Internet Explorer redirect

By Zedx148
Jun 18, 2010
Topic Status:
Not open for further replies.
  1. Problem:
    Internet Explorer has started redirecting. Google Chrome has stopped working. Markany Content Safer 3.00 appeared by the clock on the lower right of my screen when I disabled Avast and Spybot to run DDS, I tried to close but didn't recognize the language. (I don't know if this was installed previously or if it's a problem.)

    History:
    "Auto-Protect Results" popped up and I thought it may have been from my expired Norton Anti-virus, but now I don't think it was. I clicked fix and reboot. That may have been the beginning. Defese Center (Scareware) finished downloading onto my computer before I was able to stop it. I used Malwarebytes to remove.

    I have gone through the 8 steps and included the requested logs. I appreciate any help.

    Attached Files:

  2. Zedx148

    Zedx148 Newcomer, in training Topic Starter

    I've followed the 8 step process, should I run combofix and hyjack this? My only problem during the 8 step process was that I couldn't get onto the windows update page.

    Any help would be appreciated. Thank you.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Don't worry about the Windows Update. Everyone is having a problem with it! It can be malware or it can be their site-or both.

    I took a quick look at the logs and you will need to run Combofix:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    ===========================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    You don't need to run HijackThis now. We do that at the end.

    Please run the Norton Removal Tool
    You have 2 Live Update entries running that can cause a problem. Reboot the computer when through.

    I'm signing off now so no rush on those scans. I did notice that there are quite a few errors in the Event Log and the hard drive looks strange foe Windows XP:
    C: is FIXED (FAT32) - 38 GiB total, 12.564 GiB free.
  4. Zedx148

    Zedx148 Newcomer, in training Topic Starter

    Thanks for your help Bobbye.

    I've included the requested files. It took me about three tries to get Combofix to run. It looks like Eset picked up on several trojans. I also had trouble getting the Nortan removal tool to work so I uninstalled the live update through add/remove programs manually.

    This is all new to me, I just know enough to be dangerous.

    Thanks again for helping me out with this!

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    EDIT:
    Please red and consider my suggestion in Reply #6 before doing the following.

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\travis zach\application data\{48400212-C408-452B-BC19-B313B542016D}
    c:\windows\SoftwareDistribution.old
    c:\windows\Hwaqofaja.bin
    c:\windows\Epijodadode.dat
    c:\windows\wt
    
    Folder::
    c:\documents and settings\LocalService\UserData
    c:\program files\folder.htt
    
    DDS::
    uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\nzsearch\nzsearchenh.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf???
    mRun: [MAAgent] c:\program files\markany\contentsafer\MAAgent.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [Ckesibecidu] rundll32.exe "c:\windows\enuyamukohiyima.dll",Startup
    uPolicies-explorer: EditLevel = 0 (0x0);dPolicies
    -explorer:EditLevell = 0 (0x0)
    mASetupp: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "cprograra~outloooo~1\setup5exexe" /APP:OE /CALLER:IE50 /user /instalmASetup
    up: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "progragraoutlooloo~1\setupexeexe" /aoe:oe /callie:ie50 /user /install - "progragraoutlooloo~1\setupexeexe" /APP:OE /CALLER:IE50 /user /instamASetup
    tup: {7790769C-0471-11d2-AF11-00C04FA35D02} - prograogroutlootloo~1\setuexe.exe" /APP:WAB /CALLER:WIN9X /user /instmASetup
    etup: {7790769C-0471-11d2-AF11-00C04FA35D02} -prograrogoutlooutloo~1\setexe0.exe" wabp:wab /caller:win9x /user /install -prograrogoutlooutloo~1\setexe0.exe" /APP:WAB /CALLER:IE50 /user /insmASetup
    Setup: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - c:\windows\sysupdcrluexerl.exe -e -u c:\windows\sverisignpub1gcrlb1.crl
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WiCurrentVersionersion\Run]
    "LTMSG"="-
    [HKEY_LOCAL_MACHINE\sofmicrosoftrosoft\wicurrentversionersion\run-]
    "KAZAA"= -
    [HKEY_LOCAL_MACHINE\sofmicrosoftrosoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    [HKEY_LOCAL_MACHINE\sofmicrosoftrosoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    [HKEY_LOCAL_MACHINE\sofmicrosoftrosoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    [HKEY_LOCAL_MACHINE\sofmicrosoftrosoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D  }]
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\F494F8BD7F228D8EFFEAAEF53A8D4504]
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Please go to Scheduled TaskComboFix txttrol Panel and reove the following:
    c:\program files\Symantec\LiveUpdate\NDETECT.EXE

    You can also remove a scheduled task by selecting it and then pressing
    DLiveUpdate

    move this from the Trusted Zone: Trusted Zone: aol.com\free

    Please go to Add/Remove Programs and uninstall all Java except v6u20. The old, outdated versions are vulnerabilities .
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      ${Memory}
      :Services
      
      :Reg
      
      :Files  
      C:\WINDOWS\SYSTEM32\dvdphare.dll	
      C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe	
      C:\Program Files\Microsoft AntiSpyware\Quarantine\640A3210-8E46-424C-955E-EFD602\21253FF1-0678-4FC2-9F14-4F67A3	
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    I am concerned about one of the malware infections on files. Some files were quarantined by Combofix, but you still shows a file active: the malware is Win32/PSW.Papras.BO trojan[/]b. It can steal login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself.

    Although we are removing everything that is found, that does not mean that your information didn't get out. Your passwords should be changed immediately and any online financial transactions should be monitored.

    It is the type of infection that should make you seriously consider doing a reformat/reinstall and then setting up all new passwords and/or secure information.
  7. Zedx148

    Zedx148 Newcomer, in training Topic Starter

    Hello Bobbye,

    Thanks for the help and I appreciate the advice. I've changed my passwords, understand the risk and I'd like to continue down this path. I'm enjoying the journey and the education.

    Combofix ran smoothly and I've included tha log.
    I removed the symantec folder.
    Removed aol.com\free.
    Uninstalled extra Java updates.
    OTM was stopped by DrWatson. I had to do a reset and then it seemed to run through. I've included that log as well.

    Thanks again!

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Oh my goodness, you get the prize for the oldest file I've seen in a log>> 1980!
    1980-01-01 07:00 23357 c:\program files\folder.htt
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\SpiralFrog\Spiralfrog.exe
    c:\program files\Common Files\Symantec Shared\ccApp.exe
    c:\program files\Common Files\Symantec Shared\ccRegVfy.exe
    c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    c:\program files\folder.htt
    Folder::
    c:\documents and settings\Erin\Local Settings\Application Data\SpiralfrogClient
    c:\documents and settings\Erin\Local Settings\Application Data\ApplicationHistory
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LTMSG"= -
    "SpiralFrog"= -
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "KAZAA"= -
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "ccApp"= -
    "ccRegVfy"= -
    "NPROTECT"= -
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\F494F8BD7F228D8EFFEAAEF53A8D4504]
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    On March 19, 2009, SpiralFrog terminated operations due to loan recalls. It was also tagged as a possible infected site.

    You also have these data files from 2003. I can't identify them so didn't include in script:
    2003-01-28 01:03 32
    c:\windows\SYSTEM\{F41043DF-1434-4A63-B04F-CDCA05BF14D1}.dat
    c:\windows\SYSTEM\{D33367EE-3AD8-42DA-8B26-B193FD4F6168}.dat
    c:\windows\SYSTEM\{F9206F68-68C7-4B49-8FD2-DD7EC03E5CBD}.dat
    c:\windows\SYSTEM\{87BA5BA7-1502-433C-90F4-7264D95C320B}.dat
    c:\windows\SYSTEM\{A0154442-AA99-4CD1-A01A-F9BB732085A2}.dat
    c:\windows\SYSTEM\{378A70F0-EE5F-497D-B752-7C4A37E0667C}.dat

    How is the system running now? Any change/improvement?
  9. Zedx148

    Zedx148 Newcomer, in training Topic Starter

    YESSS!!!!! Oops, sorry about the caps violation, I just got excited to learn that I have won a prize. I hope its a vacation, I could use a vacation...........or a new computer.

    I've had this computer since 2000. It came originally with ME. Boy that operating system was a gem. I wonder if the files you mentioned were part of that transition between ME and XP? I'd be ok with getting rid of them and anything else if you think it would help things run smoother.

    I became aware of the whole spiralfrog thing a few days ago. I got rid of the program on my other computer but was waiting for the green light from you per our agreement not to make changes without counsel.

    I haven't had any redirects in a while, I did have some instances (intermittent) where the task bars on the top and bottom of IE8 wouldn't appear (last weekend/Monday/Tuesday). That was a couple days ago. Seems to have cleared up. Things are running better on my end. Thanks again!........a car would be nice.

    Attached Files:

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    A car, huh? I'll have to think hard about that one! And I will forgive the caps- this one time.:)

    All you still using the HP Office jet All-In_One installed in 2002? Let me know and if not, I'll include those entries along with the .dat files from 2002.

    Edit: Forgot this one: Contents of the 'Scheduled Tasks' folder
    Open the Scheduled Tasks and remove the following from 2003: and delete the file.
    c:\windows\Tasks\Uninstall Expiration Reminder.job:
    - c:\windows\System32\OOBE\oobebaln.exe
  11. Zedx148

    Zedx148 Newcomer, in training Topic Starter

    Yes, I'm still running the trusty HP v40.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    All my peripherals have been from HP- and I get basic models! They are outstanding in performance, don't you think? Okay here's the last script: There are entries without dates- none of those are removed:

    Custom CFScript[/B

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\SYSTEM32\1E7B262D60.dll
    c:\windows\SYSTEM\{F41043DF-1434-4A63-B04F-CDCA05BF14D1}.dat
    c:\windows\SYSTEM\{D33367EE-3AD8-42DA-8B26-B193FD4F6168}.dat
    c:\windows\SYSTEM\{F9206F68-68C7-4B49-8FD2-DD7EC03E5CBD}.dat
    c:\windows\SYSTEM\{87BA5BA7-1502-433C-90F4-7264D95C320B}.dat
    c:\windows\SYSTEM\{A0154442-AA99-4CD1-A01A-F9BB732085A2}.dat
    c:\windows\SYSTEM\{378A70F0-EE5F-497D-B752-7C4A37E0667C}.dat
    
    Folder::
    c:\windows\DRM\Cache\Indiv01.tmp
    c:\windows\wt
    Registry::
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . You don't need to leave the log.
    ====================
    Empty the Java cache:
    Control Panel> Java> Temporary internet files> Settings> Click on Delete>> I don't keep any files in this cache so have no disc space alloted> Apply> OK.
    =====================
    If all is resolved Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you need more help.
  13. Zedx148

    Zedx148 Newcomer, in training Topic Starter

    Yeah, HP seems to make great peripherals. I had the pleasure to work at their Corvallis, OR campus in '02'ish. I was a carpenter and they were upgrading an external cooling system for a new wafer(?) that they were about to produce. I got to enter some clean rooms and meet some of their engineers in the office. It seemed like we had pleanty of time to visit. They were testing some pads that resembled the ipad back then. Pretty interesting.

    I don't think she ran this good when I got her! Thanks for all of your help Bobbye!

    I guess I just neet to collect my prize and we're good!!
     
  14. Zedx148

    Zedx148 Newcomer, in training Topic Starter

    Bobbye,

    ............so I was applying my newfound knowledge to my other computer with no unusual symptoms and I found "win32/agent trojan" while scanning with Eset.

    I followed the 8 steps first, kept the logs and skipped combofix. Should I have Eset fix the problem or would you like to take a peek at the other logs?

    Thanks again.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You did good! I am so glad you felt confidant to go ahead and run the scans. But I'd like you to start a separate thread for this computer. Maybe just call it 'Eset found Trojan' and remind me that there weren't actually any symptoms, but you ran the scan and found the Trojan. You can leave those logs on the new thread, okay? Hold on Combofix until I see the logs.

    It's the nature of the malware beast to mean you likely have another infected file or 2, so let me check- I am hesitant just to say remove the one entry.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.