Web-prayers.com (address) blank pop-up windows when I click web search results

  #1  
Old 12-05-2007
Newcomer, in training
 
Member since: Dec 2007, 8 posts
Web-prayers.com (address) blank pop-up windows when I click web search results

Hi,

Starting a few days ago, whenever I've clicked on the linked results of a web search (I'm using IE 6.0), I've been having new blank browser windows open with address (for example - clicking google's linked search results) "web-prayers.com/search.php?qq=google." As far as I can tell, the result is the same if I click the linked results for any web search. If I right click and open a linked result in a new window, the proper linked page opens.

I've just spent a few hours running all of the required scans, installing a firewall, etc. mentioned on your instructions page. I accidentally had Panda Antiroot Kit delete the two problems it found - I'm pretty sure they were both registry entries and that one was called something like "block firewall" and the other something like "block antivirus."

Attached are my log files from Hijackthis, AVG and Combofix.

Please let me know. Thanks.
Attached Files
File Type: txt Combofix log.txt (11.3 KB, 4 views)
File Type: log hijackthis log.log (7.5 KB, 7 views)
File Type: txt AVG log -20071201-023148.txt (16.0 KB, 4 views)
  #2  
Old 12-05-2007
Bobbye's Avatar
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
I have not reviewed your logs.

But see if this works for you: For web-prayers:
Open IE7> Tools> disable the add-on "E404mgr class"> Apply> OK
  #3  
Old 12-05-2007
Bobbye's Avatar
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
To whomever deletes or moves posts: Please leave some indication of what has been done. When I get feedback with a link, I expect to see what I am being linked to.

Someone appears to have removed or moved the following:
From S_RIDDLE:
"Would that be the same fix for IE6??? I AM HAVING THE SAME PROBLEM, STARTED 12/2"

For IE6> tools> Manage Add-ons> look for "E404mgr class"> highlight> Disable> Apply> OK.

I don't have time to go chasing posts and it is not fair to expect me to.
  #4  
Old 12-05-2007
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,

The reason why that post was deleted was because the user had a similar problem. He has been notified via PM to start a new thread detailing the specifics of his problem. The forum rules indicate that each user is entitled to his own thread for his own problem.

Judging by the case here, Stuporman's system is likely to be infected; so is S_RIDDLE if he encounters the same symptoms. I would encourage you to ask him to start a new thread if he sends you a PM requesting for help instead.

I apologise for any misunderstanding and inconvenience caused.

Regards,
momok
  #5  
Old 12-05-2007
Newcomer, in training
 
Member since: Dec 2007, 8 posts
No such add-on in my IE 6

Hi,

I've looked through the add-ons for my IE 6 and can't find "E404mgr class." I've attached 4 screenshots of the list of add-ons (labeled 1-4 in order from top to bottom of the list, beginning on the left, then on the right). Please let me know if any of the items on the list look suspicious.

Does anyone have any idea what this might be? Am I safe just using Firefox in the meantime - should I format my hard drive?

Thanks again.
Attached Images
File Type: jpg add-ons (1).JPG (74.0 KB, 2 views)
File Type: jpg add-ons (2).JPG (73.2 KB, 2 views)
File Type: jpg add-ons (3).JPG (70.5 KB, 2 views)
File Type: jpg add-ons (4).JPG (69.0 KB, 2 views)
  #6  
Old 12-05-2007
TechSpot Member
 
Location: NJ, USA
Member since: Oct 2007, 155 posts
im not sure how to fix the problem but yes firefox should be safe in the meantime, because most browser hijacks/whatever are directed towards internet explorer, not firefox. kind of like how windows pc's get viruses and its almost impossible for a mac or such to get one. because most people use ie/windows.

i dont think you would need to format your hard drive yet. formatting is often the last resort to get rid of something, and since this thread has barely even started, i dont think it would be wise (personally) to format your hard drive. i'll look at those add ons screen shots, but in the meantime, id say yes, use firefox

its a better browser than IE anyway. faster, safer, more extensions, themes... if you want a good firefox theme, use the theme called Vista Aero

its what i use. also, if you use firefox and decide to stay with it, just ask me for some good addons, ill link you to every one i use, or at least those that are helpful lol.

EDIT: those screenshots look good to me. if anything though, i would say get rid of those dictionary.com ones, but that would be up to your decision.

Last edited by plasma dragon00; 12-05-2007 at 07:44 PM..
  #7  
Old 12-05-2007
TechSpot Member
 
Location: NJ, USA
Member since: Oct 2007, 155 posts
i think i may have found the problems, but im currently looking further into this. id say wait to hear from one of the Special Forces here or someone who knows for sure what exactly is bad and not, but from my googling it, it seems that the problems could lie here in hjt:

Code:
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://152.1.131.130/activex/AMC.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://bardcam.colorado.edu/activex/AMC.cab

also, if someone could look into what this is? im not sure if its bad or not, but it couldnt hurt to check.

Code:
O24 - Desktop Component 0: (no name) - (no file)

almost seems like it could be useless, but im not sure. im not very experienced with hjt logs, but if i see something unusual, ill google it because i have a lot on my pc and i know what it is.

good luck, (and may god be with you lol )

~plasma
  #8  
Old 12-05-2007
Newcomer, in training
 
Member since: Dec 2007, 8 posts
Thanks, Plasma - I am going to keep on using Firefox in the meantime.

But get rid of the dictionary.com helper? Are you saying that because you think it poses some threat? I'm a student and need to look up words all the time - if the Oxford English Dictionary had a toolbar, I'd gladly install that, but, till then, dictionary.com is my go-to.

Thanks again for your help.
  #9  
Old 12-06-2007
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,
  1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    Quote:
    File::
    C:\WINDOWS\system32\e404d.dll
    C:\WINDOWS\system32\dllcache\svchost.exe
    C:\WINDOWS\System32\sw20.exe
    C:\WINDOWS\System32\sw24.exe
    C:\WINDOWS\System32\winsys2.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
  2. Save this as CFScript on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of Stuporman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
  #10  
Old 12-10-2007
Newcomer, in training
 
Member since: Dec 2007, 8 posts
After change in Combothis

Hi Momok,

Sorry I didn't reply sooner - for some reason, I didn't get any e-mail notification about your new response to my post.

I've just made the change you mentioned in Combothis, run the 3 scans and generated 3 new log files (attached).

Thanks for your help. Please let me know how to proceed.
Attached Files
File Type: txt AVG Antispyware Scan Log.txt (16.5 KB, 1 views)
File Type: txt combofix log.txt (13.0 KB, 2 views)
File Type: txt hijackthis log.txt (7.4 KB, 1 views)
  #11  
Old 12-10-2007
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,
  1. Have HijackThis fix the following entries:
    O21 - SSODL: E404Helper - {c674a3a8-5adb-439e-b906-ee7515eeb98b} - e404d.dll (file missing)
    O24 - Desktop Component 0: (no name) - (no file)

  2. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    Quote:
    File::
    C:\WINDOWS\system32\drivers\jqnmbdcwawdr.sys
    Folder::
    C:\Documents and Settings\Noah1\C59I7YFW
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
  3. Save this as CFScript on the desktop.
  4. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.

  5. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

Thereafter, please post a fresh HJT log and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of Stuporman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
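
Added illustration, not part of any post in this thread: a small Python parser for the HijackThis lines quoted in posts #7 and #11. It picks out entries whose backing file is gone (the "(file missing)" and "(no file)" markers), which are the two entries post #11 asks to have fixed. The `section - kind: detail` line shape and the function names are assumptions inferred only from the lines quoted here.

```python
import re

# The four HijackThis lines quoted in posts #7 and #11 of this thread.
SAMPLE_LOG = """\
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://152.1.131.130/activex/AMC.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://bardcam.colorado.edu/activex/AMC.cab
O21 - SSODL: E404Helper - {c674a3a8-5adb-439e-b906-ee7515eeb98b} - e404d.dll (file missing)
O24 - Desktop Component 0: (no name) - (no file)
"""

# Assumed shape: "<section> - <kind>: <detail>", e.g. "O21 - SSODL: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<detail>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers seen in the quoted lines for an entry whose file no longer exists.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entries(log_text):
    """Return one dict per line that matches the assumed entry shape."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # log header, process list, blank lines
        detail = m.group("detail")
        clsid = CLSID_RE.search(detail)
        entries.append({
            "section": m.group("section"),
            "kind": m.group("kind").strip(),
            "clsid": clsid.group(0).lower() if clsid else None,
            "orphaned": detail.rstrip().endswith(ORPHAN_MARKERS),
            "line": line,
        })
    return entries


def orphaned_entries(log_text):
    """Entries that still sit in the registry but point at no file."""
    return [e for e in parse_entries(log_text) if e["orphaned"]]


if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(entry["section"], entry["kind"], entry["clsid"])
```

An orphaned entry only says the referenced file is absent; whether the entry should be removed is still a judgement for whoever reviews the log.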
  #12  
Old 12-10-2007
Newcomer, in training
 
Member since: Dec 2007, 8 posts
One more try...

Here are the logs after this most recent round of alterations to combofix and scans.

Thanks.
Attached Files
File Type: txt AVG Antispyware.txt (19.0 KB, 1 views)
File Type: txt Combofix.txt (12.4 KB, 2 views)
File Type: txt hijackthis.txt (7.3 KB, 1 views)
  #13  
Old 12-10-2007
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,

Your logs look almost clean, except for a little issue. Are you experiencing any problems?

Go to start > run and type msconfig. Press the enter key.
Search for the following entries. Uncheck them to stop them from starting up.

WinSys2

If SpyBot prompts you, select allow. Reboot your system and run a ComboFix scan and post that log back here.

Regards,
momok =)
  #14  
Old 12-10-2007
Bobbye's Avatar
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
momok, just make a comment if a post is deleted on an active thread. Yes, there are reasons to do it, but I still get feedback from the original! If a note had been made, I could have addressed it in the new location.

I see you found the "C:\WINDOWS\system32\e404d.dll"- directions I was going by referred to the add-on itself. Must be another entry for it.

Stuporman, the first two screen shots for add-ons don't show the file, so it may have been there. A TIP for you: in the Add-on section, the dialog box has 2 settings>> 'add-ons currently on the system' and 'add-ons previously on the system'. You have way too many add-ons currently running. Disable all but those you need. Firefox will give a message "Firefox has blocked a plug-in for safety>> Options". When you click on Options, you will find what you need and can enable it at that time.

From a safety point of view, it's not a good idea to carry around add-ons you aren't using or don't need. Many require the Active X Object and the fewer of these running, the better.
  #15  
Old 12-10-2007
Newcomer, in training
 
Member since: Dec 2007, 8 posts
Winsys2.exe.vir is in a quarantine folder.

Hi again momok,

I couldn't find Winsys2 in msconfig under any of the tabs (I take it that's where you expected me to find it). A search of the C: drive found the file in c:\qoobox\Quarantine\C\Windows\system32. Please let me know if there's anything I should do with msconfig or this file.

In response to your question, though, all seems normal with my system now - the original problem (web-prayers.com pop-ups) has gone away.

Thanks!

Bobbye -

Thanks for the advice on the add-ons - I've just gone through and cleaned up IE a bit, although I'm using Firefox now (I think permanently). I'll be sure not to have too many add-ons active if I can avoid it.

Thanks again to both of you.

-Stuporman
  #16  
Old 12-11-2007
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,

Your logs look clean now.
  1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine) You may delete the entire ComboFix QooBox folder too.

  2. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  3. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  4. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
momok =)

This thread is for the use of Stuporman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  #17  
Old 12-11-2007
Newcomer, in training
 
Member since: Dec 2007, 8 posts
Problem with System Restore

Hi momok,

I'm having trouble turning off (and on again) system restore - every time I get into system properties and try to go to the "System Restore" tab, the system properties window freezes and I get an error message: "Run a DLL as an App has encountered a problem and needs to close..."

If you have ideas as to what I should do about this, please let me know.

I will follow the other steps you suggested, though. Thanks again.
  #18  
Old 12-12-2007
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Hi,

Could you try the steps listed in HERE?

If it doesn't work, then you should probably reinstall System Restore via the steps as listed in HERE.

Regards,
momok =)
  #19  
Old 12-12-2007
Newcomer, in training
 
Member since: Dec 2007, 8 posts
All set

That did it, Momok. I think I'm all set.

Thanks again for all of your help!