TechSpot

Adware, redirected links, and "missing cd"

By rhinotough
May 6, 2009
  1. Yesterday I began encountering some difficulties with adware. I downloaded, ran, and promptly uninstalled the latest free Adaware which found 4 "problems" that I deleted but that didn't help. I keep getting directed to ad sites (most helpfully for mcafee and norton security packages) and I'm also getting an error message (c0000013 Parameters 75b6bf7c 75b6bf7c 75b6bf7c) that means I need to insert the proper cd. I'm running XP. Here's the HJT file I created this morning. Can't wait to hear from you folks!
     
  2. touch

    touch TS Rookie Posts: 978

  3. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    It mostly worked....

    I followed all 8 steps as you recommend. The proxy server that Firefox was operating on has failed to respond anymore and my google homepage no longer works. I've attached the log files for all Malwarebytes, SAS, and HJT.
     
  4. touch

    touch TS Rookie Posts: 978

    I assume you don't use a proxy server, as it was not shown in your first HijackThis log.

    Go to Internet Settings
    From the "Tools" menu, select "Internet Options".
    Click the "Connections" tab.
    Under "Local Area Network Settings," select "LAN Settings".
    Under the header of "Proxy Server," uncheck "Use a Proxy Server."
    Click "OK" twice to save your preferences.

    Restart Internet Explorer.

    Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

    Choose one of the servers at Majorgeeks....save the file on your desktop

    Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
    Run HostsXpert 4.2 - Hosts File Manager from its new home
    Click on "File Handling".
    Click on "Restore MS Hosts File".
    Click OK on the Confirmation box.
    Click on "Make Read Only?"
    Click the X to exit the program.

    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe
    And save to the desktop.


    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  5. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    I simply switched to "No proxy" in the "Configure proxies to access the internet" in "Settings" section of the "Advanced" tab in Firefox's "Options" menu under "Tools". Will that cause me more problems? It seems to be working just fine.

    This is the only text file that I think could be the logfile. I ran the CFScript through Combofix twice and restarted after each run. The Comodo firewall that I installed per the 8 steps threw up a bunch of red flags but I OKd all of them. Thanks so much for all your help thus far!
     
  6. touch

    touch TS Rookie Posts: 978

  7. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    Ok, that one worked! Thanks. Here's the log.
     
  8. touch

    touch TS Rookie Posts: 978

    Great :)

    Please download http://swandog46.geekstogo.com/avenger2/download.php
    by Swandog46 to your Desktop.
    Click on Avenger.zip to open the file
    Extract avenger2.exe to your desktop

    Start Avenger

    Copy/Paste all the text in the above quote box into the main window
    Click Execute

    The Avenger will automatically do the following:
    It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)

    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions.

    This log file will be located at C:\avenger.txt

    Attach C:\avenger.txt in next reply.

    If you can run combofix now, please do, and attach that log as well
     
  9. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    Hmm, I ran it but it doesn't seem to have worked. ComboFix didn't run either.
     
  10. touch

    touch TS Rookie Posts: 978

    Looks like the files and folders don't exist. Please attach a new HijackThis log.
     
  11. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    Ok, glad it worked at least. Here's the new HJT.
     
  12. touch

    touch TS Rookie Posts: 978

    I can't find it! :D
     
  13. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    Wonderful! Thanks for all your work. I'm still experiencing the problem of links being redirected to the wrong website. Do you have any thoughts about that?
     
  14. touch

    touch TS Rookie Posts: 978

    What I meant was - you wrote -> Here's the new HJT.

    You have NOT attached a HijackThis log!
     
  15. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    Oh darn! ok, here it is
     
  16. touch

    touch TS Rookie Posts: 978

    Great :D

    Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
    O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user')
    O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
    O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe



    Reboot, attach fresh hijackthis log.
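Added example, not part of the original thread: a small Python parser for the HijackThis O4 (autorun) line format shown in the post above, which sorts entries by where the launched program lives. The three verdict labels and the rules behind them are assumptions of this example and only mark entries for a closer look; the sample lines are copied from the list above.

```python
import ntpath
import re

# Registry autoruns:  O4 - <hive>\..\<Run key>: [<value name>] <command>
REG = re.compile(r"^O4 - (?P<where>\S+\\\.\.\\Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Startup shortcuts:  O4 - <scope> Startup: <shortcut> = <target>
LNK = re.compile(r"^O4 - (?P<where>.*?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
USER = re.compile(r" \(User '[^']*'\)$")  # trailing account annotation
IMAGE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|scr))\b', re.I)

# Lines copied from the O4 list in the post above.
SAMPLE = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

def parse_o4(line):
    """Split one O4 line into where/name/cmd, or return None for other lines."""
    line = USER.sub("", line.strip())
    m = REG.match(line) or LNK.match(line)
    return m.groupdict() if m else None

def image_path(cmd):
    """Program part of a command: quoted path, path up to an extension, or first token."""
    m = IMAGE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]

def triage(log_text):
    """Return (name, image, verdict) per O4 entry; verdict rules are this example's assumptions."""
    rows = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        image = image_path(entry["cmd"])
        folder = ntpath.dirname(image).lower()
        if not folder:
            verdict = "bare-name"      # no directory: resolved through the search path
        elif folder in (r"c:\windows", "%systemroot%", "%windir%"):
            verdict = "windows-root"   # program sitting directly in the Windows folder
        else:
            verdict = "pathed"
        rows.append((entry["name"], image, verdict))
    return rows

if __name__ == "__main__":
    for name, image, verdict in triage(SAMPLE):
        print(f"{verdict:13} {name:32} {image}")
```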
     
  17. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    Ran the scan, fixed the entries, rebooted, scanned and saved and... attached the file!
     
  18. touch

    touch TS Rookie Posts: 978

    I've missed something, sorry.

    Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

    Choose one of the servers at Majorgeeks....save the file on your desktop

    Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
    Run HostsXpert 4.2 - Hosts File Manager from its new home
    Click on "File Handling".
    Click on "Restore MS Hosts File".
    Click OK on the Confirmation box.
    Click on "Make Read Only?"
    Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Reboot, and tell how things are running?
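Added example, not part of the original thread: the hosts-file restore in the two posts above discards every custom mapping, so this Python sketch lists what a hosts file contains beyond the stock localhost entry before it is overwritten. The stock content in `DEFAULT`, the two category names and the sample file are assumptions constructed for this example.

```python
import ipaddress

# Assumed stock content after a restore: localhost only.
DEFAULT = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample; names and addresses are reserved documentation values.
SAMPLE = """\
# hosts
127.0.0.1    localhost
127.0.0.1    update.av-vendor.example   # name forced to loopback
0.0.0.0      ads.example
192.0.2.10   intranet.example wiki.intranet.example
203.0.113.7  search.example
garbage line here
"""

def parse_hosts(text):
    """Yield (line number, ip, hostname) per mapping; comments and bad lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address
        for host in fields[1:]:  # one line may map several names
            yield n, ip, host.lower()

def audit(text):
    """Group non-default mappings: 'sinkholed' (loopback/0.0.0.0) or 'remapped' (any other address)."""
    report = {"sinkholed": [], "remapped": []}
    for n, ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "sinkholed" if addr.is_loopback or addr.is_unspecified else "remapped"
        report[kind].append((n, ip, host))
    return report

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE).items():
        for n, ip, host in rows:
            print(f"{kind:10} line {n}: {host} -> {ip}")
```

A sinkholed name can be a deliberate ad-block entry or a blocked update server, and a remapped name can be an intranet entry or a redirect, so the listing is input for a decision rather than a verdict.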
     
  19. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    It's hard to tell but I think that fewer links are being redirected, although some are still not linking the appropriate address. Also, Avira is not able to update for some reason. Here's an HJT scan after the HostsXpert download and reboot.
     
  20. touch

    touch TS Rookie Posts: 978

    Please download http://jpshortstuff.247fixes.com/GooredFix.exe
    and save it to your Desktop. Double-click GooredFix.exe to run it. Select "Find Goored (no fix)" by typing 1 and pressing Enter.
    You will be presented with a log, please attach the contents of that log in your next reply. (It can also be found on your desktop)
     
  21. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    Here's the Goored log.
     
  22. touch

    touch TS Rookie Posts: 978

    Please double-click Goored.exe on your Desktop to run it. Select "2. Fix Goored" by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again.
    A log will open, please attach the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

    And tell how things are running?
     
  23. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    I think that fixed it! Links are going where they should now. Here's the log.
     
  24. touch

    touch TS Rookie Posts: 978

    That's good news :)

    Now your computer problems are solved, it is time for the clean-up procedure.
    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

    Please download OTCleanIt
    Save it to desktop.
    This will remove all the tools we used to clean your computer.
    Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
    When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
    Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place

    If you have any comments or questions, feel free to post back.

    Otherwise, keep safe :wave:
     
  25. rhinotough

    rhinotough TS Rookie Topic Starter Posts: 23

    Wonderful! All appears to be well. Thank you so much for your time and professionalism. God bless!
     
Topic Status:
Not open for further replies.
