Yet another search engine redirect problem

Status
Not open for further replies.
(cont.)

2009-11-15 17:36 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-15 17:36 . 2009-11-15 17:36 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-15 17:15 . 2009-11-15 17:15 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-15 17:12 . 2009-11-15 17:12 -------- d-----w- c:\program files\Microsoft
2009-11-14 01:35 . 2009-03-17 18:01 -------- d-----w- c:\program files\Safari
2009-11-14 01:32 . 2009-11-14 01:32 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-09 22:33 . 2009-11-09 22:33 10134 ----a-r- c:\users\CBaker\AppData\Roaming\Microsoft\Installer\{F19F7B24-AAD4-4236-8475-5335483DA676}\ARPPRODUCTICON.exe
2009-11-09 22:29 . 2009-11-09 22:29 -------- d-----w- c:\users\CBaker\AppData\Roaming\Avery
2009-11-08 19:22 . 2009-03-25 01:18 -------- d-----w- c:\users\CBaker\AppData\Roaming\COWON
2009-11-08 19:22 . 2008-02-22 02:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 19:04 . 2009-11-08 19:04 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-11-08 18:05 . 2009-10-31 16:41 -------- d-----w- c:\program files\Minefield
2009-11-07 19:02 . 2009-11-07 19:02 24576 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\30x4518e.c2ap\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
2009-11-05 23:20 . 2009-11-05 23:20 376 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\30x4518e.c2ap\extensions\{75739dec-72db-4020-aa9a-6afa6744759b}\7zip.bat
2009-11-02 18:37 . 2009-11-02 18:37 424 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.FEBE 7.0 dev\extensions\{75739dec-72db-4020-aa9a-6afa6744759b}\zip.bat
2009-11-02 18:37 . 2009-11-02 18:37 376 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.FEBE 7.0 dev\extensions\{75739dec-72db-4020-aa9a-6afa6744759b}\7zip.bat
2009-11-02 18:37 . 2009-11-02 18:37 364 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.FEBE 7.0 dev\extensions\{75739dec-72db-4020-aa9a-6afa6744759b}\wzcline.bat
2009-11-02 18:37 . 2009-11-02 18:37 340 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.FEBE 7.0 dev\extensions\{75739dec-72db-4020-aa9a-6afa6744759b}\cygzip.bat
2009-11-01 21:27 . 2009-11-05 23:20 172032 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\30x4518e.c2ap\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2009-11-01 21:27 . 2009-11-01 21:27 120832 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.FEBE 7.0 dev\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-10-30 19:54 . 2009-03-04 00:26 -------- d-----w- c:\program files\SeaMonkey 2.0
2009-10-29 09:17 . 2009-11-25 13:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-26 19:49 . 2009-10-26 19:49 90112 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.mSTART\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
2009-10-26 19:49 . 2009-10-26 19:49 307200 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.mSTART\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2009-10-26 19:49 . 2009-10-26 19:49 172032 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.mSTART\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2009-10-22 20:04 . 2009-12-18 23:19 798720 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\2iot7g74.Chuck(Fx3.5)\extensions\{7378B8C2-FC38-41b8-A8C9-875D1F5B0A24}\components\ImageMagicResize.dll
2009-10-22 20:04 . 2009-12-18 23:19 490496 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\2iot7g74.Chuck(Fx3.5)\extensions\{7378B8C2-FC38-41b8-A8C9-875D1F5B0A24}\components\avformat-51.dll
2009-10-22 20:04 . 2009-12-18 23:19 19968 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\2iot7g74.Chuck(Fx3.5)\extensions\{7378B8C2-FC38-41b8-A8C9-875D1F5B0A24}\components\avutil-49.dll
2009-10-16 15:56 . 2009-10-16 15:56 593920 ----a-w- c:\users\CBaker\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910150-0-main.dll
2009-10-14 15:52 . 2009-06-07 00:28 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-14 15:52 . 2009-06-07 00:28 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-11 11:17 . 2008-12-05 21:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 21:08 . 2009-11-15 17:12 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-11-15 17:12 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-11-15 17:12 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 01:33 . 2009-12-18 23:19 8186 ----a-w- c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\2iot7g74.Chuck(Fx3.5)\extensions\exif_viewer@mozilla.doslash.org\content\check2.bat
2009-10-01 01:02 . 2009-11-15 17:14 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-11-15 17:14 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-11-15 17:14 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-11-15 17:14 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-11-15 17:14 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-15 17:14 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-11-15 17:14 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-11-15 17:14 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-15 17:14 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-11-15 17:14 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-11-15 17:14 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-11-15 17:14 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2008-07-04 22:41 . 2008-07-04 22:41 22 --sha-w- c:\windows\SMINST\HPCD.sys
2008-12-24 20:13 . 2008-12-24 20:13 56 --sh--r- c:\windows\System32\7950857381.sys
2008-12-24 20:13 . 2008-12-24 20:06 3766 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"TomTomHOME.exe"="c:\program files\TomTom HOME\TomTomHOMERunner.exe" [2009-08-27 247144]
"SUPERAntiSpyware"="c:\users\CBaker\Desktop\Utilities\Virus utilities\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-20 2002160]
 
(cont.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\2007\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\CBaker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-5-22 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\users\CBaker\Desktop\Utilities\Virus utilities\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\users\CBaker\Desktop\Utilities\Virus utilities\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8e,cb,41,df,c9,33,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/15/2009 6:00 PM 64288]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\System32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [7/9/2008 5:28 PM 20496]
S1 SASDIFSV;SASDIFSV;c:\users\CBaker\Desktop\Utilities\Virus utilities\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
S1 SASKUTIL;SASKUTIL;c:\users\CBaker\Desktop\Utilities\Virus utilities\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
S1 VBoxDrv;VirtualBox Service;c:\windows\System32\drivers\VBoxDrv.sys [12/21/2009 5:24 PM 123280]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\System32\drivers\VBoxUSBMon.sys [12/21/2009 5:24 PM 41616]
S2 gupdate1c926e716881e10;Google Update Service (gupdate1c926e716881e10);c:\program files\Google\Update\GoogleUpdate.exe [10/5/2008 5:37 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 6:19 AM 1181328]
S2 SBSDWSCService;SBSD Security Center Service;c:\users\CBaker\Desktop\Utilities\Virus utilities\Spybot - Search & Destroy\SDWinSec.exe [12/15/2009 7:41 PM 1153368]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME\TomTomHOMEService.exe [8/27/2009 8:05 AM 92008]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 7:23 PM 21504]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\System32\drivers\netr73.sys [5/24/2009 7:36 AM 501248]
S3 SASENUM;SASENUM;c:\users\CBaker\Desktop\Utilities\Virus utilities\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\System32\drivers\VBoxNetAdp.sys [12/17/2009 3:02 PM 99152]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\System32\drivers\VBoxNetFlt.sys [12/17/2009 3:02 PM 110096]
S3 VBoxUSB;VirtualBox USB;c:\windows\System32\drivers\VBoxUSB.sys [12/17/2009 3:02 PM 31824]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\2007\Office12\EXCEL.EXE/3000
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
FF - ProfilePath - c:\users\CBaker\AppData\Roaming\Mozilla\Firefox\Profiles\2iot7g74.Chuck(Fx3.5)\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - file:///C:/Users/CBaker/Desktop/Client%20Website%20Development/CSC/clients.html
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM-Run-Performance Center - c:\program files\Ascentive\Performance Center\APCMain.exe
HKLM-RunOnce-<NO NAME> - (no file)
 
(cont.)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 09:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-26 09:15:02
ComboFix-quarantined-files.txt 2009-12-26 16:14

Pre-Run: 299,217,997,824 bytes free
Post-Run: 299,173,576,704 bytes free

- - End Of File - - B419FAEC7073B27818313BEDD7823EF8
 
What the heck Shadoefax!
Combofix log? Don't know how to attach? How is your computer running now? Did you turn off System Restore and then turn it back on?
 
Yes, I do know how to attach, but in a previous post I was told to copy/paste. After re-reading Bobbye's instructions, he did indeed say attach. My bad ...

And no ... I'm still experiencing the search engine redirect problem.

ETA: I did not turn on/off system restore. It wasn't explicitly mentioned in Bobbye's post.
 
Sometimes you have to turn off System Restore to make sure infected restore points don't reinfect the computer upon a restart or when you turn on the computer after a night or even after a few days
 
Turn off System Restore. Delete the temporary files by using this utility:
Temp File Cleaner
Restart your computer...

Rerun the 3 scans again, and attach the logs as instructed by the 8-Step Virus & Malware Instructions
 
Shadoefax, I'll try to take you through this. My apology for the delay.
to make sure infected restore points don't reinfect the computer upon a restart or when you turn on the computer after a night or even after a few days

Restore points don't reinfect a computer on restart. 2 of us tried to explain this to Tmagic, but guess it didn't sink in. When the computer is booted up, it does NOT boot from a restore point! We do not turn off the System Restore points at the beginning of the cleaning. Even if malware has gotten into them, using a restore point might be the only way to get back into the system. A restore point is NOT going to reinfect the machine unless you do a system restore to a date that has the malware. We remove all the old restore points when the system is clean and have you set a new clean restore point.

You should update this: Mozilla Firefox 3.5 Beta 4\fx.exe
But I'm puzzled by the fx.exe. I found a reference for that on a torrent download for AdBlockPlus. However, after seeing the multitude of Tracking Cookies you have, it's not doing its job. Try this:

Reset Cookies

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Update Firefox HERE: http://www.mozilla.com/en-US/firefox/3.5.6/releasenotes/ This will give you v3.5.6. It should overwrite the beta you have.

Please reopen HijackThis to 'do system scan only'. Check the following entries if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

(If you have an IE homepage set to open as a blank page, you can leave the entry above. If not, check.)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
O1 - Hosts: ::1 localhost

Close all Windows except HijackThis and click on "Fix Checked."

Can you bring me up to date on the current problems please? You've been sent in a few different directions.
 
Thanks for the reply. Since I seem to be getting conflicting instructions on this forum from too many helpers, I will only follow your advice from here on.

I am aware of the system restore points and how they work. I did turn it off per Tmagic650's instruction even though I knew it would not make a difference in debugging this problem. It is now turned back on and I will create a new restore point when the problem is resolved.

A note about Mozilla Firefox 3.5 Beta 4\fx.exe:
I am currently using Firefox 3.5.7 even though the directory name would seem to indicate otherwise. As a developer, I may have several versions of Firefox installed to test/debug my extensions and sometimes re-use the same directory but forget to rename it.

I have temporarily renamed firefox.exe to fx.exe because that is the only method I have discovered that actually eliminates the search engine redirection issue. It only cures the symptoms though, not the problem.

Firefox cookies have been reset. (BTW, Since Firefox 3.5, the cookie manager is located in Tools > Options > Privacy [Drop down menu > Use custom settings for history])

I have AdBlock Plus installed, but disabled. Some of the forums I frequent will not allow ads to be blocked. Besides, it seems to slow down browsing for me.

After running HiJackThis again and allowing the fixes, the redirection problem has seemed to disappear! It has disappeared in the past, though, only to return a few hours or days later. Two of the items in the HijackThis log were fixed the last time you instructed me to run it (See this post). The only difference this time is that I chose "Run as administrator" so it could fix the hosts file. (Previously I got a message saying it could not open the hosts file.) Strangely enough, one of the first things I checked when this problem started was the hosts file. It only had one entry (localhost) so I assumed all was ok with it.

I will post again in a few days to let you know if the problem has truly been solved or is just taking a break. Thanks so much for your help!
 
Thank you for the great explanation. About the conflicting information: I am very sorry about that. I continue to hope that this board will be more controlled as to the advice given. I'm sure it is confusing to those with the problem, especially since most are not as experienced as you are.

About attaching vs pasting: I was able to get the pasting of the HJT log authorized. When that is done, I can search to identify entries directly from my browser instead of having to go through the copy and paste routine. That saves me a large amount of time. Then any other logs can be attached. Some members don't understand this although it has been explained. Occasionally, such as in the case of a host file hijack(01) or Logitech Desktop Manager (018), the log is too long to be within the character limit so it has to be attached. That might be confusing to some, but an explanation as to the reasoning may help with the understanding.

Thank you for the heads up on the Cookie settings for FF v3.5. I'll add that to my reset instructions. I've been sticking with v3.0.17 as one of the add-ons I use isn't compatible with v3.5. 'Course it has to be the most valuable add-on I have! That's kind of how things work, isn't it?

Do you have the Easy List filter with AdBlockPlus? I haven't noticed any slowdown and it's great to see a blank white space instead of an ad!

Let me know how you're doing when you resume- we'll go from there.

Wishing you a Happy New Year.
 
New Restore Points are created many times when programs or utilities are installed... I have seen "infected" restore data flagged and removed by many malware cleaners. There is nothing wrong with turning off System Restore (deleting all saved restore points) and creating new clean restore points once in a while. I hope you can understand this
 
Tmagic, go back to the books and read about this feature:

I have seen "infected" restore data flagged and removed by many malware cleaners.
There is nothing wrong with turning off System Restore (deleting all saved restore points) and creating new clean restore points once in a while.
New Restore Points are created many times when programs or utilities are installed.

Look until you find something you can understand about the significance of malware in restore points and why turning off system restore at the onset of cleaning is not recommended.

It's When you do it that's appropriate.

Do you even know that the owner should set a new restore point before an update, install, download, etc?

STOP telling these members to turn it off. It is wrong and it could mean that someone might not be able to access their system.

For a computer technician, you surely have little understanding! You are still not aware of System Restore, how it works, when restore points are set and when they should be removed.
 
I am going by experience here. We have gone over and over the System Restore debate. I turn it off after a period of time, and turn it back on, and create one so that I have a known good restore point, that has my most recent drivers, settings and programs in it. This seems like a good common-sense thing to do... I know you don't have much computer hardware experience. It must be the leftover temp files that reinfect most computers thought to be clean in most cases here though. I have cleaned over 6GB's of temp files on a single infected computer. A massive amount of left over cookies, also contributes or aids infections
 
Turning off System Restore to clean out old files and turning off system Restore at the beginning of cleaning are NOT- Tmagic- NOT the same issue! Why can't you get that through your head!

This discussion ends. It serves no purpose on this thread.
 
This discussion ends. It serves no purpose on this thread...

Bobbye, just remember that you start all these, by constantly posting nagging, know-it-all and insulting remarks towards some of us. I am just trying to help
 