TechSpot

8 steps logs inside

By gmh265
Mar 4, 2009
  1. Updated: 8 steps logs inside/google redirections

    Hello,

    I have had a problem with my work PC for the last few weeks where my webpages get redirected when clicking on links, to pages like

    ww.monstermarketplace.com/searchknt.asp?q=ls


    I have attached my log files.

    Thanks for any help
     


  2. gmh265

    gmh265 TS Rookie Topic Starter

    I have done some more research and found that the webpage redirections go through the address 208.122.40.126 and 208.122.40.130

    does that help?

    Thanks
     
  3. gmh265

    gmh265 TS Rookie Topic Starter

    any ideas on this one guys? thanks
     
  4. touch

    touch TS Rookie Posts: 978

    Run a scan with HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
    F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    Reboot to safe mode:
    Begin tapping the F8 key every few seconds as the system boots up until the screen offering
    the Safe Mode option appears (if Windows launches before you can choose a Safe Mode, restart your
    computer and try again).

    SHOW HIDDEN FILES
    1. Click Start button, then go to Programs, Accessories and click on Windows Explorer.
    2. Select the Tools menu and click Folder Options.
    3. Select the View Tab.
    4. Under the "Hidden files and folders" heading please check Show hidden files and folders.
    5. Uncheck the Hide protected operating system files (Recommended) option.
    6. Click Yes to confirm.
    7. Click OK.


    Delete this file ->
    C:\WINDOWS\system\svchost.exe

    NB. You have a legal Microsoft svchost.exe file, located here:
    C:\WINDOWS\system32\svchost.exe << don't delete it

    Reboot normally, post new HijackThis log (attach it) and tell how things are running now
     
  5. kritius

    kritius TS Guru Posts: 2,084

    The F2 entry is fine. Leave it alone.

    I don't see an antivirus program installed.



    Today's internet is simply suicide without an up to date antivirus.

    Not much point in you and I cleaning up the system if you refuse to protect yourself.

    However -- if you don't understand or cannot install an antivirus -- please let me know.



    Please download ONE of the following antivirus programs and install it.


    Once installed, Update it, run full system scan with it and allow it to fix up what it wants.

    Reboot if it fixed anything.



    You should get a firewall as well, either,


    Rename HijackThis.exe to gmh265.exe by doing the following;



    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to gmh265.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Are you working off the same Hijackthis log kritius?

    Here's what I say (just to put 3 points of view into this ;)

    Uninstall your AVG Antivirus
    Then run the removal tool
    Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

    Install Avira free AntiVirus

    Start up Malwarebytes again; Update it; then run another full scan (remove all found Malwares)
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Potentially not, had three or four logs open at once. Don't know how I missed it. Must still be rusty.:eek:
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi kritius

    Don't I know how easy that is, as I have done it often. Not so much that I had them open but after reading several in succession remember the wrong one!

    For the fourth point of view, the F2 should be removed as even though it is the legit svchost running from the correct location, it should not be attached to userinit.

    Removing the F2 will only un-attach it from the userinit and will not bother the svchost!

    Mike
     
  9. gmh265

    gmh265 TS Rookie Topic Starter

    Hey guys, Thanks for all of the replies!

    I will have a go at it after work today and see how it goes. (that way if I break it I have all night to fix it :)

    You don't think AVG is any good? I will install Avira instead

    Cheers
     
Topic Status:
Not open for further replies.
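
Added example, not part of any post in the thread: a small Python triage of the two HijackThis lines quoted above. It splits the F2 UserInit value into its comma-separated programs and reports anything other than userinit.exe, and reports BHOs whose file is listed as "(no file)". The C:\WINDOWS install path is taken from the quoted log lines; the third sample line and the function names are constructed for illustration.

```python
import ntpath
import re

# Assumption: Windows lives in C:\WINDOWS, as in the log lines quoted in the thread.
SYSTEM32 = r"c:\windows\system32"
EXPECTED = {"userinit.exe", SYSTEM32 + r"\userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")

def review_userinit(value):
    """Return (program, reason) for every Userinit entry other than userinit.exe."""
    findings = []
    for item in value.split(","):
        prog = item.strip().strip('"')
        if not prog or prog.lower() in EXPECTED:
            continue  # empty trailing field or the normal userinit.exe entry
        reason = "extra program launched at logon via Userinit"
        folder, name = ntpath.split(prog.lower())
        if name == "svchost.exe" and folder != SYSTEM32:
            reason += "; svchost.exe outside system32"
        findings.append((prog, reason))
    return findings

def review_log(lines):
    """Return (section, item, reason) tuples for F2 UserInit and O2 BHO lines."""
    findings = []
    for line in lines:
        line = line.strip()
        m = F2_RE.match(line)
        if m:
            findings += [("F2", p, r) for p, r in review_userinit(m["value"])]
            continue
        m = O2_RE.match(line)
        if m and m["file"].strip().lower() == "(no file)":
            findings.append(("O2", m["clsid"], "BHO registered but its file is missing"))
    return findings

SAMPLE = [
    # The first two lines are the ones quoted in the thread.
    r"F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    # Constructed line: a BHO whose file is present, which is not reported.
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",
]

if __name__ == "__main__":
    for section, item, reason in review_log(SAMPLE):
        print(f"{section}: {item} -> {reason}")
```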
