Adware, redirected links, and "missing cd"

Status
Not open for further replies.

rhinotough

Posts: 22   +0
Yesterday I began encountering some difficulties with adware. I downloaded, ran, and promptly uninstalled the latest free Ad-Aware, which found 4 "problems" that I deleted, but that didn't help. I keep getting directed to ad sites (most helpfully for McAfee and Norton security packages) and I'm also getting an error message (c0000013 Parameters 75b6bf7c 75b6bf7c 75b6bf7c) that means I need to insert the proper CD. I'm running XP. Here's the HJT file I created this morning. Can't wait to hear from you folks!
 
It mostly worked....

I followed all 8 steps as you recommend. The proxy server that Firefox was operating on no longer responds, and my Google homepage no longer works. I've attached the log files for Malwarebytes, SAS, and HJT.
 
I assume you don't use a proxy server, as none was shown in your first HijackThis log.

Go to Internet Settings
From the "Tools" menu, select "Internet Options".
Click the "Connections" tab.
Under "Local Area Network Settings," select "LAN Settings".
Under the header "Proxy Server," uncheck "Use a Proxy Server."
Click "OK" twice to save your preferences.

Restart internet explorer.

Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

Choose one of the servers at Majorgeeks....save the file on your desktop

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe
And save to the desktop.


Open Notepad and copy/paste the text in the quote box below into it.
Name the file CFScript.txt
and save it on the desktop.

Killall::
Snapshot::
File::
c:\windows\ld08.exe
c:\windows\pp06.exe
C:\WINDOWS\system32\lewiyidi.dll
c:\windows\system32\razifazi.dll
Folder::
C:\WINDOWS\system32\796525

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

ComboFix will create a log file and display it after your computer has rebooted. It is usually located at C:\ComboFix.txt; please attach it to your next post.

Note:
Do not click ComboFix's window while it is running. That may cause it to stall.
 
I assume you don't use a proxy server, as none was shown in your first HijackThis log.

I simply switched to "No proxy" in the "Configure proxies to access the internet" dialog, under "Settings" on the "Advanced" tab of Firefox's "Options" menu under "Tools". Will that cause me more problems? It seems to be working just fine.

This is the only text file that I think could be the log file. I ran the CFScript through ComboFix twice and restarted after each run. The Comodo firewall that I installed per the 8 steps threw up a bunch of red flags, but I OK'd all of them. Thanks so much for all your help thus far!
 
Great :)

Please download The Avenger by Swandog46 to your Desktop: http://swandog46.geekstogo.com/avenger2/download.php
Click on Avenger.zip to open the file.
Extract avenger2.exe to your desktop.

Start Avenger

Files to delete:
c:\windows\ld08.exe
c:\windows\pp06.exe
c:\windows\t55ft2692f44.dat
c:\windows\9g2234wesdf3dfgjf23
C:\windows\system\system32.dll
C:\windows\system\sys32.dll
C:\WINDOWS\System32\Taskmgr.bat
C:\WINDOWS\System32\Firewall.bat
C:\43214354.bat
c:\windows\system32\asitelig.ini
c:\windows\system32\ivujabek.ini
c:\windows\system32\emularip.ini
c:\windows\system32\ovfsthiamwiuusocooxtnlmihsjcylpqrloyul.dat
c:\windows\system32\ovfsthnsvstkdqfbbabdrwqxqrvocolmcrtido.dat

Folders to delete:
c:\windows\system32\796525
c:\windows\9g2234wesdf3dfgjf23

Copy/Paste all the text in the above quote box into the main window
Click Execute

The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of The Avenger's actions.

This log file will be located at C:\avenger.txt

Attach C:\avenger.txt in next reply.

If you can run ComboFix now, please do, and attach that log as well.
 
Wonderful! Thanks for all your work. I'm still experiencing the problem of links being redirected to the wrong website. Do you have any thoughts about that?
 
What I meant was: you wrote "Here's the new HJT."

You have NOT attached a HijackThis log!
 
Great :D

Run a scan in HijackThis. Check each of the following entries that still exists, then hit 'Fix checked' (make sure not to miss any):
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user')
O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe



Reboot, then attach a fresh HijackThis log.
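The O4 list above mixes entries the helper wants gone (ld08.exe, pp06.exe, SYS32DLL) with ordinary vendor autostarts. As an added example, not from the thread and not HijackThis code, here is a small Python triage pass over exactly those O4 lines. It parses each line into location, entry name and executable, then applies four heuristics that are my own assumptions about what deserves a second look: an executable with no path at all (resolved through the search order), a loose executable sitting directly in the Windows directory rather than system32 or Program Files, an unquoted Run-key path containing spaces, and an entry that runs under the SYSTEM or Default User hive. The flags are hints for a human, not a verdict; the rundll32 handling and the regexes are mine.

```python
"""Parse HijackThis O4 (autostart) lines and flag entries that deserve a closer look.

Added example: not HijackThis code and not from the thread. The heuristics are my
own assumptions about what makes an autostart entry suspicious; they are triage
hints, not a verdict.
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the O4 lines the helper listed in the thread.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user')
O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
""".strip().splitlines()

# Registry Run-key form:  O4 - <hive>\..\Run: [<name>] <command> (User '<user>')
RUN_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
                    r"(?: \(User '(?P<user>[^']*)'\))?$")
# Startup-folder form:    O4 - <where> Startup: <shortcut> = <target> (User '<user>')
STARTUP_RE = re.compile(r"^O4 - (?P<loc>.*Startup): (?P<name>.+?) = (?P<cmd>.*?)"
                        r"(?: \(User '(?P<user>[^']*)'\))?$")
# First token ending in an executable extension (unquoted paths may contain spaces).
EXT_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|dll|bat|cmd|com|scr))(?:\s+(?P<args>.*))?$", re.I)
# Executable directly under the Windows directory, e.g. C:\windows\ld08.exe.
WINROOT_RE = re.compile(r"^(?:[a-z]:\\windows|%systemroot%|%windir%)\\[^\\]+$", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def split_command(cmd: str) -> Tuple[str, str, bool]:
    """Split a Run-key command into (executable, arguments, was_quoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, args = cmd[1:end], cmd[end + 1:].strip()
        quoted = True
    else:
        quoted = False
        m = EXT_RE.match(cmd)
        if m:
            exe, args = m.group("exe"), (m.group("args") or "").strip()
        else:
            parts = cmd.split(None, 1)
            exe, args = parts[0], (parts[1] if len(parts) > 1 else "")
    # rundll32 only hosts a DLL; the DLL named before the comma is the real payload.
    if basename(exe).lower() == "rundll32.exe" and args:
        exe = args.split(",", 1)[0].strip().strip('"')
    return exe, args, quoted


def flags_for(loc: str, target: str, quoted: bool) -> List[str]:
    """Heuristic flags (assumptions of this example, not HijackThis rules)."""
    flags = []
    if "\\" not in target and "/" not in target:
        flags.append("no-path")              # whatever the search order finds first runs
    elif WINROOT_RE.match(target):
        flags.append("windows-root")         # loose exe in %windir%, not system32/Program Files
    if loc.endswith("Run") and not quoted and " " in target:
        flags.append("unquoted-spaces")      # ambiguous CreateProcess parsing
    if "S-1-5-18" in loc or ".DEFAULT" in loc:
        flags.append("system-or-default-hive")  # runs for SYSTEM / every new profile
    return flags


def parse_o4(line: str) -> Optional[Dict]:
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    target, args, quoted = split_command(m.group("cmd"))
    return {"location": m.group("loc"), "name": m.group("name"), "target": target,
            "args": args, "quoted": quoted, "user": m.group("user"), "raw": line}


def triage(lines) -> List[Dict]:
    rows = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None:
            entry["flags"] = flags_for(entry["location"], entry["target"], entry["quoted"])
            rows.append(entry)
    return rows


def flagged(rows: List[Dict]) -> List[Tuple[str, str, List[str]]]:
    return [(r["name"], r["target"], r["flags"]) for r in rows if r["flags"]]


if __name__ == "__main__":
    for name, target, fl in flagged(triage(HJT_O4_LINES)):
        print(f"{name:20} {target:60} {', '.join(fl)}")
```

Run against the thread's list, the three entries the helper singled out all surface (ld08.exe and pp06.exe as loose executables in the Windows directory, SYS32DLL as a bare name with no path that also runs for SYSTEM and Default User), alongside a few vendor entries that trip the weaker unquoted-path and hive heuristics and are there to be checked, not deleted.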
 
I've missed something, sorry.

Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

Choose one of the servers at Majorgeeks....save the file on your desktop

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Reboot, and tell me how things are running.
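The HostsXpert steps here (and the identical block in the earlier ComboFix post) replace the hosts file with the stock Microsoft one, because a tampered hosts file can both send well-known names to an attacker's address and silently stop security software from reaching its update servers. As an added example, not from the thread and not HostsXpert code, the Python below shows what such an audit checks before the restore. It parses a hosts file, treats loopback and 0.0.0.0 entries as the ordinary ad-blocking pattern unless they sink a security vendor's name, and reports any entry pointing a name at some other address as a redirect. The vendor watch-list, the sample file and the 198.51.100.7 placeholder address are constructed for illustration.

```python
"""Audit a Windows HOSTS file for entries that redirect or block name resolution.

Added example, not part of the thread and not HostsXpert code. The vendor watch-list
and the sample file are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption: domains whose blocking would stop security tools from updating.
# A hypothetical watch-list, not one taken from the thread.
SECURITY_DOMAINS = ("avira.com", "mcafee.com", "norton.com", "symantec.com",
                    "malwarebytes.org", "superantispyware.com",
                    "windowsupdate.com", "microsoft.com")

# Stock Windows XP hosts content, which "Restore MS Hosts File" puts back.
DEFAULT_XP_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample; 198.51.100.7 is a TEST-NET-2 placeholder, not a real attacker.
SAMPLE_HOSTS = """\
# constructed sample, not the poster's real hosts file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # blocklist-style line, harmless
0.0.0.0         ads.example.com         # blackhole form, also harmless
127.0.0.1       update.avira.com        # hypothetical: would stop the AV updating
198.51.100.7    www.google.com          # hypothetical redirect of the homepage
198.51.100.7    www.mcafee.com          # hypothetical redirect of a vendor site
this is not a hosts entry
"""


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per non-comment line: line number, address, host names."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None                               # Windows ignores it; still worth seeing
        records.append({"line": lineno, "addr": addr,
                        "names": [n.lower() for n in fields[1:]],
                        "raw": raw.rstrip()})
    return records


def watched(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def classify(rec: Dict) -> Optional[str]:
    """Verdict for one record, or None when the line looks benign."""
    addr = rec["addr"]
    if addr is None:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        # 127.x, ::1, 0.0.0.0 and :: only sink the name; that is how ad-blocking
        # hosts files work, so it is benign unless it sinks a security vendor.
        if any(watched(n) for n in rec["names"]):
            return "blocks-security-vendor"
        return None
    # Any other address sends the name somewhere else: the redirect pattern.
    return "redirect"


def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    findings = []
    for rec in parse_hosts(text):
        verdict = classify(rec)
        if verdict:
            findings.append((rec["line"], verdict, rec["raw"]))
    return findings


def is_stock(text: str) -> bool:
    """True when the file maps nothing but localhost to loopback, like the restored MS file."""
    return all(r["addr"] is not None and r["addr"].is_loopback and r["names"] == ["localhost"]
               for r in parse_hosts(text))


if __name__ == "__main__":
    for line, verdict, raw in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line:2}: {verdict:24} {raw}")
    print("stock file:", is_stock(DEFAULT_XP_HOSTS))
```

On a real machine, point `parse_hosts` at the contents of `%SystemRoot%\system32\drivers\etc\hosts`; a clean XP box should make `is_stock` return True. The "Make Read Only?" step in the instructions sets the file's read-only attribute, which stops casual rewrites but not code running as the same user, so the audit is worth repeating after a cleanup.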
 
It's hard to tell, but I think that fewer links are being redirected, although some are still not linking to the appropriate address. Also, Avira is not able to update for some reason. Here's an HJT scan after the HostsXpert download and reboot.
 
Please download http://jpshortstuff.247fixes.com/GooredFix.exe
and save it to your Desktop. Double-click GooredFix.exe to run it. Select "Find Goored (no fix)" by typing 1 and pressing Enter.
You will be presented with a log, please attach the contents of that log in your next reply. (It can also be found on your desktop)
 
Please double-click GooredFix.exe on your Desktop to run it. Select "Fix Goored" by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again.
A log will open; please attach the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

And tell me how things are running.
 
That's good news :)

Now that your computer problems are solved, it is time for the clean-up procedure.
You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe and click CleanUp. When asked "Begin cleanup Process?", click Yes. Restart your computer when prompted.
Please note: it will NOT remove MBAM, CCleaner and SUPERAntiSpyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place

If you have any comments or questions, feel free to post back.

Otherwise, keep safe :wave:
 