Author Topic: [Resolved] "XP Security" infection removed Firefox and IE being redirected.  (Read 7106 times)


Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22900
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
We are making progress. Uninstall Chrome, reboot and then reinstall it. Also I would like you to zip up your hosts file and attach it to your next reply. It is located in C:\Windows\System32\drivers\etc . The name of the file is Hosts with no extension. Don't try and give it one.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline ShaneJack

  • Bronze Member
  • Posts: 31
Uninstalled Chrome and rebooted.  Something turned off my firewall when I rebooted, so I immediately turned it back on.  Reinstalled Chrome.  Still not connecting.

When I get these redirects, about 20% of the time I'm noticing that IE says it's unable to display the page, which suggests to me that the hosts file may be blocking that one.  The rest of the time it takes me to some never-heard-of search engine with similar results displayed, a malware removal or antivirus program's page (Stopzilla, etc.) or something completely random and unrelated.

Offline Hoov

Your hosts file is good.

On the computer with no problem, run the ipconfig statement just like you did on the problem computer. Post the log it generates.


Offline ShaneJack

Here's the log from the good computer:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : hal
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Linksys NC100 Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-04-5A-63-E5-B6
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Tuesday, April 13, 2010 01:02:13
        Lease Expires . . . . . . . . . . : Wednesday, April 14, 2010 01:02:13

Offline Hoov

I would like you to run a little test. Keep it as short as possible, because your security will not be fully running.

Go to the run command and type in msconfig and then hit enter. When the window opens, select selective startup, and then uncheck the Load Startup Items entry below that. Then click apply and then OK and reboot the computer. When the computer starts up again, run Chrome and IE. Check to see how they connect, and if they are getting redirected in the searches. Once you can tell how they are running, run msconfig again and then select normal startup, then apply and then OK and reboot. Come back here and let me know.


Offline ShaneJack

Just to be sure that I understand what you mean:

Under "Selective Startup" there are five items (all checked).

Process SYSTEM.INI File.
Process WIN.INI File.
Load System Services
Load Startup Items
Use Original BOOT.INI and (grayed out) Use Modified BOOT.INI

Is it that you want me to uncheck all of those, or just "Load Startup Items" or something else?

Thanks.

Offline Hoov

Just "Load Startup Items". The others should be left checked. Basically this will start your computer with just Windows and a minimum of other software.


Offline ShaneJack

No discernible difference.  Chrome still not connecting and IE and Firefox getting redirected.  IE had a popup appear that went to a random site before I even did any searches.

Offline Hoov

Go to C:\Windows\System32\drivers\etc and zip up the file named hosts and attach it to your next response.


Offline ShaneJack

Here's my current hosts file:
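An added example, not code from this thread, of the two checks Hoov is running here: comparing the DNS servers in the two ipconfig logs and looking for hosts-file lines that map a name anywhere other than loopback. The sample hosts text and the problem-machine ipconfig text are constructed; the good-machine DNS line is the one from the log posted above.

```python
from ipaddress import ip_address

# Constructed samples (not the files from the thread): a hosts file whose last
# line hijacks Google, and a problem-machine ipconfig with one extra resolver.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
203.0.113.7     www.google.com   # constructed suspicious entry
"""
GOOD_IPCONFIG = "        DNS Servers . . . . . . . . . . . : 192.168.1.1\n"
BAD_IPCONFIG = """\
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : Tuesday, April 13, 2010 01:02:13
"""

def suspicious_hosts_entries(hosts_text):
    """(address, hostname) pairs that map a name anywhere but loopback."""
    flagged = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        try:
            addr = ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, skip it
        if not addr.is_loopback:
            flagged += [(fields[0], name) for name in fields[1:]]
    return flagged

def dns_servers(ipconfig_text):
    """IPv4 resolvers under 'DNS Servers' in XP-style ipconfig /all output,
    including wrapped lines that carry only an address."""
    servers, in_dns = [], False
    for raw in ipconfig_text.splitlines():
        line = raw.strip()
        if ":" in line:
            label, _, value = line.partition(":")
            in_dns = label.rstrip(" .").lower() == "dns servers"
            if in_dns and value.strip():
                servers.append(value.strip())
        elif in_dns and line:
            servers.append(line)                 # wrapped second resolver
        else:
            in_dns = False
    return servers

def dns_differences(good_text, bad_text):
    """Resolvers the problem machine uses that the healthy one does not."""
    return sorted(set(dns_servers(bad_text)) - set(dns_servers(good_text)))
```

Names pointed at 0.0.0.0 by ad-blocking hosts lists are flagged too, which is intended: any non-loopback mapping deserves a look when browsers are being redirected.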

Offline Hoov

I would like you to start Firefox in Firefox safe mode using the instructions below, and then do a search with Google, Bing, and Yahoo and let me know whether you are still being redirected.

1.  Close down Firefox completely: At the top of the Firefox window, click the File menu, and select the Exit menu item.

2.  In Windows, click Start, open the All Programs list, and navigate to the Mozilla Firefox folder. In the Mozilla Firefox folder, select Mozilla Firefox (Safe Mode).

3.  Firefox should start up with a Firefox Safe Mode dialog.

4. Click Continue In Safe Mode. This starts Firefox in its Safe Mode. While you are in Safe Mode, your extensions and themes will be disabled, and any toolbar customizations will be reverted back to their defaults. These changes are not permanent - when you leave Safe Mode and start Firefox up normally, your extensions, themes, and settings will return to the state they were in before you entered Safe Mode.


Offline ShaneJack

Still getting redirected, even in safe mode.  :(

Offline Hoov

With all three search engines?


Offline ShaneJack

I guess that's not entirely accurate.  Bing and Yahoo get redirected within the same page on every fourth link or so.  Google had a popup appear that redirected to another search site, but still let me navigate to whatever site I had clicked on (at least for the twenty or so links that I clicked).  Is there something that could cause different behavior based on the different search engine?

On another note, there's been an update to XP that I've been ignoring for the past few days.  Should I update it or will it interfere with what we are doing?

Thanks.

Offline Hoov

Please download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Please perform a BitDefender Online Virus and Malware Scan here:
http://www.bitdefender.com/scan8/ie.html
  • Click on I Agree.
  • An ActiveX warning box will appear, click on Install.
  • Under Select What You Want To Check For Viruses.
  • Please Check My Computer and Click Ok
  • Now Click On Click Here To Scan
  • Next, Click on Click here to export the scan report
  • Save it to your Desktop.
  • In your next reply, please include the BitDefender log and a fresh HijackThis log.
