Search engine hijack, done 8 steps w/logs

By msowsun
Jan 28, 2010
  1. help... :(

    Attached Files:

  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,233   +234

  3. msowsun

    msowsun TS Rookie Topic Starter

    I just finished running Combofix, and everything seems to be back to normal.

    Thanks "Tmagic650". You guys certainly know your stuff... :wave:
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,233   +234

    You are welcome msowsun,
    be sure to keep those cookies and temp files under control
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    msowsun, where is the Combofix report?

    Here are the directions, and you will notice there is a line in red that is not on the referenced page. There is a reason for this emphasis:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.

    • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Giving a link to a site without any directions isn't giving you any help. You could have done that yourself. But it is important to see what is in Combofix and to possibly deal with some of it further.

    I firmly believe that it is more important that you note the chance to be sure there is a Recovery Console installed than to see screenshots of the program running.
  6. msowsun

    msowsun TS Rookie Topic Starter

    Here it is...

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you. You can end the thread if you want. However, I recommend that you do the following:

    [1] I checked the Combofix log.
    [2] Advising you that you have 2 antivirus programs- neither of which was disabled when you ran Combofix.
    [3] Leaving the following tools for whichever AV program you choose to uninstall- because:
    [o] Multiple antivirus programs can make you more vulnerable
    [o] Multiple AV programs can slow the system down.
    Boot into Safe Mode to uninstall AV
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Uninstall Avira AntiVir Personal software: click Start> go to Settings or to System Administration Software> select the Avira AntiVir> Click on Remove.
    Uninstall Spyware Doctor with AntiVirus: Start> Programs> Spyware Doctor> Uninstall Spyware Doctor.

    Use Windows Explorer to navigate to C:\Program Files and right click> Delete the folder for the AV program you have uninstalled.
    Reboot back into Normal Mode when finished.

    [4] Stop Real Time Protection before doing ANY of the scans:
    IF you keep Spyware Doctor: You should also temporarily disable PCTools Browser Monitor: If you are running Internet Explorer, click Tools> Manage Add-ons. If PCTools Browser Monitor is on the list, click it & select Disable. You will need to restart your browser after making the change.

    [5] There are some tmp files in the Combofix report that shouldn't be there. If they still show after running the following, I'll have you move them. Please run TFC (Temp File Cleaner)
    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    [6] Delete the Combofix report on the desktop. Rerun Combofix with all security off per instructions: Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection

    [7] Run the Eset Online scanner: Run Eset NOD32 Online AntiVirus Scanner HERE
    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    [8] Rescan with HijackThis

    Attach new Combofix report, Eset scan and new HJT log to your next reply

    When the system has been cleaned, I will have you remove all of the cleaning tools and old restore points.
  8. msowsun

    msowsun TS Rookie Topic Starter

    Thanks for taking the time to advise me. I won't have time to run through it all tonight, but I un-installed the extra AV programs and I am now only running "Spyware Doctor with Antivirus".

    Here is a screenshot of the other programs that are still installed but not running. When I get a chance I will follow your instructions and report back.

    Thanks, Mike

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Mike, if you decide to go ahead without any further cleaning, this will remove the cleaning tools:

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    Just keep in mind that the Combofix uninstall will remove the program, the report and the quarantined items. However, if there is additional malware within Combofix itself, it will not remove that and it may reappear.

    But again, this is your choice. I do understand that when there is dissension among members who are helping, it can be confusing for the member who is seeking help.
Topic Status:
Not open for further replies.
