Google redirecting, system slow, 6 steps completed

Inactive
By skitige
Jul 17, 2010
Topic Status:
Not open for further replies.
  1. Hello,

    I'm having redirect problems with Google, also sometimes getting new IE window opening at random. I've run Malwarebytes, Spybot and Ad-Aware.

    Occasionally Ad-Aware will pop up saying it blocked a svchost.exe from connecting to a malicious website.

    Attached are the log files from the 6 steps.

    Thanks for any help you can provide.

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Is there any reason, you ran DDS from safe mode?

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
  3. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    No particular reason DDS was run in safe mode. I was in safe mode to run a virus scan and Ad-aware scan, then just started going through the steps.

    Here is the MBRCheck:
    MBRCheck, version 1.1.1

    (c) 2010, AD
    \\.\C: --> \\.\PhysicalDrive1
    \\.\E: --> \\.\PhysicalDrive2
    \\.\F: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive1 Windows 2008 MBR code detected
    931 GB \\.\PhysicalDrive2 Windows 2008 MBR code detected
    153 GB \\.\PhysicalDrive0 Windows XP MBR code detected

    Done! Press ENTER to exit...
  4. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    DDS reran with Windows in normal mode. Here are the logs.

    Attached Files:

  5. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Thanks :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  6. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    Here is the Combofix report.

    Attached Files:

  7. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    How is redirection?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.
  8. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    Combofix uninstalled.

    Still getting redirected sometimes.
  9. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Which browser is getting redirected?

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  10. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    Here are the two OTL logs.

    Attached Files:

  11. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    You didn't say:
     
  12. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

    =======================================================================

    Are you running two security suites, McAfee and Norton at the same time?

    =======================================================================

    Is ROADRUNNER-SOUTHEAST your ISP?

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2007/09/10 08:22:47 | 000,000,000 | ---D | M](C:\Windows\System32\?ð???ð?ð?ð?ð?ð?ð) -- C:\Windows\System32\ð둠瞘ðððððð
      [2007/09/10 08:22:47 | 000,000,000 | ---D | C](C:\Windows\System32\?ð???ð?ð?ð?ð?ð?ð) -- C:\Windows\System32\ð둠瞘ðððððð
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4167883074-2711385395-2302512757-1000]
      "EnableNotifications" =dword:00000001
      
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  13. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    Internet Explorer is the browser that is getting redirected.
    Currently I think I am only running Norton. I used to use McAfee.
    Yes, ROADRUNNER-SOUTHEAST is my ISP.

    Attached Files:

  14. Broni

    Broni Malware Annihilator Posts: 46,169   +251

  15. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    Just installed Firefox, it is being redirected as well.

    Tried to run the McAfee clean up but received an error:

    MCAFEE CLEANUP
    July 19, 2010 20:26:10
    INFO Cleanup will be scheduled and run.
    INFO Product mpfpcu to be removed from system.
    INFO Product mpfp to be removed from system.
    INFO Product mps to be removed from system.
    INFO Product shred to be removed from system.
    INFO Product mpscu to be removed from system.
    INFO Product mskcu to be removed from system.
    INFO Product msk to be removed from system.
    INFO Product emproxy to be removed from system.
    INFO Product mas to be removed from system.
    INFO Product fwdriver to be removed from system.
    INFO Product hw to be removed from system.
    INFO Product mbk to be removed from system.
    INFO Product mcproxy to be removed from system.
    INFO Product mhn to be removed from system.
    INFO Product mqccu to be removed from system.
    INFO Product mqc to be removed from system.
    INFO Product shrd to be removed from system.
    INFO Product nmc to be removed from system.
    INFO Product redir to be removed from system.
    INFO Product mna to be removed from system.
    INFO Product mwl to be removed from system.
    INFO Product msad to be removed from system.
    INFO Product mobk to be removed from system.
    INFO Product vs to be removed from system.
    INFO Product msc to be removed from system.
    INFO Product mcpr to be removed from system.
    INFO Product mcsvchost to be removed from system.
    ERROR Internal Error
    INFO Task Scheduler service started.
    WINERR IPersistFile::Save() failed. Error: 0x80041315
    FAIL Error while running cleanup using Task Scheduler.
  16. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    That's fine. We can remove McAfee leftovers manually in a bit.
    First I'd like to get rid of that redirection.

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"



    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
    Restart computer and check for redirections
  17. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    Redirects are still occurring.
  18. Broni

    Broni Malware Annihilator Posts: 46,169   +251

     
  19. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    I see a checkmark, however still being redirected.
  20. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Download Kenco.exe to your desktop
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you (it will be saved in the same place as Kenco.exe).
  21. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    Here is the Kenco log, the system did not reboot.

    Kenco by jpshortstuff (31.12.09.1)
    Log created at 22:51 on 20/07/2010 (Scott)

    ========== Task Unlocker ==========

    ========== KencoScan ==========
    C:\Users\Scott\AppData\Local\Temp -> Unable to open file [5]!

    ========== C:\Windows\Tasks ==========
    Ad-Aware Update (Weekly).job -> [02:56 14/07/2010] 370 bytes
    Final Media Player Update Checker.job -> [00:22 29/06/2010] 386 bytes
    Google Software Updater.job -> [12:46 16/08/2009] 868 bytes
    GoogleUpdateTaskMachineCore1cb0dad25e8d78f.job -> [23:39 16/06/2010] 882 bytes
    McAfee Cleanup.job -> [00:26 20/07/2010] 778 bytes

    -=E.O.F=-
  22. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :dir
      C:\Users\Scott\AppData\Local\Temp /s
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  23. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    Here are the SystemLook results.

    Attached Files:

  24. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - [2009/03/25 11:06:30 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
      DRV - [2009/03/25 11:06:28 | 000,214,024 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
      DRV - [2009/03/25 11:06:28 | 000,079,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
      DRV - [2009/03/25 11:06:28 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
      DRV - [2009/03/25 11:05:54 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
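An added example (not part of the original posts, and not OTL's own code): a small Python reader that splits a fix script like the two posted in this thread into its sections and lists the registry edits in `:Reg`, so they can be reviewed before Run Fix is clicked. It assumes `:Reg` follows .reg-file conventions, where `=-` deletes the value; the sample is abridged from the earlier script and the function names are hypothetical.

```python
import re

# Sample input: abridged copy of the fix script posted earlier in this thread.
SAMPLE_FIX = r'''
:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
:Services
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" =-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4167883074-2711385395-2302512757-1000]
"EnableNotifications" =dword:00000001
:Commands
[purity]
[emptytemp]
[resethosts]
[Reboot]
'''

SECTION = re.compile(r'^:(\w+)$')                 # e.g. ":Reg"
REG_KEY = re.compile(r'^\[(HKEY_[^\]]+)\]$')      # e.g. "[HKEY_LOCAL_MACHINE\...]"
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # e.g. '"Name" =dword:1'

def split_sections(script):
    """Return {section name: [non-empty lines]}; empty sections are kept."""
    sections, current = {}, None
    for raw in script.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def registry_changes(script):
    """Return (key, value name, action) for each edit in the :Reg section."""
    changes, key = [], None
    for line in split_sections(script).get('Reg', []):
        k, v = REG_KEY.match(line), REG_VALUE.match(line)
        if k:
            key = k.group(1)
        elif v and key:
            data = v.group(2).strip()  # assumption: "-" means delete the value
            changes.append((key, v.group(1), 'delete' if data == '-' else 'set ' + data))
    return changes
```
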
  25. skitige

    skitige Newcomer, in training Topic Starter Posts: 32

    Here are the OTL fix and scan results.

    Attached Files:
