IE 11 in U.S opens Google Nigeria, Win 8.1 Home Premium


15 replies to this topic

#1 Rwjack2000

Rwjack2000

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 August 2015 - 10:08 AM

Hi,

My wife's PC, infrequently used, opens to Google Nigeria when she uses IE 11. She just noticed this starting yesterday. Using "my ip" search shows different IP (185.28.193.95) and location of Czech Republic (which is ominous). After trying a few searches with IE 11, Google opened a captcha page stating unusual activity was coming from this IP. Chrome and Firefox open in correct US Google and "my ip" search shows different IP and correct location. One of the websites she visits requires IE, though she usually uses Chrome.

Win 8.1 Home premium, up to date with all updates and patches.

I have changed every location setting in Windows and IE I could find.  

 

 

 

I have scanned PC with:

Norton AV

Norton Power eraser

Malwarebytes Anti Malware Pro

Bitdefender

Super Antispyware

ADW Cleaner

 

All scans were clean except for cookies, which were removed.

 

I have removed and restored IE 11

deleted all cookies, history, temp files  etc.

 

I don't know what to do next.  I have a Hijack this log which I can upload if needed.

 

Your help will be greatly appreciated.  Thanks.


Edited by Rwjack2000, 03 August 2015 - 10:08 AM.



#2 Firehouse

Firehouse

  • Members
  • 637 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 PM

Posted 03 August 2015 - 10:17 AM

Hello,

 

please download MiniToolBox by Farbar and save it to your desktop.
 
Run tool as Administrator and make sure that these options are checked :
 
  • Flush DNS
  • Reset IE Proxy Settings
  • Reset FF Proxy Settings
  • List Installed Programs
 
Post log here.
 
Step 2
 
Download TFC by OldTimer and save it to your desktop.
 
Run it as Administrator and click on Start button.
 
If programs need reboot, allow it to do so.
 
NOTE: IF your desktop disappears, don't panic, it's normal.


#3 Dualcomm

Dualcomm

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:43 AM

Posted 03 August 2015 - 10:48 AM

In IE 11, go to settings. If there's a sentence that says "Use proxy" and it's checked, uncheck it. Do you have a VPN or anything like that?



#4 Rwjack2000

Rwjack2000
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 August 2015 - 11:43 AM

No VPN, proxy not checked.  Since I posted, wife's PC is auto-updating to Win 10, just my luck.  I will have to wait for that to complete and revert to 8.1.  I will then try the suggestions by Firehouse.  Thanks all.  Later



#5 Firehouse

Firehouse

  • Members
  • 637 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 PM

Posted 03 August 2015 - 11:48 AM

Alright, no hurry.



#6 Rwjack2000

Rwjack2000
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 August 2015 - 04:10 PM

OK, followed all of your steps. BTW, looks like Google is back to U.S version,  so success.  Thanks very much.   How do you think that happened?  

 

Here is the MTB log:

MiniToolBox by Farbar  Version: 25-07-2015 01

Ran by aljackso46 (administrator) on 03-08-2015 at 16:54:36
Running from "C:\Users\aljackso46\Desktop"
Microsoft Windows 8.1  (X64)
Model: X200MA Manufacturer: ASUSTeK COMPUTER INC.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
 
=========================== Installed Programs ============================
 
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 16.0.0.245 - Adobe Systems Incorporated)
Amazon Kindle (HKCU\...\Amazon Kindle) (Version:  - Amazon)
Amazon Music (HKCU\...\Amazon Amazon Music) (Version: 3.7.1.698 - Amazon Services LLC)
Amazon Music Importer (HKLM-x32\...\{3BAF1C25-33AA-AB09-0D89-1BAB227E5FB8}) (Version: 3.1.0 - Amazon Services LLC) Hidden
Amazon Music Importer (HKLM-x32\...\com.amazon.music.uploader) (Version: 3.1.0 - Amazon Services LLC)
Apple Application Support (32-bit) (HKLM-x32\...\{AFA1153A-F547-409B-B837-3A0D6C5A3FEC}) (Version: 3.1.3 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{D7B824DE-DA32-4772-9E5E-39C5158136A7}) (Version: 3.1.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{C4123106-B685-48E6-B9BD-E4F911841EB4}) (Version: 8.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ASUS Backtracker (HKLM-x32\...\{C15C060C-ED1C-49EB-83B3-F7C0FD1CD661}) (Version: 3.0.4 - ASUS)
ASUS Live Update (HKLM-x32\...\{FA540E67-095C-4A1B-97BA-4D547DEC9AF4}) (Version: 3.3.4 - ASUS)
ASUS Screen Saver (HKLM\...\{0FBEEDF8-30FA-4FA3-B31F-C9C7E7E8DFA2}) (Version: 1.0.1 - ASUS)
ASUS Smart Gesture (HKLM-x32\...\{4D3286A6-F6AB-498A-82A4-E4F040529F3D}) (Version: 2.2.10 - ASUS)
ASUS Splendid Video Enhancement Technology (HKLM-x32\...\{0969AF05-4FF6-4C00-9406-43599238DE0D}) (Version: 2.01.0021 - ASUS)
ASUS USB Charger Plus (HKLM-x32\...\{A859E3E5-C62F-4BFA-AF1D-2B95E03166AF}) (Version: 3.1.8 - ASUS)
AsusVibe2.0 (HKLM-x32\...\Asus Vibe2.0) (Version: 2.0.12.311 - ASUSTEK)
ATK Package (HKLM-x32\...\{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}) (Version: 1.0.0031 - ASUS)
B-Folders 4 (HKCU\...\B-Folders 4) (Version:  - )
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
EaseUS Todo Backup Free 8.5  (HKLM-x32\...\EaseUS Todo Backup_is1) (Version: 8.5 - CHENGDU YIWO Tech Development Co., Ltd)
Epson Event Manager (HKLM-x32\...\{48F22622-1CC2-4A83-9C1E-644DD96F832D}) (Version: 2.30.01 - SEIKO EPSON Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - )
EPSON WorkForce 610 Series Printer Uninstall (HKLM\...\EPSON WorkForce 610 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Setup (HKLM-x32\...\{FFFAE01B-466F-4C07-9821-A94FD753BDDA}) (Version: 3.1c - SEIKO EPSON CORPORATION)
Glary Utilities PRO 5.21 (HKLM-x32\...\Glary Utilities 5) (Version: 5.21.0.40 - Glarysoft Ltd)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 44.0.2403.125 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.1 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3408 - Intel Corporation)
Intel® Sideband Fabric Device Driver (HKLM-x32\...\C5A8BC6E-723A-4C0F-96E1-C426D1A4BCA9) (Version: 1.0.0.1002 - Intel Corporation)
Intel® Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1064 - Intel Corporation)
iTunes (HKLM\...\{93F2A022-6C37-48B8-B241-FFABD9F60C30}) (Version: 12.1.2.27 - Apple Inc.)
Macrium Reflect Free Edition (HKLM\...\{4A2A71C3-5728-4A9F-89F3-3E58B552494C}) (Version: 6.0.708 - Paramount Software (UK) Ltd.) Hidden
Macrium Reflect Free Edition (HKLM\...\MacriumReflect) (Version: 6.0 - Paramount Software (UK) Ltd.)
Magical Jelly Bean KeyFinder (HKLM-x32\...\KeyFinder_is1) (Version: 2.0.10.10 - Magical Jelly Bean)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4737.1003 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 39.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 39.0 - Mozilla)
Norton Security Suite (HKLM-x32\...\N360) (Version: 22.5.2.15 - Symantec Corporation)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.4737.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.4737.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.4737.1003 - Microsoft Corporation) Hidden
Qualcomm Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Qualcomm Atheros)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.27040 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.20.815.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7404 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Samsung Kies (HKLM-x32\...\{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.3.14123.5 - Samsung Electronics Co., Ltd.) Hidden
Samsung Kies (HKLM-x32\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.3.14123.5 - Samsung Electronics Co., Ltd.)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.49.0 - SAMSUNG Electronics Co., Ltd.)
Skype™ 7.3 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.3.101 - Skype Technologies S.A.)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1204 - SUPERAntiSpyware.com)
WebStorage (HKLM-x32\...\WebStorage) (Version: 2.0.3.226 - ASUS Cloud Corporation)
Windows Driver Package - ASUS (ATP) Mouse  (01/07/2014 1.0.0.197) (HKLM\...\2BEE838DC3D664A0CAB23AEA0332BB3877ED0685) (Version: 01/07/2014 1.0.0.197 - ASUS)
WinFlash (HKLM-x32\...\{8F21291E-0444-4B1D-B9F9-4370A73E346D}) (Version: 2.42.0 - ASUS)
 
**** End of log ****
 
Couldn't find a way to just attach txt file, so here it is!

Edited by Rwjack2000, 03 August 2015 - 04:14 PM.


#7 Firehouse

Firehouse

  • Members
  • 637 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 PM

Posted 03 August 2015 - 04:13 PM

Uninstall SuperAntiSpyware and Glary Utilities. Any sort of "optimizers" can do more damage than good, Wise Disk Cleaner is more than enough.



#8 Rwjack2000

Rwjack2000
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 August 2015 - 04:30 PM

Done, and thanks again.



#9 Firehouse

Firehouse

  • Members
  • 637 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 PM

Posted 03 August 2015 - 04:31 PM

How is the situation now?



#10 Rwjack2000

Rwjack2000
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 August 2015 - 04:39 PM

Seems to be back to normal.  What do you think happened?  My wife is a pretty safe surfer.



#11 Firehouse

Firehouse

  • Members
  • 637 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 PM

Posted 03 August 2015 - 04:40 PM

"Reset IE Proxy Settings": IE Proxy Settings were reset.

 

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

You had proxy on your PC.



#12 Rwjack2000

Rwjack2000
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 August 2015 - 04:50 PM

Actually, I retract that.  IE 11 IP initially reported a different address and loaded US Google,  now back to the Czech Republic address and location and Google Nigeria.  This is pretty serious.



#13 Firehouse

Firehouse

  • Members
  • 637 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 PM

Posted 03 August 2015 - 04:52 PM

I'm on my phone now, so we will continue tomorrow if you don't mind :) I need some sleep.



#14 Rwjack2000

Rwjack2000
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 August 2015 - 05:05 PM

You are right, but I never added proxy.  I have removed all checks on IE and Firefox regarding proxies.  We'll see.  I will also check all PCs on my network.



#15 Rwjack2000

Rwjack2000
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 04 August 2015 - 10:17 AM

Additional info:

I blocked the IP in question in Norton, in browsers and router.  Now, even though all proxy settings have been cleared using minitool, IE 11 will not connect: " the proxy server 185.28.193.95:8080 isn't responding".  The exploit still exists somewhere on this system.  
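
An added example, not part of the original thread: a read-only PowerShell check of the places from which IE (WinINET) and WinHTTP can pick up a proxy, for the case described in post #15 where the proxy reappears after the settings were reset. The registry paths and value names are standard Windows locations assumed here (the thread does not name them); the only value taken from the thread is the reported address.

```powershell
# Read-only audit: where could a proxy for IE (WinINET) / WinHTTP be configured?
# $suspect is the address reported in the thread; the registry paths below are
# standard Windows locations assumed for this example, not named in the thread.
$suspect = '185.28.193.95'
$sub     = 'Microsoft\Windows\CurrentVersion\Internet Settings'

$keys = @(
    "HKCU:\Software\$sub",                 # per-user settings (what the IE dialog edits)
    "HKCU:\Software\Policies\$sub",        # per-user policy
    "HKLM:\SOFTWARE\$sub",                 # machine-wide settings
    "HKLM:\SOFTWARE\Policies\$sub",        # machine policy; ProxySettingsPerUser = 0
                                           # makes the HKLM values apply to every user
    "HKLM:\SOFTWARE\WOW6432Node\$sub"      # 32-bit view on 64-bit Windows
)
$names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL', 'ProxySettingsPerUser'

$findings = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $names) {
        $value = $props.$name
        if ($null -ne $value) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Value   = $value
                Suspect = ("$value" -like "*$suspect*")
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap

# Per-connection settings are stored as binary blobs with the proxy string embedded.
$conn = "HKCU:\Software\$sub\Connections"
if (Test-Path $conn) {
    $item = Get-Item $conn
    foreach ($valueName in $item.GetValueNames()) {
        $data = $item.GetValue($valueName)
        if ($data -is [byte[]]) {
            $text = [Text.Encoding]::ASCII.GetString($data)
            if ($text -like "*$suspect*") { "Proxy string found in $conn\$valueName" }
        }
    }
}

# WinHTTP keeps its own proxy setting, separate from the IE dialog.
netsh winhttp show proxy
```

A value that comes back after being cleared suggests something on the system is rewriting it; rerunning the script after a reboot shows which location changes.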





