Solved Browser Redirect with Safe Mode Hang


kwlyon

I'm having the "browser random redirect problem" combined with the "it boots ok in normal mode, but won't boot in safe mode" problem.

This situation is actually an improvement: after all MS updates were installed a couple of days ago, booting this PC got only the BSOD until I used the recovery console and removed the bad update (KB977165). Actually, I understand that the fact that this update causes the BSOD is a sign that there's a deeply buried virus somewhere.

The PC with the problem is a friend's Dell Inspiron 1300 laptop running XP Home Edition with all updates applied (except the one mentioned above). No Windows disks are available for this PC; I used my own XP Pro disk to get to the recovery console.

I get random sites using Google or Bing, in IE or Firefox. I installed the MVPS HOSTS file and that reduced, but didn't eliminate, the problem. I've run several malware finders, which found and eliminated some things, but the problem is still there.

So now, I've done all 8 steps of your 8-step program:

1. The pc has Windows Firewall & MS Security Essentials.
2. I ran CCleaner's cleaner and registry cleaner on both users on this PC. (It sure took a long time to wipe free space, and I sure was sad to see all the hotfix uninstall files disappear, being as how they had just been so useful in recovering from the BSOD problem.)
3. I disabled windows firewall & security essentials; there is no p2p that I could see.
4. I ran malwarebytes quick scan, which found nothing.
5. I ran superantispyware, which found nothing.
6. I deleted all Java & installed most recent version.
7. I ran hijackthis.
8. I attached the logs to this message.

The random browser hijack is still there....

I've run out of things to try and would sure appreciate some help. What next, please?

Ken
 

Attachments

  • hijackthis.log (8.1 KB)
  • mbam-log-2010-02-14 (03-57-30).txt (868 bytes)
  • SUPERAntiSpyware Scan Log - 02-14-2010 - 04-53-29.log (465 bytes)
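
The MVPS HOSTS file mentioned in the post above is a blocklist: it points ad and malware domains at 0.0.0.0 or 127.0.0.1 so they never resolve. A redirector does the opposite, pointing domains the user actually wants (search engines, update servers, AV vendors) at an address it controls, so a HOSTS file is worth auditing in both directions. The script below is an added example, not part of the original thread or of the MVPS file; the list of "protected" domains and the sample HOSTS content are constructed for illustration.

```python
"""Audit a Windows HOSTS file for entries that hijack rather than block.

Added example, not from the original thread. Two kinds of entry are flagged:
a hostname mapped to a routable address (a redirect, not a block), and a
hostname the user relies on mapped to a sink address (a block of a site
that should work). The sample file and PROTECTED_SUFFIXES are constructed.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ad.doubleclick.net            # typical MVPS-style block entry
0.0.0.0 www.some-tracker.example
# the two lines below are the kind of entry a hijacker adds (constructed)
192.0.2.10  www.google.com
192.0.2.10  update.microsoft.com windowsupdate.microsoft.com
127.0.0.1   www.bing.com   # blocking a site you use is also suspicious
"""

# Domains a home user expects to reach; an assumption for this example.
PROTECTED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "kaspersky.com", "avira.com", "avast.com", "malwarebytes.org",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per hostname, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not an address
        for name in names:
            yield ip, name.lower()


def is_sink(ip):
    """True for addresses that can only block (loopback/unspecified)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return a list of (ip, hostname, reason) for entries that warrant a look."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if not is_sink(ip):
            findings.append((ip, name, "maps hostname to a routable address"))
        elif is_protected(name):
            findings.append((ip, name, "blocks a site the user relies on"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<35} {reason}")
```

On the sample input the two MVPS-style block entries pass and the four hijack-style entries are reported. To run it against a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` into `audit_hosts`, ideally from another OS or the recovery console, since a rootkit that is still running can hide its own changes from tools on the infected system.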
While waiting for a reply, I did some more research and found that the symptoms seemed to match the TDSS rootkit, so I downloaded TDSSKiller from kaspersky.com, extracted tdsskiller.exe to the desktop (someone said this was important), and ran it; it said it found TDSS and killed it. I rebooted and both problems seem to have gone away: I used both IE and Firefox and saw no hijacking. I rebooted in safe mode, and it booted OK.

I note that some others have reported problems with TDSSKiller itself; note that I ran TDSSKiller on a PC that had already been cleaned with several other cleaners (Malwarebytes, SUPERAntiSpyware, Ad-Aware, Spybot Search & Destroy). I had disconnected the PC from the network and disabled the firewall and virus checker.
 
Please post the TDSSKiller log.

I can see you don't have any antivirus program running.
You have some McAfee leftovers, though.
Please, run McAfee Consumer Product Removal Tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

Download and install one of these:

- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

- free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/
NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.

If you decide to install Avast or Avira, make sure Windows Firewall is turned on, or use the Comodo firewall.
If you decide to install Comodo Internet Security, or just the Comodo firewall, make sure Windows Firewall is turned off.

IMPORTANT! Make sure you use only ONE antivirus and ONE firewall.

After installation, update the program and run full scan.
 
Broni...
Thanks for the quick response. I think the problem is gone, but I'll follow your instructions anyway, just in case.

Per your instructions, I attach the TDSSKiller log. It found a problem with atapi.sys and fixed it.

You note that I had no antivirus running. The reason is that the 8-step program said to disable the firewall and antivirus. I have since re-enabled Windows Firewall and Microsoft Security Essentials.

Per your instructions, I ran the McAfee removal tool. Now I no longer see McAfee in the startup tab of msconfig or in the services list. Apparently all traces of that guy are gone. Great!

You say to install another virus checker. I assume that there is some reason to believe that MS Security Essentials isn't good enough. So I disabled Security Essentials, installed Avira, specifying the most stringent options, updated it, and ran a scan. It found some suspect files and cleaned them. I attach the log file. Apparently the suspect files were in System Restore checkpoints, which, I guess, is to be expected.

Am I right in thinking that this PC is ready to go back into service?
Ken
 

Attachments

  • AVSCAN-20100216-202635-10A2F310.LOG (21.3 KB)
  • TDSSKiller.2.2.3_15.02.2010_08.57.19_log.txt (34.8 KB)
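
The TDSSKiller finding on atapi.sys in the post above is the classic TDSS/Alureon (TDL3) pattern: the rootkit overwrites part of a boot-critical driver in place, so the file keeps its name and size, and an OS update that changes kernel addresses (KB977165 here) then crashes the patched code. A cheap offline check is to hash the live driver and compare it with the spare copies XP keeps in `%SystemRoot%\system32\dllcache` and `%SystemRoot%\ServicePackFiles\i386`. The script below is an added example, not from the thread or from TDSSKiller; the driver list and the on-disk tree it builds in a temp directory are constructed for illustration. A match does not prove the file is clean (a running rootkit can filter reads of the file, so run this from another OS or the recovery console), but a mismatch on a file Windows installed itself is a strong signal.

```python
"""Compare boot-critical drivers against Windows' own backup copies.

Added example, not from the original thread or any tool it mentions.
A live driver is hashed and compared with the copies in dllcache and
ServicePackFiles\\i386; 'MISMATCH' means no surviving backup copy has the
same content. DRIVERS_TO_CHECK and the sample tree are constructed.
"""
import hashlib
import os
import tempfile

DRIVERS_TO_CHECK = ("atapi.sys", "iastor.sys", "ndis.sys")  # assumed list


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(system_root, names=DRIVERS_TO_CHECK):
    """Map each driver name to 'ok', 'MISMATCH', 'no-backup' or 'missing'."""
    live_dir = os.path.join(system_root, "system32", "drivers")
    backup_dirs = (
        os.path.join(system_root, "system32", "dllcache"),
        os.path.join(system_root, "ServicePackFiles", "i386"),
    )
    results = {}
    for name in names:
        live = os.path.join(live_dir, name)
        if not os.path.isfile(live):
            results[name] = "missing"
            continue
        backups = [os.path.join(d, name) for d in backup_dirs]
        backups = [p for p in backups if os.path.isfile(p)]
        if not backups:
            # Nothing on disk to compare against; get a copy from install media.
            results[name] = "no-backup"
            continue
        live_hash = sha256_file(live)
        # One matching backup is enough; a mismatch against every copy is the finding.
        matched = any(sha256_file(p) == live_hash for p in backups)
        results[name] = "ok" if matched else "MISMATCH"
    return results


def build_sample_tree():
    """Construct a throwaway %SystemRoot% with one in-place-patched driver (sample data)."""
    root = tempfile.mkdtemp(prefix="xp_root_")
    subdirs = ("system32/drivers", "system32/dllcache", "ServicePackFiles/i386")
    dirs = {sub: os.path.join(root, *sub.split("/")) for sub in subdirs}
    for d in dirs.values():
        os.makedirs(d)
    clean = b"MZ" + b"\x00" * 1022 + b"atapi.sys clean body"
    patched = bytearray(clean)
    patched[0x200:0x204] = b"TDSS"  # same length, four bytes changed
    files = {
        ("system32/drivers", "atapi.sys"): bytes(patched),
        ("system32/dllcache", "atapi.sys"): clean,
        ("ServicePackFiles/i386", "atapi.sys"): clean,
        ("system32/drivers", "iastor.sys"): b"MZ iastor",  # no backup copy present
        ("system32/drivers", "ndis.sys"): b"MZ ndis",
        ("system32/dllcache", "ndis.sys"): b"MZ ndis",
    }
    for (sub, name), data in files.items():
        with open(os.path.join(dirs[sub], name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for name, status in check_drivers(build_sample_tree()).items():
        print(f"{name:<12} {status}")
```

Against the sample tree the patched atapi.sys comes back as MISMATCH, iastor.sys as no-backup and ndis.sys as ok. On a real disk, point `check_drivers` at the mounted Windows directory (for example `E:\WINDOWS` when the laptop's drive is attached to another machine) and extend the driver list to the storage, network and file-system drivers that load at boot.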
I assume that there is some reason to believe that ms security essentials isn't good enough. So I disabled security essentials, installed avira
I simply didn't see MSE (my fault), but Avira is an excellent choice anyway.

Now, we need to make sure, nothing is lurking behind the scenes...

Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
OK, good.
Uninstalled all a/v programs except mse, turned mse back on.
Then disabled mse.
Put combofix on the desktop & ran it.
It installed recovery console.
It produced a log file, which I've attached.
Ran hijackthis & attach log.

See anything interesting?
Ken
 

Attachments

  • ComboFix.txt (22.2 KB)
  • hijackthisa.log (6.6 KB)
Combofix removed quite a few baddies...

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\avgntflt.sys
c:\windows\system32\40B8D78EFC.sys


Folder::

Driver::

Registry::

RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Just out of curiosity, exactly how many anti-virus programs are installed on the machine? HJT shows parts of AVG, McAfee, and M$ Security Essentials. Does anybody think this could cause some problems on its own?
 
Broni...
I ran Combofix with the script you provided; attached log.
Ran HijackThis; attached log.
Ken
 

Attachments

  • ComboFixaa.txt (21.4 KB)
  • hijackthisaaa.log (6.6 KB)
Combofix log is clean now.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
Broni...
Uninstalled Combofix.
Ran Temp File Cleaner.
The Kaspersky web site says that the online scan isn't available, so I downloaded and installed Kaspersky Internet Security 2010 and ran that scan. It said nothing found.
Ran HijackThis.
Ken
 

Attachments

  • kaspersky scan log.txt (390 bytes)
  • hijackthisaaaa.log (7.8 KB)
kwlyon, it appears that your system was heavily infected. As I mentioned in my previous post you had, at one time or another, several different AV "solutions" installed on your computer. What I'm really curious about is whether you believe the infections were present, before M$E was installed, or if you think M$E failed to prevent them?

Or perhaps a combination of behaviors: I installed M$E, then I began to download from XXX torrent. This is because I'm also curious to know if you believe that another AV program wouldn't have prevented them either.

In short, what's your take on M$E?
 
captaincranky asks "what's your take on M$E."

When I first saw this laptop, it had a couple of antivirus programs on it (I forget which ones) and it was infected anyway. I used malwarebytes and it apparently removed the problem. Then, I removed the previous antivirus programs and installed MSE.

I now believe that I hadn't actually removed all the problems.

The reason you saw traces of so many antivirus programs was that I did scans with several different antimalware programs in an attempt to find the most recent bad guy. I installed them for scanning purposes, with no plans to have them all running at the same time....

Bottom line on MSE: I've been using it on my 3 pc's since it came out, and have had no problems. I think the problem on my friend's laptop was there before MSE. Too bad MSE didn't find it, but neither did several other respectable programs...

Ken
 
Please, uninstall Kaspersky Internet Security.
You can't run two AV programs at the same time. MSE and Windows firewall will work just fine.

=========================================================================

Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
- O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
- O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
- O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)



4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

- O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
- O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
- O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
- O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
- O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
- O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
- O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
- O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
- O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
- O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
- O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.
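
The HijackThis entries Broni singles out above fall into a few recognisable classes: BHO CLSIDs whose DLL is gone ("(no file)", leftovers of something already removed), Run entries whose command gives only a bare file name (so Windows runs whatever file of that name it finds first on the search path), and, elsewhere in this thread, a driver with a random-looking hex name that ComboFix was told to delete. The script below is an added example, not part of HijackThis or of the thread; it parses R0/O2/O4 lines in the format HijackThis prints and sorts them into those buckets. The sample lines are the ones quoted in the post above plus one constructed Run entry with a hex name, labelled as such in the code.

```python
"""Triage HijackThis R0/O2/O4 entries into review buckets.

Added example, not from HijackThis or the original thread. Buckets:
  orphan          - BHO whose file is '(no file)' (dead CLSID reference)
  unresolved      - Run entry whose command has no path (search-path lookup)
  suspicious-name - executable whose base name is a bare hex string
  review          - everything else that parsed (start page, normal startups)
The SAMPLE_LOG entries come from the thread except the one marked constructed.
"""
import re

SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)",
    r"O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start',
    # constructed line, not from the thread: a hex-named startup in system32
    r"O4 - HKLM\..\Run: [40B8D78EFC] C:\WINDOWS\system32\40B8D78EFC.exe",
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE",
]

ENTRY_RE = {
    "R0": re.compile(r"^R0 - (?P<key>.+?) = (?P<value>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$"),
    "O4": re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<label>.+?)\] (?P<cmd>.+)|(?P<lnk>.+?) = (?P<cmd2>.+))$"),
}
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8,}$")


def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage(lines):
    """Return {bucket: [entry description, ...]} for the recognised line kinds."""
    buckets = {"orphan": [], "unresolved": [], "suspicious-name": [], "review": []}
    for line in lines:
        line = line.strip()
        kind = line[:2]
        pattern = ENTRY_RE.get(kind)
        m = pattern.match(line) if pattern else None
        if not m:
            continue  # other HJT sections are out of scope here
        if kind == "O2":
            bucket = "orphan" if m["file"].strip() == "(no file)" else "review"
            buckets[bucket].append(f"BHO {m['clsid']} {m['name']}")
        elif kind == "O4":
            exe = executable_of(m["cmd"] or m["cmd2"])
            stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\" not in exe:
                bucket = "unresolved"       # bare name: resolved via the search path
            elif HEX_NAME_RE.match(stem):
                bucket = "suspicious-name"  # random-looking hex file name
            else:
                bucket = "review"
            buckets[bucket].append(exe)
        else:  # R0: just surface the start page for a human to judge
            buckets["review"].append(f"{m['key']} = {m['value']}")
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        for entry in entries:
            print(f"{bucket:<16} {entry}")
```

The buckets are prompts for a human, not verdicts: the "unresolved" stsystra.exe is a legitimate Sigmatel audio tray applet that simply ships without a path, and Broni removes it as an unnecessary startup rather than as malware. The point of separating the classes is that an orphaned CLSID is safe to fix, a bare-name Run entry deserves a check of which file actually gets loaded, and a hex-named file under system32 deserves a hash and a second look before anything is deleted.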
 
Uninstalled Kaspersky, re-enabled MSE.
Ran HijackThis, checked and fixed the items you suggest.
Booted, ran HijackThis and attached the log.
It seems to boot lots faster now!
Ken
 

Attachments

  • hijackthisaaaaa.log (5.2 KB)
Very good :)


Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
 
Browser redirecting with KB977165 problem

Kwlyon-- I am having the same problems you were having!!!

My Firefox browser has been redirecting to different sites, and I had the reboot cycle problem after installing the KB977165 update. I uninstalled the update from the recovery console like you did and got successfully back into Windows, but the redirecting problems remain...

AND I cannot get into the Windows Update site to check for or download updates!! My browser just says "Problem loading page... The connection was reset". This occurs in both Firefox and IE (I'm running XP btw). My Automatic Updates yellow shield will pop up to try and redownload the KB977165 update, but then it disappears!! I'm assuming of course it's some kind of malware or rootkit.

Though, I have run several malware removal programs and removed 6 or 7 trojans and rootkits...including the Alureon trojan which I've read is directly related to this problem.

Please help, somebody..this is soo frustrating!!! Thank you in advance!
 
Travis...
I'm not the expert here, I just followed instructions. I think that the way this forum works is that you start up a new thread with your problem and someone will generally pitch in to help you.

Ken
 
I returned it to my friend, and haven't heard a peep. I'm assuming that no news is good news! Thanks again for the help.
Ken
 