Computer cleaning

Status
Not open for further replies.

Jabill
Whenever I do a google search, I get redirected to a different site sometimes when I click a search result or sometimes I get a new firefox browser window with 3 tabs to varying websites. I did my best to follow the 8 step viruses/spyware/malware preliminary removal instructions. See attached required logs. Thanks.
 
Still waiting for help

I still have the same issues as stated in my previous post (Google searches being redirected). I see that from similar threads with similar issues with google searches that combofix was used. I'm tempted to use this, but I know I need help/guidance to use it. I also know that although I may have similar issues that others have with their computers, the causes may not necessarily be the same. I know it's very busy here, but I would be very grateful and am very much in need of some help. Thanks.
 
Welcome to TechSpot, Jabill. My apology for the delay. I am reviewing your logs now.

Please don't run Combofix- I'll be back shortly.

EDIT:
Please reopen HijackThis to 'do system scan only'. Check the following entries if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop


Close all windows except HijackThis and click on "Fix Checked".

Check the status of the Security center. It looks like it's been disabled. There's really not much else showing so far.

Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Rescan with HijackThis after running SDFix and paste a new log in your next reply.

Attach the SDFix log.
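The R1/O14 entries above are search and start-page defaults that HijackThis reports by section code. A quick way to triage such lines is to pull every URL out of the R0/R1/R3/O14 entries and flag any host that is not a known vendor default. The following is an added example for this thread, not code from the thread, from HijackThis or from TechSpot: the four log lines are copied from the post above, the last log line (a made-up hijack) and the allowlist of vendor hosts are constructed assumptions. Being on the allowlist only means "known OEM/ISP default", as with the Yahoo and HP entries here, which were still worth fixing as clutter.

```python
"""Triage HijackThis R-section / O14 entries for hijacked search pages.

Added example for this thread; not code from the thread, from HijackThis,
or from TechSpot. THREAD_ENTRIES is copied from the helper's post; the
CONSTRUCTED_HIJACK line and ALLOWED_SEARCH_HOSTS are assumptions.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts that OEM/ISP browser defaults commonly point at.
# On this list means "known vendor default", not "wanted".
ALLOWED_SEARCH_HOSTS = {
    "www.google.com", "www.bing.com", "search.msn.com",
    "www.yahoo.com", "us.rd.yahoo.com", "search.yahoo.com",
    "ie.redirect.hp.com", "go.microsoft.com",
}

# Sections worth checking for search/start-page tampering:
# R0/R1 = IE start/search registry values, R3 = URLSearchHook,
# O14 = IERESET.INF defaults used by "Reset Web Settings".
SEARCH_SECTIONS = {"R0", "R1", "R3", "O14"}

HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# Yahoo defaults nest a second URL after '*', so stop at '*' and whitespace.
URL_IN_BODY = re.compile(r"https?://[^\s*]+")

THREAD_ENTRIES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
"""

# Constructed line: what a real search hijack looks like in the same section.
CONSTRUCTED_HIJACK = r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-results.example-hijack.test/?q="

SAMPLE_LOG = THREAD_ENTRIES + CONSTRUCTED_HIJACK + "\n"


def triage(log_text, allowed=ALLOWED_SEARCH_HOSTS):
    """Return (section, host, url) for each search/start URL not on the allowlist."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m or m.group("code") not in SEARCH_SECTIONS:
            continue
        for url in URL_IN_BODY.findall(m.group("body")):
            host = (urlparse(url).hostname or "").lower()
            if host not in allowed:
                findings.append((m.group("code"), host, url))
    return findings


if __name__ == "__main__":
    for section, host, url in triage(SAMPLE_LOG):
        print(f"{section}: {host}  <-  {url}")
```

Run against a pasted log, the script prints only the constructed hijack line; the four entries from the post resolve to allowlisted hosts and stay quiet, which matches the helper's reading that there was "not much else showing" in this log.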
 
sdfix problems

When I finished downloading SDFix, Avira was alerted and gave me a prompt to ignore or quarantine it. I chose ignore and followed the instructions to run SDFix. When it was done, my laptop lost the ability to connect to the internet and to see the contents of or to write a CD-RW disk. The task bar and windows in normal mode looked like they would in safe mode. Avira also was disabled. So I did a system restore, which fixed the first two problems and restored the task bar and windows back to normal blue. Avira still was disabled. So I had to remove and reinstall Avira. Here is the HijackThis log and the SDFix report, but I don't know if the SDFix report is useful since I did a system restore. I'm still being redirected from Google. Security Center is all green. When I did the HijackThis scan before and now, I disabled Avira, which alerted Security Center that the anti-virus was off. I don't know if that may have something to do with the Security Center being disabled. Other than that, I have no idea on how to check Security Center status other than the control panel. Thanks for your help on this.
 
SDFix didn't find anything, didn't delete anything. You didn't have to disable any security for the programs you've run so far.

You can remove SDFix like this, if there are still any files from it:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Delete the files saved under the SDFIX folders. Then delete the folders.
You would do this in Windows Explorer.
-------------------------------------------------------------
Original Problems
1. Google search redirects to a different site sometimes when I click a search result.
2. Sometimes I get a new Firefox browser window with 3 tabs to varying websites.

New Problems
1. Laptop lost the ability to connect to the internet.
2. Can't read or write a CD-RW disk.
3. System display appeared to be in Safe Mode when in Normal Mode
4. Avira was disabled (didn't you disable it?)

System Restore resolves all new problems, but original problem remain.

Assessing problems:
1. If you had malware causing a redirect from a Google search, it should redirect on ALL of the searches.
2. Malware can cause Firefox to start together with Windows and probably display malicious sites. But this is on boot.
3. What are the URLs for the 3 tabs when Firefox comes up on a search? Are they the same sites every time?

Checking the validity of Firefox:
1. Did you install Firefox from anywhere other than the Mozilla website?
There are some websites that legitimately offer Firefox; but many are not trustworthy.
2. Did Firefox come bundled with other software?
Firefox does not come bundled with other software.
3. Do you get an error message when you start Firefox, telling you to use Internet Explorer?
A virus is known to cause this message.
4. Did you have to pay to download and install Firefox?
Mozilla Firefox is free.

Are you sure it is the real Firefox coming up with the 3 tabs?
Misleading pop-up windows: There are two ways to detect this:
The HijackThis log is clean. Go through what I have given above to check on Firefox. See if you have a bad version. Let me know.
 
I downloaded Firefox from Mozilla. When I do google searches in Firefox and IE, I sometimes get redirected to other sites. It doesn't seem to occur as often using IE, but it does happen. Below are a few examples of where I was redirected while doing google searches.

1. sweetinspiration.com/search.php
2. phoenixlights.com
3. telarcrecords.com/search
4. soberrehab.com/result
5. orangecountydrivinglessons.com/result
6. underbyte.com/search
7. qlogix.com/result
8. medicasions.com/result
9. merchcard.com/result
10. online-spywareremover.com (occurred for IE).

On the Firefox tab, there is either a 2 symbol or a green globe/bullseye symbol before the webpage name. On Firefox, occasionally a new tab with an online ad pops up. Recent examples include nexplore-search and luxury features by just luxe. These ads are different, but new tabs do pop up from time to time. Thanks for your help.
 
What add-ons have you installed on Firefox? Open FF> Tools> Add-ons> make a list of what you have. I want to check the icons that go with each.

The strange thing about your problem is that if the browser(s) have been hijacked, you should be getting redirected all of the time- not just occasionally.
 
Here is the list of add-ons in Firefox.

1. Adblock Plus
2. Better Privacy
3. Ghostery
4. Malware Search
5. NoScript
6. Privacy Plus
7. Java Quick Starter
8. Microsoft .NET Framework Assistant
9. Windows Update
10. Adobe DLM

I also get redirected from Yahoo with the same frequency as with Google, dependent on the web browser. Firefox gets redirected about ten percent more than internet explorer.
 
I checked all the sites on the list you left. Looks like they are actually the same site with a different homepage> no company history to be found, same for privacy policy. The only one that looks legit is 4. soberrehab.com/result, but the URL has changed slightly.

All but 2 sites have a 404-Y added to the end of the URL. I got busy one day and tried to get specific info on that. All I could find is that it makes the URL invalid somehow.

I'd like you to run Combofix, followed by an online AV scan to see if we can pick up something specific:

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Looks like the Firefox add-on Ghostery should be blocking some of this. I suggest you download Easy List, the filter for AdBlock Plus.

Suggest you disable this one: 7. JavaQuick Starter:
See this: http://forums.mozillazine.org/viewtopic.php?f=38&t=921325
You don't need it or the same Service jqs for IE.

Same thing for the Adobe DLM. Some programs automatically install these add-ons which are not needed. You do have some control over that:

Add the web site to the sites which are allowed to install add-ons


The main idea here is NOT to allow sites to automatically install add-ons, as most are unnecessary.

How are you using #4- Malware search?

Please attach the Combofix report and Eset scan log.
 
Here are the logs. I disabled Javastarter and the Adobe add on for Firefox. I have not figured out how to use the Malware search add on and will probably remove it.
 
I asked about the Malware search because it's one of the tools I use when checking logs- it's why I've requested the HJT log be pasted instead of attached because then I can search right from the post- no copy and paste! It took a while to get used to but for the log searches it's a great help.

The file Eset found is the quarantine for Combofix. We'll remove that shortly- it's not a threat to the system.

The Recycle Folder is where the deleted files from the Recycle Bin go. It contains the files for all users. Each user has their own SID and the folder is hidden. You can remove these 2 files as follows:

Empty the Recycle Bin
This folder won't allow deletions if there is anything in the bin.

To use Windows Explorer: Right click on Start> Explore> My Computer> Local Drive (C)> click on Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck hide protected operating system folders- Recommended'> Apply> OK.

Double click on Recycler to open it> find the following 2 files by SID on the right screen: Note> there are 2 different numerical strings

c:\recycler\S-1-5-21-1547161642-1580436667-839522115-1003
c:\recycler\S-1-5-21-1972777594-3078215832-1260417028-1003

Do a right click> Delete on each of the files on the right screen.
Do not attempt to delete the folder.

Go back and reverse show hidden files.

Empty the Recycle Bin- again.

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Run Eset again to make sure everything is gone.

Check the status of this Service:
Click on Start> Run> type in services.msc> double click on BITS> Background Intelligent Transfer Service> Set Startup type to Manual.

Are you still getting the redirects? Same type of sites? One browser more than another?
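The two RECYCLER folder names above have different middle parts (the "domain identifier" of an NT SID, S-1-5-21-X-Y-Z, followed by the account's RID), which is what makes them stand out: every account created on one Windows install shares the same X-Y-Z. The script below is an added example for this thread, not code from TechSpot or the helper. It copies the two SIDs from this post and the one the poster later found, and assumes, only for the example, that the poster's remaining folder carries the machine's real local SID; the folder listing is constructed.

```python
r"""Classify C:\RECYCLER subfolders by whether their SID belongs to this machine.

Added example for this thread, not code from TechSpot or the helper.
SAMPLE_FOLDERS and ASSUMED_LOCAL_MACHINE_SID are built from SIDs quoted in
the thread; treating the last one as the local install's SID is an assumption.
"""
import os
import re

# S-1-5-21-<domain identifier: three 32-bit values>[-<RID>]
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$", re.IGNORECASE)


def sid_parts(sid):
    """Return (domain_identifier_tuple, rid_or_None), or None if not an NT account SID."""
    m = SID_RE.match(sid)
    if not m:
        return None
    domain = tuple(int(x) for x in m.group(1, 2, 3))
    rid = int(m.group(4)) if m.group(4) is not None else None
    return domain, rid


def classify_recycler(folder_names, local_machine_sid):
    """Split RECYCLER folder names into local / orphan / not_a_sid.

    local:  domain identifier matches this install. RID >= 1000 is a
            user-created account, < 1000 a built-in one (500 = Administrator).
    orphan: a SID minted by a different Windows install. Not proof of malware
            (a disk moved from another PC produces the same), but a folder no
            current user can own, so worth a look.
    """
    local_domain, _ = sid_parts(local_machine_sid)
    out = {"local": [], "orphan": [], "not_a_sid": []}
    for name in folder_names:
        parts = sid_parts(name)
        if parts is None:
            out["not_a_sid"].append(name)
            continue
        domain, rid = parts
        bucket = "local" if domain == local_domain else "orphan"
        out[bucket].append((name, rid))
    return out


def scan_recycler(local_machine_sid, path=r"C:\RECYCLER"):
    """Run the classifier over a live folder (Windows 2000/XP layout)."""
    return classify_recycler(os.listdir(path), local_machine_sid)


# Constructed folder listing built from the SIDs quoted in the thread.
SAMPLE_FOLDERS = [
    "S-1-5-21-1547161642-1580436667-839522115-1003",
    "S-1-5-21-1972777594-3078215832-1260417028-1003",
    "S-1-5-21-1499227872-3429257176-2160603917-1007",
    "desktop.ini",
]
# Assumption: the poster's remaining folder is the real local account, so
# its domain identifier (SID minus the RID) is the machine SID.
ASSUMED_LOCAL_MACHINE_SID = "S-1-5-21-1499227872-3429257176-2160603917"

if __name__ == "__main__":
    result = classify_recycler(SAMPLE_FOLDERS, ASSUMED_LOCAL_MACHINE_SID)
    for kind, items in result.items():
        print(kind, items)
```

On a real machine get the local SIDs first (on XP Professional and later, `wmic useraccount get name,sid` lists them), pass the common S-1-5-21-X-Y-Z part to `scan_recycler`, and treat "orphan" as a lead to investigate rather than a verdict: the same mismatch appears whenever a drive or profile was brought over from another installation.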
 
Here is the Eset log from the new Eset scan. I didn't get redirected in Firefox or Internet Explorer using either Yahoo or Google. I clicked on ten results in each search engine with each web browser. I did not find the files you asked to be deleted in the recycler file. The only file there was this: S-1-5-21-1499227872-3429257176-2160603917-1007. I did not delete it. I set the BITS start up type to manual.
 
Yes! Got it! Don't worry about the Recycler. The files appear to have been removed.

Did you remember to go back and rehide those files?

IF the original problem has been resolved and there are no new problems, you can remove the cleaning tools and set new clean restore point:
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Let me know if I can be of further help.
 
I did remember to hide the files. I created a new restore point and removed the previous ones. The previous problem seems to be gone. I haven't been redirected from my searches. Thanks a lot for your help.
 
You're welcome. Stay safe!

Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2. Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get All updates marked Critical and the current SP updates: Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3. Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4. Remove Temporary Internet Files regularly: Use
5. Use an AntiVirus Software (only one)
6. Use a good, bi-directional firewall (one software firewall)
  • See Understanding and Using Firewalls, including links to download a firewall.

7. Consider these programs for Extra Security
  • SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: Get the free Google toolbar to help stop pop up windows.
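The MVPS hosts file recommended above works by the same mechanism malware abuses for search redirection: a HOSTS entry overrides DNS for a name, whether to blackhole an ad server or to send google.com somewhere else. The audit below is an added example for this thread, not code from TechSpot or MVPS. It separates purposeful sinkhole entries (name mapped to 127.0.0.1 or 0.0.0.0) from entries that redirect or blackhole a site you depend on; the sample file and the watchlist of protected hosts are constructed assumptions.

```python
r"""Audit a Windows HOSTS file: purposeful sinkholes versus hijacked entries.

Added example for this thread, not code from TechSpot or MVPS. An MVPS-style
hosts file maps ad and tracking hosts to 127.0.0.1 on purpose; malware uses
the same file to send search engines elsewhere or to blackhole update and
antivirus hosts. SAMPLE_HOSTS and WATCHLIST below are constructed.
"""
import ipaddress
import os

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # default XP/Vista location
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: hosts that HOSTS must never redirect or blackhole on this PC.
WATCHLIST = {
    "google.com", "www.google.com", "search.yahoo.com", "www.bing.com",
    "update.microsoft.com", "windowsupdate.microsoft.com", "www.avira.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not an address; the resolver ignores it too
        for host in fields[1:]:
            yield fields[0], host.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Classify entries as sinkholed (benign blocks), hijacked, or custom."""
    report = {"sinkholed": [], "hijacked": [], "custom": []}
    for ip, host in parse_hosts(text):
        if ip in SINKHOLE_IPS:
            if host == "localhost":
                continue                              # the one mapping that belongs there
            if host in watchlist:
                report["hijacked"].append((host, ip))  # update/AV site blackholed
            else:
                report["sinkholed"].append(host)       # MVPS-style ad block
        elif host in watchlist:
            report["hijacked"].append((host, ip))      # traffic sent to another server
        else:
            report["custom"].append((host, ip))        # intranet names and the like
    return report


# Constructed sample; 203.0.113.0/24 is a documentation range, not a real server.
SAMPLE_HOSTS = """\
# sample HOSTS content, constructed for the example
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net          # MVPS-style sinkhole
0.0.0.0         tracker.example.net
203.0.113.7     www.google.com              # search redirected elsewhere
203.0.113.7     search.yahoo.com
127.0.0.1       update.microsoft.com        # Windows Update blackholed
10.0.0.5        intranet.example.local
"""

if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            print("live file:", audit_hosts(fh.read()))
```

A HOSTS hijack redirects every lookup of that name, so it would not explain the on-and-off redirects described earlier in this thread; those point more at DNS server settings or a browser add-on. The file check is still the cheapest place to start, and anything in "hijacked" should simply be deleted from the file.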
 