Google redirects in Firefox

Status
Not open for further replies.

toot033

Posts: 9   +0
I was directed to this site by a friend and hopefully you can help me. My redirection problem started under my wife's login and I have noticed it under mine now. I started yesterday with a complete scan with Spy hunter and it located and removed a Zlob trojan. We felt confident that this removed the problem but to our dismay it did not. I have rerun Spy hunter, Mal ware, Spy bot, AVG, ATF, Super anti spy ware and nothing is detected and the issue is still present. I have currently followed your 8 step instructions and will attach the logs.
I do have one question, should I let Hijack this fix all the items it found?
Thank you in advance for any and all help with this problem!
 
Fix this Hijackthis entry:
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html"...

Run the ESET ON-Line Scanner:
Scanner

Report what you find
 
Corrected the option you mentioned and ran the scanner. It came clean but I can't find the log to post it.
 
Welcome to TechSpot, toot203. Perhaps I can help with the malware.

should I let Hijack this fix all the items it found?

Most of what you see in the HJT log is okay. We review the logs and will tell you which to check for removal.

Please reopen HijackThis to 'do systems scan only'. Check each of the following if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn;*.local


Close all Windows except HijackThis and click on "Fix Checked."

Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Let's see if SDFix picks up anything. It may be the proxy entry that caused the problem.
 
I completed Hijack this and removed the items you recommended. I ran the SDFix and it came up clean. A previous tech said to uninstall AVG and run avast. Should I still do that?
It is still redirecting.
 
A previous tech said to uninstall AVG and run avast. Should I still do that?

Should you? No. Not unless you want to. If you're okay with AVG and keep it updated, okay to keep.
But........
Could you have a better antivirus program? Yes. But I would recommend Avira over Avast. It is also free:
Avira Free
But
I don't usually suggest making a change when you know you have malware and the system is already unstable; better to wait until clean, then make the change if you want.

About the redirecting: this has become a catch-all phrase. Almost all malware infections can cause this. But I had one person who was putting a URL in the search box instead of the Address Bar and wasn't getting the site.

So tell me:
1. Are you being directed to the same type of sites- consistently?
2. What type of sites are they?
3. Have you tried to access the sites using IE? What happens? If not, please try it.

Please run this online scan:

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I rechecked your logs and noticed adware had come from a coupon printer: CPNPRT2.CID. It's called Smart Source Coupon Printing. This process is referred to as a Trojan Agent and many have stated it was difficult to remove it. Prevx labels it "Malicious Software".

Please leave the Eset log in your next reply.

Reset Cookies
The account for paulette_kruege needs to get control of the Tracking Cookies. If the two of you are using Firefox, I recommend this be done for both accounts; it will also block the ads:
For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List
 
I think it is redirecting to the same site. I have taken a screen shot of this from Firefox. It usually says it can't find the site and in the search bar it has that weird name. com. I tried IE and after ~2 searches I get the same with the message can't find DNS on the Google error page in IE.
I have addressed the security issues with my wife, added the 2nd option of the pop up blocker (already had add blocker plus) and will work on the coupon printer one. Currently I can do ~4 - 5 searches and then it goes all funky, while she can't do any.
Again thank you for all your patience and help and hopefully it can get rectified!
 
Okay, the image you left is not of a redirect. It is "an error loading the webpage". That is different and usually due to a server problem. But I found the following on the Mozilla forum. Please read through it, see what applies to your situation and see if a fix is recommended:
http://kb.mozillazine.org/Error_loading_any_website

Which version of Firefox are you using? There are 2 currently running: v3.0.16 and v3.5.5.

For the entry in Eset: This may come up 'file not found' which is okay. The entry is from the SDFix quarantine.

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Documents and Settings\Kristopher Krueger\Desktop\Utilities\SDFix.exe	
    C:\SDFix\apps\Process.exe	Win32/PrcView application 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
---------------------------------------

Please let me know how you're doing after checking the Mozilla page.
 
I read that article and the issues there do not seem to apply. I'm using the following version of Firefox: 3.5.6. When I ran the move it program it wiped my desktop and after I forced a reboot, nothing was in the folder you mentioned.
Looking more and more into this I wonder if this may not be a conflict with some tool bars. When we upgraded AVG it threw in a search bar in the top, but I hid it (can't figure out how to uninstall it). I opened it back up and all my searches in the Google portion are showing up there as well. Could this be an issue where they are fighting each other?
It keeps wanting to make it my default search engine as well.
If that is the case I'm going to deep 6 AVG and try the Avast that you recommended! (not too keen on being forced and can't uninstall it)
Please let me know if that might be the case or if you know how to uninstall a toolbar (I've checked the extensions and it does not show up; I can only hide it!)
 
I'll take the issues one at a time:

1. About Firefox: I've been using Firefox since it was released in final form, going on 5 years. Most things have gone well with it. I have v3.0.17 now. I did the v3.5.5 update and got a compatibility notice for one of my add-ons. It is one I cannot afford to lose, but in spite of stopping before the new install completed, it removed the add-on and all the contents.

2. I spent two days trying to figure out how to recover this and ended up d/l and installing the 'old' version, at that time v3.0.16. It installed right over the later version and I didn't lose anything. I guess what I'm trying to say is that, even with Firefox, new isn't always better!

So I offer you the choice of going back to an earlier version to see if that will resolve the problem.

3. As for the antivirus program: there is a deep divide between some of us. Some say throw away what you now have and install the program of their choice, usually Avira or Avast. This used to be done if it was AVG, but some included any other AV.

I do not. If you currently have a functioning AV program, whether paid or free, I do not have you change it at the beginning of cleaning. I will instead suggest a more thorough AV program at the end that you might want to consider. I do not believe in putting something new on an already unstable system.

4. About Toolbars: If you do a right click in the Toolbar section, you will see a list of the Toolbars, and those being used are checked. You can remove the check if you don't want the Toolbar. In fact, some programs have Toolbars or Searchbars already pre-checked on the download site and many don't catch it. AVG might be routing you to the AskBar which is not desirable.

Here's a shortcut that should help from Microsoft:
Toolbar Removal for Windows XP

1. Start> Run> cmd> Type appwiz.cpl > ENTER.
2. In the Currently installed programs list, click Web or search tool bar to remove, and then click Remove.
3. Follow the on-screen instructions to uninstall and complete the toolbar removal.
The thing is that most of the Toolbars are 'built in' to a program. In Firefox, you might see the Toolbar listed as an add-on: Open Tools> Add-ons> if it's there, you should be able to disable or uninstall it.

Whew! That was pretty wordy! Did I cover it all?
 
Thank you for all your help. I've been out of town and have not had a chance to really work on this. The problem still exists. I have uninstalled AVG and reinstalled without adding the tool bar to see if they were competing with each other (i.e. I have Google as default and AVG wants to use Yahoo) but it did not work.
 
Okay, but 2 weeks have passed. It would be best if you rescanned with the original 3 programs. Update Mbam and SAS first. Don't run Eset yet. I forgot to delete the name of the malware files I had you remove in OTMoveIT.
 
Thank you again for all your help and PATIENCE! Malware found a redirect item that it fixed!
Here are the logs that you requested
 

Attachments

  • mbam-log-2010-01-06 (17-42-45).txt
    912 bytes · Views: 3
  • SUPERAntiSpyware Scan Log - 01-06-2010 - 18-09-17.log
    2.5 KB · Views: 1
  • hijackthis.log
    12.1 KB · Views: 1
Malware found a redirect item that it fixed!

One of the reasons we ask to see the logs is to make sure removals have been done. Unfortunately, when you ran Malwarebytes, it DID find the redirect, but this wasn't checked:
Make sure that everything is checked, and click Remove Selected.

So the entry shows: No Action Taken. You should update Mbam, be sure that Remove Selected is checked.

This section in the HijackThis log bothered me:
Code:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

These are okay:
Code:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

But come the Comcast settings:
Code:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100

So the contradiction needs to be resolved: This is what the Comcast clients found resolved the conflict. Apparently, Comcast is getting a black eye from many users, and the 'fix' for these entries is as follows:
For other Comcast client, which was echoed by many other clients:

This is a simple fix. You have a proxy checked (Comcast is famous for this) in your Internet Explorer:
Go to Tools > Internet Options > click on "Connections" and then "LAN Settings".
Under "Proxy Server", there is a box checked. Address: actsvr.comcastonline.com Port 8100
Comcast clients felt that this was a clear Comcast hack that they probably did when they installed new service.

Just uncheck the box and clear out the "Address" and "Port". Then, click on "Ok".


Reboot the computer and run the program below:

Rescan with HijackThis and leave new log in next reply.
Then rescan with Eset and attach new Eset log.
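
Added example, not part of the original thread and not code from HijackThis: a small Python triage of the HijackThis "R" lines discussed in the post above, flagging a configured proxy and search or start pages that point at unexpected hosts. The log lines are copied from this thread; the `EXPECTED_HOSTS` allowlist and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# HijackThis "R" lines look like: "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = ?(.*)$")

# Hosts treated as expected defaults (assumption for this example).
EXPECTED_HOSTS = {"go.microsoft.com"}

# Lines copied from the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
"""

def parse_r_line(line):
    """Split one R-section line into section, key, value name and data."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    section, key, value, data = m.groups()
    return {"section": section, "key": key,
            "value": value.strip(), "data": data.strip()}

def review(entry):
    """Return a note for entries worth a second look, else None."""
    value, data = entry["value"], entry["data"]
    if value == "ProxyServer" and data:
        return "proxy set: browser traffic goes through " + data
    if value == "ProxyOverride" and data:
        return "proxy bypass list present: " + data
    if data.lower().startswith(("http://", "https://")):
        host = urlsplit(data).hostname or ""
        if host not in EXPECTED_HOSTS:
            return "search/start page points at " + host
    return None

def triage(log_text):
    """Collect (value name, note) pairs for every flagged R line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_r_line(line)
        note = review(entry) if entry else None
        if note:
            findings.append((entry["value"], note))
    return findings

if __name__ == "__main__":
    for name, note in triage(SAMPLE_LOG):
        print(f"{name}: {note}")
```

A flagged entry is a prompt to confirm who set it (ISP installer, toolbar, or malware), not proof of infection.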
 
Hm.. that is odd because when I ran the Malware I had that selected and it did remove something.
More importantly I'm not having the re direct issue!!!!
Should I be worried about the IE issues? I'm using firefox.
I have re scanned with Malware as well and it came up clean.
Thanks again for all your help!!
 

Attachments

  • hijackthis.log
    12.2 KB · Views: 1
From the Mbam log:
Files Infected:
C:\WINDOWS\system32\powercfge.dll (Redir.NewServerSearch) -> No action taken.
So the above entry is no longer in Mbam?

In the 2 weeks since this thread started, I got more information about this particular redirect. If you're not getting redirected, we've solved that.

For IE, are you referring to the Comcast entries I questioned? If so, if you start having connection problems, contact Comcast and ask them what entries should remain.

Please update and rescan with Eset online once more. I need to check the status of the entry I gave you to remove. Attach the new log to your next reply. If that was handled, I'll have you remove the cleaning tools and old restore points. We're almost through!
 
I can't seem to find where ESET is putting the logs. I re ran malware and it came clean and I checked the directory that that item was in and it is no longer there.
 

Attachments

  • mbam-log-2010-01-09 (07-38-43).txt
    864 bytes · Views: 2
Let's just be sure you're clean, okay?

Do a search in All Files and folders in your computer for Eset log.
 