Internet Explorer redirect

Zedx148
Problem:
Internet Explorer has started redirecting. Google Chrome has stopped working. Markany Content Safer 3.00 appeared by the clock on the lower right of my screen when I disabled Avast and Spybot to run DDS, I tried to close but didn't recognize the language. (I don't know if this was installed previously or if it's a problem.)

History:
"Auto-Protect Results" popped up and I thought it may have been from my expired Norton Anti-virus, but now I don't think it was. I clicked fix and reboot. That may have been the beginning. Defense Center (Scareware) finished downloading onto my computer before I was able to stop it. I used Malwarebytes to remove.

I have gone through the 8 steps and included the requested logs. I appreciate any help.
 

Attachments

  • mbam-log-2010-06-18 (08-07-25).txt (895 bytes)
  • gmer.log (45.6 KB)
  • DDS.txt (21.3 KB)
  • Attach.txt (19.7 KB)
I've followed the 8 step process, should I run Combofix and HijackThis? My only problem during the 8 step process was that I couldn't get onto the Windows Update page.

Any help would be appreciated. Thank you.
 
Don't worry about the Windows Update. Everyone is having a problem with it! It can be malware or it can be their site, or both.

I took a quick look at the logs and you will need to run Combofix:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
===========================================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
You don't need to run HijackThis now. We do that at the end.

Please run the Norton Removal Tool
You have 2 Live Update entries running that can cause a problem. Reboot the computer when through.

I'm signing off now so no rush on those scans. I did notice that there are quite a few errors in the Event Log and the hard drive looks strange for Windows XP:
C: is FIXED (FAT32) - 38 GiB total, 12.564 GiB free.
 
Thanks for your help Bobbye.

I've included the requested files. It took me about three tries to get Combofix to run. It looks like Eset picked up on several trojans. I also had trouble getting the Norton removal tool to work so I uninstalled the live update through add/remove programs manually.

This is all new to me, I just know enough to be dangerous.

Thanks again for helping me out with this!
 

Attachments

  • ComboFix.txt (29.4 KB)
  • log.txt (2.5 KB)
EDIT:
Please read and consider my suggestion in Reply #6 before doing the following.

Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\travis zach\application data\{48400212-C408-452B-BC19-B313B542016D}
c:\windows\SoftwareDistribution.old
c:\windows\Hwaqofaja.bin
c:\windows\Epijodadode.dat
c:\windows\wt

Folder::
c:\documents and settings\LocalService\UserData
c:\program files\folder.htt

DDS::
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\nzsearch\nzsearchenh.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [MAAgent] c:\program files\markany\contentsafer\MAAgent.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Ckesibecidu] rundll32.exe "c:\windows\enuyamukohiyima.dll",Startup
uPolicies-explorer: EditLevel = 0 (0x0)
dPolicies-explorer: EditLevel = 0 (0x0)
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
mASetup: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - c:\windows\system32\updcrl.exe -e -u c:\windows\system32\verisignpub1.crl

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"= -
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KAZAA"= -
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

RegLock::
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\F494F8BD7F228D8EFFEAAEF53A8D4504]

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please go to Scheduled Tasks in the Control Panel and remove the following:
c:\program files\Symantec\LiveUpdate\NDETECT.EXE

You can also remove a scheduled task by selecting it and then pressing Delete.
LiveUpdate

Remove this from the Trusted Zone: aol.com\free

Please go to Add/Remove Programs and uninstall all Java except v6u20. The old, outdated versions are vulnerabilities.
 
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    ${Memory}
    :Services
    
    :Reg
    
    :Files  
    C:\WINDOWS\SYSTEM32\dvdphare.dll	
    C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe	
    C:\Program Files\Microsoft AntiSpyware\Quarantine\640A3210-8E46-424C-955E-EFD602\21253FF1-0678-4FC2-9F14-4F67A3	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

I am concerned about one of the malware infections on files. Some files were quarantined by Combofix, but you still show a file active: the malware is Win32/PSW.Papras.BO trojan. It can steal login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself.

Although we are removing everything that is found, that does not mean that your information didn't get out. Your passwords should be changed immediately and any online financial transactions should be monitored.

It is the type of infection that should make you seriously consider doing a reformat/reinstall and then setting up all new passwords and/or secure information.
 
Hello Bobbye,

Thanks for the help and I appreciate the advice. I've changed my passwords, understand the risk and I'd like to continue down this path. I'm enjoying the journey and the education.

Combofix ran smoothly and I've included the log.
I removed the symantec folder.
Removed aol.com\free.
Uninstalled extra Java updates.
OTM was stopped by DrWatson. I had to do a reset and then it seemed to run through. I've included that log as well.

Thanks again!
 

Attachments

  • ComboFix.txt (27.9 KB)
  • 06232010_205501.log (5.9 KB)
Oh my goodness, you get the prize for the oldest file I've seen in a log>> 1980!
1980-01-01 07:00 23357 c:\program files\folder.htt
Folder.htt is a HyperText Template file containing HTML code that individually or globally customizes the display of folder contents when Internet Explorer 4.0x (IE) is installed.

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\SpiralFrog\Spiralfrog.exe
c:\program files\Common Files\Symantec Shared\ccApp.exe
c:\program files\Common Files\Symantec Shared\ccRegVfy.exe
c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
c:\program files\folder.htt
Folder::
c:\documents and settings\Erin\Local Settings\Application Data\SpiralfrogClient
c:\documents and settings\Erin\Local Settings\Application Data\ApplicationHistory

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"= -
"SpiralFrog"= -
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KAZAA"= -
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"ccApp"= -
"ccRegVfy"= -
"NPROTECT"= -

RegLock::
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\F494F8BD7F228D8EFFEAAEF53A8D4504]

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
On March 19, 2009, SpiralFrog terminated operations due to loan recalls. It was also tagged as a possible infected site.

You also have these data files from 2003. I can't identify them so didn't include in script:
2003-01-28 01:03 32
c:\windows\SYSTEM\{F41043DF-1434-4A63-B04F-CDCA05BF14D1}.dat
c:\windows\SYSTEM\{D33367EE-3AD8-42DA-8B26-B193FD4F6168}.dat
c:\windows\SYSTEM\{F9206F68-68C7-4B49-8FD2-DD7EC03E5CBD}.dat
c:\windows\SYSTEM\{87BA5BA7-1502-433C-90F4-7264D95C320B}.dat
c:\windows\SYSTEM\{A0154442-AA99-4CD1-A01A-F9BB732085A2}.dat
c:\windows\SYSTEM\{378A70F0-EE5F-497D-B752-7C4A37E0667C}.dat

How is the system running now? Any change/improvement?
 
YESSS!!!!! Oops, sorry about the caps violation, I just got excited to learn that I have won a prize. I hope it's a vacation, I could use a vacation...........or a new computer.

I've had this computer since 2000. It came originally with ME. Boy that operating system was a gem. I wonder if the files you mentioned were part of that transition between ME and XP? I'd be ok with getting rid of them and anything else if you think it would help things run smoother.

I became aware of the whole spiralfrog thing a few days ago. I got rid of the program on my other computer but was waiting for the green light from you per our agreement not to make changes without counsel.

I haven't had any redirects in a while, I did have some instances (intermittent) where the task bars on the top and bottom of IE8 wouldn't appear (last weekend/Monday/Tuesday). That was a couple days ago. Seems to have cleared up. Things are running better on my end. Thanks again!........a car would be nice.
 

Attachments

  • ComboFix.txt (26.9 KB)
A car, huh? I'll have to think hard about that one! And I will forgive the caps- this one time.:)

Are you still using the HP Officejet All-In-One installed in 2002? Let me know and if not, I'll include those entries along with the .dat files from 2002.

Edit: Forgot this one: Contents of the 'Scheduled Tasks' folder
Open the Scheduled Tasks and remove the following from 2003, and delete the file:
c:\windows\Tasks\Uninstall Expiration Reminder.job:
- c:\windows\System32\OOBE\oobebaln.exe
 
All my peripherals have been from HP- and I get basic models! They are outstanding in performance, don't you think? Okay here's the last script: There are entries without dates- none of those are removed:

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\SYSTEM32\1E7B262D60.dll
c:\windows\SYSTEM\{F41043DF-1434-4A63-B04F-CDCA05BF14D1}.dat
c:\windows\SYSTEM\{D33367EE-3AD8-42DA-8B26-B193FD4F6168}.dat
c:\windows\SYSTEM\{F9206F68-68C7-4B49-8FD2-DD7EC03E5CBD}.dat
c:\windows\SYSTEM\{87BA5BA7-1502-433C-90F4-7264D95C320B}.dat
c:\windows\SYSTEM\{A0154442-AA99-4CD1-A01A-F9BB732085A2}.dat
c:\windows\SYSTEM\{378A70F0-EE5F-497D-B752-7C4A37E0667C}.dat

Folder::
c:\windows\DRM\Cache\Indiv01.tmp
c:\windows\wt
Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . You don't need to leave the log.
====================
Empty the Java cache:
Control Panel> Java> Temporary internet files> Settings> Click on Delete>> I don't keep any files in this cache so have no disc space allotted> Apply> OK.
=====================
If all is resolved, remove all of the tools we used and the files and folders they created:
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you need more help.
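As an added example for this thread (not ComboFix's own code, and nothing Bobbye posted), here is a small Python parser for the CFScript layout used in the three custom scripts above. It reads the section headers (File::, Folder::, DDS::, Registry::, RegLock::, Driver::), treats the `"name"= -` lines under Registry:: as .reg-style value deletions, and applies two of the triage heuristics visible in those scripts to the DDS:: lines: orphaned "No File" browser add-on entries, and rundll32 loading a DLL that sits straight in the Windows root. The directive meanings are my reading of the scripts, and the sample script is constructed from entries that appear in this thread rather than taken from a real machine.

```python
"""Parse a ComboFix CFScript and summarise what it asks ComboFix to do.

Added example for this thread; it is not ComboFix's own code. Assumed meaning
of the directives (my reading of the scripts posted in the thread): File:: and
Folder:: list paths to delete, Registry:: uses .reg syntax where "name"= -
deletes a value, RegLock:: lists locked keys to unlock, Driver:: lists services
to remove, and DDS:: lists autostart lines copied from a DDS log to be fixed.
"""
import re
from collections import OrderedDict

# Constructed sample assembled from entries seen in this thread (not a real machine's script).
SAMPLE_CFSCRIPT = r"""File::
c:\windows\Hwaqofaja.bin
c:\program files\folder.htt

Folder::
c:\windows\wt

DDS::
mRun: [Ckesibecidu] rundll32.exe "c:\windows\enuyamukohiyima.dll",Startup
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"= -
"SpiralFrog"= -
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KAZAA"= -

RegLock::
[HKEY_LOCAL_MACHINE\software\LicCtrl\F3F0046F119EFA4F]

Driver::
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"\s*=\s*-$')
# rundll32 launching a DLL that sits directly in the Windows root (no subfolder)
ROOT_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(c:\\windows\\[^\\"]+\.dll)"?', re.I)


def parse_cfscript(text):
    """Return an ordered {section: entries} map.

    Registry:: entries are (key, value) tuples, with value None for the key
    line itself; every other section keeps its stripped lines as written.
    """
    sections = OrderedDict()
    current = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            current_key = None
            continue
        if not line:
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        if current == "Registry":
            km = KEY_RE.match(line)
            vm = VALUE_DELETE_RE.match(line)
            if km:
                current_key = km.group(1)
                sections[current].append((current_key, None))
            elif vm and current_key is not None:
                sections[current].append((current_key, vm.group(1)))
            else:
                raise ValueError(f"line {lineno}: bad Registry:: entry {line!r}")
        elif current == "RegLock":
            km = KEY_RE.match(line)
            if not km:
                raise ValueError(f"line {lineno}: RegLock:: expects [key] lines")
            sections[current].append(km.group(1))
        else:
            sections[current].append(line)
    return sections


def flag_dds_lines(lines):
    """Reasons a triager would give for choosing these DDS:: lines for removal."""
    findings = []
    for line in lines:
        if line.endswith("- No File"):
            findings.append((line, "orphaned browser add-on entry (No File)"))
        m = ROOT_DLL_RE.search(line)
        if m:
            findings.append((line, f"rundll32 loads a DLL from the Windows root: {m.group(1)}"))
    return findings


def summarize(text):
    """Counts of what the script would touch, section by section."""
    return {name: len(entries) for name, entries in parse_cfscript(text).items()}


if __name__ == "__main__":
    for name, count in summarize(SAMPLE_CFSCRIPT).items():
        print(f"{name:>9}:: {count} entries")
    for line, why in flag_dds_lines(parse_cfscript(SAMPLE_CFSCRIPT)["DDS"]):
        print(f"  {why}\n    {line}")
```

Running it prints the per-section counts and the two flagged DDS:: lines. A malformed Registry:: section (a value line before any `[key]`, or a line that is neither) raises instead of being silently skipped, which is the behaviour you want from anything that pre-checks a script before it is dragged onto ComboFix.exe.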
 
Yeah, HP seems to make great peripherals. I had the pleasure to work at their Corvallis, OR campus in '02'ish. I was a carpenter and they were upgrading an external cooling system for a new wafer(?) that they were about to produce. I got to enter some clean rooms and meet some of their engineers in the office. It seemed like we had plenty of time to visit. They were testing some pads that resembled the ipad back then. Pretty interesting.

I don't think she ran this good when I got her! Thanks for all of your help Bobbye!

I guess I just need to collect my prize and we're good!!
 
Bobbye,

............so I was applying my newfound knowledge to my other computer with no unusual symptoms and I found "win32/agent trojan" while scanning with Eset.

I followed the 8 steps first, kept the logs and skipped combofix. Should I have Eset fix the problem or would you like to take a peek at the other logs?

Thanks again.
 
You did good! I am so glad you felt confident to go ahead and run the scans. But I'd like you to start a separate thread for this computer. Maybe just call it 'Eset found Trojan' and remind me that there weren't actually any symptoms, but you ran the scan and found the Trojan. You can leave those logs on the new thread, okay? Hold on Combofix until I see the logs.

It's the nature of the malware beast to mean you likely have another infected file or 2, so let me check- I am hesitant just to say remove the one entry.
 