Solved IE browser redirects and popups after following TechSpot steps

Status
Not open for further replies.

drewaarom
Hello all,

I'm trying to rid my grandma's computer of a bad trojan infection. I've just about got it, but IE is still plagued by some kind of hijacker. I have followed all of the steps here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ and am attaching the requested files.

The symptoms in IE: when clicking a hyperlink on a page that I have navigated to, instead of opening the correct hyperlinked page, it opens some other page; when I attempt to close that page, a popup opens saying some nonsense. I don't remember what exactly the popup text is, but if necessary, I can write down the popup message and submit in a subsequent post.

Any help will be much appreciated.

Thanks,
Drew
 

Attachments: Attach.zip (3.5 KB), DDS.txt (6 KB), gmer.log (3.5 KB), mbam-log-2010-08-19 (18-03-04).txt (894 bytes), hijackthis.log (4.6 KB)

Drew, I'm reviewing the logs now. In the meantime, please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Okay, let's handle this first. There are 3 Domains in the Trusted Zone. I'd like you to take all 3 out of the Trusted Zone. There is lower security in this Zone and that can cause the system to be vulnerable. Nothing needs to be in this Zone:

Open Internet Options> either in the Control Panel or Tools in IE:
  • Click on the Security tab
  • Click on Trusted Sites then Sites
  • Highlight each of the following in the Website box:
    [o] google.com\www> Remove
    [o] live.com> Remove
    [o] techspot.com\www> Remove
  • Click on OK> Apply> OK.

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
===========================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I'll have you run the HijackThis scan again later. There is an entire section missing> where the homepage, search page and other entries should be.
 
Thanks for your reply, Bobbye.

I've done as you instructed:

Ran Combofix and ran the virus scan.

The log files are attached.

I haven't gotten any more redirects/popups since I scanned, but I haven't restarted the computer yet either, and it's after a restart that the problems usually start creeping up. I won't do anything else until I hear from you, but I will restart and let you know if I'm still having the problem.

Best,
Drew
 

Attachments: ComboFix.txt (6.7 KB), log.txt (846 bytes)

These logs look very good! The entries I had set up for removal from the original logs were handled in Combofix and the Eset scan is clean. There is just one folder left over for AVG data and I'll have you delete that.

But you need to reboot the computer now so we can make sure nothing is lurking. After you reboot, run this scan so I can check for any left over bad entries:

Choose v 2.0.4:
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Note: If you get any popup message when you reboot let me know what it says. And if popups recur, describe as best you can.
 
Thanks so much, Bobbye.

That little ComboFix tool is impressive. It seems to have solved the problem. I've rebooted several times now, browsed to many internet sites, and have yet to experience any unwanted redirects or popups. So I think we're in good shape.

Both my grandma and I send you many thanks.

I've attached the HijackThis log file.

One question is that I noticed that the security settings in IE for the Internet Zone are set to "custom", rather than default. I know that I had set them to default before; so something has changed that. I was wondering if one of the scan/fix tools had done that or if one of the invaders had. Should I set it back to default? Do you have any recommendations for IE security settings?

I was also wondering if you have any general recommendations for security measures I can take to help keep my grandma's computer clean. I'm looking for a balance between strong security and minimal maintenance on her part. (I don't live nearby, and it was just luck that I happened to visit after she contracted this problem.) I explained to her the dangers of clicking any hyperlinks in emails, particularly unsolicited emails from unknown sources. We think that's probably how she got this problem. (She had AVG installed when this happened, although it doesn't seem to have prevented the infection. Though I don't know if she kept it updated or how she may have responded to any alerts that came up in the first stages of the infection. I uninstalled AVG.)

Right now I have installed on her computer: Avira, Malwarebytes, Spybot S&D, but I very much doubt she'll be running the scans regularly. I also doubt she'll be able to deal with the more aggressive features of Spybot (like Tea Timer and SDresident). At home I browse with Firefox with NoScript set to deny all by default, but I don't think she can handle this either, as it will require more or less constant input from her to allow the sites she wants to visit. I hate Norton because it's so invasive, expensive, and seems to create a host of problems of its own, although I know many people who have been adequately protected by it for years.

Anyways.... interested to hear your thoughts. Thanks for reading, and thanks again for your help.

Best,
Drew
 

Attachments: hijackthis.log (5.3 KB)

Yes, Combofix is impressive- and it's also powerful. But it should only be run if directed by a malware helper and then only with guidance.

Let's remove all of the tools we used and the files and folders they created:
  • Uninstall ComboFix and all Backups of the files it deleted:
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o] The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points:
    [o] Go to Start > All Programs > Accessories > System Tools
    [o] Click "System Restore".
    [o] Choose "Create a Restore Point" on the first screen then click "Next".
    [o] Give the Restore Point a name> click "Create".
    [o] Go back and follow the path to > System Tools.
    [o] Choose Disc Cleanup
    [o] Click "OK" to select the partition or drive you want.
    [o] Click the "More Options" Tab.
    [o] Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
====================================
Your questions and tips for safer surfing: Tell your gram that all of the blue words have links she can click on to find the program or information.
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
     This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
     • Antivirus Software (only one): Both of the following programs are free and known to be good:
       [o] Avira Free
       [o] Avast Home
     • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
       [o] Comodo
       [o] Zone Alarm
     • Antispyware: I recommend all of the following:
       [o] Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
       [o] IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
       [o] MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
       [o] Google Toolbar: Get the free Google toolbar to help stop pop up windows.
  3. Stay current on updates:
     [o] Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
     [o] Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
     [o] Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

See next post for added tips.
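The MVPS HOSTS file mentioned above works by mapping ad and malware hostnames to 127.0.0.1, so connections to them never leave the machine. The same file is also a favourite place for a browser hijacker to send a user somewhere other than the site they clicked. The script below is an added example for this thread, not Bobbye's code and not anything MVPS ships: it parses a HOSTS file in the real format and separates ordinary blocking lines from lines that rewrite domains the user depends on. The protected-domain list, the sample file contents and the `.invalid` hostnames are constructed for the example; the default file path is the standard Windows location.

```python
# Added example (not from the thread): audit a Windows HOSTS file, telling MVPS-style
# blocking lines apart from hijack-style lines that rewrite domains the user relies on.
import ipaddress

# Addresses that make a hostname unreachable rather than sending it somewhere else.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed list: domains a hijacker has no business rewriting. Extend it for the
# machine you are checking (AV vendor, Windows Update, sites the user actually needs).
PROTECTED_DOMAINS = {"google.com", "live.com", "microsoft.com", "avira.com"}

# Constructed sample in the real HOSTS format: Windows defaults, two MVPS-style
# blocking lines and two hijack-style lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# blocking entries of the kind the MVPS file ships
127.0.0.1  ads.example-adnetwork.invalid
0.0.0.0    tracker.example-tracker.invalid   # inline comment is ignored
# hijack-style entries (constructed for this example)
127.0.0.1   www.avira.com
203.0.113.5 www.google.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # first field is not an address at all
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def is_protected(name, protected):
    """True when name equals, or is a subdomain of, any protected domain."""
    return any(name == d or name.endswith("." + d) for d in protected)


def classify_hosts(text, protected=PROTECTED_DOMAINS):
    """Sort HOSTS entries into four buckets.

    loopback - the stock localhost lines
    block    - a local sink for a domain not on the protected list (what MVPS does)
    hijack   - any mapping at all of a protected domain, sinkholed or sent elsewhere
    redirect - a non-local address for any other domain; unusual, worth a look
    """
    report = {"loopback": [], "block": [], "hijack": [], "redirect": []}
    protected = {d.lower() for d in protected}
    for ip, name in parse_hosts(text):
        local = ip in LOCAL_SINKS
        if name == "localhost" and local:
            report["loopback"].append((ip, name))
        elif is_protected(name, protected):
            report["hijack"].append((ip, name))
        elif local:
            report["block"].append((ip, name))
        else:
            report["redirect"].append((ip, name))
    return report


def hosts_is_clean(text, protected=PROTECTED_DOMAINS):
    """True when the file holds nothing beyond loopback and plain blocking lines."""
    report = classify_hosts(text, protected)
    return not report["hijack"] and not report["redirect"]


def audit_file(path=r"C:\Windows\System32\drivers\etc\hosts", protected=PROTECTED_DOMAINS):
    """Run the classifier over a HOSTS file on disk (default: the Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_hosts(fh.read(), protected)


if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS)
    for bucket, entries in result.items():
        for ip, name in entries:
            print(f"{bucket:9} {ip:15} {name}")
    print("clean" if hosts_is_clean(SAMPLE_HOSTS) else "suspicious entries found")
```

On the sample, the two `.invalid` lines land in `block` (exactly what a blocking HOSTS file is supposed to do), while `www.avira.com` sinkholed to 127.0.0.1 and `www.google.com` sent to an outside address both land in `hijack`, even though the first uses the same loopback trick as the legitimate lines. A large MVPS-style file will fill the `block` bucket with thousands of entries; the `hijack` and `redirect` buckets are the ones to read.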
 
Additional safe surfing tips:

  4. Reset Cookies to prevent Tracking Cookies:
     [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
     [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

     I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
     AdBlock Plus
     Easy List

  5. Do regular Maintenance:
     • Remove Temporary Internet Files regularly:
       [o] ATF Cleaner by Atribune
       OR
       [o] TFC
     • Disable and Enable System Restore:
       [o] See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

  6. Practice Safe Email Handling:
     [o] Don't open email from anyone you don't know.
     [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
     [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

Enjoy your computing experience! It's as good as you make it!
 
Thanks again, Bobbye,

I uninstalled ComboFix and cleaned up as per your instructions.

I have one last item of concern:

Windows Automatic Updates have been enabled on my grandma's computer for a long time, and they've been installing. But I visited the Windows Update site anyways, and there noticed that SP3 had not been installed. (She has Win XP Home SP2.) It had already been downloaded, but when I tried to install, I got past the EULA agreement, and it took about five seconds to tell me that the update failed. I tried several things - deleting SoftwareDistribution folder from Windows Recovery Console; registering several winupdate dlls, emptying IE & Win temp folders - but nothing worked. Same error message every time: "A problem on your computer is preventing updates from being downloaded or installed".

I'm no longer at her house; so my diagnostic and fixit abilities are very limited.

But I was wondering if you had any advice to solve this problem, and if you think it's related to the malware infection - I'm guessing yes.

Thanks,
Drew
 