# IE8 Redirect Problem



## DLangley (Oct 11, 2009)

Hi, I have just recently updated IE6 to IE8 and now I have the browser redirecting to various sites when I either search on Google or use my favorites to go to a site. I have searched the web for possible solutions and happened upon some postings here. I downloaded HijackThis and have generated a log file. Could someone assist in analyzing please?


----------



## NeonFx (Oct 22, 2008)

Hello there. Welcome to the *Tech Support Guy* forums.
My name is *NeonFx*. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:


The fixes are specific to your problem and should only be used on this machine.
Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

*Step 1*

Download *OTS* to your Desktop


Close *ALL OTHER PROGRAMS*.
Double-click on *OTS.exe* to start the program.
Check the box that says *Scan All Users*
Under Additional Scans check the following:

Reg - Desktop Components
Reg - Disabled MS Config Items
Reg - NetSvcs
Reg - Shell Spawning
Reg - Uninstall List
File - Lop Check
File - Purity Scan
Evnt - EvtViewer (last 10)

Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it.

Please *attach* the log in your next post. To do so click on the blue *"Reply"* button or *"Go Advanced"* and click on the "*Manage Attachments*" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Mediafire and post the sharing link.

*Step 2*

Download *RootRepeal* from one of the following locations and save it to your desktop:
*Link 1*
*Link 2*
*Link 3*

Double click [icon image] to start the program
Click on the *Report* tab at the bottom of the program window
Click the [button image] button
In the *Select Scan* dialog, check:


*Drivers*
*Files*
*Processes*
*SSDT*
*Stealth Objects*
*Hidden Services*
*Shadow SSDT*

Click the *OK* button
In the next dialog, select *all drives* showing
Click *OK* to start the scan. _Note: The scan can take some time. *DO NOT* run any other programs while the scan is running._
When the scan is complete, click the [button image] button and save the report to your Desktop as *RootRepeal.txt*
Go to *File*, then *Exit* to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. *If the report is very long*, it will not be complete if you post it, so please *attach* it to your reply instead.


----------



## DLangley (Oct 11, 2009)

Hi Neonfx,

I appreciate your willingness to help. I got your message *after* researching quite a bit on the web. I downloaded and installed ProcessExplorer, Malwarebytes, HijackThis, and RootRepeal. I performed a HijackThis scan and log before doing anything. Then after trying to install and run Malwarebytes I discovered the mbam.exe file was inexplicably missing (virus killed it?). Anyway, I finally downloaded it to another machine, changed names, and copied it to a portable HDD and was able to install and run Malwarebytes.

It took several scans to achieve what appears to be a clean scan. However, I will defer to your assessment of that. ProcessExplorer still shows nakavena.dll residing in svchost threads. The other "infections" are not showing up.

After getting your message I ran OTS and have included its log. I previously tried RootRepeal and it would start a scan but as soon as it started scanning files my machine would reboot on its own. I tried it both before and after the Malwarebytes scans and also after downloading it from the link you provided. It still causes a reboot when starting to read files. Am I doing something wrong or have a setting wrong?

Anyway, I apologise for jumping the gun and initiating scans but...

Thanks again for your assistance.


----------



## NeonFx (Oct 22, 2008)

I'll review the logs when I get a chance later. I apologize for the delay.

Could you run the following for me? It is a rootkit scanner like RootRepeal that seems to have luck where RootRepeal can't cut it.

Download *SysProt Antirootkit* to your desktop from *HERE*. (It's at the very bottom, under "Attachments")


Unzip it into a folder on your desktop.
Double-click Sysprot.exe
Click on the Log tab.
In the Write to log box select all items.
Click on the *Create Log* button on the bottom right.
After a few seconds a new Window should appear.
Make sure *Scan all drives* is selected and click on the Start button.
When it is complete a new Window will appear to indicate that the scan is finished.
A log file named *SysProtLog.txt* will be saved automatically in the same folder. Open the text file and copy/paste the log here.


----------



## DLangley (Oct 11, 2009)

Hi NeonFX

Sorry, I thought I had posted the log last night. It appears the log is too long to post. So I have attached it.


----------



## NeonFx (Oct 22, 2008)

Sorry about the delay. Are you still experiencing redirection problems?

Please do the following:

*STEP 1*

Run OTS


Under the *Paste Fix Here* box on the right, paste in the following



> [Unregister Dlls]
> [Registry - Safe List]
> < Trusted Sites Domains [HKEY_USERS\S-1-5-21-2189160949-2322048608-2084946252-500\] > -> HKEY_USERS\S-1-5-21-2189160949-2322048608-2084946252-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
> YN -> windowsupdate_microsoft.com [http] -> Trusted sites
> ...



Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in *C:\_OTS\MovedFiles\<date>_.txt* where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste the contents of that file here.

*STEP 2*

Run *OTS* again. Click on the "Scan All Users" checkbox and then click on the *Quick Scan* button at the top. Copy and Paste the results of this scan in your next reply.


----------



## DLangley (Oct 11, 2009)

It seems the redirect issue is not occurring as often if at all. I was experiencing a few programs not responding, loading slow or not at all yesterday and ended up shutting down by holding in the power button. When I rebooted, McAfee had picked off a few more instances of infection. The system seemed more responsive and when I checked ProcessExplorer I could not find any more references to nakavena or the other dll's.

I will do the fix below but I have one question before I do that. I noticed at the end there is a reference to one of my programs, SilhouetteFX, will this script affect this application? I had updated it around the time this issue showed up; it's an important application for my work so I want to make sure it's ok.

Thanks again for the help and all your time and effort.


----------



## NeonFx (Oct 22, 2008)

Hi there 

Yeah, the OTS fix should clear up any leftover traces even if your infection is now gone. Antiviruses are catching up.

The fix I gave you should not affect your program. What that line does is remove the Alternate Data Stream attached to the folder. It could be legitimate though so I will remove it to minimize the possibility of altering anything in your program. See HERE for more information about why I had that in there. It is still possible that it is a legitimate component of your program though.

Use this script instead:



> [Unregister Dlls]
> [Registry - Safe List]
> < Trusted Sites Domains [HKEY_USERS\S-1-5-21-2189160949-2322048608-2084946252-500\] > -> HKEY_USERS\S-1-5-21-2189160949-2322048608-2084946252-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
> YN -> windowsupdate_microsoft.com [http] -> Trusted sites
> ...


----------



## DLangley (Oct 11, 2009)

Ok, I ran OTS Fix, it apparently ran, then I got an error message (which I neglected to write down, sorry). I think it was runtime. I rebooted and ran the OTS Scan. During the scan McAfee issued an alert and quarantined Vundo.gen.ab 3 times. I have posted the logs as attachments.

I have not yet deleted any of the files that either Malwarebytes or McAfee quarantined when I first started scanning. Should I have Malwarebytes and McAfee remove the quarantined files?

Thanks again


----------



## DLangley (Oct 11, 2009)

It looked like the logs didn't post as attachments. So, here is another attempt.


----------



## NeonFx (Oct 22, 2008)

Hmm, this one is being stubborn. It's creating copies of itself as we're getting rid of the old ones. Try not signing into the other accounts on the computer until we get this fixed.

*STEP 1*

Run OTS


Under the *Paste Fix Here* box on the right, paste in the following



> [Kill All Processes]
> [Unregister Dlls]
> [Registry - Safe List]
> < Trusted Sites Domains [HKEY_USERS\S-1-5-21-2189160949-2322048608-2084946252-500\] > -> HKEY_USERS\S-1-5-21-2189160949-2322048608-2084946252-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
> ...



Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in *C:\_OTS\MovedFiles\<date>_.txt* where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste the contents of that file here.

If you see any Errors, please try to write them down so that I know what's going on.

*STEP 2*

Run *OTS* again, click on the *Scan All Users* option, and click on the *Quick Scan* button at the top. Copy and Paste the results of this scan in your next reply.

*STEP 3*

You can delete everything that is in MBAM's and McAfee's quarantines if you know how. They're harmless there though, and you will probably have to do it again later anyway.


----------



## DLangley (Oct 11, 2009)

I ran OTS fix; no errors, I rebooted and ran OTS, All Users, Quick Scan. The scan ran without problems and McAfee did not alert as it did last time. I have attached the logs.

Thanks


----------



## NeonFx (Oct 22, 2008)

I've been struggling trying to find out why my fixes were not working properly, and I just found out why: Some of the lines in the OTS fix were being cut off.

I believe I have fixed the problem by using a Code box instead of a Quote box. You do seem to be clean now though.

Please do the following:

*STEP 1*

Run OTS


Under the *Paste Fix Here* box on the right, paste in the following


```
[Kill Explorer]
[Registry - Safe List]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{7a61318e-22f8-4678-b669-9f8a66a502cb}" [HKLM] -> Reg Error: Key error. [govebegit]
YN -> "{9f905939-574b-41ee-bcf7-9a97d45611e0}" [HKLM] -> Reg Error: Key error. [mofudayor]
YN -> "{621e54f5-989a-4cc0-bf26-95e676ee728f}" [HKLM] -> Reg Error: Key error. [tazilonah]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> "{621e54f5-989a-4cc0-bf26-95e676ee728f}" [HKLM] -> Reg Error: Key error. [tokatiluy]
YN -> "{7a61318e-22f8-4678-b669-9f8a66a502cb}" [HKLM] -> Reg Error: Key error. [jugezatag]
YN -> "{9f905939-574b-41ee-bcf7-9a97d45611e0}" [HKLM] -> Reg Error: Key error. [jugezatag]
[Custom Items]
:clearrestorepoints
:end
[Start Explorer]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in *C:\_OTS\MovedFiles\<date>_.txt* where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste the contents of that file here.

*STEP 2*

We're going to need to run an online scanner to be absolutely sure you're clean. The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

*STEP 3*

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.

*2.* To *optimize scanning time* and produce a more sensible report for review:


Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. Click *HERE* to see how to disable the most common antivirus programs.

*3.* Click *Run* at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.


Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:


Spyware, adware, dialers, and other riskware
Archives
E-mail databases

Click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View report...* at the bottom.
Click the *Save report...* button.
Change the *Files of type* dropdown box to *Text file (.txt)* and name the file *KasReport.txt* to save the file to your desktop so that you may post it in your next reply


----------



## DLangley (Oct 11, 2009)

Ok, scans complete and logs attached.


----------



## NeonFx (Oct 22, 2008)

Excellent. Is the computer running alright?


----------



## DLangley (Oct 11, 2009)

It seems to be running fine. I deleted all the quarantined files just now and I plan to reboot and see how she responds.

Thanks ever so much for all your help on this.


----------



## NeonFx (Oct 22, 2008)

Alright. If all's good now, let's clean up.

*STEP 1*
To clean up OldTimer's tools, along with a few others, do the following:


Run OTS.exe by double clicking on it
Click on the *"CleanUp"* button on the top.
You will be asked if you wish to reboot your system, select *"Yes"*

*STEP 2*

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the *Shift* key, and select *"Delete"* by clicking on it. This will delete the files without sending them to the RecycleBin.

*All Clean*

Congratulations, *your system is now clean*. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

*Microsoft Windows Update*
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to *Start > All Programs > Windows Update*
To update Office
Open up any Office program.
Go to *Help > Check for Updates*

*Download and Install a HOSTS File*
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download *BlockList Pro's HOSTS Manager* HERE


*Double click* the Installer on your desktop and let it Install the Hosts Manager
After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled *Options and Tools*,
Click *Disable DNS Service*. This is important
In the Left Pane, click *Download*
It will load 80,000 lines or more. When it finishes, also in the left pane, click *Replace*, and then click *Save*

You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

*Install WinPatrol*
Download it HERE
You can find information about how WinPatrol works HERE

*Other Software Updates*
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for *Java* and *Adobe* as these are subject to many security vulnerabilities.

*Setting up Automatic Updates*
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this.

*Read further information* HERE on how to prevent Malware infections and keep yourself clean.


----------
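An added example, not part of the original posts: a short Python audit of HOSTS-format text that separates names sunk to the local machine (the blocking use described in the post above) from names mapped to any other address, which override DNS and deserve a manual review. The sample entries, hostnames and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in HOSTS format (documentation-range addresses only).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   ads.example.com  tracker.example.com   # blocklist entries
0.0.0.0     BadSite.example.net
192.0.2.10  update.example.org      # name pointed at a remote address
not-an-ip   broken.example.com
203.0.113.5 search.example.com
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every usable mapping in the text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: not a mapping
        for host in fields[1:]:                  # one line may list several names
            yield line_no, ip, host.lower().rstrip(".")


def audit_hosts(text):
    """Return (blocked, redirected).

    blocked    -- names sunk to loopback or the unspecified address
    redirected -- (line_no, name, address) for names mapped anywhere else;
                  these may be legitimate intranet entries, but each one
                  overrides DNS and should be accounted for.
    """
    blocked, redirected = set(), []
    for line_no, ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            blocked.add(host)
        else:
            redirected.append((line_no, host, str(ip)))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names sunk locally")
    for line_no, host, addr in redirected:
        print(f"review line {line_no}: {host} -> {addr}")
```
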



## DLangley (Oct 11, 2009)

Huge problem, system won't start. I tried last known config, various safe modes and it won't start. I tried booting from disc and it says no disc found. I did try to add the windows update app that keeps all microsoft programs up to date but it failed so I ignored that and shut down. The last thing I did was shut down and Windows was installing updates (there were 12 of them).


----------



## NeonFx (Oct 22, 2008)

I really dislike Update Tuesday....

Your computer was clean of any infections before this happened so the culprit is most probably the updates. This sounds more like a job for our Windows techs as we're leaning more onto a side of tech support I am less familiar with.

You should create a new topic HERE and state your problem. Say that you installed the latest updates and that your computer will not boot.

I'm sorry I can't be of more help.


----------



## DLangley (Oct 11, 2009)

Thanks, I discovered my system wasn't seeing the Hard Drives. I went into the bios and reset the default settings. I rebooted and windows launched properly. The only side effect is my Raid array doesn't show. So, I may need to seek help for that; if need be I will post a new topic.

Thanks again.


----------



## NeonFx (Oct 22, 2008)

Yeah, I really wish they would do further testing before sending all those updates out to find out where the errors lie. 

I'm glad to hear you figured it out, and am also glad to have been of service  You have a good one.


----------

