google browser redirection


Re: google browser redirection

by Wingman » September 19th, 2009, 7:07 pm

Hi ard,
Another good job... we're almost done. :)
As far as the System Restore points... will take care of them when we do some final cleanup.

Please read these instructions carefully before executing and perform the steps, in the order given.
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem.

Please finish / save any work and close all open windows. We are going to clean up temporary files and there may be some open program(s) using temp files.

Step 1.
TFC (Temp File Cleaner)
  1. Please download TFC.exe...by Old Timer. Save it to your desktop.
    Print these instructions. Save any unsaved work. TFC will close ALL open programs... including your browser!
  2. Double click on TFC.exe to run it. Click the Start button to begin the cleanup.
    TFC will begin cleaning up the "temp" files... depending on number of temp files, it could be a few seconds or minutes.
  3. If prompted to reboot... click Yes.
! Important ! If TFC prompts you to reboot, please do so immediately, before proceeding to any other steps or other use of your computer.

Step 2.
ESET NOD32 Online Scan
Note: You - will - need to use Internet Explorer for this scan!
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
AVIRA ANTIVIR
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • right click it-> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
Please go to ESET Online Scanner - © ESET All Rights Reserved... to run an online scan.
** Make sure you are using an account that has Administrative privileges **
    Press the "ESET Online Scanner" button.
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click "Start"... a window will open... it may appear nothing is happening... please be patient.
  3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  4. Click "Start". Make sure that the options:
    • Remove found threats is UNCHECKED
    • Leave the "default" settings under Advanced as they are, if not set , please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  5. Click "Start"... ESET scanner will begin to download the virus signatures database.
    When the signatures have been downloaded, the scan will start automatically.
  6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  7. Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste the contents of log.txt in your next reply.
Remember to enable your Anti-virus protection... before continuing!

MSConfig
(System Configuration Utility) is a troubleshooting utility used to diagnose and fix system configuration issues. In the Summary section Microsoft says:
"The System Configuration utility helps you find problems with your Windows XP configuration. It does not manage the programs that run when Windows starts."
Although it works as a basic startup manager, MSConfig should not be used routinely to disable auto-start programs. It is a temporary solution and not a good practice for the following reasons:
  • MSConfig allows malware related items to hide in your registry which you may not see or affect your computer until switched back to normal startup mode. This could then result in reinfection of the computer.
  • MSConfig does not list all applications loaded in all possible startup locations (some entry points are hidden and unknown to the user).
  • When uninstalling programs while disabled with MSConfig, they may not be uninstalled properly and manually editing the registry will be required to remove everything.
  • MSConfig will often leave orphaned entries when software is uninstalled. When used to switch back to normal startup mode, these orphan entries can result in boot up errors.
  • MSConfig only allows you to disable entries. To completely remove an entry from its list you have to edit the registry, or use a third-party tool like MSConfig Cleanup Utility or a startup manager.
You should not use MSConfig to disable startup applications related to services. Doing so alters the registry and there are services that are essential for hardware and booting your system. When you uncheck a service in MSConfig, you completely disable it. If you uncheck the wrong one, you may not be able to restart your computer. You should only disable services using the Services Management Console (services.msc) where you cannot disable services that may be vital to boot your system.

Black Viper's warning: Why can't I use MSConfig to change my services?

Note: Changing the default settings for services can be risky and might prevent key services from running correctly. Only change the status of a service if it is necessary.

A better alternative is to use a startup manager like:
Step 3.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. ESET scan results
  3. Computer still behaving?
Thanks,
Wingman

Re: google browser redirection

by ard » September 20th, 2009, 9:42 am

wingman -

thanks for your continued help


1. Any problem executing the instructions?

NO

2. ESET scan results


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=4b9a8eacab125d4daca4405eb9a12d78
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-20 12:46:10
# local_time=2009-09-20 08:46:10 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 37 100 100 761053750000
# scanned=128232
# found=1
# cleaned=0
# scan_time=3714
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP119\A0034255.ocx probably a variant of Win32/Adware.Agent application 00000000000000000000000000000000 I




3. Computer still behaving?

A - since i installed AVIRA the iexplorer response time is much slower. some screens timeout and need to be tried a second time before they are displayed. the message is the standard WEBPAGE CAN NOT BE DISPLAYED followed by 3 choices of what to try

B - task manager shows that a program called jqs.exe has a super-large amount of IO activity - more than avguard.exe which is second. i also have a jusched.exe i never had before. are these java and why are they running?

C - My pc used to take 4 to 5 minutes to start, too many tasks. when i tried to install norton 360 the helpdesk guy used msconfig to shorten the time and reduce used ram. i left it this way. are you recommending that i go back to the standard startup and use one of the mentioned programs to solve the problem? now or when we are done?


THANKS -
AL
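A way to read the scan log posted above programmatically, as an added example that is not part of the original thread: it separates the "# key=value" header from the detection lines and reports whether every detection sits inside a System Restore point folder. The sample input is built from the posted log; the function and field names are illustrative, and the parser assumes each detected path ends at its first file extension followed by whitespace.

```python
import re
from typing import NamedTuple

# Sample built from the scan log posted above: a few "# key=value" header
# lines, then the single detection line (fields separated by whitespace).
DETECTION_LINE = (
    r"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}"
    r"\RP119\A0034255.ocx probably a variant of Win32/Adware.Agent application "
    + "0" * 32 + " I"
)
SAMPLE_LOG = "\n".join([
    "OnlineScanner.ocx - registred OK",
    "# version=6",
    "# remove_checked=false",
    "# unwanted_checked=true",
    "# scanned=128232",
    "# found=1",
    "# cleaned=0",
    DETECTION_LINE,
])


class Detection(NamedTuple):
    path: str
    threat: str
    hexfield: str           # 32 hex digits as logged; meaning not stated in the thread
    flag: str               # trailing single-letter field, kept verbatim
    in_restore_point: bool


HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# Assumption: the path ends at the first ".ext" that is followed by whitespace.
DETECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.\w{1,4})\s+(?P<threat>.+?)\s+"
    r"(?P<hexfield>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_eset_log(text):
    """Split the log into a header dict and a list of Detection tuples."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip('"')
            continue
        m = DETECT_RE.match(line)
        if m:  # installer chatter and blank lines match neither pattern
            detections.append(Detection(
                m["path"], m["threat"], m["hexfield"], m["flag"],
                bool(RESTORE_RE.search(m["path"])),
            ))
    return header, detections


def triage(text):
    """Summarise what a helper needs to know before deciding on next steps."""
    header, detections = parse_eset_log(text)
    live = [d for d in detections if not d.in_restore_point]
    return {
        # a mismatch means the pasted log was truncated or a line failed to parse
        "count_matches_header": int(header.get("found", -1)) == len(detections),
        # scan ran with "Remove found threats" unchecked, so nothing was deleted
        "report_only": header.get("remove_checked") == "false",
        # True when every hit is an archived copy inside a restore point
        "restore_point_only": bool(detections) and not live,
        "live": live,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```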

Re: google browser redirection

by Wingman » September 20th, 2009, 1:08 pm

Hi ard,

FYI... the entry ESET found is an old System Restore Point entry... this will be removed very shortly.

To respond to your statements regarding how the computer is behaving:
A - Avira - There are various settings within Avira, that you can adjust, that may improve response time... I have used Avira before as well as Avast and didn't notice any slow down in IE response time.
In Avira, I believe if you disable its Auto Update (sched.exe) from running... you can't perform updates, even manually... so this should not be "turned off". I suggest leaving the Auto Update feature on... and adjust the time and/or frequency of updates, if possible. There's always the option to install a different AV product as well.
You can try resetting Internet Explorer's settings back to the way they were when first installed, this sometimes helps in slow IE response situations. See Step 2.

B - jqs.exe and jusched.exe both belong to the newer versions of JAVA. jqs.exe is the Java Quick Starter, supposedly enables Java to start more rapidly.
jusched.exe is the JAVA Update module... polls the Sun Micro site for updates to JAVA. There are several methods of removing these from starting when you boot the computer... here are two:
1. You can use one of the Startup Managers listed before and (later) uncheck these entries or
2. Use the JAVA Control Panel entry: see instructions below.
Disabling the auto update, will require you to manually check for updates... this can be done through the Java Control Panel applet... Update tab.

C - Yes, I am recommending you reset all entries using MSConfig... then using one of the startup managers, I listed, choose which entries you want to disallow from starting when you boot up your machine. But please wait until I give the All Clean and we cleanup some stuff before installing any other software.

Step 1.
Disable Java Quick Start and Scheduler
  1. Press Start > All Programs > Select Control Panel
  2. Locate and double-click the Java icon.
  3. Click the "Update" tab... UNCHECK the "Check for Updates Automatically" box.
  4. Press the Never Check button.. at the update prompt. Then press the Apply button.
  5. Now click the "Advanced" tab... Expand the "Miscellaneous" entry by clicking on the + (plus sign).
    Please UNCHECK both:
    • Place Java icon in system tray
    • Java Quick Starter
  6. Press the Apply button... then press the OK button. Close Control Panel.
  7. Reboot your machine... jqs.exe and jusched.exe should no longer appear in Task Manager now.

Step 2.
Reset Internet Explorer Settings
Warning:
When you reset Internet Explorer settings, all add-ons and customizations are deleted, and you basically start with a fresh version of Internet Explorer.

  1. Exit all programs, including Internet Explorer (if it is running).
  2. Click Start > then click Run.
  3. Copy and paste the following command in the Open box, and then press ENTER:
    inetcpl.cpl
    The Internet Options dialog box appears.
  4. Click the Advanced tab.
  5. Under "Reset Internet Explorer settings", click Reset. Then click Reset again.
    When Internet Explorer finishes resetting the settings,
  6. Click Close in the "Reset Internet Explorer Settings" dialog box. Start Internet Explorer again.


Step 3.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. Did you disable Java items?
  3. Did you reset Internet Explorer?
  4. Computer still behaving?
Thanks,
Wingman

Re: google browser redirection

by ard » September 20th, 2009, 7:55 pm

wingman -


1. Any problem executing the instructions?

no

2. Did you disable Java items?

i followed the directions - jqs.exe was stopped - however not jusched.exe

according to the config util in the startup tab jusched.exe runs from
COMMAND c:\program files\java\bin\
LOCATION HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

i used config util to stop it - just for now

3. Did you reset Internet Explorer?

yes - things are different - i'll have to work on it. the response seems faster - not much usage yet.

4. Computer still behaving?

things seem good - why do i have 7 svchost.exe's running

thanks
- al

Re: google browser redirection

by Wingman » September 21st, 2009, 10:29 am

Hi ard,
OK... Please enable the jusched.exe in MSConfig and we'll fix it with HJT.
SVCHOST.EXE
The many occurrences of svchost.exe in Task manager is normal. There are a variety of processes that run under the "umbrella" of svchost. Think of svchost as a car, it can contain many passengers or just one. There are multiple system processes running under each occurrence of svchost. Looking at my system right now, I have 8 occurrences of svchost.exe in Task Manager. This is a normal occurrence and there is no need to be concerned about it. For more information on svchost... look here

Step 1.
Fix HijackThis entries
  1. Run HijackThis
    Located in C:\Program Files\Trend Micro\hijackthis.exe
    • If you are on the Main Menu page... Click "Do a system scan only"
    • If you are on the "scan & fix stuff" page... Press the Scan...button.
  2. When the scan finishes...Place a check mark next to the following entries (if they are still present):
      *Only check those items listed below *
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
  3. After checking these items... CLOSE ALL open windows except HijackThis
  4. Click the Fix Checked ...button...to remove the entries you checked.
  5. Choose YES...when prompted to fix the selected items.
    Once it has fixed them, close HijackThis and reboot your computer normally.
  6. Run HijackThis again...
    • If you are on the "scan & fix stuff" page... Press the Main Menu...button.
    • On the Main Menu...click on the "Do a system scan and save a Log file"...button.
  7. When the scan is finished... Notepad will open with a saved log file called "hijackthis.log"
  8. Paste the contents of hijackthis.log file in your next reply.

Step 2.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. New HJT log
  3. Computer still behaving?
Thanks,
Wingman

Re: google browser redirection

by ard » September 22nd, 2009, 6:50 am

wingman -

1. Any problem executing the instructions?

no

2. New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:18 AM, on 9/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\admin\Application Data\mjusbsp\st00000\mjsetup.exe
C:\Documents and Settings\admin\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\trend micro\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

--
End of file - 3323 bytes

3. Computer still behaving?

seems ok

thanks -
al
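A check one could run over the before and after HijackThis logs from this exchange, as an added example that is not part of the original thread: it parses the O4 registry autorun lines, confirms that only the SunJavaUpdateSched entry disappeared, and reports whether the [MSConfig] ... /auto Run value is still present, which MSConfig writes while Selective Startup is in effect. The "after" lines are taken from the log posted above, the "before" log is constructed by adding the O4 line from the fix instructions, and the function names are illustrative.

```python
import re

# Lines taken from the HijackThis log posted above (the state after the fix).
AFTER_LOG = r"""
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\admin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
"""

# Constructed "before" state: the same lines plus the entry the helper asked
# to have fixed, copied from the instructions earlier in the thread.
BEFORE_LOG = AFTER_LOG + (
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"'
    + "\n"
)

# O4 registry autorun line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\([^:]+): \[([^\]]+)\] (.+)$")


def parse_o4(log):
    """Return {(hive, key, value_name): command} for registry autorun lines."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:  # every other section (O2, O9, O23, ...) is skipped
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command
    return entries


def verify_fix(before, after, value_name):
    """Compare two logs and report whether only `value_name` was removed."""
    b, a = parse_o4(before), parse_o4(after)
    removed = sorted(k for k in b if k not in a)
    return {
        "target_removed": any(k[2] == value_name for k in removed),
        # anything else that vanished was not part of the requested fix
        "collateral": [k for k in removed if k[2] != value_name],
        # new or altered autoruns between the two scans deserve a second look
        "added": sorted(k for k in a if k not in b),
        "changed": sorted(k for k in a if k in b and a[k] != b[k]),
    }


def selective_startup_active(log):
    """True if the log still carries MSConfig's own '/auto' Run value."""
    for (_hive, _key, name), command in parse_o4(log).items():
        cmd = command.lower()
        if name.lower() == "msconfig" and "msconfig.exe" in cmd and "/auto" in cmd:
            return True
    return False


if __name__ == "__main__":
    print(verify_fix(BEFORE_LOG, AFTER_LOG, "SunJavaUpdateSched"))
    print("selective startup still active:", selective_startup_active(AFTER_LOG))
```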

Re: google browser redirection

by Wingman » September 22nd, 2009, 12:59 pm

Hi ard,
Congratulations... your system is clean :cheers:
At this time, there is no evidence of active malware on your system. There are some things, that need to be done, however.

Please read this post carefully before executing and perform the steps, in the order given.
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem.
Please note response request at the end of the post, thanks.

Step 1.
ComboFix - Cleanup
Let's take care of cleaning up some of the processes we used and create a new System Restore point, while removing all the old ones.
  1. Click Start...select Run from the menu.
  2. Copy and paste the following into the text entry box:
    Combofix /u
  3. Click the OK button.

Step 2.
OTC
Let's perform some additional housekeeping and cleanup some of the tools we used.
Please download OTC.exe... by OldTimer. Save it to your desktop.
  1. Double click on OTC.exe.
    If you receive the "Open File - Security Warning" prompt, press "Run".
  2. Click on CleanUp!.
  3. Click "Yes" to the Begin cleanup process? prompt.
  4. Click "Yes" ... when prompted to reboot the computer to remove files.
Your computer should restart automatically. If it doesn't, please do so manually.


MSConfig
As we previously discussed, you should enable all the entries you've disabled using MSConfig and use one of the Startup Managers, listed below.
For additional protection, as well as managing startup items:
  • WinPatrol - Win 98 -thru- Windows 7 (including x64 systems)
Note: If you decide to use WinPatrol, DO NOT enable Spybot's TeaTimer process.


Now that your system is clean... Please follow these simple guidelines in order to help keep your computer clean and secure:

You can keep and use the TFC (Temp File Cleaner) to clean left over temp files from your sessions.
You can use the ERUNT registry backup/restore utility, to backup your registry, in addition to XP's built in System Restore feature.

Update your Antivirus programs and other security products regularly.
Avoid new threats that could infect your system. You can also check if any application updates are needed for your PC.
Secunia Software Inspector - Copyright © Secunia.
F-secure Health Check - Copyright © F-Secure Corporation.


Visit Microsoft often
Keep on top of critical updates , as well as other updates for your computer.
How to configure and use Automatic Updates in Windows XP
Using Windows Update for Windows XP
Microsoft Update Home


You can try...some free programs, that will help improve your computer's security.
These kinds of protection programs (adware, spyware, etc...) tend to overlap in coverages.
Many feel that having a "layered" protection scheme, is beneficial. Each individual has to decide what works best for their situation.
There are many available...here are a few you can look into, if you want. :)

Malwarebytes' Anti-Malware
You already have this program... it can be used on a regular basis, as a stand alone scanner. Just check for updates before any scans, as this product is updated frequently.
Download it from Malwarebytes © Malwarebytes Corporation.
Tutorials are available for installing and running, Malwarebytes' Anti-Malware.
Powerful, easy to use and free. For real-time protection you will have to purchase the product.

Spybot Search and Destroy
You already have this program installed as well... keep it updated and as an additional level of protection, you can use the immunize feature to update your HOSTS file, to prevent access to unwanted web sites.
Download it from © Safer Networking Ltd. Just choose a mirror and off you go.
A Spybot tutorial can be found Here.

WinPatrol
I mentioned this in the MSConfig segment, this is a very nice utility program and will provide an additional level of protection.
Download it from Copyright © BillP Studios
Information about how WinPatrol works, is available Here.
(The free version of WinPatrol...does not provide any real-time protection.)

Firetrust SiteHound
You can find information and download it from © Firetrust Ltd


No 3rd Party Firewall
Looking over your log, I don't see any evidence of a third party firewall installed. If you do have one installed, please let me know.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world.
Firewalls protect against hackers and malicious intruders.
If you do not have a firewall installed...
I strongly recommend you download a free (for personal use) firewall that monitors traffic in both directions... from one of these excellent vendors:
  1. Comodo (Is now bundled with AV software, toolbar and search provider. Opt to install only the firewall software... uncheck the rest)
  2. ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
  3. Ashampoo
  4. Agnitum
  5. Sunbelt/Kerio ... (30 day free trial)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections.
This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a very basic firewall.
This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.



Read, stay informed.
Please check out these articles:
Tony Klein's "How did I get infected in the first place?"
How to prevent Malware:© miekiemoes - Microsoft MVP - Consumer Security .


Unless you have any questions regarding the above post or the recommendations put forward, please let me know you have read this post and completed the ComboFix uninstall and the OTC steps. At which point I will have this topic closed as resolved.

Stay Safe! 8)
Wingman

Re: google browser redirection

by ard » September 24th, 2009, 11:02 am

wingman -

thanks for all your help

al

Re: google browser redirection

by Wingman » September 24th, 2009, 11:27 am

You're welcome, glad we could help. :)

Re: google browser redirection

by Gary R » September 27th, 2009, 2:40 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.