Solved IE8 redirect, help needed

CAH

IE8 is being redirected, mainly on sponsor sites; copy and paste the URL in the sponsor ad and the correct website is displayed. Sometimes a refresh will bring up the correct website. I have attached the 8-step logs. Thanks for any help.
 

Attachments

  • gmer.log
    3.9 KB · Views: 1
  • DDS.txt
    17 KB · Views: 1
  • Attach.txt
    22.3 KB · Views: 0
  • mbam-log-2010-08-29 (13-41-25).txt
    894 bytes · Views: 1
Welcome aboard


Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
log files attached

Thanks Broni for taking your time to help me. I have attached the two log files
 

Attachments

  • combofix log.txt
    20.1 KB · Views: 2
  • MBRCheck_08.29.10_16.57.49.txt
    8.1 KB · Views: 2
Both logs look fine...

You have some Norton's leftovers.
Please, run Norton Removal Tool: http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

======================================================================

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Requested files have been posted

Broni, had to attach the files due to the following error:

The text that you have entered is too long (118464 characters). Please shorten it to 20000 characters long.

Hope this is okay with you, if not I can do two replies.

thanks
 

Attachments

  • Extras.Txt
    77.3 KB · Views: 1
  • OTL.Txt
    112.8 KB · Views: 2
  • TDSSKiller.2.4.1.3_29.08.2010_18.06.32_log.txt
    41 KB · Views: 2
511.00 Mb Total Physical Memory
Your computer would greatly benefit from adding another 512MB of RAM.

=========================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe File not found
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - Reg Error: Key error. File not found
    [2008/06/10 08:27:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CD73F890
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0888F409
    @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8331D35A
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
More logs, and many thanks

Attached are the two logs, thanks for staying with me on Sunday night.
 

Attachments

  • OTL.Txt
    92.2 KB · Views: 0
  • 08292010_192739.log
    14.7 KB · Views: 1
Trying to explain

Will try to tell you what it is doing now:
1. When I click on a sponsor top or side ad, it takes me back to my home browser (bing) page or to the yahoo site or http://results.msn.com/ which shows to be page.com.com. This can change to one of the other sites listed above when you try it again.
2. If I look at properties on the sponsor's ad, then do a copy on the Address (URL) and paste in the IE URL box, a yahoo page comes up.

example:

Sponsored sites
Electronic Parts · www.AlliedElec.com
Wide Selection, Same Day Shipping. Order Online Today!

Address (URL) = http://673931.r.msn.com/?ld=4vVHgDN...z0Jhw3d7VDqOHxgmYWv2KbcylQoUXK0nq_7D8vhPfLvTw

This opens the website http://www.yahoo.com/

3. Clicking on one of the search results can produce "Internet Explorer cannot display the webpage". If you just do a refresh (click on the IE arrows) the correct website comes up. Around 19 out of 20 come up correct on first click.


Before we started I did uninstall ie8 and reinstalled, but still had redirect problems.
Can make Google my default browser if you would like, but had redirect problems with google at the start of this.

Hope you can understand this, if not please ask me to try to explain it differently.
Thanks for your patience.
 
I'm not sure, if we're dealing here with real redirection per se.

Let's try a couple of things....

Close IE.
Go Start>All Programs>Accessories>System Tools, and click on Internet Explorer (no add-ons). Same thing?

Do you have another browser installed to see, if same thing happens?
If you don't, please download and install Firefox: http://www.mozilla.com/en-US/firefox/personal.html
See, if same happens.
 
attached file for address url

Tried to attach a txt file with the address url, but now when I click on the paper clip I go to a google search website. Will reboot and recheck
 
ie8 with no add ons

Still have redirect problems with sponsor ads. With the address (url) bad and also the text at the top of the properties beside the IE logo bad I do not see how the correct website can come up.
 
Are you getting any redirection, when using search engines, like Google, Yahoo, etc.?

I want you to get Firefox and see, if same thing happens.
 
Redirect with Firefox

I had Firefox and it also has the redirect problem. I use google not bing for searches. When I click on the sponsor sites it just goes to a blank google search page. More of the search results fail to display on the first click and I have to do a refresh. Right click on a search result and I do not have a properties choice to show the Address (url).
 
Download Kenco.exe to your desktop
  • Close all windows and run the program.
  • It won't take long to run.
  • Kenco will reboot the system if it finds anything.
  • Post the log it gives you ( it will be saved in the same place as Kenco.exe).
 
kenco log

Kenco by jpshortstuff (31.12.09.1)
Log created at 21:54 on 29/08/2010 (Charles)

========== Task Unlocker ==========

========== KencoScan ==========

========== C:\WINDOWS\Tasks ==========

-=E.O.F=-
 
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Turn the computer off.

On your router, you'll find a pinhole marked "Reset".
Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
Restart computer and check for redirections
 
It's hard to believe, as all scans come up clean.

Please, describe redirection one more time for me.
 
ie8 and bing search

Using ie8 with bing as my search
Search results looks okay
Clicking on a result will give me the correct website most of the time,
Clicking on one of the sponsor ads at the top or on the side will cause a redirect to the yahoo website or back to my home page website. I have seen results where the url is http://results.msn.com/ and the page has a display title of "page.com.com" showing search results on the subject I originally searched on.
If I cut and paste the URL that is in the display ad into the IE location where you normally put http://www....., the site comes up correctly.
Looking at the properties on the ads, the Address and the title beside the IE world logo is long, and if you cut and paste it from the address into the IE URL box it does go to the redirect location.

Just an fyi
Cannot attach files using the paper clip above now. When I click on the paper clip I go to a google search website. http://www.google.com/
 
In IE, go Tools>Internet options>Advanced tab, click on "Reset" tab.
Restart IE. See, if it helped.
 
Did the reset, now I can do attachments, many thanks
I have attached two files both the same just different formats
It shows a screen shot of the properties for the Target ad on the side.
Hope this helps to show how bad the Address is, note, it is a lot longer than two lines.
 

Attachments

  • target.doc
    59 KB · Views: 0
  • target.jpg
    104.6 KB · Views: 1