8 steps completed after getting redirected on the internet

Status
Not open for further replies.
Hello, this is my first post but I stumbled across this site when I was searching for a solution to my computer problem.

The main symptom I had was that whenever I was clicking on links on websites, no matter what it was, I would periodically get redirected to a different site, namely fling.com, even though I had never been to the site prior. Not every link would go to this site. Sometimes it happened and sometimes it wouldn't, so I don't know what triggered it.

I have completed the 8 steps and have attached my logs. So far I haven't experienced the redirection since completing the steps, but does that mean it all worked and I'm done? What should I do now?

Anyways, for the first step I used Sophos Antivirus, and all it found was SearchIt adware, which it quarantined. There was a link describing it but I can't post it here.

Thanks for any help you guys might have
 
Hi Dela

Great job.

Run HJT, scan only, then select and remove the items below:

O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')

You need to run MBAM again in case the items removed in the last run exposed others not seen on the 1st run.

And due to the content of the logs do the below.

ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
I'm going to step in because some things were missed that need to be handled:

Re SAS: you have Tracking Cookies that you need to have SAS remove. One of them is ad.yieldmanager.com, which needs to be handled this way:

Open Internet options> Security tab> Trusted Sites> highlight and remove ad.yieldmanager.com
Once done, go to Restricted Sites> Sites> type in *.ad.yieldmanager.com then click on Add.

Reset Cookies:
Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Regarding the SafeNet Sentinel you have:
Please check this vulnerability. Make sure it's patched:
SafeNet Sentinel Protection Server/Key Server Directory Traversal Vulnerability:
http://secunia.com/advisories/27811

I will tell you right up front that you have WAY too many programs and processes running! If speed is an issue for you, this is why. The entire list of O4 processes is loading every time you start up the computer!

The ONLY processes you need on Startup are the AV program, firewall, and for your laptop, the Appoint touchpad- NOTHING else!

Are you really using all those Toshiba processes? If not, take them off Startup! Mike, maybe you can help Dela slim down those startups when through.

You are also using duplicate translating programs: IME and Phime:
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

The IEHOME processes Mike told you to remove are a Backdoor Proxy. That may be causing the redirect.

Mike, let's have the user remove this too:
O18 - Filter hijack: text/html - {b95fab61-4677-4c95-99ed-a3b077298685} - C:\WINDOWS\system32\mst120.dll
 
OK, so I ran the HijackThis scan and removed the 3 things Mike listed. I also ran MBAM again and it didn't find anything. I have been trying to run ComboFix but it's in Asian symbols which I can't seem to change. I think the laptop, which isn't mine, is set up with Asian symbols; I'm just borrowing it and trying to fix what I caused.

Any ideas how I can turn off the Asian symbols for now so that I can run ComboFix and then turn them back on later?

As for Bobby's instructions... ad.yieldmanager.com was not listed in the trusted site area so I couldn't remove it, but I did add it to the restricted site area. I also reset the cookies as per your instructions. I didn't do anything beyond that. I'm a little confused what I am supposed to do in regard to the SafeNet Sentinel.

As for having too many programs running... the slowness hasn't been a problem and since it's not my laptop, I figured there's a reason for all the Toshiba processes and don't really feel comfortable about removing them since it's not my laptop...

Sorry if I'm being difficult... I'm a beginner and I really just wanted to get rid of the redirection thing that started happening only after I had used the laptop for a couple of days. I didn't want to give it back with problems....

I ran hijackthis again and removed the:
O18 - Filter hijack: text/html - {b95fab61-4677-4c95-99ed-a3b077298685} - C:\WINDOWS\system32\mst120.dll

the latest HJT log is attached...

Is there anything else I can do? Sorry if I'm being difficult!!
 
Hi Dela

Not sure if all else runs OK, what the issue is with ComboFix.

D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
No install; just run it, delete all it finds, decline to reboot on each item found until the program finishes, then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

Please make a note of what it found if any as it has no log.

So let's get a deep look to see if we can see anything else.

Then get and Run: http://info.prevx.com/downloadcsi.asp

Download OTScanIt: http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe
Close all Apps and Browsers

Download and save to Desktop, then double-click and extract the files to an OTScanIt folder.

If your firewall or other security or malware protections pop up, you should allow them to let OTScanIt run.

Enter the OTScanIt folder and run OTScanIt.exe.

In Additional Scans select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings

Top Left click Run Scan.

The scan can take some time so allow it time.

When finished, a log will open; save the log and attach its contents back here.

Mike
 
Have you been asked to do something with this laptop other than use it? I ask specifically because of the two Asian language translating programs. IF the original user has that set up, the circumstances of your use make me question whether the original user wants changes made.

The HijackThis log now shows this entry:
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
psexesvc.exe is not in itself malicious but this file is used by various worms to replicate and Trojans to gain access to your PC.

When you began using the laptop, did you experience any problem then? At what point did they begin? When did 'fling.com' start? It is among other things a dating site. It is also suspected of being a scam.
 
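The HijackThis entries Bobby calls out in his two posts above (the IEHOME O4 startup items launched as SYSTEM from a Temp folder, the O18 text/html filter hijack, and the O23 PSEXESVC service) are the kind of lines worth triaging mechanically rather than by eye. The Python below is an added example, not part of this thread and not a HijackThis feature: it parses those three line types and reports why each is worth attention. The sample log is constructed from the entries quoted in the posts plus two made-up benign lines for contrast, and the rules it applies (Temp-folder paths, script targets, startup entries for the SYSTEM or Default user profile, any registered MIME filter, the PSEXESVC service) are my assumptions about what a practitioner would flag, not a list from HijackThis.

```python
"""Triage the HijackThis entry types discussed in this thread: O4 startup
items, O18 MIME filters and O23 services. Added example, not a tool from the
thread. SAMPLE_LOG is constructed from the entries quoted in the posts plus
two invented benign lines (the IME Run key is real, AudioSrv is made up)."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O18 - Filter hijack: text/html - {b95fab61-4677-4c95-99ed-a3b077298685} - C:\WINDOWS\system32\mst120.dll
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Windows Audio (AudioSrv) - Microsoft - C:\WINDOWS\system32\svchost.exe
"""

# Line shapes as HijackThis prints them (".DEFAULT User Startup:" also occurs).
O4_STARTUP = re.compile(
    r"^O4 - (?P<who>\S+) (?:User )?Startup: (?P<lnk>.+?) = (?P<target>.+?) \(User '(?P<user>[^']+)'\)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O18_FILTER = re.compile(r"^O18 - Filter hijack: (?P<mime>\S+) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<dll>.+)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>\w+)\) - (?P<vendor>.*?) - (?P<path>.+)$")

SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".pif", ".scr")
# Startup folders that apply to every logon, not just one user's profile.
SYSTEMWIDE_STARTUP = {"SYSTEM", "Default user"}
# Assumption: the only remote-execution service this thread names.
REMOTE_EXEC_SERVICES = {"PSEXESVC"}


@dataclass
class Finding:
    line: str
    reasons: list


def in_temp(path):
    return "\\temp\\" in path.lower()


def exe_of(cmd):
    """Executable of a Run-key command: the quoted path, or text up to the first .exe."""
    if cmd.startswith('"'):
        return cmd[1:].partition('"')[0]
    m = re.match(r"(?i)(.+?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_line(line):
    """Return the reasons one log line deserves attention (empty list if none)."""
    reasons = []
    if m := O4_STARTUP.match(line):
        target = m["target"]
        if in_temp(target):
            reasons.append("startup shortcut points into a Temp directory")
        if target.lower().endswith(SCRIPT_EXT):
            reasons.append("startup shortcut launches a script rather than an installed program")
        if m["user"] in SYSTEMWIDE_STARTUP:
            reasons.append(f"registered for '{m['user']}', so it runs regardless of who logs on")
    elif m := O4_RUN.match(line):
        if in_temp(exe_of(m["cmd"])):
            reasons.append(f"{m['hive']} {m['key']} entry executes from a Temp directory")
    elif m := O18_FILTER.match(line):
        # A MIME filter sits in the download path for every document of that type.
        reasons.append(f"MIME filter on {m['mime']} loads {m['dll']} into every such page the browser renders")
    elif m := O23_SERVICE.match(line):
        if m["name"].upper() in REMOTE_EXEC_SERVICES:
            reasons.append("remote-execution service present; legitimate tool, confirm who installed it")
    return reasons


def triage(log_text):
    """Run triage_line over a whole log and keep only the lines with reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the constructed log, the IME Run key and the AudioSrv line pass silently and the four entries the helpers asked to have removed or explained come out with their reasons, which is the same call Mike and Bobby made by hand.
 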
I have honestly just used it for the microsoft word, internet and messenger. When I first got it, which was maybe two weeks ago everything seemed fine. I only had to switch the language when using word so that I could type in English. No problems with the internet until last night when I kept on getting redirected to that site.



Xclean found and removed:

Detected Consumer Alert System:
Registry Keys (1) :
HKEY_CLASSES_ROOT\AppID\Main.DLL

After the scan I rebooted and PrevX found

THREAT C:\Documents and Settings\yang\Local Settings\Temporary I

I couldn't see the rest of the name, but under threat it says worm. I also couldn't clean up; it required a license activation. Do I have to buy this?

I have attached the log from OTScanit
 
I think Prevx has changed to this recently. Uninstall and remove it. Do not purchase.

We appear to be clean of Malware. So if we still have issues they are not Malware related.

But I would still like to see a Combofix run to be sure. Try renaming ComboFix.exe to KomboFix.exe and try to run once again.

So what doesn't work, what needs fixing?

Mike
 
Everything seems to be working fine now. Thanks for all your help Mike and Bobby! I really appreciate it.

Dela
 