
A Nasty, Stubborn, redirect thingy ...


This topic is locked
41 replies to this topic

#1 jacsma


Posted 05 July 2011 - 04:12 PM

A longish story, but want to give you as much background/info as possible.

A few days ago, I noticed my laptop running a bit sluggish, slow to open desktop, links, etc. I downloaded Google Chrome day before yesterday. Yesterday, while on a completely innocent site, reading a recipe - a malware "windows 7 tool" type thing popped up. Of course, it looked completely legit at first, until it finished its 'scan' (that I couldn't pause or stop) and told me I needed to 'upgrade' to a different level of this Microsoft 'tool' in order to fix all the problems. In trying to close it out, my desktop, icons, background, etc. disappeared (as I assume is the norm).
My son advised me to do a system restore to rid myself of it, and I did. That did bring back my desktop, icons, etc. and I haven't seen that "tool" pop up again, but now am stuck with the 'redirect' issue that so many others have had.

I have an active McAfee subscription, and that popped up once, telling me it had destroyed a trojan. When I opened McAfee, I noticed that my protection was "off". Every time I turned it on, I'd watch, and within 3 seconds, it turned itself off again. Whether or not this is related ... I don't know.
I downloaded Malwarebytes, and started a full system scan on that. While that was scanning, I finally got McAfee to run at the same time. Malwarebytes showed 2 infected files, McAfee showed 2 infected files and 14 tracking cookies. They both supposedly took care of the issues ... but the redirect continues.
I also notice that my "Internet/Protected Mode: On" keeps turning itself off as well. This used to stay "on" all the time, but now I have to keep turning it on manually every hour or so, when I notice it's not on.

Every time I try to run a different scan of another type (like avg, mcafee, security check, etc.) I get an error message pop up from Malwarebytes "[OpenEvent] Failed to perform desired action. Error Code:2"

I tried to run "hijackthis", but got an error message on that (sorry, don't remember what it was), and it wouldn't let it produce a log.

After reading several posts here from people with the same problem, I've taken a couple of the recommended steps, hoping to expedite your assistance. Be aware though, I'm a complete novice. You'll have to speak to me in pretty elementary language, with step by steps, etc.

I have a Dell Studio 1749, Intel Core i3, 64-bit operating system, Windows 7 Ultimate.

My redirect issue is with google search results (I haven't tried other search engines). It happens in both IE and Firefox. When I click on a search result, I'm taken to completely random sites like yellowpages.com, fitness.com, recipes.com, groupon.com, local.com, etc. This makes absolutely no sense to me. What's the point?

I ran the Security Check as advised in another user's post, and got this log result:
Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee Security Center
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.2.152.26
Adobe Reader 9.4.5
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.17)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
``````````End of Log````````````

I then ran the Malwarebytes again, and got this log result:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7029

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/5/2011 4:33:27 PM
mbam-log-2011-07-05 (16-33-27).txt

Scan type: Quick scan
Objects scanned: 187313
Time elapsed: 7 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Now what?

Thank you in advance for taking the time to read my post, and respond.

#2 Broni


Posted 05 July 2011 - 04:25 PM

Welcome aboard

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

==================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#3 jacsma


Posted 05 July 2011 - 08:35 PM

Here's the log from part 1 of your instructions:

MiniToolBox by Farbar
Ran by pam (administrator) on 05-07-2011 at 21:31:43
Windows 7 Ultimate (X64)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
Hosts file not detected in the default diroctory
================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : pam-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
Physical Address. . . . . . . . . : 00-27-10-10-3A-25
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : 00-27-10-10-3A-25
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6200 AGN
Physical Address. . . . . . . . . : 00-27-10-10-3A-24
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f04e:9aa3:7fed:2f91%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, July 05, 2011 9:29:00 PM
Lease Expires . . . . . . . . . . : Wednesday, July 06, 2011 9:29:01 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 184559376
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-FF-EB-18-00-26-B9-F7-A7-F2
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-26-B9-F7-A7-F2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{A4B20C38-5245-413D-B694-49AE7E577F1A}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{45C116A6-3AA8-4442-ACEC-FC26BA5A414D}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2c05:3a2a:b8be:369(Preferred)
Link-local IPv6 Address . . . . . : fe80::2c05:3a2a:b8be:369%15(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{168D3F4C-3E61-471F-8B7C-0888CA302A1C}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{FE3AA4BC-12BE-46EE-AB09-8FDD152B48BB}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.93.99
74.125.93.147
74.125.93.106
74.125.93.105
74.125.93.104
74.125.93.103


Pinging google.com [74.125.93.103] with 32 bytes of data:
Reply from 74.125.93.103: bytes=32 time=31ms TTL=53
Reply from 74.125.93.103: bytes=32 time=31ms TTL=53

Ping statistics for 74.125.93.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 31ms, Average = 31ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56


Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=89ms TTL=52
Reply from 98.137.149.56: bytes=32 time=85ms TTL=52

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 85ms, Maximum = 89ms, Average = 87ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
14...00 27 10 10 3a 25 ......Microsoft Virtual WiFi Miniport Adapter #2
13...00 27 10 10 3a 25 ......Microsoft Virtual WiFi Miniport Adapter
12...00 27 10 10 3a 24 ......Intel® Centrino® Advanced-N 6200 AGN
11...00 26 b9 f7 a7 f2 ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.2 281
192.168.1.2 255.255.255.255 On-link 192.168.1.2 281
192.168.1.255 255.255.255.255 On-link 192.168.1.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.2 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
15 58 ::/0 On-link
1 306 ::1/128 On-link
15 58 2001::/32 On-link
15 306 2001:0:4137:9e76:2c05:3a2a:b8be:369/128
On-link
12 281 fe80::/64 On-link
15 306 fe80::/64 On-link
15 306 fe80::2c05:3a2a:b8be:369/128
On-link
12 281 fe80::f04e:9aa3:7fed:2f91/128
On-link
1 306 ff00::/8 On-link
15 306 ff00::/8 On-link
12 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/05/2011 04:43:28 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16800, time stamp: 0x4db1c462
Faulting module name: mshtml.dll, version: 8.0.7600.16821, time stamp: 0x4de084b7
Exception code: 0xc0000005
Fault offset: 0x0000000000240d68
Faulting process id: 0x1dc4
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (07/05/2011 04:25:19 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16800, time stamp: 0x4db1c462
Faulting module name: mshtml.dll, version: 8.0.7600.16821, time stamp: 0x4de084b7
Exception code: 0xc0000005
Fault offset: 0x00000000001a4f57
Faulting process id: 0x18ec
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (07/05/2011 01:10:19 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15600

Error: (07/05/2011 01:10:19 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15600

Error: (07/05/2011 01:10:19 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/05/2011 11:48:34 AM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7600.16450, time stamp: 0x4aebab8d
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000005d30f8
Faulting process id: 0xf7c
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3

Error: (07/04/2011 08:41:15 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16800, time stamp: 0x4db1c462
Faulting module name: mshtml.dll, version: 8.0.7600.16821, time stamp: 0x4de084b7
Exception code: 0xc0000005
Fault offset: 0x0000000000240d68
Faulting process id: 0x1714
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (07/04/2011 07:46:14 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16800, time stamp: 0x4db1c462
Faulting module name: mshtml.dll, version: 8.0.7600.16821, time stamp: 0x4de084b7
Exception code: 0xc0000005
Fault offset: 0x0000000000240d68
Faulting process id: 0x1dd4
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (07/04/2011 05:47:33 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16800, time stamp: 0x4db1c462
Faulting module name: mshtml.dll, version: 8.0.7600.16821, time stamp: 0x4de084b7
Exception code: 0xc0000005
Fault offset: 0x0000000000240d68
Faulting process id: 0x187c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (07/04/2011 04:53:30 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16800, time stamp: 0x4db1c462
Faulting module name: mshtml.dll, version: 8.0.7600.16821, time stamp: 0x4de084b7
Exception code: 0xc0000005
Fault offset: 0x0000000000240d68
Faulting process id: 0x1ab0
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3


System errors:
=============
Error: (07/05/2011 09:29:40 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/05/2011 09:29:28 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/05/2011 09:29:06 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/05/2011 09:29:01 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/05/2011 09:29:01 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/05/2011 09:29:00 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/05/2011 09:29:00 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/05/2011 09:28:59 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/05/2011 09:28:57 PM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (07/05/2011 09:28:55 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.


Microsoft Office Sessions:
=========================
Error: (07/05/2011 04:43:28 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.168004db1c462mshtml.dll8.0.7600.168214de084b7c00000050000000000240d681dc401cc3b540761b3d7C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dll6f3e01f3-a747-11e0-a350-0026b9f7a7f2

Error: (07/05/2011 04:25:19 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.168004db1c462mshtml.dll8.0.7600.168214de084b7c000000500000000001a4f5718ec01cc3b4e007ae449C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dlle65e3460-a744-11e0-a350-0026b9f7a7f2

Error: (07/05/2011 01:10:19 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15600

Error: (07/05/2011 01:10:19 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15600

Error: (07/05/2011 01:10:19 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/05/2011 11:48:34 AM) (Source: Application Error)(User: )
Description: Explorer.EXE6.1.7600.164504aebab8dunknown0.0.0.000000000c000000500000000005d30f8f7c01cc3b29be977d58C:\Windows\Explorer.EXEunknown3cc0599b-a71e-11e0-bafb-0026b9f7a7f2

Error: (07/04/2011 08:41:15 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.168004db1c462mshtml.dll8.0.7600.168214de084b7c00000050000000000240d68171401cc3aaa9b97f0a6C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dll7cdfad73-a69f-11e0-b408-0026b9f7a7f2

Error: (07/04/2011 07:46:14 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.168004db1c462mshtml.dll8.0.7600.168214de084b7c00000050000000000240d681dd401cc3aa390b1dbe5C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dllcd4efad8-a697-11e0-b6de-0026b9f7a7f2

Error: (07/04/2011 05:47:33 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.168004db1c462mshtml.dll8.0.7600.168214de084b7c00000050000000000240d68187c01cc3a92cbde2c35C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dll38a3ced9-a687-11e0-b6de-0026b9f7a7f2

Error: (07/04/2011 04:53:30 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.168004db1c462mshtml.dll8.0.7600.168214de084b7c00000050000000000240d681ab001cc3a8b5663b115C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dllab903d63-a67f-11e0-b6de-0026b9f7a7f2


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 46%
Total physical RAM: 3764.52 MB
Available physical RAM: 2010.74 MB
Total Pagefile: 7527.19 MB
Available Pagefile: 5048.93 MB
Total Virtual: 4095.88 MB
Available Virtual: 3980.89 MB

======================= Partitions: =======================================

1 Drive c: (OS) (Fixed) (Total:581.48 GB) (Free:502.46 GB) NTFS

================= Users: ==================================================

User accounts for \\PAM-PC

-------------------------------------------------------------------------------
Administrator Guest pam
The command completed successfully.

================= End of Users ============================================


I'll post part 2 of your instructions as soon as it's complete.

#4 jacsma


Posted 05 July 2011 - 10:26 PM

Okay, I ran GMER. When it ended, the only text in the box was something like C:\tempfiles ..... 32000 bytes
and then another line of the same kind of info...

I thought this wasn't enough info and there must be a mistake, so I ran the scan again.

This time, a box popped up with the text "GMER hasn't found any system modification". Immediately after this popped up, another box popped up telling me to enter a correct email address. I clicked okay on each of these, and then ran the scan again, this time getting the same box "GMER hasn't found any system modification". That's it.

#5 Broni


Posted 05 July 2011 - 10:42 PM

That's a normal message, if no changes have been found.

We don't have much so far.

One thing we have to fix is the missing "hosts" file.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :filefind
    hosts
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#6 jacsma


Posted 05 July 2011 - 11:57 PM

I got nervous that I had done something wrong or missed something. I'm not sure that AVG was disabled when the scans ran on GMER. AVG only lets you disable for a max of 15 minutes. I checked to be sure that McAfee was disabled and disabled AVG again, and then started the GMER scan immediately. The results were different this time.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-06 00:52:27
Windows 6.1.7600
Running: 0ji26t12.exe


---- Files - GMER 1.0.15 ----

File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\banner_renderer_detect[1].js 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\clogo-frost[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\Earthlink1[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\shadowbox-en[1].js 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\shadowbox-jquery[1].js 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\shadowbox.skin2.3rc1[1].js 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\shadowbox[1].css 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\BlueBar[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\c-bottom[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\CAKK28OL.HTM 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3BT50Z2C\adinfo[1].php 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\photo_default[1].jpg 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\bkgd-button-300[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\c-right[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\footer_bkgd[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\view[1].gif 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\95351[1].jpg 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\grid[1].css 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\icon-customerservice[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\clogo-pnc[1].gif 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\shadowbox.skin2[1].css 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\st[1].htm 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9NYVE91W\jquery.tools.min[1].js 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\clogo-cb[1].gif 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\hotoff[1].jpg 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\CrateBarrel2[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\c-bottom-right[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\social-icon-home[1].png 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\shadowbox-img[1].js 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\269748[1].jpg 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\2f0c7185e02c19cf0a739884d4938bd001ba0f8d[1].jpg 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\39f03b1bbe27abf4939703e4bef17a1d1f09d355[1].jpg 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\69996de30018d6789a6ad177b37bcb6156beed3d[1].jpg 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\8d8c039efa625d2411cb475382844eeb136da0e2[1].jpg 0 bytes
File C:\Users\pam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNT4RXVD\Bell1[1].png 0 bytes
File C:\Users\pam\AppData\Roaming\Microsoft\Windows\Cookies\Low\pam@scanscout[1].txt 2001 bytes
File C:\Users\pam\AppData\Roaming\Microsoft\Windows\Cookies\Low\pam@adme.mevio[1].txt 0 bytes

---- EOF - GMER 1.0.15 ----


working on the next step now..... (thank you)

#7 jacsma

jacsma
  • Topic Starter

  • Members
  • 23 posts
  • Local time:05:44 AM

Posted 06 July 2011 - 12:01 AM

SystemLook 04.09.10 by jpshortstuff
Log created at 00:59 on 06/07/2011 by pam
Administrator - Elevation successful

========== filefind ==========

Searching for "hosts"
C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\hosts --a---- 824 bytes [21:00 10/06/2009] [21:00 10/06/2009] 3688374325B992DEF12793500307566D

-= EOF =-

EDIT: HJT Post Removed ~Budapest

Edited by Budapest, 06 July 2011 - 07:02 PM.


#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,662 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:44 AM

Posted 06 July 2011 - 06:27 PM

We're not allowed to work with HJT logs in this forum, so please don't post any extra logs.

Let's start with fixing "hosts" file issue.

Open Notepad.
Copy all text from the following code box and paste it into Notepad window:

@echo off
copy C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\hosts C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
exit

Save the file as fix.bat.

Double click fix.bat to run it.
A pop-up window will open and you'll see the number of files being copied.
The window will close, when all copying is done.

Re-run System Look with the same code as in my reply #5.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click here.


#9 jacsma

jacsma
  • Topic Starter

  • Members
  • 23 posts
  • Local time:05:44 AM

Posted 06 July 2011 - 07:19 PM

When I double-click fix.bat, a black box appears, but the text says "access denied" "0 file(s) copied".

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,662 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:44 AM

Posted 06 July 2011 - 07:59 PM

Take ownership of C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder: http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/ and try again.



#11 jacsma

jacsma
  • Topic Starter

  • Members
  • 23 posts
  • Local time:05:44 AM

Posted 06 July 2011 - 08:52 PM

SystemLook 04.09.10 by jpshortstuff
Log created at 21:47 on 06/07/2011 by pam
Administrator - Elevation successful

========== filefind ==========

Searching for "hosts"
C:\Windows\System32\drivers\etc\hosts --a---- 824 bytes [01:45 07/07/2011] [21:00 10/06/2009] 3688374325B992DEF12793500307566D
C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\hosts --a---- 824 bytes [21:00 10/06/2009] [21:00 10/06/2009] 3688374325B992DEF12793500307566D

-= EOF =-
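The fix in reply #8 works because Windows keeps an untouched copy of the default hosts file under WinSxS, and the SystemLook log above confirms the repair: the live file in System32\drivers\etc now has the same size (824 bytes) and the same MD5 as the WinSxS copy. The script below is an added example, not part of SystemLook or of the advice given in this thread. It parses SystemLook "filefind" result lines and reports whether the live hosts file still matches a WinSxS baseline. The two log lines in CLEAN_LOG are the ones posted above; TAMPERED_LOG is constructed (the 1460-byte size and the 0123...CDEF hash are made up) to show what a replaced hosts file would look like in the same output.

```python
"""Check a SystemLook "filefind" log for a hosts file that no longer matches the
pristine copy Windows keeps under WinSxS. Added example; not part of SystemLook."""
import re
from dataclasses import dataclass
from typing import Dict, List

# The two result lines below are the ones quoted in this thread.
CLEAN_LOG = r"""SystemLook 04.09.10 by jpshortstuff
Log created at 21:47 on 06/07/2011 by pam
Administrator - Elevation successful

========== filefind ==========

Searching for "hosts"
C:\Windows\System32\drivers\etc\hosts --a---- 824 bytes [01:45 07/07/2011] [21:00 10/06/2009] 3688374325B992DEF12793500307566D
C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\hosts --a---- 824 bytes [21:00 10/06/2009] [21:00 10/06/2009] 3688374325B992DEF12793500307566D

-= EOF =-
"""

# Constructed sample: the live hosts file is larger than, and hashes differently
# from, the WinSxS baseline (size and MD5 are made-up values).
TAMPERED_LOG = r"""Searching for "hosts"
C:\Windows\System32\drivers\etc\hosts --a---- 1460 bytes [01:45 05/07/2011] [21:00 10/06/2009] 0123456789ABCDEF0123456789ABCDEF
C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\hosts --a---- 824 bytes [21:00 10/06/2009] [21:00 10/06/2009] 3688374325B992DEF12793500307566D
"""

# One filefind result line: <path> <attrs> <size> bytes [modified] [created] <md5>
_LINE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileRecord:
    path: str
    attrs: str
    size: int
    modified: str
    created: str
    md5: str


def parse_filefind(text: str) -> List[FileRecord]:
    """Return every filefind result line as a FileRecord; header/footer lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            records.append(FileRecord(
                path=m["path"], attrs=m["attrs"], size=int(m["size"]),
                modified=m["modified"], created=m["created"], md5=m["md5"].upper()))
    return records


def check_hosts(records: List[FileRecord]) -> Dict[str, str]:
    """Compare the live hosts file against the WinSxS copy (or copies) found in the log."""
    live = [r for r in records if r.path.lower().endswith(r"\system32\drivers\etc\hosts")]
    baseline = [r for r in records
                if "\\winsxs\\" in r.path.lower() and r.path.lower().endswith("\\hosts")]
    if not live:
        return {"status": "missing_live", "detail": "no System32\\drivers\\etc\\hosts in log"}
    if not baseline:
        return {"status": "no_baseline", "detail": "no WinSxS copy of hosts in log"}
    known_good = {b.md5 for b in baseline}
    cur = live[0]
    if cur.md5 in known_good:
        return {"status": "match", "detail": f"hosts MD5 {cur.md5} equals the WinSxS copy"}
    return {"status": "mismatch",
            "detail": f"live hosts is {cur.size} bytes, MD5 {cur.md5}; "
                      f"WinSxS baseline MD5 {sorted(known_good)[0]}"}


if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("tampered", TAMPERED_LOG)):
        print(name, check_hosts(parse_filefind(log)))
```

A "mismatch" verdict only means the file differs from the shipped default; a hosts file with legitimate local entries will also differ, so the next step is to read the file, not to assume infection.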

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,662 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:44 AM

Posted 06 July 2011 - 08:57 PM

Good job :)

How is redirection now?



#13 jacsma

jacsma
  • Topic Starter

  • Members
  • 23 posts
  • Local time:05:44 AM

Posted 07 July 2011 - 12:05 PM

Last time I checked, it was still redirecting. I rebooted to see if that would make a difference, and am now without a laptop. The blue screen flashes for a millisecond, and then tries to boot up, but then says it can't. It offers to repair or open normally. If I choose repair, it scans forever (and says the scan cannot be stopped once it's started) and then tells me it can't fix my problem and offers again to repair or start up normally. I can't start it safe mode, safe mode command prompt, or any other way.
Unfortunately, I stupidly didn't create a backup CD when I got my computer, and they didn't send an operating CD with it, just instructions on how to create one. I'm using my antique desktop right now, but have someone emailing me a file for me to save to CD to run that will hopefully be the same as the operating backup CD that I should have made.

At this point, I'm just waiting to see if I can get it to come on again. If I do, I'll let you know if it's still redirecting.

A separate question for you ... as I'm just curious...

I just read a post from another user that started out with the same Windows 7 repair virus that I had, and who now has the same remnant redirect issue. He is being helped/coached by a different user, who has instructed this person to take completely different steps and use completely different scans, etc. Are these various steps, tools used just as a matter of personal preference, and they all basically arrive with the same end result?

This is the biggest nightmare I've ever had with a computer. I've had my last Dell (the "antique" I'm typing on now) for almost 12 years. It still runs, but the memory, etc. is so outdated, I decided to buy a new Dell laptop. I'm very careful regarding viruses, links, etc. I use my computer an average of probably 16 hours a day, and I haven't had a virus/bug issue in more than 7 years. I had McAfee up and running when I got hit with this thing. The cybercrooks are obviously multiplying and getting better at what they do. I don't know how a person can protect themselves nowadays.

I'll let you know if I ever get my computer to come back on.

#14 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,662 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:44 AM

Posted 07 July 2011 - 08:18 PM

Are these various steps, tools used just as a matter of personal preference, and they all basically arrive with the same end result?

Normally we use this manual to remove said infection: http://www.bleepingcomputer.com/virus-removal/remove-windows-7-repair

What happened here and why you can't boot, I'm not sure. We really didn't fix anything yet.

I'll report this topic to people, who deal with this kind of situation.
Someone will come here shortly.



#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:44 PM

Posted 08 July 2011 - 01:03 AM

Hi jacsma,

I will be assisting you from now on with your issue.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



