TechSpot

Web-prayers.com (address) blank pop-up windows when I click web search results

By Stuporman
Dec 5, 2007
  1. Hi,

    Starting a few days ago, whenever I've clicked on the linked results of a web search (I'm using IE 6.0), I've been having new blank browser windows open with address (for example - clicking google's linked search results) "web-prayers.com/search.php?qq=google." As far as I can tell, the result is the same if I click the linked results for any web search. If I right click and open a linked result in a new window, the proper linked page opens.

    I've just spent a few hours running all of the required scans, installing a firewall, etc. mentioned on your instructions page. I accidentally had Panda Antiroot Kit delete the two problems it found - I'm pretty sure they were both registry entries and that one was called something like "block firewall" and the other something like "block antivirus."

    Attached are my log files from Hijackthis, AVG and Combofix.

    Please let me know. Thanks.
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I have not reviewed your logs.

    But see if this works for you: For web-prayers:
    Open IE7> Tools> disable the add-on "E404mgr class"> Apply> OK
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    To whomever deletes or moves posts: Please leave some indication of what has been done. When I get feedback with a link, I expect to see what I am being linked to.

    Someone appears to have removed or moved the following:
    From S_RIDDLE:
    "Would that be the same fix for IE6 ??? I AM HAVING THE SAME PROBLEM, STARTED 12/2"

    For IE6> tools> Manage Add-ons> look for "E404mgr class"> highlight> Disable> Apply> OK.

    I don't have time to go chasing posts and it is not fair to expect me to.
     
  4. momok

    momok TS Rookie Posts: 2,272

    Hi,

    The reason why that post was deleted was because the user had a similar problem. He has been notified via PM to start a new thread detailing the specifics of his problem. The forum rules indicate that each user is entitled to his own thread for his own problem.

    Judging by the case here, Stuporman's system is likely to be infected; so is S_RIDDLE if he encounters the same symptoms. I would encourage you to ask him to start a new thread if he sends you a PM requesting help instead.

    I apologise for any misunderstanding and inconvenience caused.

    Regards,
    momok
     
  5. Stuporman

    Stuporman TS Rookie Topic Starter

    No such add-on in my IE 6

    Hi,

    I've looked through the add-ons for my IE 6 and can't find "E404mgr class." I've attached 4 screenshots of the list of add-ons (labeled 1-4 in order from top to bottom of the list, beginning on the left, then on the right). Please let me know if any of the items on the list look suspicious.

    Does anyone have any idea what this might be? Am I safe just using Firefox in the meantime - should I format my hard drive?

    Thanks again.
     
  6. plasma dragon00

    plasma dragon00 TS Rookie Posts: 192

    im not sure how to fix the problem but yes firefox should be safe in the meantime, because most browser hijacks/whatever are directed towards internet explorer, not firefox. kind of like how windows pc's get viruses and its almost impossible for a mac or such to get one. because most people use ie/windows.

    i dont think you would need to format your hard drive yet. formatting is often the last resort to get rid of something, and since this thread has barely even started, i dont think it would be wise (personally) to format your hard drive. i'll look at those add ons screen shots, but in the meantime, id say yes, use firefox :)

    its a better browser than IE anyway. faster, safer, more extensions, themes... if you want a good firefox theme, use the theme called Vista Aero

    its what i use. also, if you use firefox and decide to stay with it, just ask me for some good addons, ill link you to every one i use, or at least those that are helpful lol.

    EDIT: those screenshots look good to me. if anything though, i would say get rid of those dictionary.com ones, but that would be up to your decision.
     
  7. plasma dragon00

    plasma dragon00 TS Rookie Posts: 192

    i think i may have found the problems, but im currently looking further into this. id say wait to hear from one of the Special Forces here or someone who knows for sure what exactly is bad and not, but from my googling it, it seems that the problems could lie here in hjt:

    Code:
    O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://152.1.131.130/activex/AMC.cab
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://bardcam.colorado.edu/activex/AMC.cab
    
    also, if someone could look into what this is? im not sure if its bad or not, but it couldnt hurt to check.

    Code:
    O24 - Desktop Component 0: (no name) - (no file)
    
    almost seems like it could be useless, but im not sure. im not very experienced with hjt logs, but if i see something unusual, ill google it because i have a lot on my pc and i know what it is.

    good luck, (and may god be with you lol :p :p )

    ~plasma
     
  8. Stuporman

    Stuporman TS Rookie Topic Starter

    Thanks, Plasma - I am going to keep on using Firefox in the meantime.

    But get rid of the dictionary.com helper? Are you saying that because you think it poses some threat? I'm a student and need to look up words all the time - if the Oxford English Dictionary had a toolbar, I'd gladly install that, but, till then, dictionary.com is my go-to.

    Thanks again for your help.
     
  9. momok

    momok TS Rookie Posts: 2,272

    Hi,

    1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    2. Save this as CFScript on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
      [​IMG]
    4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

    Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

    This thread is for the use of Stuporman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
     
  10. Stuporman

    Stuporman TS Rookie Topic Starter

    After change in Combothis

    Hi Momok,

    Sorry I didn't reply sooner - for some reason, I didn't get any e-mail notification about your new response to my post.

    I've just made the change you mentioned in Combothis, run the 3 scans and generated 3 new log files (attached).

    Thanks for your help. Please let me know how to proceed.
     
  11. momok

    momok TS Rookie Posts: 2,272

    Hi,

    1. Have HijackThis fix the following entries:
      O21 - SSODL: E404Helper - {c674a3a8-5adb-439e-b906-ee7515eeb98b} - e404d.dll (file missing)
      O24 - Desktop Component 0: (no name) - (no file)

    2. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    3. Save this as CFScript on the desktop.
    4. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
      [​IMG]
    5. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

    Thereafter, please post a fresh HJT log and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

    This thread is for the use of Stuporman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
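The HijackThis entries quoted in this thread can be triaged mechanically before a helper reads the full log. The following is an added example, not part of any forum post and not HijackThis code: the function names and the three review rules (orphaned file reference, plain-http ActiveX source, bare-IP ActiveX source) are assumptions chosen for illustration, and a flag is a prompt to review, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in this thread.
SAMPLE_LOG = """\
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://152.1.131.130/activex/AMC.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://bardcam.colorado.edu/activex/AMC.cab
O21 - SSODL: E404Helper - {c674a3a8-5adb-439e-b906-ee7515eeb98b} - e404d.dll (file missing)
O24 - Desktop Component 0: (no name) - (no file)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def triage_line(line):
    """Return (section, reasons) for one log entry, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    # Hypothetical rule 1: the registry entry survives but its file does not.
    if ORPHAN_RE.search(body):
        reasons.append("orphaned: registry entry references a file that is absent")
    # Hypothetical rules 2 and 3: O16 lists where an ActiveX control was fetched from.
    if section == "O16":
        for url in URL_RE.findall(body):
            parsed = urlparse(url)
            if parsed.scheme == "http":
                reasons.append("ActiveX download source uses plain http")
            if IPV4_RE.match(parsed.hostname or ""):
                reasons.append("ActiveX download source is a bare IP address")
    return section, reasons


def triage_log(text):
    """Triage every entry; returns a list of (section, reasons, original line)."""
    out = []
    for line in text.splitlines():
        result = triage_line(line)
        if result:
            out.append((result[0], result[1], line.strip()))
    return out


if __name__ == "__main__":
    for section, reasons, line in triage_log(SAMPLE_LOG):
        print(section, "REVIEW" if reasons else "ok", "|", line)
        for reason in reasons:
            print("    -", reason)
```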
     
     
  12. Stuporman

    Stuporman TS Rookie Topic Starter

    One more try...

    Here are the logs after this most recent round of alterations to combofix and scans.

    Thanks.
     
  13. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your logs look almost clean, except for a little issue. Are you experiencing any problems?

    Go to start > run and type msconfig. Press the enter key.
    Search for the following entries. Uncheck them to stop them from starting up.

    WinSys2

    If SpyBot prompts you, select allow. Reboot your system and run a ComboFix scan and post that log back here.

    Regards,
    momok =)
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    momok, just make a comment if a post is deleted on an active thread. Yes, there are reasons to do it, but I still get feedback from the original! If a note had been made, I could have addressed it in the new location.

    I see you found the "C:\WINDOWS\system32\e404d.dll"- directions I was going by referred to the add-on itself. Must be another entry for it.

    Stuporman, the first two screen shots for add-ons don't show the file, so it may have been there. A TIP for you: in the Add-on section, the dialog box has 2 settings>> 'add-ons currently on the system' and 'add-ons previously on the system'. You have way too many add-ons currently running. Disable all but those you need. Firefox will give a message "Firefox has blocked a plug-in for safety>> Options". When you click on Options, you will find what you need and can enable it at that time.

    From a safety point of view, it's not a good idea to carry around add-ons you aren't using or don't need. Many require the Active X Object and the fewer of these running, the better.
     
  15. Stuporman

    Stuporman TS Rookie Topic Starter

    Winsys2.exe.vir is in a quarantine folder.

    Hi again momok,

    I couldn't find Winsys2 in msconfig under any of the tabs (I take it that's where you expected me to find it). A search of the C: drive found the file in c:\qoobox\Quarantine\C\Windows\system32. Please let me know if there's anything I should do with msconfig or this file.

    In response to your question, though, all seems normal with my system now - the original problem (web-prayers.com pop-ups) has gone away.

    Thanks!

    Bobbye -

    Thanks for the advice on the add-ons - I've just gone through and cleaned up IE a bit, although I'm using Firefox now (I think permanently). I'll be sure not to have too many add-ons active if I can avoid it.

    Thanks again to both of you.

    -Stuporman
     
  16. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your logs look clean now.

    1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine) You may delete the entire ComboFix QooBox folder too.

    2. Turn off system restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    3. After that turn system restore back on.
      This would have created a new safe and clean restore point for your system.

    4. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend you to read this article.
      This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    momok =)

    This thread is for the use of Stuporman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. Stuporman

    Stuporman TS Rookie Topic Starter

    Problem with System Restore

    Hi momok,

    I'm having trouble turning off (and on again) system restore - every time I get into system properties and try to go to the "System Restore" tab, the system properties window freezes and I get an error message: "Run a DLL as an App has encountered a problem and needs to close..."

    If you have ideas as to what I should do about this, please let me know.

    I will follow the other steps you suggested, though. Thanks again.
     
  18. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Could you try the steps listed in HERE?

    If it doesn't work, then you should probably reinstall System Restore via the steps as listed in HERE.

    Regards,
    momok =)
     
  19. Stuporman

    Stuporman TS Rookie Topic Starter

    All set

    That did it, Momok. I think I'm all set.

    Thanks again for all of your help!
     
Topic Status:
Not open for further replies.

