Appears to be a Google hijack

etf · Joined: Aug 12, 2009 Posts: 23

Hi Greyknight17,

Thanks for your perserverance on this. This log appeared pretty long so I have already uploaded to YouSendIt. The link is here: https://www.yousendit.com/download/YkxLWmdvYXlCSnF4dnc9PQ

Unfortunately, Google results are still hijacked. Also MicroSoft updates continue to fail to install (Error Code: 0x80070005 ).

Any next steps still to pursue?

Thanks

etf

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Which browser is affected by the Google redirect problem? Just Internet Explorer?

For the Windows update error, make sure you don't have any firewall that may be blocking it access. Otherwise, try reading this site and see if it helps.

Download Hoster at http://www.greyknight17.com/spy/Hoster.exe and run it. Click on Restore Original Hosts button and press OK. If you used a custom HOSTS file, you will need to restore the file back.

Download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

See if you still have the redirect problem.

etf · Joined: Aug 12, 2009 Posts: 23

Argh, I am now losing faith. The link to fix the Windows updates did not work in terms of the easy first couple of fixes. I can keep working through the links, but I have a valid copy of Windows and it still won't work, nor will it work with the MS firewall turned off.

I ran both programs as you directed. Here is the log. HOWEVER, I didn't get an option when I clicked on GooredFix for 1 or 2, it was just an option to fix - I hit that and this is what i got:

GooredFix by jpshortstuff (12.07.09)
Log created at 21:40 on 27/08/2009 (etf967)
Firefox version [Unable to determine]

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:32 07/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [16:23 22/12/2008]

-=E.O.F=-

The redirects from Google continue. I know I shouldn't use IE, but the inertia of laziness has meant that is the only browser I have or use. Given my recent experience with whatever this virus is, I am now wondering if I should just wipe the machine and start over with Ubuntu.

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

The decision is yours. Linux is usually a better system to use if you want more stable performance and has a much lesser chance of infection.

If you want to close this issue, I will lock the topic.

etf · Joined: Aug 12, 2009 Posts: 23

Unfortunately I require a windows system at the house, so I am stuck with this one until I get a new computer, and that won't be for several months. If this can be fixed, I would like to get it resolved. But, if we reach a point that you think it is pointless, just let me know.

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Do you have the Windows CD for this system? If so, I recommend backing up your data now (if you haven't done so already). I suggest performing a clean install of Windows once you backed up your data.

etf · Joined: Aug 12, 2009 Posts: 23

Unfortunately I do not. This was issued to me as a student, and the only discs supplied were for MSOffice. I graduated several years ago so no more university tech support. I suspect that the OS was on some group license so they didn't issue it on a disc to us.

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.

Uninstall Malwarebytes' via the Add/Remove Programs panel. Download Malwarebytes' again and before you save it to your desktop, rename it to MBetf.exe. Do the same thing for ComboFix (rename to CFetf.exe). Restart the computer and then try to install Malwarebytes' (MBetf.exe). If that installs without any problems, don't run it yet (uncheck that option during the install to launch it). Go to C:\Program Files\Malwarebytes' Anti-Malware\ and rename mbam.exe to MBetf.exe. Try running it now. If it works, perform a full scan and remove anything it finds. Post the log file here.

Regardless if Malwarebytes' worked or not, proceed to run ComboFix (CFetf.exe) and post that log here.

etf · Joined: Aug 12, 2009 Posts: 23

Hi greyknight17,

Malware Bytes program still would not run.

I had to run ComboFix four times. Note, each time it froze I had not clicked on the window or otherwise done anything to the machine while it was running.

The first time it froze showing this on the screen:

Deleting Files:

C:\WINDOWS\hixagivuhe.inf

I had to unplug and removed the battery in order to restart.

The second time it froze during the start up when it normally makes a system restore point. Again, I unplugged and removed the battery in order to restart.

The third time it froze showing this on the screen:

Deleting Files:

C:\WINDOWS\hixagivuhe.inf
C:\WINDOWS\osowufakab.inf
C:\WINDOWS\system32\sipaduw.inf
C:\WINDOWS\uzuc.inf

System file is infected!! Attempting to restore

“C:\WINDOWS\system32\scecli.dll”

System file is infected!! Attempting to restore

“C:\WINDOWS\system32\scecli.dll”

So, once more I unplugged, removed the battery and restarted.

The fourth time seemed to be the charm. It worked all the way - the log is at this link:

https://download.yousendit.com/cmcyb2VPdzg4Q1EwTVE9PQ

Thanks!

etf

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Hi, sorry for the very late reply. Is it possible to upload that file again? It should be located at C:\ComboFix\.

Thanks.

etf · Joined: Aug 12, 2009 Posts: 23

https://www.yousendit.com/download/ZW9BZHlvNHZCMTVjR0E9PQ

This should be it.
Thanks,
etf

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

We need two files to be repaired or restored from your Windows CD. As long as the service pack version matches, it should be able to restore the file for you.

c:\windows\system32\scecli.dll
c:\windows\system32\proquota.exe

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. Otherwise, it will auto-close after it's done.

Are you still having any redirect problems now?

etf · Joined: Aug 12, 2009 Posts: 23

I ran sfc /scannow and it did not ask for the disc (which I do not have anyway), just appeared to autoclose.

Google still get's hijacked.

Is there anything else to be tried?

thanks,

etf

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

You can try to get the below two files from another computer with similar Service Pack:

c:\windows\system32\scecli.dll
c:\windows\system32\proquota.exe

Rename the two files before replacing them. You will most likely need to do this via the recovery console. Since you don't have the XP CD, you will need to get the recovery console here. Burn that ISO file as an image to a CD and boot up from it. It should allow you to enter the recovery console. Prior to doing this, make sure you get a good copy of the above two files that matches your system's service pack. You can place them on the C: drive. Then after entering the recovery console, you can rename those two bad copies and move the two good copies into the system32 folder.

etf · Joined: Aug 12, 2009 Posts: 23

Sorry, but I am ignorant on this - please translate. If I hit the link, I can save the file to a disc, but can't open it or run it. Don't know what to do with it.
etf

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Right click on that link and choose save as. Save it to your desktop. You will then need to open up your CD burning software (common ones that a lot of users have is Roxio or Nero). Do not just drag and drop this rc.iso file as if it's regular data. There should be an option in the program to allow you to burn from an image file (in this case, the image file is the ISO file). Select that option and then browse for the rc.iso before burning it.

Once that's done, restart the computer and leave the CD in the drive. Boot from that CD so you can get into the recovery console to rename those two files back to the original filenames.

etf · Joined: Aug 12, 2009 Posts: 23

Well, I may be at the end of the rope here. I successfully burned the iso image. When I start up from the disc, it goes to Windows Setup and asks:

1. To set up Windows XP now, press enter
2. To repair a WIndows XP installation using Recovery Console, press R
3. To quite set up without installing Windows XP, press F3

IF I take option 1, then I get back this message:

Setup cannot find End User Licensing Agreement
Setup cannot continue

This is however a legitimate copy of Windows.

If I take option 2, it asks

Which Windows installation would you like to log onto?

And at that prompt, I am stumped.

Am I doing something wrong here?

Thanks,

etf

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

You would not be able to run option 1 since this is only a recovery CD with no Windows setup files in it.

When you select option 2, it should show you your Windows partition there. Select the number shown (usually it's just number 1) and hit ENTER. You will be prompted for the administrator password. If you are using XP Home, just hit the ENTER key for no password.

etf · Joined: Aug 12, 2009 Posts: 23

Evidently I need the remedial walk through as I still don't get it. Also, I have Windows XP Professional, not home.

When I choose the second option for using recovery console, I tried entering 1 at the prompt. This led to anther prompt that loooks something like C:\Windows: and at that, I don't know what commands to enter or what to do. It doesn't show me anthing in an environment where I can click through with the mouse and rename the bad files and put the good files in their place. It just tells me to enter help for a list of commands or exit to leave and start normally.

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Did you put the two good files (scecli.dll & proquota.exe) in the C: drive already? You can do this within Windows before using the CD. Once you are in the recovery console, enter the following commands hitting ENTER after each new line:

ren c:\windows\system32\scecli.dll c:\windows\system32\scecli.dll.OLD
ren c:\windows\system32\proquota.exe c:\windows\system32\proquota.exe.OLD
copy c:\scecli.dll c:\windows\system32\scecli.dll
copy c:\proquota.exe c:\windows\system32\proquota.exe
exit

Once this is done, restart the computer and run ComboFix again. Post the log file here.