One More Browser Redirect problem in IE and FireFox

SLabuta
Well, I have it too. It started with McAfee logging a Generic.dx!jfw (trojan) error and then later an HTML/FakeAV (Trojan) in process winupdate86.exe. My computer became almost unusable. TaskMgr would not run and I could no longer get to the Control Panel. Any internet searches were redirected, mostly to some fake malware fix program.

I have run the 8-step process and my PC seems OK except that Google and Yahoo search engine links are redirected. I've attached my last scans and the first from the Malwarebytes program, which showed the trouble. Anyone find a solution yet?

Thanks,
Steve
 
Fixed!

Yea! I've been trying all of the other posts' suggestions with none of them working. But running Malwarebytes Anti-Malware with the latest updates (Database version 3416) found one more bad registry entry. I allowed the program to remove it and now all is well!

I've attached the last log so you can see the registry entry that was removed.

Steve
 

Attachments

  • mbam-log-2009-12-23 (13-00-17).txt
Bobbye,

I'd like to keep going to make sure this computer is clean. I've run the Norton Uninstaller. I was using Norton until about two years ago. I'm now running McAfee.

I've updated and rerun all 8 steps. McAfee always comes back clean. I've attached the log files. Malwarebytes did find a registry entry again, so maybe something is still lurking. Also, the McAfee software seems to load later than it used to. Or maybe the entire boot process is slower.

Also, do you recommend always blocking 3rd-party cookies? I know that the computers at work are set up that way and this one is not.

Thanks for helping me out,
Steve
 
Here's my Tracking Cookie fix: I'll include for the 3 browsers in case you try any out:

Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I suggest using the following two add-ons for Firefox. They will prevent the tracking cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)

You are aware that Parental Controls are enabled?

The logs look good. I'd like you to run an online scan to make sure we haven't missed anything:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
If the Eset log is clean (attach it), I'll have you remove the cleaning tools and old restore points.
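A way to verify the cookie settings described above without clicking through each browser's dialogs, as an added example (Windows PowerShell) that is not from this thread or from either helper. It is read-only. The registry value names 1A05 and 1A06 under the Internet zone (Zones\3), and the data meaning 0 = allow, 1 = prompt, 3 = block, are assumed from Microsoft's security-zone registry documentation and should be verified on your build; the Firefox preference name and its 0/1/2 values are Firefox's own, and the meaning of the later values 3 to 5 is assumed from memory.

```powershell
# Added example, not part of the thread: read-only audit of third-party cookie
# handling for the current user's Internet Explorer and Firefox profiles.
# Assumption (verify on your build): in the Internet zone (Zones\3), value 1A05
# governs third-party persistent cookies and 1A06 third-party session cookies,
# with data 0 = allow, 1 = prompt, 3 = block. When neither value exists, IE is
# using its automatic slider handling (the "override" box is not checked).

$ieZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ieMeaning  = @{ 0 = 'allow'; 1 = 'prompt'; 3 = 'block' }

function Get-IEThirdPartyCookiePolicy {
    $props = Get-ItemProperty -Path $ieZonePath -ErrorAction SilentlyContinue
    foreach ($name in '1A05', '1A06') {
        $value = if ($props) { $props.$name } else { $null }
        if ($null -eq $value) {
            $policy = 'not set (automatic handling, not overridden)'
        } elseif ($ieMeaning.ContainsKey([int]$value)) {
            $policy = $ieMeaning[[int]$value]
        } else {
            $policy = "unknown data $value"
        }
        New-Object PSObject -Property @{ Browser = 'IE'; Where = $name; Value = $value; Policy = $policy }
    }
}

# Firefox keeps the setting in each profile's prefs.js as
#   user_pref("network.cookie.cookieBehavior", N);
# 0 = accept all, 1 = block third-party, 2 = block all. Values 3-5 exist in
# newer builds (assumed meanings below). A missing line means the build's own
# default is in effect, which the script reports as such rather than guessing.
$ffMeaning = @{ 0 = 'accept all'; 1 = 'block third-party'; 2 = 'block all';
                3 = 'block third-party from unvisited sites (assumed)';
                4 = 'block known trackers (assumed)';
                5 = 'block trackers, partition the rest (assumed)' }

function Get-FirefoxCookiePolicy {
    $profilesDir = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    foreach ($profile in Get-ChildItem -Path $profilesDir -Directory -ErrorAction SilentlyContinue) {
        $prefs = Join-Path $profile.FullName 'prefs.js'
        $value = $null
        if (Test-Path $prefs) {
            $hit = Select-String -Path $prefs -Pattern 'user_pref\("network\.cookie\.cookieBehavior",\s*(\d+)\)' |
                   Select-Object -First 1
            if ($hit) { $value = [int]$hit.Matches[0].Groups[1].Value }
        }
        if ($null -eq $value) {
            $policy = 'build default (preference not overridden)'
        } elseif ($ffMeaning.ContainsKey($value)) {
            $policy = $ffMeaning[$value]
        } else {
            $policy = "unknown value $value"
        }
        New-Object PSObject -Property @{ Browser = 'Firefox'; Where = $profile.Name; Value = $value; Policy = $policy }
    }
}

# One table for both browsers; anything other than 'block' / 'block third-party'
# on a machine that is supposed to block third-party cookies is the finding.
& { Get-IEThirdPartyCookiePolicy; Get-FirefoxCookiePolicy } |
    Format-Table Browser, Where, Value, Policy -AutoSize
```

Run it as the user whose settings you changed (the registry path is per-user), and once per account if the machine has several, since the thread's advice to "change the cookie settings for all users" is exactly the case where one profile is easy to miss.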
 
Problem comes back

Bobbye,

Well, I'm confused. The issue of the browser search results redirecting to an infected web site came back. It may be only after a boot, or maybe a logoff and logon. It does not seem to occur every time. The ESET scan did find one thing. It's the infected pdf file that I get redirected to. The redirection was back when I booted the PC back up this morning.

I've attached the last scans I did today when I had a chance to play with the computer. Again McAfee always comes up clean. I then ran the ESET scan. Then the Malwarebytes scan detects the same registry issue. The SUPERAntiSpyware just shows some cookies.

I have not yet changed the cookie settings for all users, but I will.

Thanks for the advice, but what's next?
Steve
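An intermittent search redirect that survives a clean on-demand scan is usually wired in at one of three places: the hosts file, the DNS servers the adapters are using, or the proxy / auto-config (PAC) settings that IE, Chrome and by default Firefox all share. The following read-only triage script is an added example (Windows PowerShell), not something posted in this thread; the list of watched search-engine hostnames and the -HostsPath parameter (so it can be pointed at a copied hosts file) are this example's own choices.

```powershell
# Added example, not part of the thread: read-only triage of the common
# redirect vectors on Windows. Nothing is modified; review the findings.
# Uses Get-WmiObject so it also runs on the XP/Vista/7-era Windows PowerShell
# this thread is about (Get-DnsClientServerAddress needs Windows 8 or later).

param(
    [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
)

# Example's own watch list; extend with whatever search engines your users hit.
$watchedDomains = 'google.com', 'www.google.com', 'yahoo.com', 'search.yahoo.com',
                  'bing.com', 'www.bing.com'
$loopback       = '127.0.0.1', '::1', '0.0.0.0'

function Get-HostsFindings {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path $Path)) { return $findings }
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -split '#')[0].Trim()          # strip comments and blanks
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        foreach ($name in $names) {
            $isSearchEngine = $watchedDomains -contains $name.ToLower()
            if ($isSearchEngine -and ($loopback -notcontains $ip)) {
                # A search engine pinned to a foreign address is the redirect itself.
                $findings += "hosts: $name -> $ip  (search engine pinned to a foreign address)"
            } elseif (($loopback -notcontains $ip) -and ($name -ne 'localhost')) {
                # Anything else that is not a loopback entry deserves a look.
                $findings += "hosts: $name -> $ip  (non-loopback entry, review)"
            }
        }
    }
    $findings
}

function Get-DnsFindings {
    # Lists the resolvers per adapter; compare against what your ISP or router should hand out.
    $findings = @()
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $servers = @($a.DNSServerSearchOrder)
        if ($servers.Count -gt 0) {
            $findings += "dns: $($a.Description) -> $($servers -join ', ')"
        }
    }
    $findings
}

function Get-ProxyFindings {
    # IE's per-user proxy settings; a PAC script here can rewrite any request.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings = @()
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        $findings += "proxy: ProxyServer=$($p.ProxyServer)  (enabled)"
    }
    if ($p.AutoConfigURL) {
        $findings += "proxy: AutoConfigURL=$($p.AutoConfigURL)  (PAC script in use)"
    }
    $findings
}

$all = @(Get-HostsFindings -Path $HostsPath) + @(Get-DnsFindings) + @(Get-ProxyFindings)
if ($all.Count -eq 0) { 'No findings in hosts, DNS or proxy settings.' } else { $all }
```

Run it once right after a reboot and once after a logoff/logon, the two moments the thread says the redirect reappears, and diff the two outputs; a DNS server or PAC URL that is only present after one of them points at whatever runs at that time. A clean result here does not rule out a rootkit that filters traffic below these layers, which is why the helper still goes on to ComboFix.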
 
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Then run
TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Follow with update and new scan with the Eset online scanner. DO NOT check for removal. (Delete the earlier log)

Leave Combofix report and Eset log on next reply.
 
Bobbye,

Here's the ComboFix log. I then ran the TFC utility. It deleted about 300 Mb of temp stuff. The ESET scan came back clean, I didn't see any way to get a log from it this time.

Steve
 
One more weird thing just happened. I had downloaded ComboFix a couple of days ago. I thought it may have been updated, so I thought I should download it again. This time my McAfee software said that the ComboFix file I just tried to download had a virus and deleted it.

Here's the message in the McAfee Log:

One or more items were detected on your computer.

Detection name: Artemis!43FE48DDCFFF (Trojan). Artemis!43FE48DDCFFF (Trojan)

File: C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GU6DIAT8\ComboFix[1].exe

Process: C:\Program Files\Internet Explorer\iexplorer.exe

Process Description: Internet Explorer.


Not sure if it's a false positive or not.
 
I have someone else with this same entry in Eset. It ended up the consensus saying it was a False Positive. But in his case, all his own security programs were coming up clean. Yours aren't.

I would rather you attach the McAfee logs rather than give me an excerpt from them. Bleepingcomputer has this to say about the Artemis! Trojan:

Artemis is a relatively new heuristic detection method by McAfee. I suspect this to be a false detection. To make sure, we would need to get a sample of the files being flagged. The next time the alerts occur, navigate to the C:\WINDOWS\temp folder and copy the files onto your desktop (or any other folder).

We can then try to send the file to more scanners for a second opinion.
 
Bobbye,

Well, maybe good news. I ran with the latest ComboFix and it found something. See the log. So far my computer has had no issues and MalwareBytes has not reported anything even after several boots and log-offs and ons.

I've also rerun Eset and my McAfee scanners and they both came back clean.

I've attached the logs just in case. I also attached the McAfee On Access Scan log for my previous post. I didn't know where it was before.

Do you see any other issues?

Thanks for all of your help so far.
Steve
 
Steve, I'm going to ask kritius about the Eset entries. They have "Combofix" in them. There have been a couple of problems with the program lately. I'll be back.
 
Mystery solved! Went right over my head!
One more weird thing just happened. I had downloaded ComboFix a couple of days ago. I thought it may have been updated, so I thought I should download it again. This time my McAfee software said that the ComboFix file I just tried to download had a virus and deleted it.

The directions for Combofix say:

  • [1] With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. >>>>> Step 1
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • [2] Run Combo-Fix.exe and follow the prompts. >>> Step 2

There are actually 2 parts to getting a program: first the download, usually "save to the desktop." This is called the "set-up." Then you double-click on the set-up to "run" the program.

Instead of doing this, you are running the program from the site.

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Then follow the directions to download, then run:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Save the renamed file you downloaded to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts: double-click on the set-up file you saved to run it.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Same as everyone else- can not access gmail or google search engine.

I have completed the above steps. Here is my log and I still can not access gmail or use the google search engine. Thanks in advance for your help.

-J
 
jazie61, please start your own thread. Combofix is not in the preliminary removal.

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Please follow the steps HERE.

When finished, attach all 3 logs to your thread.

This thread is for the use of member SLabuta only. If you have a malware problem, please follow the steps in the Preliminary Virus and Malware Removal thread first.

Start as new thread to post your problem and attach your logs.
 
Ok, Uninstalled and reran. I've attached the results.

Just to be clear, since my McAfee software thinks that the Combo-Fix.exe is infected, I have to disable the McAfee software and then download. I don't think it matters but I thought I should mention it.

Steve
 
You didn't run Combofix correctly and McAfee didn't like that! I don't understand why I don't see "McAfee disabled" at the top of the Combofix log with the other security programs.
 
Well, I'm confused then. I am running ComboFix just as you have written. I repeated the Uninstall, then ran again and attached the log. I have always rebooted after I have run it. This time I noticed that I could not run any programs until I rebooted. I would get a pop-up box saying "Illegal operation attempted on a registry key that has been marked for deletion."

Is this normal?

I am going to try running ComboFix with McAfee on next to see if that generates any errors. I don't think I'll be able to since it always thinks it has a virus in it.
 
Just as I thought. If I try and run the downloaded Combo-Fix.exe my McAfee software does not let it run and deletes it. I've attached the McAfee On Access Scan log.
 
If I try and run the downloaded Combo-Fix.exe my McAfee software does not let it run

Directions for Combofix:
Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

Have you gotten the Combofix program in the download box and renamed it, then downloaded it and saved it to your desktop> THEN> double-clicked on the setup file you saved to run it?

It sounds like you aren't understanding this.
 
Yes, that is the only way I have run ComboFix. Look at the first section of the log file and it shows where it is running from.

It is the copy from the temp IE directory to the desktop that fails if McAfee is on. IE first copies to a temp directory then does a final move when the entire file is local.
That last move fails.

Steve
 
I am not sure what the ComboFix.txt file should have in it. It does seem to run fine when McAfee is turned off. The first time you had me run it, it found a "rootkit" and rebooted then completed.

I have even reinstalled McAfee just to see if ComboFix would find it, but it's still not mentioned in the ComboFix.txt file. I have a version of McAfee that is included with my AT&T DSL.

The good thing is that the computer seems fine.

Steve
 
If the problem has resolved, you can remove the cleaning tools and old restore points:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Let me know if you need help in the future.
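The "new restore point, then drop the old ones" step above as an elevated Windows PowerShell script instead of the System Restore and Disk Cleanup dialogs, added here as an example that is not from this thread. Checkpoint-Computer and vssadmin are the real cmdlet and tool; the description text and the "keep exactly one" policy are this example's own choices. Two caveats a practitioner would want: on Windows 8 and later, Checkpoint-Computer silently does nothing if another restore point was created in the last 24 hours, so the script checks the count rather than trusting the call; and vssadmin deletes shadow copies, which on a machine that also uses them for "Previous Versions" of files removes those as well.

```powershell
# Added example, not part of the thread: create one clean restore point on the
# system drive and delete every older shadow copy, oldest first, until only the
# new one remains. Must run from an elevated Windows PowerShell prompt.
#Requires -RunAsAdministrator

$drive = $env:SystemDrive   # e.g. C:

function Get-ShadowCopyCount {
    # vssadmin prints one "Shadow Copy ID: {...}" line per shadow copy on the volume.
    $out = & vssadmin list shadows "/for=$drive" 2>&1
    @($out | Where-Object { $_ -match 'Shadow Copy ID' }).Count
}

$before = Get-ShadowCopyCount
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType 'MODIFY_SETTINGS'
$after = Get-ShadowCopyCount

# Assumption stated in the lead-in: a count that did not rise means Windows
# skipped creation (24-hour throttle), in which case deleting anything would
# leave us with no restore point at all. Refuse rather than guess.
if ($after -le $before) {
    throw "No new restore point was created (count stayed at $after); not deleting anything."
}

# Remove older shadow copies one at a time; the newest is never touched by /oldest.
while (($count = Get-ShadowCopyCount) -gt 1) {
    & vssadmin delete shadows "/for=$drive" /oldest /quiet | Out-Null
    if ((Get-ShadowCopyCount) -ge $count) {
        Write-Warning 'vssadmin did not remove a shadow copy; stopping to avoid looping.'
        break
    }
}

"Restore points on ${drive}: $(Get-ShadowCopyCount) (newest kept)"
```

Note the date and description you used, exactly as the post above says to keep a log of the new restore point, so you can pick it out in the System Restore dialog later.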
 