Report.txt back here
     
  3. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    yes i have the original mfg disk for windows xp home that came with my pc.....it is a legitimate registered disc. i clicked on ur link for the sdfix, however, when it takes me to the webpage, i don't see where there is the link to do the actual download....it shows this....Download SDFix and save it to your Desktop. the SDFix is in blue. when i click on it, it takes me to here....Firefox can't find the server at downloads.andymanchesta.com. i tried it with both ie and firefox, no luck.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry- guess they pulled the program and no longer host the site. It's an older program that I don't use much.

    I checked back over the parts of logs I have and we need to check for a bootkit> maybe that's what's causing the problem:

    Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Windows XP has a built-in tool to extract files)
    2. Double-click on the remover.exe file to run the program.
      NOTE: The tool should be run from a command line with Administrator privileges.
    3. Scanning should be completed quickly
    4. Paste the output in your next reply.
    ================================
    Results should be one of the following:
    • OK (DOS/Win32 Boot code found)
      - MBR boot code is clean.
    • Unknown boot code
      - MBR boot code is modified. This practically corresponds to either
      an active bootkit infection, or a custom boot manager installed (such
      as GRUB).
    • Controlled by rootkit!
      - a bootkit with self-hiding capabilities is detected.
    ==============================================
    When I see which it is in the log, I will write what is needed to try and fix what is found- if needed.
     
  5. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    bootkit log

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  6. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    just checking in with you bobbye to see what's next :)
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    That log was okay.

    Please give me an update on the system.
     
  8. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    well, we really didn't get to do much together yet if you look back on the previous posts because of the problems with certain links that didn't work that you asked me to download some things from....but my redirecting issue certainly still exists.... :(so i'm just kinda waiting for further instructions from you.... :)
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    With the exception of the SDFi link, as the program has apparently been pulled, the other links I gave you were okay. I don't have a clue where the added registry program in DDS came from.

    The Bootcode is fine. The online virus scan was clean.

    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode.
    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    mcirish.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    3. Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan)
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Rkill instructions
    *************************************
    Once you've gotten one of them to run, immediately run

    mcirish.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.
     
  10. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    not sure if the rkill ran completely because of what the log said, but here it is....then following will be the exehelper log....trying to do combofix now and will post again shortly....

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/21/2011 at 20:11:17.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\Documents and Settings\Dawn\My Documents\rkill.scr
    C:\WINDOWS\system32\grpconv.exe


    Rkill completed on 03/21/2011 at 20:11:53.



    exeHelper by Raktor
    Build 20100414
    Run at 20:13:33 on 03/21/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  11. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    hi bobbye....tried running that combofix again like you said after the rkill and exe helper, but still wouldn't execute (not in safe mode or with renaming).....as it did with other earlier attempt, got a pop up window error-win32 only saying incompatible os. combofix will work for workstations with windows 2000 and xp up. then another pop up window opens titled abort, which says interference detected please perform a rootkit scan. not sure why it won't work, as you had helped me last may or june with similar redirecting issue and had me run the combofix and it ran fine then. i have the same os i do now as then, windows home xp.

    i said in the previous post, not sure if that rkill ran completely....but i'm thinking you will know by reading the log....
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    At this point, I have to recommend you do a reformat/reinstall.

    It appears that you have some 'non-standard' entries in the OS. Example:
    RKill stopped: C:\WINDOWS\system32\grpconv.exe
    This doesn't even belong on the OS you have.

    I think this-and possibly other entries like it-are the reasons the scans aren't working and tell you they won't work on the OS.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
     
  13. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    bobbye.....which do you recommend that i perform of the two options that the link discusses, repair/reinstall or fresh install?
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I think the fresh install would be more to your benefit. Be sure to backup whatever you want to save first.

    I hope it will install only what is appropriate for the OS you have. I don't know where the file in question has come from. I'm sorry we couldn't work this through, but the messages were consistent about the 'not for this OS' when you tried to run the scans.
     
  15. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    ok...finally back bobbye....i did a fresh reinstall and it seems no redirection at this time....is there anything i need to do further or you wish to check to ensure it's all ok especially since that mysterious \WINDOWS\system32\grpconv.exe appeared prior to the reinstall?

    also which do you recommend to keep on pc, superspyware blaster or malwarebytes?
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You can search on the system for C:\WINDOWS\system32\grpconv.exe
    Right click on Taskbar> Explore> My Computer> Double click Local Drive(C)> Windows> System 32> Look for grpconv.exe on right screen> right click Delete.

    If you don't see the file> once in Windows Explorer>
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck (untick) Hide extensions of known file types.
    • Uncheck (untick) Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.
    • Pick up the directions above beginning with 'Windows'.
    Reset Hidden/System Files & Folders
    ==========================================
    Both Spysweeper and Malwarebytes are okay to keep on system, but Mbam will require you to purchase the program to keep it on the system.
    ==========================================
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one):Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o]Avast Free Version
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      [o] Temporary File Cleaner
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
     
  17. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    i found grpconv.exe but when i delete, it deletes for a few seconds then reappears....as for the other things u suggested, i have pretty much done that except for the restore point, until you advise what to do for grpconv.exe . should i try to delete it's master file grpconv instead?
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    How do you mean 'master file'?
     
  19. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    please excuse my lack of proper technical terminology...lol...when i click on the folder system 32 and it opens to all its contents, amongst it all is an icon with grpconv beneath it. the grpconv.exe only shows once i elect to show hidden files and such.
     
  20. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    just checking in to see what's next bobbye...thanks.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    My internet was down- again.

    Just do a right click on the .exe file.

    Then you are through.
     
  22. mcIrishgurl

    mcIrishgurl TS Enthusiast Topic Starter Posts: 134

    hi bobbye....i already tried right clicking but as i said in an earlier post, when i click delete, it deletes the icon for grpconv.exe for a moment, then the icon reappears which suggests to me that it really didn't delete. that is why i asked if i should try to delete the icon grpconv instead. if i don't need it and it serves no purpose for my version of xp (home), i don't care if it gets deleted.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, you clean and finished.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.