Inactive Google redirecting, system slow, 6 steps completed

Status
Not open for further replies.

skitige

Hello,

I'm having redirect problems with Google, and I'm also sometimes getting a new IE window opening at random. I've run Malwarebytes, Spybot and Ad-Aware.

Occasionally Ad-Aware will pop up saying it blocked svchost.exe from connecting to a malicious website.

Attached are the log files from the 6 steps.

Thanks for any help you can provide.
 

Attachments

  • mbam-log-2010-07-16.txt
    906 bytes · Views: 3
  • gmer_7-15-10.log
    6.6 KB · Views: 3
  • Attach.txt
    15.7 KB · Views: 0
  • DDS.txt
    15.8 KB · Views: 3
Is there any reason you ran DDS from safe mode?

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
No particular reason DDS was run in safe mode. I was in safe mode to run a virus scan and an Ad-Aware scan, then just started going through the steps.

Here is the MBRCheck:
MBRCheck, version 1.1.1

(c) 2010, AD
\\.\C: --> \\.\PhysicalDrive1
\\.\E: --> \\.\PhysicalDrive2
\\.\F: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive1 Windows 2008 MBR code detected
931 GB \\.\PhysicalDrive2 Windows 2008 MBR code detected
153 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done! Press ENTER to exit...
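What MBRCheck is doing above is hashing the boot-code region of sector 0 on each physical drive and comparing it with known-good Windows boot code, which is why a bootkit that patches the MBR shows up as unrecognised code. As an added example (not MBRCheck's code, and not from the thread), the Python below reproduces that check and adds the partition-table sanity checks a practitioner would want alongside it: boot signature present, exactly one bootable entry, no zero-length entries, no overlapping entries. The "known-good" table is an assumption seeded from a constructed sector, and the boot code bytes are a stand-in, not real Windows boot code; with a real table you would populate it from hashes of clean installs.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440      # boot code; bytes 440-443 are the disk signature, 444-445 reserved
PART_TABLE = 446        # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"  # bytes 510-511


def parse_partitions(sector: bytes) -> list:
    """Decode the four MBR partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE + 16 * i)
        if ptype == 0:
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def check_mbr(sector: bytes, known_bootcode: dict) -> dict:
    """Hash the boot-code region and sanity-check the partition table.

    known_bootcode maps sha256(boot code) -> label, the equivalent of MBRCheck's
    'Windows XP MBR code detected'. Anything not in the table is reported as unknown.
    """
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    digest = hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()
    label = known_bootcode.get(digest)
    if label is None:
        findings.append("boot code does not match any known-good hash")
    parts = parse_partitions(sector)
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one bootable partition")
    for p in parts:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"slot {p['slot']} has a zero start or length")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    return {"bootcode": label or "unknown", "partitions": parts, "findings": findings}


def build_sector(bootcode: bytes, entries: list, sig: bytes = BOOT_SIG) -> bytes:
    """Assemble a test sector; entries are (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + b"\x00" * 6 + table + sig


# Constructed stand-in for clean boot code (assumption: not real Windows boot code).
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
KNOWN = {hashlib.sha256(CLEAN_BOOTCODE.ljust(BOOTCODE_LEN, b"\x00")).hexdigest():
         "constructed clean boot code"}
# One bootable NTFS-type (0x07) partition at LBA 2048 followed by a second one, no overlap.
CLEAN_SECTOR = build_sector(CLEAN_BOOTCODE, [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)])
# The same sector with one patched byte in the boot code, the kind of change a bootkit makes.
_t = bytearray(CLEAN_SECTOR)
_t[0x10] ^= 0xFF
TAMPERED_SECTOR = bytes(_t)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(name, check_mbr(sec, KNOWN))
```

On a live system you would read sector 0 of `\\.\PhysicalDriveN` (which needs administrator rights) and feed those 512 bytes to `check_mbr`; note that a rootkit that hooks disk I/O can return a clean sector to user mode, which is why tools of this kind are run alongside an offline or boot-CD check rather than trusted on their own.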
 
DDS reran with windows in normal mode. Here are the logs.
 

Attachments

  • Attach_no-safemode.txt
    8.4 KB · Views: 0
  • DDS_no-safemode.txt
    17.6 KB · Views: 0
Thanks :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install the Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
How is the redirection?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
 
Which browser is getting redirected?

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
* Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

=======================================================================

Are you running two security suites, McAfee and Norton at the same time?

=======================================================================

Is ROADRUNNER-SOUTHEAST your ISP?

=======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [2007/09/10 08:22:47 | 000,000,000 | ---D | M](C:\Windows\System32\?ð???ð?ð?ð?ð?ð?ð) -- C:\Windows\System32\ð둠瞘ðððððð
    [2007/09/10 08:22:47 | 000,000,000 | ---D | C](C:\Windows\System32\?ð???ð?ð?ð?ð?ð?ð) -- C:\Windows\System32\ð둠瞘ðððððð
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" =-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4167883074-2711385395-2302512757-1000]
    "EnableNotifications" =dword:00000001
    
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Internet Explorer is the browser that is getting redirected.
Currently I think I am only running Norton. I used to use McAfee.
Yes, ROADRUNNER-SOUTHEAST is my ISP.
 

Attachments

  • OTL_Fix_07182010_215327.txt
    10.9 KB · Views: 0
  • OTL_2nd-run.Txt
    102.2 KB · Views: 3
Just installed Firefox, it is being redirected as well.

Tried to run the McAfee clean up but received an error:

MCAFEE CLEANUP
July 19, 2010 20:26:10
INFO Cleanup will be scheduled and run.
INFO Product mpfpcu to be removed from system.
INFO Product mpfp to be removed from system.
INFO Product mps to be removed from system.
INFO Product shred to be removed from system.
INFO Product mpscu to be removed from system.
INFO Product mskcu to be removed from system.
INFO Product msk to be removed from system.
INFO Product emproxy to be removed from system.
INFO Product mas to be removed from system.
INFO Product fwdriver to be removed from system.
INFO Product hw to be removed from system.
INFO Product mbk to be removed from system.
INFO Product mcproxy to be removed from system.
INFO Product mhn to be removed from system.
INFO Product mqccu to be removed from system.
INFO Product mqc to be removed from system.
INFO Product shrd to be removed from system.
INFO Product nmc to be removed from system.
INFO Product redir to be removed from system.
INFO Product mna to be removed from system.
INFO Product mwl to be removed from system.
INFO Product msad to be removed from system.
INFO Product mobk to be removed from system.
INFO Product vs to be removed from system.
INFO Product msc to be removed from system.
INFO Product mcpr to be removed from system.
INFO Product mcsvchost to be removed from system.
ERROR Internal Error
INFO Task Scheduler service started.
WINERR IPersistFile::Save() failed. Error: 0x80041315
FAIL Error while running cleanup using Task Scheduler.
 
That's fine. We can remove the McAfee leftovers manually in a bit.
First I'd like to get rid of that redirection.

Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"

Turn the computer off.

On your router, you'll find a pinhole marked "Reset".
Keep pressing the button inside the hole with a pencil or a paperclip until all the lights briefly go off and come back on.
Restart the computer and check for redirections.
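The post above clears the client's resolver cache and resets the router, and the earlier OTL fix included [resethosts], because a redirecting infection usually lives in one of two places: a DNS server the user never configured (on the PC or pushed by a compromised router's DHCP) or a rewritten hosts file. As an added example, not from the thread and not code from any of the tools named in it, the Python below reads `ipconfig /all` output and a hosts file and flags exactly those two things. The sample output, the hosts file and all addresses are constructed (the public ones are RFC 5737 documentation ranges), not from the poster's machine; the trusted-resolver list is whatever you know to be legitimate.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed `ipconfig /all` output for a Windows 7 host (assumption: not from the thread).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SCOTT-PC

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       198.51.100.7
"""

# Constructed hosts file showing the two edits malware typically makes:
# redirecting a search engine and null-routing a security vendor's update host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.9     www.google.com
203.0.113.9     google.com
0.0.0.0         liveupdate.example-av.test
"""

DNS_LINE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
GATEWAY_LINE = re.compile(r"Default Gateway[ .]*:\s*([\d.]+)")
IPV4_LINE = re.compile(r"IPv4 Address[ .]*:\s*([\d.]+)")
MASK_LINE = re.compile(r"Subnet Mask[ .]*:\s*([\d.]+)")


def _as_ip(token: str):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_dns_servers(text: str) -> List[str]:
    """Every resolver under 'DNS Servers', including the indented continuation
    lines ipconfig uses for the second and later entries."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = DNS_LINE.search(line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            ip = _as_ip(line.strip())
            if ip is None:
                collecting = False
            else:
                servers.append(str(ip))
    return servers


def parse_gateway(text: str) -> Optional[str]:
    m = GATEWAY_LINE.search(text)
    return m.group(1) if m else None


def parse_lan(text: str) -> Optional[ipaddress.IPv4Network]:
    """The adapter's own subnet, derived from its address and mask."""
    a, mk = IPV4_LINE.search(text), MASK_LINE.search(text)
    if not (a and mk):
        return None
    return ipaddress.ip_network(f"{a.group(1)}/{mk.group(1)}", strict=False)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if _as_ip(addr) is None:
            continue
        entries.extend((addr, n.lower()) for n in names)
    return entries


def audit(ipconfig_text: str, hosts_text: str, trusted_resolvers=()) -> List[str]:
    """Flag resolvers you did not configure and hosts entries that hijack names.
    The default gateway is trusted implicitly: a home router normally hands
    itself out as the DNS server."""
    findings = []
    trusted = {str(ipaddress.ip_address(t)) for t in trusted_resolvers}
    gateway, lan = parse_gateway(ipconfig_text), parse_lan(ipconfig_text)
    if gateway:
        trusted.add(gateway)
    for server in parse_dns_servers(ipconfig_text):
        if server in trusted:
            continue
        ip = ipaddress.ip_address(server)
        if lan is not None and ip.version == 4 and ip in lan:
            findings.append(f"resolver {server}: on your LAN but not the gateway; confirm it is yours")
        else:
            findings.append(f"resolver {server}: outside your LAN and not one you chose; "
                            "check the router's DNS settings as well as the PC's")
    for addr, name in parse_hosts(hosts_text):
        ip = ipaddress.ip_address(addr)
        if name == "localhost":
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append(f"hosts: {name} null-routed to {addr} (site blocked)")
        else:
            findings.append(f"hosts: {name} redirected to {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPCONFIG, SAMPLE_HOSTS):
        print(finding)
```

Run it against the real `ipconfig /all` output and `C:\Windows\System32\drivers\etc\hosts` before and after the flush. If the unexpected resolver comes back after `ipconfig /renew`, the PC is only relaying what the router's DHCP hands it, which is the case the router reset in the post is meant to cover; a clean PC on a router with hijacked DNS settings will keep redirecting.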
 
Download Kenco.exe to your desktop
  • Close all windows and run the program.
  • It won't take long to run.
  • Kenco will reboot the system if it finds anything.
  • Post the log it gives you ( it will be saved in the same place as Kenco.exe).
 
Here is the Kenco log, the system did not reboot.

Kenco by jpshortstuff (31.12.09.1)
Log created at 22:51 on 20/07/2010 (Scott)

========== Task Unlocker ==========

========== KencoScan ==========
C:\Users\Scott\AppData\Local\Temp -> Unable to open file [5]!

========== C:\Windows\Tasks ==========
Ad-Aware Update (Weekly).job -> [02:56 14/07/2010] 370 bytes
Final Media Player Update Checker.job -> [00:22 29/06/2010] 386 bytes
Google Software Updater.job -> [12:46 16/08/2009] 868 bytes
GoogleUpdateTaskMachineCore1cb0dad25e8d78f.job -> [23:39 16/06/2010] 882 bytes
McAfee Cleanup.job -> [00:26 20/07/2010] 778 bytes

-=E.O.F=-
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :dir
    C:\Users\Scott\AppData\Local\Temp /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    DRV - [2009/03/25 11:06:30 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
    DRV - [2009/03/25 11:06:28 | 000,214,024 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2009/03/25 11:06:28 | 000,079,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2009/03/25 11:06:28 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/03/25 11:05:54 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Here are the OTL fix and scan results.
 

Attachments

  • OTL_Fix_07202010_232832.txt
    6.9 KB · Views: 1
  • OTL_Scan_07202010.Txt
    115.1 KB · Views: 2