Help have a browser redirect nightmare


  • This topic is locked
10 replies to this topic

#1 alexnconifer

Posted 09 March 2009 - 02:04 AM

Hey, hope you can help me. My browser redirects badly, and multiple times, no matter what search bar I use, Google or Yahoo, and the computer is slow. Downloaded spydoctor, won't let me update malware definitions to start it. Downloaded Malwarebytes, won't let me open it. Trend Micro HouseCall won't start. Adaware can't find anything. I have CA antivirus and antispyware, neither one finds anything. About a week ago, CA said it found a trojan virus, but repaired it. Seems like fairly soon after this I started having problems. I can't cut and paste an address directly to a site without too much problem. If I type in a search it will go to the appropriate topic in whatever search engine I am using, but when I try to go to a specific site it redirects to all kinds of stuff, different weird search engines like Infoseek, or weird sites, so far nothing porn or anything but all kinds of unrelated weird stuff. Also the computer won't allow me to do a system restore; also tried in safe mode with command prompt, still no luck. Can't defrag either. Haven't found anything in processes in Task Manager that is a dead giveaway, but my knowledge is somewhat limited. The redirects do seem to be getting worse though, and it found my Opera browser and is doing it on that one too; it wasn't at first. Hope you can help me, I'm stuck and frustrated. Thanks, Alex
DDS (Ver_09-02-01.01) - NTFSx86
Run by Lisa Woodhouse at 0:20:21.42 on Mon 03/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1095 [GMT -6:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\TMAS\Apache2\bin\ApacheMonitor.exe
C:\TMAS\mysql\bin\mysqld-nt.exe
C:\Program Files\Trend Micro\AntiSpyware\tmassa.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\Documents and Settings\Lisa Woodhouse\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: IEGBH0 Class: {9f3209e2-334b-41e9-b09c-703f398742e7} - c:\program files\trend micro\browser guard\tmieg.dll
BHO: TFSToolbarBHO: {a160a3eb-b076-4190-92cf-9a9663f5f144} - c:\program files\trend micro\browser guard\TFSToolbar.dll
BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
BHO: BhoMisc Class: {e3578b37-6346-4ec1-a82b-38273a100dcf} - c:\program files\trend micro\trendprotect\msie\wrs.dll
BHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: TrendProtect: {f83be649-1cc3-48ee-b2e2-0826cef3822a} - c:\program files\trend micro\trendprotect\msie\wrs.dll
TB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
TB: Trend Micro Free Security Toolbar: {537853f4-1954-4d0f-a89d-669a91c7fe45} - c:\program files\trend micro\browser guard\TFSToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-5.1.18.0\QOELoader.exe"
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [cafw] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [CaPPcl] c:\program files\ca\ca internet security suite\ca anti-spyware\CAAntiSpyware.exe /scan /startup
mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\winsflt.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: turbotax.com
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
TCP: NameServer = 85.255.112.178,85.255.112.99
TCP: {6E8C0210-185D-4134-BB0A-B976ADC11814} = 85.255.112.178,85.255.112.99
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: tmtb - {F41E55CA-6660-4350-8E3F-5004097E0AB0} - c:\program files\trend micro\browser guard\TFSToolbar.dll
Handler: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - c:\program files\trend micro\trendprotect\msie\WRS.dll
Notify: PFW - UmxWnp.Dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\ca internet security suite\ca website inspector\linkadvisor\CIDLinkAdvisor.dll

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-3-19 93712]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-8 130424]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-3-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-3-21 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-3-19 115216]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-9-3 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-9-3 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-9-3 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-9-3 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-9-3 32240]
R2 Antispyware Server Agent;Antispyware Server Agent;c:\program files\trend micro\antispyware\tmassa.exe [2009-3-8 1703936]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2007-6-24 144696]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-4 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-3-21 66576]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-8 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-8 1095560]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-4 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-4-15 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2007-6-24 255216]
R2 WinSvchostManager;WinSock Svchost Manager;c:\windows\system32\svcprs32.exe [2008-9-3 823296]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-5-30 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-5-8 185584]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-9-3 108368]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]

=============== Created Last 30 ================

2009-03-08 22:44 2,154 a------- c:\windows\system32\tmasmute.ini
2009-03-08 22:44 6,287 a------- c:\windows\my.ini
2009-03-08 22:44 1,302,528 a------- c:\windows\libmysql.dll
2009-03-08 22:44 46,946 a------- c:\windows\php.ini
2009-03-08 22:43 <DIR> --d----- C:\TMAS
2009-03-08 21:57 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-08 21:57 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-08 21:57 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-08 21:57 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-08 21:57 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-08 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-08 00:37 102,800 a------- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2009-03-08 01:12 258,144 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2009-03-08 01:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
2009-03-08 01:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
2009-03-08 01:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
2009-03-08 01:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
2009-03-08 01:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
2009-03-08 01:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
2009-03-08 01:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-08 20:16 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-05 16:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-19 03:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 03:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 23:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 23:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-11-12 09:54 108,272 a------- c:\docume~1\lisawo~1\applic~1\GDIPFONTCACHEV1.DAT
2008-11-22 12:41 2 a--shrot c:\windows\winstart.bat
2008-02-13 20:12 30,720 a--sh--- c:\windows\rnapxs\Rnapxs.dat
2007-01-05 16:42 56 ---shr-- c:\windows\system32\57AC54779D.sys
2007-01-05 16:42 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-29 09:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat
2008-09-03 22:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat
2007-06-23 10:25 4,800,800 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-06-23 10:25 68,128 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 0:21:10.66 ===============

#2 chryssi2001

Posted 21 March 2009 - 01:06 PM

Hello alexnconifer,

I apologise for the delay, the forum is busy.
----------------------------------------------
I will be assisting you with your malware issues.
  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
  • If you fail to reply within 5 days from now, this thread will close, and you will have to open another topic and wait for another helper.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check (tick) all items except items in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Double-click HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
A HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 alexnconifer

Posted 22 March 2009 - 11:01 AM

Hi, thanks for getting back to me. Haven't had any more luck with removing whatever is afflicting my computer. It doesn't seem to be causing any other system instability as far as other programs not related to browser or internet. Anyway, I have followed your directions and I am posting the HijackThis log, but the computer will not allow me to run Malwarebytes. I have downloaded and installed it as per directions, but to no avail; I can't load it or make it run. Hopefully you know another way? For starters, here is the HijackThis log. Thanks, Alex

#4 chryssi2001

Posted 22 March 2009 - 12:11 PM

Hello alex,

Can you rename malwarebytes to mbam and try to run it again?

Please do not post attachments.

#5 alexnconifer

Posted 23 March 2009 - 09:59 AM

Tried to rename mbam.exe using right click and the rename tab and changing the name in the box under the icon, still no luck. Am I not doing something correctly? Tried to reinstall and rename the installer as well, no luck there either. Any suggestions?

#6 chryssi2001

Posted 23 March 2009 - 10:14 AM

Hello alexnconifer,

Ok we'll try another tool.

First I see you have CA Anti-Virus+Firewall+Antispyware on your PC.
But I also see signs of Trendmicro. What use is Trendmicro for?

You must not have more than 1 Anti-Virus and 1 firewall.
----------------------------------------------
Disable Spyware Doctor until the computer is clean

Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and Exit Spyware Doctor
Don't forget to re-enable it after I tell you that your computer is clean.
----------------------------------------------
Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

#7 alexnconifer

Posted 23 March 2009 - 10:55 PM

Hi, did everything as you requested, had great results. Seems to have caught the worm or hijacker, whatever you call it. I'm not getting redirected anymore. Have included the ComboFix log and a new HijackThis log. After getting done with ComboFix I turned anti-virus and anti-spyware back on and the computer allowed me to open Malwarebytes, so I ran a scan; it caught 18 items including a trojan. Then CA anti-virus said the real-time scanner caught two viruses. They are the same as ComboFix deleted, so I don't know if it is trying to re-install or what, but everything seems to be working and the computer is allowing me to update security stuff when it wouldn't at all before, so I have my fingers crossed.... Thanks a million! :thumbup2:

#8 chryssi2001

Posted 24 March 2009 - 09:00 AM

Hello alexnconifer,

"Hi, did everything as you requested, had great results. Seems to have caught the worm or hijacker, whatever you call it. I'm not getting redirected anymore. Have included the ComboFix log and a new HijackThis log. After getting done with ComboFix I turned anti-virus and anti-spyware back on and the computer allowed me to open Malwarebytes, so I ran a scan; it caught 18 items including a trojan. Then CA anti-virus said the real-time scanner caught two viruses. They are the same as ComboFix deleted, so I don't know if it is trying to re-install or what, but everything seems to be working and the computer is allowing me to update security stuff when it wouldn't at all before, so I have my fingers crossed.... Thanks a million!"

Nice, good to know, and you are welcome.

"First I see you have CA Anti-Virus+Firewall+Antispyware on your PC.
But I also see signs of Trendmicro. What use is Trendmicro for?"

You missed answering my question. Do you use only Trendmicro's Antispyware?
----------------------------------------------
Registry Cleaners

I notice the presence of Registry Mechanic Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference.
If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\Tasks\ErrorEasy Scheduled Scan.job
    
    Folder::
    c:\program files\ErrorEasy
    
    Firefox::
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Run Malwarebytes' Anti-Malware again.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Malwarebytes' Anti-Malware report.

Please do not post attachments, unless I require them.
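The four lines the helper asks to tick in HijackThis are the BHO and TB entries marked "No File" in the DDS log from the first post. The following Python script is an added example, not part of the thread and not DDS or HijackThis code: it parses those DDS lines and lists the orphaned entries in the HijackThis wording shown above. The DDS-to-HijackThis line mapping is inferred from this thread only, and `parse_entries` and `triage_orphans` are hypothetical names.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: BHO/TB lines copied from the "Pseudo HJT Report"
# section of the DDS log posted in this thread, plus two unrelated lines.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: TrendProtect: {f83be649-1cc3-48ee-b2e2-0826cef3822a} - c:\program files\trend micro\trendprotect\msie\wrs.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "<kind>: <optional name and/or CLSID> - <file path or 'No File'>"
ENTRY_RE = re.compile(r"^(BHO|TB):\s*(.*?)\s+-\s+(.+)$")

# Assumption inferred from this thread: DDS "BHO" lines appear in HijackThis
# as "O2 - BHO" and DDS "TB" lines as "O3 - Toolbar".
HJT_PREFIX = {"BHO": "O2 - BHO", "TB": "O3 - Toolbar"}


class Entry(NamedTuple):
    kind: str             # "BHO" or "TB"
    name: str             # display name, empty if the log shows none
    clsid: Optional[str]  # "{...}" exactly as logged, or None
    target: str           # DLL path, or "No File"

    def is_orphaned(self) -> bool:
        """True when the registration points at a file that no longer exists."""
        return self.target.lower() == "no file"


def parse_entries(text: str) -> List[Entry]:
    """Extract BHO and toolbar entries from DDS pseudo-HJT lines."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # not a BHO/TB line
        kind, middle, target = match.groups()
        found = CLSID_RE.search(middle)
        clsid = found.group(0) if found else None
        name = CLSID_RE.sub("", middle).strip(" :")
        entries.append(Entry(kind, name, clsid, target.strip()))
    return entries


def triage_orphans(entries: List[Entry]) -> Tuple[List[str], List[Entry]]:
    """Split orphaned entries into HijackThis-style lines and manual-review items.

    Only nameless entries with a CLSID are rendered as HijackThis lines,
    matching the ones listed in the post above. Anything else that is
    orphaned (for example an entry with a name but no CLSID) is returned
    separately so a person can look at it.
    """
    fix_lines, manual = [], []
    for entry in entries:
        if not entry.is_orphaned():
            continue
        if entry.clsid and not entry.name:
            fix_lines.append(
                f"{HJT_PREFIX[entry.kind]}: (no name) - {entry.clsid} - (no file)"
            )
        else:
            manual.append(entry)
    return fix_lines, manual


if __name__ == "__main__":
    fixes, review = triage_orphans(parse_entries(SAMPLE_DDS))
    print("Orphaned entries in HijackThis wording:")
    for line in fixes:
        print("  " + line)
    print("Orphaned entries needing manual review:")
    for entry in review:
        print(f"  {entry.kind}: {entry.name or '(no name)'}")
```

The `BHO: NoExplorer - No File` line has no CLSID, so it lands in the manual-review list rather than in the generated lines.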

#9 alexnconifer

Posted 24 March 2009 - 10:12 AM

Hi, OK, I have done all the things you asked and am now posting the three logs as requested. In answer to your question, I had Trend Micro free HouseCall on here, and some time back it quit allowing me to load and run it; didn't think much of it at the time. I also deleted Registry Mechanic as suggested; I had just installed it prior to contact with you, in hopes of some remedy. I also have CC cleaner; do you recommend not running that one as well? Thanks again for all your excellent help, Alex in Conifer, CO

#10 chryssi2001

Posted 24 March 2009 - 02:35 PM

Hello alexnconifer,

"Please do not post attachments, unless I require them"

Did you see this note? Do not post attachments again please. Just click on post, and copy/paste the reports normally.
Attachments make my work difficult.

"Hi, OK, I have done all the things you asked and am now posting the three logs as requested. In answer to your question, I had Trend Micro free HouseCall on here, and some time back it quit allowing me to load and run it; didn't think much of it at the time. I also deleted Registry Mechanic as suggested; I had just installed it prior to contact with you, in hopes of some remedy. I also have CC cleaner; do you recommend not running that one as well? Thanks again for all your excellent help, Alex in Conifer, CO"

Ok since you have CA Internet security, we'll remove TrendMicro.

Please uninstall it, using Add/Remove programs, and reboot your pc. Be sure your browser is closed when uninstalling it.

If you wish to keep Trendmicro and remove CA do not run the Combofix-Script below.
Just let me know.

I want you also to uninstall Malwarebytes' Anti-Malware as it's a very messy installation. It is a very good program and I suggest downloading it again and using it often to scan your PC.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Folder::
    c:\program files\Trend Micro
    c:\program files\Registry Mechanic
    
    DDS::
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
    
    Driver::
    Antispyware Server Agent
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F3209E2-334B-41E9-B09C-703F398742E7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A160A3EB-B076-4190-92CF-9A9663F5F144}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{537853F4-1954-4d0f-A89D-669A91C7FE45}"=-
    [-HKEY_CLASSES_ROOT\clsid\{537853f4-1954-4d0f-a89d-669a91c7fe45}]
    [-HKEY_CLASSES_ROOT\TFSToolbar.TFSProtectorBar.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{D11A2419-659C-4cdd-84E6-BC4D2DD3964C}]
    [-HKEY_CLASSES_ROOT\TFSToolbar.TFSProtectorBar]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
    [-HKEY_CLASSES_ROOT\CLSID\{F41E55CA-6660-4350-8E3F-5004097E0AB0}]
    [-HKEY_CLASSES_ROOT\CLSID\{BC3A5F6F-12A0-4B14-A184-32939F413823}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tmtb]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\trendprotect]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Kaspersky report.

#11 chryssi2001

Posted 29 March 2009 - 05:25 AM

Due to the lack of feedback, this Topic is now closed and will not be reopened.
If you still need help, begin a new topic.

Applies only to the original poster, anyone else with similar problems please start a new topic.