
Google.com and Google search inaccessible in IE8 and FF


13 replies to this topic

#1 craigar52

craigar52

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 29 June 2012 - 02:22 PM

It was suggested by one of the volunteer malware removal helpers that I post on this forum. The problem that still exists is that both IE8 and FF13 are blocking www.google.com and any search through Google. In both cases a custom 404 page with "nginx" is displayed. Everything else related to browsing seems to work fine. I can do searches through AOL, Yahoo etc. I believe the problem is still malware related because I can run combofix and the problem is gone until the next restart of the computer.
Here is a link to my previous post with everything we have tried over the last couple weeks:

My link

I would appreciate it if you choose to reply, that you read all the previous steps we have taken so we don't spend a lot of time doing the same things over and over again.

Thank you in advance for any help.

Craig

Edited by craigar52, 29 June 2012 - 02:23 PM.



 


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:06:28 PM

Posted 29 June 2012 - 02:34 PM

This is usually a hosts hijack, Combofix should have fixed it. Something is reinfecting your hosts file on reboot?

Press Windows+R key and type

notepad c:\windows\system32\drivers\etc\hosts

click ok

Post the contents here

#3 NpaMA

NpaMA

  • Members
  • 635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Memphis, TN
  • Local time:07:28 PM

Posted 30 June 2012 - 12:01 AM

You are either still infected or your hosts file has been hijacked as mentioned above. Try running the following commands in command prompt:

ipconfig /flushdns
ipconfig /release
ipconfig /renew

Clear your cookies/history/cache in Firefox and Internet Explorer, then try loading the websites.

If that fails, download and run MiniToolbox. Instructions can be found here.

#4 craigar52

craigar52
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 30 June 2012 - 11:47 AM

Sorry guys, I forgot to "follow" this post and didn't get the notifications. I have done that now.

Here is the hosts file after rebooting to bring the problem back:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost



I flushed the DNS and released/renewed the IP address. No change to the problem.

Here are the results from the mini-toolbox:
MiniToolBox by Farbar Version: 25-06-2012
Ran by J. David Goldin (administrator) on 30-06-2012 at 12:41:46
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 1057
"network.proxy.type", 0
========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek RTL8139 Family PCI Fast Ethernet NIC = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : dave-xp

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-19-DB-5E-0E-7B

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : Saturday, June 30, 2012 12:36:17 PM

Lease Expires . . . . . . . . . . : Sunday, July 01, 2012 12:36:17 PM

Server: UnKnown
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.


Pinging google.com [87.236.195.139] with 32 bytes of data:



Reply from 87.236.195.139: bytes=32 time=142ms TTL=48

Reply from 87.236.195.139: bytes=32 time=149ms TTL=48



Ping statistics for 87.236.195.139:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 142ms, Maximum = 149ms, Average = 145ms

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.38.140, 98.139.183.24



Pinging yahoo.com [98.139.183.24] with 32 bytes of data:



Reply from 98.139.183.24: bytes=32 time=69ms TTL=46

Reply from 98.139.183.24: bytes=32 time=71ms TTL=46



Ping statistics for 98.139.183.24:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 69ms, Maximum = 71ms, Average = 70ms

Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 19 db 5e 0e 7b ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 20
192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 20
224.0.0.0 240.0.0.0 192.168.1.2 192.168.1.2 20
255.255.255.255 255.255.255.255 192.168.1.2 192.168.1.2 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (06/18/2012 01:15:52 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (06/17/2012 07:54:43 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (06/17/2012 02:33:47 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (06/14/2012 01:20:34 PM) (Source: Application Error) (User: )
Description: Faulting application pev.3xe, version 0.0.0.0, faulting module pev.3xe, version 0.0.0.0, fault address 0x0008d1c0.
Processing media-specific event for [pev.3xe!ws!]

Error: (06/12/2012 02:52:14 PM) (Source: Application Error) (User: )
Description: Faulting application gmer.exe, version 1.0.15.15641, faulting module gmer.exe, version 1.0.15.15641, fault address 0x0000c6ff.
Processing media-specific event for [gmer.exe!ws!]

Error: (05/31/2012 07:54:06 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (05/31/2012 04:16:47 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (05/17/2012 02:53:22 PM) (Source: Application Error) (User: )
Description: Faulting application activetick.exe, version 1.41.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [activetick.exe!ws!]

Error: (01/25/2012 03:47:21 PM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Error: (01/25/2012 03:47:13 PM) (Source: Application Error) (User: )
Description: Faulting application replayvideo.exe, version 5.4.2.0, faulting module replayvideo.exe, version 5.4.2.0, fault address 0x00040bcf.
Processing media-specific event for [replayvideo.exe!ws!]


System errors:
=============
Error: (06/25/2012 07:44:18 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 0019DB5E0E7B has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Error: (06/25/2012 00:43:53 PM) (Source: DCOM) (User: DAVE-XP)
Description: The server {4FB6BB00-3347-11D0-B40A-00AA005FF586} did not register with DCOM within the required timeout.

Error: (06/25/2012 00:39:06 PM) (Source: DCOM) (User: DAVE-XP)
Description: The server {4FB6BB00-3347-11D0-B40A-00AA005FF586} did not register with DCOM within the required timeout.

Error: (06/25/2012 07:44:32 AM) (Source: 0) (User: )
Description: 192.168.1.200:15:58:26:41:62

Error: (06/24/2012 04:12:56 PM) (Source: System Error) (User: )
Description: Error code 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3 02050008, parameter4 85f98980.

Error: (06/24/2012 11:19:22 AM) (Source: System Error) (User: )
Description: Error code 000000f4, parameter1 00000003, parameter2 86506da0, parameter3 86506f14, parameter4 805c863c.

Error: (06/22/2012 05:35:24 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/22/2012 05:35:13 PM) (Source: DCOM) (User: DAVE-XP)
Description: DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error: (06/22/2012 05:27:33 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
AmdK8
Fips
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
WS2IFSL

Error: (06/22/2012 05:27:33 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31


Microsoft Office Sessions:
=========================
Error: (06/18/2012 01:15:52 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (06/17/2012 07:54:43 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (06/17/2012 02:33:47 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (06/14/2012 01:20:34 PM) (Source: Application Error)(User: )
Description: pev.3xe0.0.0.0pev.3xe0.0.0.00008d1c0

Error: (06/12/2012 02:52:14 PM) (Source: Application Error)(User: )
Description: gmer.exe1.0.15.15641gmer.exe1.0.15.156410000c6ff

Error: (05/31/2012 07:54:06 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (05/31/2012 04:16:47 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (05/17/2012 02:53:22 PM) (Source: Application Error)(User: )
Description: activetick.exe1.41.0.0unknown0.0.0.000000000

Error: (01/25/2012 03:47:21 PM) (Source: Application Error)(User: )
Description: drwtsn32.exe5.1.2600.0dbghelp.dll5.1.2600.55120001295d

Error: (01/25/2012 03:47:13 PM) (Source: Application Error)(User: )
Description: replayvideo.exe5.4.2.0replayvideo.exe5.4.2.000040bcf


========================= Memory info: ===================================

Percentage of memory in use: 61%
Total physical RAM: 958.48 MB
Available physical RAM: 371.94 MB
Total Pagefile: 2311.56 MB
Available Pagefile: 1814.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:372.61 GB) (Free:317.34 GB) NTFS

========================= Users: ========================================

User accounts for \\DAVE-XP

Administrator Guest HelpAssistant
J. David Goldin LogMeInRemoteUser SUPPORT_388945a0


**** End of log ****

Edited by craigar52, 30 June 2012 - 11:50 AM.


#5 ElFasso

ElFasso

  • Members
  • 229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:28 AM

Posted 30 June 2012 - 11:57 AM

Download and install Windows Repair.

Note: If asked to perform a restore point, please do.
  • Open Windows Repair.
  • Go to Start repairs.
  • Put a checkmark:
    • Repair Winsock & DNS Cache
    • Repair Host file
  • Then click on Start.


Edited by ElFasso, 30 June 2012 - 11:58 AM.


#6 craigar52

craigar52
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 30 June 2012 - 12:39 PM

ElFasso,

The link does not work in IE8 or FF13. I tried it from another computer at this location and also from another location.

Here is the error when clicking the link:

Internet Explorer cannot display the webpage

What you can try:
It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.

Retype the address.

Go back to the previous page.

Most likely causes:
•You are not connected to the Internet.
•The website is encountering problems.
•There might be a typing error in the address.

#7 craigar52

craigar52
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 30 June 2012 - 12:41 PM

ElFasso,

Here is the Firefox message for the same file download:

The connection has timed out

The server at www.tweaking.com is taking too long to respond.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

#8 ElFasso

ElFasso

  • Members
  • 229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:28 AM

Posted 30 June 2012 - 12:48 PM

The website for downloading this program is offline...

I'll search for a safe mirror.

#9 ElFasso

ElFasso

  • Members
  • 229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:28 AM

Posted 30 June 2012 - 12:53 PM

Safe mirror for Windows Repair: http://www.softpedia.com/get/Tweak/System-Tweak/Tweaking-com-Windows-Repair.shtml

#10 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:06:28 PM

Posted 30 June 2012 - 01:07 PM

Press Windows+R key and type

notepad c:\windows\system32\drivers\etc\hosts

click ok

Press the CTRL+A key, this should select the entire Notepad contents.

Do you find unwanted entries at the bottom of the Notepad window?

Also, let's start with Firefox.

Uninstall Firefox, and make sure to checkmark the "remove my personal data" option.

Reinstall it and see if you're able to browse in Firefox.

Edited by narenxp, 30 June 2012 - 01:11 PM.
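
The hosts check asked for in posts #2 and #10, written as a script. This is an added example, not part of any poster's reply and not code from ComboFix, MiniToolBox or Windows Repair. It lists every active entry in a hosts file and flags anything other than the stock localhost mapping, including entries pushed far below the visible text by blank lines. The function names, the padding threshold and the 203.0.113.10 sample address are assumptions made for illustration.

```python
import ipaddress

DEFAULT_NAMES = {"localhost"}  # the only active name in the stock hosts file posted above


def audit_hosts(text, pad_threshold=5):
    """Parse hosts-file text and return one dict per active (non-comment) entry.

    Each dict has a 'reasons' list, which is empty for an expected entry.
    """
    entries, blank_run = [], 0
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        if not raw.strip():
            blank_run += 1              # whitespace-only line: possible padding
            continue
        active = raw.split("#", 1)[0].split()
        if not active:                  # comment-only line
            blank_run = 0
            continue
        ip, names = active[0], [n.lower() for n in active[1:]]
        reasons = []
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False
            reasons.append("unparseable address")
        extra = [n for n in names if n not in DEFAULT_NAMES]
        if extra:
            # Loopback mappings make a site unreachable; others send it elsewhere.
            verb = "blocks" if loopback else "redirects"
            reasons.append(f"{verb} {', '.join(extra)}")
        if "localhost" in names and not loopback:
            reasons.append("localhost not on loopback")
        if blank_run >= pad_threshold:
            reasons.append(f"preceded by {blank_run} blank lines")
        entries.append({"line": lineno, "ip": ip, "names": names, "reasons": reasons})
        blank_run = 0
    return entries


def suspicious(text):
    """Only the entries that need a closer look."""
    return [e for e in audit_hosts(text) if e["reasons"]]


# Abbreviated copy of the stock file from post #4.
CLEAN = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
"""

# Constructed sample: the same file with one entry hidden below 40 blank lines.
# 203.0.113.10 is a documentation address, not taken from this thread.
HIJACKED = CLEAN + "\r\n" * 40 + "203.0.113.10\twww.google.com google.com\r\n"

if __name__ == "__main__":
    for entry in audit_hosts(HIJACKED):
        print(entry["line"], entry["ip"], entry["names"], entry["reasons"] or "ok")
```

To check a real machine, pass the contents of c:\windows\system32\drivers\etc\hosts to `suspicious()`. An empty result only rules out the hosts file, as it did in this thread.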


#11 craigar52

craigar52
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 30 June 2012 - 01:20 PM

narenxp - I posted my hosts file above. There is nothing unusual that I can see. I will consider uninstalling FF after I try ElFasso's Windows Repair.

Here is the hosts file posted earlier:


# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

#12 NpaMA

NpaMA

  • Members
  • 635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Memphis, TN
  • Local time:07:28 PM

Posted 30 June 2012 - 11:48 PM

Your Firefox has a proxy server configured.

Open Minitoolbox again and check the following things:
*Flush DNS
*Reset IE Proxy Settings
*Reset FF Proxy Settings

Press "Go".

Any change?

#13 craigar52

craigar52
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 05 July 2012 - 02:46 PM

Thank you to those that responded with suggestions, but after 3 weeks of dealing with the aftereffects of a malware infection, I bit the bullet and reformatted the drive and reinstalled Windows.

This post can be closed.

Thank you.

Craig

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,912 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:28 PM

Posted 05 July 2012 - 09:05 PM

Thank you for the update.