TechSpot

Google Search Links Redirected (problem)

By carnage
Dec 13, 2009
  1. Hey

    Like everyone else, I too seem to be experiencing problems with google search links. The google search engine works fine, but when clicking on the actual links, I get redirected to some ad site like searchmeup4.com and ebay.com. This seems to be only happening to my IE8 browser and Safari4. Firefox (so far) is not experiencing this problem.

    I believe this is causing my internet to slow down. It was fine a few days ago, but on Thursday, it started to slow down. It was also on Thursday that this google redirection problem commenced.

    Here are the log attachments.

    Thank you for your time, especially during this busy season.

    btw, my computer is Windows XP media center if that helps.
     


  2. carnage

    carnage TS Rookie Topic Starter

    Should I scan my computer with hijack, mbab and superantiware once more and update the logs to see if anything new happened? Or would it not matter?
     
  3. AnonymousSurfer

    AnonymousSurfer TS Maniac Posts: 346   +18

    If you haven't taken any actions, most likely nothing has happened. One thing we here at Techspot do not like to see is "No Action Taken". Do another scan and remove all malicious software.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot, carnage. I'll help you with the malware. My apology for the delay. As you can see, this is a very busy forum, so your patience is appreciated.

    There is a line in Malwarebytes (similar one in Superantispyware) that says:
    Make sure that everything is checked, and click Remove Selected.

    If this isn't done, then every malware entry will show: No Action Taken. I don't think this was made clear to you. Please update Malwarebytes and run the scan again> Make sure that everything is checked, and click Remove Selected.

    If you did not check the similar line in SAS, please update, scan again, check to remove. You have a high amount of malware> much coming from FunWeb Products and Shopper Reports. I advise you to stop using either.
    -------------------
    I have noticed that you have multiple antivirus programs running
    Avast
    Symantec

    You should decide which you want to keep and remove the others for the following reasons:
    • Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
    • Multiple antivirus programs can also slow down the system.

      If you are using a paid program, consider removing the free programs. If you are using a Trial of a paid program, please decide which programs you would like to keep and remove the others. You will find the following removal tools helpful:
    • Avast Removal
    • Norton Removal Tool
      Note: Security programs are best removed while in Safe Mode. Download the removal tool and save to your desktop. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Please reboot the system when you have made the change. Update the antivirus program you keep.
    ------------------
    Flash player is known for leaving behind old insecure files. It is better to clean out the entire entry, uninstall, then reinstall:
    • Download the Flash Player Uninstaller and save it to your desktop.
      Choose the Flash Player Uninstaller for your browser: http://www.adobe.com/shockwave/download/alternates/ Don't run yet.
    • Please reopen HijackThis to 'do system scan only'. Check the following processes if found:

      O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; FunWebProducts; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; Zango 10.3.85.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.trimble.com/gps/howgps-error-anim02.shtml"

    • Close all Windows except HijackThis and click "Fix Checked."
    • Boot into Safe Mode
      [o] Restart your computer and start pressing the F8 key on your keyboard.
      [o] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Double-click the Flash Player Uninstaller setup on the desktop and run the uninstaller program.
    • Reboot your computer to complete the uninstall.
    • Download latest version of Flash Player HERE and save to the desktop.
    • Double click the setup and run to install. Reboot when through.
    • Once the new version is installed, follow the directions to disable the auto-updater.
      [1] Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
      Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
      [2] Windows: Right click the Shockwave movie.
      [3] From the drop down menu choose "Properties".
      [4] Uncheck the box next to "Automatic Update Service" to disable the auto update feature.
    -------------------------------------------------------------
    Please include the following in your next reply:
    1. New Mbam log
    2. New SAS log
    3. New HJT log (rescan)


    We'll go from there.
     
  5. carnage

    carnage TS Rookie Topic Starter

    Sorry for the extreme lateness. I was somewhat busy with school matters seeing that this is the last week before the winter holidays.

    I have done all the steps you have provided me in your previous post. Presently, I am still having google redirecting problems as well as my pc and internet have begun to slow down. I keep getting this "Discover" window stating "socialization fail" for some reason. Could that be causing a problem?

    Thank you again for helping me Bobbye. I am truly grateful.

    Yeah, I am not sure how I got FunWeb Products and ShoppersReport. I think SuperAntiSpyware quarantined them though.

    Here are the attached logs.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're okay on malware but you need to do some housekeeping: Please print out the directions:

    Did you do this in my Post #4?
    The following entry is in the HJT log:
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.3; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.adobe.com/shockwave/welcome/"

    Please follow my directions for removal.
    ----------------------------------------------------
    You need to get the Tracking Cookies under control. Most of them are "the usual", but there are quite a few from a game related site or ad. That particular one is Ad4Game: The Internet's game Ad Network - game advertising online ..I doubt this is something you have by choice!

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
    -------------------------------------------------
    About Discover: You have the following entries running: It's a play on words:
    C:\Program Files\DISC\DISCover.exe
    C:\Program Files\DISC\DiscUpdMgr.exe> update manager
    C:\Program Files\DISC\DiscStreamHub.exe

    • (DISCover Drop Play System): DISCover.exe - Part of the DISCover PC Game Console operating system.
    • It is a screen console enabling a user to play online games that are remotely hosted. It is sometimes preloaded by PC makers.
    • It is a user invoked program> this means that it does not need to start on boot and run in the background. User can open the program as needed.

    Here's the site for it- you can get an idea of what it is: http://www.videogameconsolelibrary.com/pg00-discover.htm

    If you do not use this, it should be uninstalled: Follow my directions in #4 to reopen HJT and check each of the 3 entries. Then click on "Fix checked."

    When you boot into Safe Mode for the Shockwave Updater, include this:
    • Go to Add/Remove Programs in the Control Panel> Uninstall DISC or Discover- however it's listed.
    • Right click on Start> Explore> My Computer> Local Drive (C)> Programs> do a right click> Delete on folder for DISC or Discover.

    FYI: Fun Web Products = To name a few: Smiley Central, Cursor Mania, FunBuddyIcons, My Mail Stationery, Popular Screensavers, MyWebSearch
    Their promo is "Get thousands of smileys, screensavers, cursors and more cool stuff - all 100% free!". What they don't tell you is that the products are full of adware, spyware and other pests> all easy to get and hard to get rid of.

    Please do this online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Follow with rescan of HJT.
    Include both logs in next reply.
     
  7. carnage

    carnage TS Rookie Topic Starter

    Yes, I re-installed flash player.

    The online scan took a whole day to do. That's why it took me a while to respond back.

    Here are the logs.
     
  8. carnage

    carnage TS Rookie Topic Starter

    Was I supposed to delete the threats with Eset scanner? I am not sure if you intended this or not.

    I was not sure if I was supposed to so I did not.

    Oh and the other account users on my computer find it difficult to use the internet (specifically IE and safari; firefox sometimes) since it takes between a half hour and an hour to load a page.

    However, I am not experiencing that problem (although on some occasions, it takes like 10 minutes to load a page for me). But my page does sometimes freeze when I go on rpg sites or video sites.

    Not sure if that might help, but I am guessing it is linked with the google redirecting problem.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    carnage, I posted this last night- I have no idea why it isn't here: You have entries from MyWebSearch: Again, follow instructions for Shockwave Updater. Be sure to disable the startup after the reinstall. You will also-again-check the entry in the HJT log.

    To remove the entries in Eset:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files 
      C:\hp\bin\wbug\HPPavillion_Spring06.exe	
      C:\Program Files\Netscape\Netscape Browser\chrome\m3ntstbr.jar	
      C:\Program Files\Netscape\Netscape Browser\plugins\NPMyWebS.dll	
      C:\Program Files\Windows Live\Messenger\riched20.dll	
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ---------------------------------------
    You have many unnecessary processes starting on boot and running in the background. None of them need to: Suggest all be unchecked:

    Please reopen HijackThis to 'do system scan only'. Check each of the following if present:

    HP DigitalMedia Archive
    HP Software Update
    HP OrderReminder
    iTunesHelper
    LightScribe
    Microsoft LifeCam
    Search Enhancement Pack
    Yahoo!\SoftwareUpdate
    iPod
    DISC\DISCover
    HP\9972322\Program\Updates
    EasyGifAnimator_Toolbar
    AlwaysReady Power Message APP
    QuickTime
    Google Software Updater (gusvc)
    iPod Service
    LightScribeService Direct Disc Labeling
    Real Player update: TkBellExe
    Adobe Reader:


    Still getting this: check again:
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.3; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.adobe.com/shockwave/welcome/"

    The Cloaker is a legitimate process. But you have duplicates> advise remove the following dups:
    O4 - S-1-5-21-2899736542-978247726-3410570447-1008 User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'moorthy')
    O4 - S-1-5-21-2899736542-978247726-3410570447-1009 User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'atcha')
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')


    Close all Windows except HijackThis. Click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click> Run> type in msconfig> enter> Selective Startup> Startup menu> Uncheck each of the following :
    ALL of the HP entries: to include all HP DigitalMedia and Update processes
    Then uncheck ALL of the processes related to the list above that you checked in HJT for removal:
    iTunesHelper
    LightScribe
    Microsoft LifeCam
    Search Enhancement Pack
    Yahoo!\SoftwareUpdate
    iPod
    DISC\DISCover
    HP\9972322\Program\Updates
    EasyGifAnimator_Toolbar
    AlwaysReady Power Message APP
    QuickTime
    Google Software Updater (gusvc)
    iPod Service
    LightScribeService Direct Disc Labeling
    Real Player update: TkBellExe
    Adobe Reader: Reader_sl.exe
    Java: jushed

    When through, click on Apply> OK

    Start> Run> type in services.msc> find each of the following Services> double click on each> Set Startup type as given:
    Google Software Updater (gusvc)> Disable
    iPod Service> Manual
    LightScribeService Direct Disc Labeling> Manual

    Close Services.

    Reboot into Normal Mode: NOTE: the first time you boot after making msconfig changes, you will get a nag message. Ignore the message and close after checking 'don't show this message again.' Stay in Selective Startup.

    Note: Having HJT remove the entry and taking a program off of startup does NOT mean you won't be able to use it. Simply click on All Programs and launch what you want to use, when you need it.

    As for the delayed startup> taking some off of startup will help that. But a delay of 10 minutes to an hour to load anything would indicate a problem with the memory. Either you don't have enough RAM installed, or one or more of the chips have gone bad.
     
  10. carnage

    carnage TS Rookie Topic Starter

    alright, I re-installed the shockwave updater. I did not see it on the Hijack log so I am assuming it's been taken care of.

    In terms of the msconfig section, I only saw itunehelper there. I did not see the other options on the list. They were on the Hijack log though.

    And recently (today), I keep getting C:\WINDOWS\TEMP\hwhe.tmp\svchost.exe message from avast. I tried deleting it and moving it to chest, but it keeps re-appearing. It says it's a worm/malware. Should I use malwarebyte anti-malware to try to get rid of it or something else?

    Oh, in terms of the slow startup, it was not my startup (or other user's startup) that was slow. It was just opening the internet that was slow, more specifically IE8. It occurs sometimes though; sometimes it would be normal speed and sometimes too slow.
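
Added example (not part of the thread and not code from HijackThis or any tool used in it): a small Python triage pass over HijackThis-style log lines that groups `O4` startup-folder entries by target, as in the cloaker.exe duplicates of post #9, and flags a Windows system binary name running from outside `system32`, as with the `C:\WINDOWS\TEMP\hwhe.tmp\svchost.exe` path reported in post #10. The `SYSTEM32_ONLY` list, the `C:\WINDOWS` system root and the abridged sample lines are assumptions made for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Assumption: short, non-exhaustive list of names that on Windows XP
# normally run only from C:\WINDOWS\system32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"  # assumed system root

# O4 startup-folder form: O4 - <hive> [User] Startup: <link> = <target> (User '<name>')
O4_STARTUP = re.compile(
    r"^O4 - (?:(?P<hive>\S+) )?(?:User )?Startup: (?P<link>.+?) = "
    r"(?P<target>.+?)(?: \(User '(?P<user>[^']*)'\))?$")
# O4 registry form: O4 - <key>: [<value name>] <command line>
O4_REGISTRY = re.compile(
    r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable path at the start of a command line (spaces in the path allowed).
EXE_PATH = re.compile(r"^[A-Za-z]:\\.*?\.exe\b", re.IGNORECASE)


def extract_exe(command):
    """Return the lower-cased executable path that starts a command, or None."""
    m = EXE_PATH.match(command.strip().lstrip('"'))
    return m.group(0).lower() if m else None


def is_masquerading(exe):
    """True if a system32-only file name is located in some other folder."""
    return (ntpath.basename(exe) in SYSTEM32_ONLY
            and ntpath.dirname(exe) != SYSTEM32_DIR)


def analyse(lines):
    """Triage running-process paths and O4 autostart entries from a log."""
    startup = defaultdict(list)   # target exe -> users whose Startup folder has it
    run_keys = []                 # (registry key, value name, exe)
    masquerade = []               # system names seen outside system32
    for raw in lines:
        line = raw.strip()
        exe = None
        m = O4_STARTUP.match(line)
        if m:
            exe = extract_exe(m["target"])
            if exe:
                startup[exe].append(m["user"] or m["hive"] or "current user")
        else:
            m = O4_REGISTRY.match(line)
            if m:
                exe = extract_exe(m["cmd"])
                if exe:
                    run_keys.append((m["key"], m["name"], exe))
            else:
                exe = extract_exe(line)   # bare running-process path
        if exe and is_masquerading(exe) and exe not in masquerade:
            masquerade.append(exe)
    duplicates = {exe: users for exe, users in startup.items() if len(users) > 1}
    return {"duplicates": duplicates, "masquerade": masquerade,
            "run_keys": run_keys}


# Constructed sample: paths and O4 entries quoted in this thread, with the
# long Shockwave Updater command line abridged.
SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\hwhe.tmp\svchost.exe
C:\Program Files\DISC\DISCover.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600
O4 - S-1-5-21-2899736542-978247726-3410570447-1008 User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'moorthy')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
""".strip().splitlines()

if __name__ == "__main__":
    report = analyse(SAMPLE)
    for exe in report["masquerade"]:
        print("system name outside system32:", exe)
    for exe, users in report["duplicates"].items():
        print("startup target repeated for", users, "->", exe)
    for key, name, exe in report["run_keys"]:
        print("registry autostart", key, name, "->", exe)
```
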
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please submit this file for identification:

    C:\WINDOWS\TEMP\hwhe.tmp\svchost.exe

    to> http://virusscan.jotti.org/en

    Leave the results when finished.

    When we have finished, please move to the Windows OS forum for this:
     
     
  12. carnage

    carnage TS Rookie Topic Starter

    I still have the google re-directing issues.

    And how do I use that scanner. Avast has quarantined 53 files similar to that (not exactly, but similar + one rootkit file).
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You read the directions and paste the entry in. There's a box that says "File to scan" and a button that says "Submit."
     
  14. carnage

    carnage TS Rookie Topic Starter

    Sorry if this sounds stupid or anything, but do I put the file in .txt form or in direct form.

    Edited, forget I wrote that; figured it out.

    this is what i get for

    iexplore.exe.hdmp

    Scanners
    2009-12-21 Found nothing 2009-12-21 Found nothing
    2009-12-21 Found nothing 2009-12-21 Found nothing
    2009-12-21 Win32:Alureon-ET 2009-12-21 Found nothing
    2009-12-21 Found nothing 2009-12-21 Found nothing
    2009-12-21 Found nothing 2009-12-21 Found nothing
    2009-12-21 Found nothing 2009-12-21 Found nothing
    2009-12-21 Found nothing 2009-12-21 Found nothing
    2009-12-21 Found nothing 2009-12-21 Found nothing
    2009-12-21 Found nothing 2009-12-19 Found nothing
    2009-12-21 Found nothing 2009-12-21 Found nothing
    2009-12-21 Found nothing

    svchost.exe

    Scanners
    2009-12-21 Downloader.Piker.sx 2009-12-21 Trojan.Spammer.ABT
    2009-12-21 Trojan-Downloader.Win32.Piker!IK 2009-12-21 Trojan-Downloader.Win32.Piker
    2009-12-21 Win32:Malware-gen 2009-12-21 Trojan-Downloader.Win32.Piker.sx
    2009-12-21 Found nothing 2009-12-21 Win32/Kryptik.BKO
    2009-12-21 TR/Dldr.Piker.SX 2009-12-21 W32/Obfuscated.EA
    2009-12-21 Trojan.Spammer.ABT 2009-12-21 Trj/Downloader.MDW
    2009-12-21 Found nothing 2009-12-21 TrojanDownloader.Piker.sx
    2009-12-21 Troj.Downloader.W32.Piker.sx 2009-12-21 Mal/Waled-B
    2009-12-21 Found nothing Operation timed out
    2009-12-21 W32/Downldr2.IGJB 2009-12-21 Trojan.DL.Piker.FJ
    2009-12-21 Trojan-Downloader.Win32.Piker.sx


    There are also other svchost type files, but they could not be scanned since they were 0bytes. They were all in the form of C:\WINDOWS\TEMP\...
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I might have misled you in the directions: did you browse to this file on your computer, choose it and submit it? You should have gotten a report that you could copy and paste here.
     
  16. carnage

    carnage TS Rookie Topic Starter

  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thanks- that's just what I wanted! Let's try something:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Empty the Recycle Bin

    When you finish, run the Eset online scanner again> delete previous log. Leave new log in next reply.
     
  18. carnage

    carnage TS Rookie Topic Starter

    alright, I followed your above instructions.

    Here is the log from ESET scan.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Carnage, I'm going to ask for help with this. Clearly we're not reaching all the sources of the infection. Please be patient. I'll send a PM, but know he is really busy.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Leave report on next reply.
     
  21. carnage

    carnage TS Rookie Topic Starter

    Hey bobbye

    How long does it typically take for ComboFix's first window to appear on the desktop. I had disabled all the necessities and ran ComboFix. I got a small loading screen, but soon vanished after it was done. I've waited like 5-10 minutes and nothing has happened. Is there something wrong going on or is this normal?

    I am on my lap so I haven't touched my pc.
     
  22. carnage

    carnage TS Rookie Topic Starter

    alright, I managed to get it to work. Here is the log I obtained from ComboFix

    so far, my internet seems to have gotten faster, but there is no guarantee since it has done this in the past (with the malware) so i'll give you an update after 10 minutes or so and see if I still have problems.

    Same goes with the redirecting issue.

    Edit

    not having any redirecting issues or any other problems currently. Is there any other task I should do to keep my computer at this stage.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please do the following:

    Download and run the Norton Removal Tool HERE

    Update and scan with Malwarebytes again:

    Please download Malwarebytes' Anti-Malware and Save to the desktop

    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware.
    • Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

    Run the scan with Malwarebytes again> When the scan is complete, click OK, then 'Show Results' to view the results. Be sure that everything is checked, and click 'Remove Selected'.

    When completed, a log will open in Notepad.

    Use the Kaspersky Online scan:
    Open
    Kaspersky Online Scanner in Internet Explorer


    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop

    Save all logs and reports and attach them to next reply.
     
  24. carnage

    carnage TS Rookie Topic Starter

    I am unsure if I did this correctly since some of the concepts you requested for were not available from that link. This is what I got so far.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The Kaspersky logs shows 3 entries that had malware but have been quarantined:
    1. The OTMoveIt I moved from the previous scan
    2. and 3: Qoobox files. Qoobox is the folder where Combofix places files it quarantines. The entries will be removed when Combofix is uninstalled.

    I know you feel you are 'scanned out'! So let me know if any of the original problems remain or there are any new malware related problems. If there are not, you can remove the cleaning tools and old restore points:

    Remove all of the tools we used and the files and folders they created

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    If I can be of help in the future, please let me know.
     
Topic Status:
Not open for further replies.

