Afraid to use Google because of redirection

jmmessin
When I search on Google and click on the sites it finds, the Google search page redirects to sites which download viruses and spam. Windows Defender and McAfee have detected and stopped some of this crap but not all. After the redirection the task manager was disabled and my computer screen turned green.

First, Windows Defender caught the following:
1. TrojanDownloader:HTML/Renos Remove
2. TrojanDownloader:Win32/Fakeinit Quarantine

McAfee caught 8 ".bup" files of similar name. Two names are the following:
1. 7da111c151a1e40.bup
2. 7da111c151b1190.bup

After that I executed the "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions" process. I've attached the 3 log files you requested in the 8 step process and am awaiting instructions. I'm afraid to search Google because this has happened numerous times and each time I thought I got rid of the viruses and spam by running just Malwarebytes Anti-Malware. However, this time I followed all your instructions.
I need to know what to do next. This is very frustrating. I don't understand why this is happening on the wireless laptop and on my wired desktop I don't have any problems. Thanks in advance. Joe
 

Attachments

  • hijackthis.log (10.3 KB)
  • SUPERAntiSpyware Scan Log - 01-17-2010 - 15-57-53.log (6.7 KB)
  • mbam-log-2010-01-17 (13-12-48).txt (3.3 KB)

Is there anyone out there that can help and possibly explain what I'm looking for in these log files? Thanks
 
Waiting Patiently. New Log files attached

I am anxious for a response to my problem. In the meantime, I re-ran mbam several times and super antispyware again. Initially, I ran mbam quick scan and it found 2 "trojan.fakealert" files. Then, I ran mbam full scan and it found 2 more "trojan.fakealert" files. So, I would recommend only running the full scan. After that, super antispyware found only tracking cookies. A subsequent mbam full scan found nothing more. I'm not sure if I am clean or not at this point. Can you please review my latest logs and give advice? I need them looked at now.
 

Attachments

  • mbam-log-2010-01-18 (23-11-26).txt (1 KB)
  • mbam-log-2010-01-19 (06-24-34).txt (1.1 KB)
  • mbam-log-2010-01-19 (19-45-06).txt (890 bytes)
  • hijackthis1-19-10.log (10.1 KB)
  • SUPERAntiSpyware Scan Log - 01-19-2010 - 20-52-34.log (1.4 KB)

Thank you for waiting patiently. We appreciate that. My apology for the delay.

Your second Mbam log shows malware in the restore points. It is not active on your system and will be removed at the end when I have you remove the old restore points and set a new clean one. In the meantime, please do not use the System Restore feature.

Viewing the HijackThis log:

Is there a reason you have 4 of these? I found this information:
"Incoming mail for edisonschools.com is handled by three mailservers at edisonschools.com themselves. Two mailservers have the same IP number. Some of them are on the same IP network. edisonschools.com has one IP number. edisonproject.com point to the same IP and also shares nameservers." http://www.robtex.com/dns/edisonschools.com.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com


Since there are 4 entries with the same IP, you will have to tell me if this is correctly set up. If all of these entries are correct, leave them. If any are not, include them and check for the HJT removal as below.

Please reopen HijackThis to 'do system scan only.'. Check each of the following entries if present:
It looks like you may have decided to get rid of the Google Toolbar but it wasn't complete. So let's remove the stragglers:

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - (no file) >> this is malware


Close all Windows except HijackThis and click on "Fix Checked."

Run this online scan when you finish the above:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Attach the Eset log to your next reply.
Rescan with HijackThis and attach the new log.
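As an added illustration (not code from this thread, nor part of HijackThis itself), the following Python script parses HijackThis-style lines like the ones quoted above and flags the three things the helper singles out: an R1 ProxyServer value pointing at the loopback address (browser traffic being routed through a local process), repeated O1 Hosts lines, and O2/O3/O21 entries marked "(no file)". The sample log is constructed from the lines quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - (no file)
"""

# "R1 - ..." / "O21 - ..." : section tag, then the entry body.
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
# 127.0.0.0/8, localhost or ::1 - a proxy here means a process on this PC sees all browsing.
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[?::1\]?)$", re.IGNORECASE)


def proxy_hosts(value):
    """Split an IE ProxyServer value ('http=127.0.0.1:5555;https=...' or
    plain 'host:port') into its host parts."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # drop the 'http=' scheme prefix
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip())
    return hosts


def analyze_hjt(log_text):
    """Return (section, reason, line) findings for entries a helper
    would want to review in a HijackThis log."""
    findings = []
    hosts_seen = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            if any(LOOPBACK.match(h) for h in proxy_hosts(value)):
                findings.append((section,
                                 "proxy points at loopback: browser traffic is routed through a local process",
                                 line))
        elif section == "O1":
            hosts_seen[body] += 1            # duplicates are reported after the loop
        elif section in ("O2", "O3", "O21") and body.endswith("(no file)"):
            findings.append((section,
                             "orphaned entry: registered component has no file on disk",
                             line))
    for body, count in hosts_seen.items():
        reason = ("hosts file mapping listed %d times" % count) if count > 1 else "hosts file mapping"
        findings.append(("O1", reason + ", confirm it is still wanted", body))
    return findings


if __name__ == "__main__":
    for section, reason, line in analyze_hjt(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, line))
```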
 
It's getting worse

When I came home today the computer screen showed a window as follows:

AXWIN Frame Window:svchost.exe - Application Error
The instruction at "0x0321F7A0" referenced memory at "0x0321F7A0". The memory could not be written.
Click "OK" to terminate
Click on "Cancel" to debug.

I clicked on "OK" and a shutdown message appeared and the computer shut down.
Then, when I restarted it another message popped up as follows:

Data Execution Prevention-Microsoft Windows
To help protect your computer, Windows has closed this program.
Name: Generic Host process for WIN32 Services
Publisher: Microsoft Corp.
Data Execution Prevention helps protect against damage from viruses and other security threats.

When I click to close this message it just pops up again.
So now I have two messages on my screen which I can't get rid of.
If I just move them aside I can still use the computer.
I started "Hijack this" and scanned and checked the ones you suggested and hit fix. I checked three out of the four edison schools entries and they all gave the following error:
Unexpected error at procedure:modMain_fixOther1Item(sItem=01-Hosts:127.0.1.10ny-mail-01.ny.edison.schools.com)
Error#75-Path/File access error
Also, I tried to individually check and fix the other entries you suggested (four O2 entries and the O21 entry). None would delete because when I did a scan again they were all still there. Is that because these windows I can't get rid of are open?
Then, I did another scan with a log file.
I didn't proceed any further because "Hijack this" didn't work. The latest log file is attached. Thanks for all your help. This is really troubling to me to know this can happen.
 

Attachments

  • hijackthis1-20-10.txt (10.2 KB)

Regarding Error#75-Path/File access error:
Program does not have rights or access to a file. Often this is caused when a program is trying to access a network file it doesn't have proper access to either because of network privileges or something is blocking the program. This issue can also be caused when the file is being used by another program or is read-only.

First, troubleshoot here: http://www.computerhope.com/issues/ch000380.htm

Can you please fill me in on these entries:
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com

Is this a student or work related entry?


Please run the Eset online scan and include the log in your next reply.
 
I'm trying the best I can

I tried to run the ESET scanner but it didn't work.
First, I went onto the ESET web site and pressed run ESET scanner. It was loading OK but I forgot to disable my McAfee and it blocked something. Then, I went into the control panel and removed the ESET program. Then, I went into the programs folder and deleted the ESET folder. I went back to the ESET web site and tried to run the scanner but it doesn't start loading like before. It just says "done".
I tried to debug based on info from the computerhope.com web site. I did not have any programs running so there was none to stop. Then, I checked the processes in task manager and I stopped process "rundll32.exe" and the Data Execution Prevention Window went away but came right back. Then, I stopped the "dumprep.exe" process and the "rundll32.exe" process and the Data Execution Prevention Window went away for good.
I still have the "AXWIN Frame Window:svchost.exe - Application Error window" memory error on my laptop screen.
I tried google.com and I still get redirected.
I tried Hijackthis again and it still won't delete the entries I have checked.
The edison schools entry must be related to mail accounts or special internet access to their secure site which was setup a long time ago when my daughter first started going to an edison school in phoenixville, PA called Renaissance Academy. I don't need these anymore and would like to delete them but hijack this still gives me an Error#75.
I attached another log file from today.
Should I try restoring the system? I really don't know what to do next.
Can you tell me why the ESET won't download?
 

Attachments

  • hijackthis1-23-10.log (10.4 KB)

You are saying that you follow the instructions exactly to check the entries in HijackThis, then click on Fix Checked? But none of the entries get removed? Is that correct? Are you logging on under the Administrative account? And it's risky to be deleting processes as you have been doing.

Please print the following instructions. This will act as a guide, especially when in Safe Mode and you don't have access to the directions:

Please disable the Eset online Active X object: Open IE> Tools> Manage Add-ons> look for one of these entries: (OnlineScanner Control) or special/eos> click to Highlight> Disable> Close.

[1] Run Combofix:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • Query - Recovery Console image:
    [image: RcAuto1.gif]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
---------------------------------------------------------------------
[2] Download and run Kaspersky:
Open
Kaspersky Online Scanner in Internet Explorer


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
-----------------------------------------------------------
Make sure viewing of hidden files is enabled: Click on Control Panel> Folder Options> View tab> CHECK 'show hidden files and folders'> Uncheck 'hide protected system files:'

[3]Reopen HijackThis to 'do system scan only.' Check each of the following entries if present: Make sure all entries are checked before clicking on Fix checked:

C:\Program Files\BillP Studios\WinPatrol\
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo RX500 on Sony-vaio] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P42 "Auto EPSON Stylus Photo RX500 on Sony-vaio" /O23 "\\SONY-VAIO\EPSON RX500" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [\Sony-vaio\EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P36 "\\Sony-vaio\EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [\\Sony-vaio\EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P36 "\\Sony-vaio\EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com
O1 - Hosts: 127.0.1.10 ny-mail-01.ny.edisonschools.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - (no file)


Close all Windows except HijackThis and click on "Fix Checked."

[4]Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

The nymail account should have been removed when it was no longer needed. Do you know which account it was set up under? If the edisonschools entry is no longer needed, then you can try to block the domain as shown below:

Click on Control Panel> Internet Options> Security tab> Restricted Zone> Sites> type in each of the following> Add:
ny.edisonschools.com
*.edisonschools.com


Reboot into Normal Mode. Rehide the files and folders. Empty the Recycle Bin

Attach the Combofix report, Kaspersky log to next reply.
Rescan with HijackThis and include new log.
 
I think its getting better

Pre-step #1, I do not have an add-on like "online scanner control or special/eos". Although, online scanner control, O16, was deleted in "Hijack this".

Step#1. Had some initial problems with combo-fix but after the 4th try got to run successfully and create the log.
Step#2. Had to restart a second time but got it to run successfully and create the log files.
Step#3. None of the c:\ files are listed. The O21 was not listed either. The Fix button seems like it worked this time and created the log.
Step#4. Worked OK. Done.

There was nothing in the recycle bin.
The two windows that used to come up, "AXWIN frame" with the memory error and the "Data Execution Prevention" window, are gone. That's good news.
Also, I'm including a McAfee access protection log file because as I was writing this response McAfee blocked something related to a registry write I think.
 

Attachments

  • combo-fixlog1-24-10.txt (18.2 KB)
  • KasprskyCriticalAreasLog1-24-10.txt (1.1 KB)
  • KasprskyMyComputerLog1-24-10.txt (1.1 KB)
  • hijackthis1-24-10.log (8.1 KB)
  • AccessProtectionLog1-24-10.txt (184.6 KB)

I notice you have an Enterprise version of McAfee. Is the program through work or work related? If not work, then you need to open McAfee and configure it appropriately.

You need to empty the Java cache: Please click on Control Panel> Java> General tab> Temporary Internet Files> Settings> delete the TIF.

Then go to the update tab> Uncheck 'automatically check for updates'> answer Yes when asked if you're sure> Apply> OK.

In the HijackThis log, if Comcast requires this, leave it. If not, check for removal> click on Fix Checked:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

Joe, you have the McAfee suite and Windows Defender to protect the system. When they find or stop malware and/or quarantine it, that's what they are supposed to do. When you ran Kaspersky, it documented an entry in 'Qoobox'. That is where Combofix puts files it has quarantined. When I have you uninstall Combofix when we're through, that file will be removed.

The other entry appears to be in the Java cache. Emptying that should remove it. You also have many temp files on the system. This would be a good time to run TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

The accounts for Debbie and Sarah should each have the Cookies reset to stop the Tracking Cookies:
Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

I need for you not to look at the logs now and tell me what, if any, system problems are occurring. I don't want to know what a log found- tell me if you're running well-or not.
 
Running better

Yes, the McAfee program is through work.
Yes, I am running well. Thanks for all your hard work.
I'm attaching a log file.
 

Attachments

  • hijackthis1-24-10PM.log (8.1 KB)

Yes, the McAfee program is through work.
Then it's possible that any blocks may have been pre-configured by the IT at work.

The HijackThis log is clean- looks much better than when you began. Go through Add/remove Programs in the Control Panel occasionally and also the All Programs list. Uninstall any you no longer use or need.

Since the redirect has been resolved, you can remove the cleaning tools and old restore points:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

If I can be of more help in the future, please let me know.
 
Clean up and other computer

It looks like the "hijack this" backup files are still there. Do they need to be deleted or should I just leave them on the computer?

Also, I'm starting to look at my other computer. I ran the 8 steps and created the 3 log files. I don't seem to have any visual problems with the computer but I noticed in the "hijack this" log that there is an entry which doesn't look right.
Please review these logs and advise.
Thanks
 

Attachments

  • hijackthis1-26-10.log (10.6 KB)
  • mbam-log-2010-01-27 (06-28-56).txt (893 bytes)
  • SUPERAntiSpyware Scan Log - 01-27-2010 - 07-29-31.log (1.5 KB)

Please break your new post off and start a new thread with it. Give a recap of the problem and attach the logs to the new thread.

I've tried doing more than one computer on the same thread and it just doesn't work! Sooner or later either you or I will mix up our comments!
 