Clicking on search results get redirected (8 steps done)

arliebyrd

Posts: 9   +0
For almost a week, every time I click on a Google search result, instead of going to the result website I get redirected to random websites. As per your instructions at "8-step Viruses/Spyware/Malware Preliminary Removal Instructions", I have attached the 3 logs that you requested.

For some weird reason I didn't see that I don't have to check the Old Prefetch Data option for CCleaner. Is my computer going to have any problem since I had it checked the first time I ran it?
 

Attachments

  • SUPERAntiSpyware Scan Log - 01-24-2010 - 18-10-29.log
    1.5 KB · Views: 4
  • hijackthis.log
    11.6 KB · Views: 4
  • mbam-log-2010-01-24 (17-38-52).txt
    868 bytes · Views: 4
Delete these:
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"


and run the Eset On-line scanner.
 
You are having the member remove the legitimate entry
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"


why is that?

And you aren't mentioning that both McAfee and Symantec are running.

why is that??

And you are having her run Eset now?

why is that?
 
You are having the member remove the legitimate entry
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"


why is that?

Because it is not necessary

And you aren't mentioning that both McAfee and Symantec are running.

why is that??

arliebyrd can decide what program to use


And you are having her run Eset now?

why is that?

Why not run the Eset Scanner now?
 
Because it is not necessary

You do not have the right to tell the member this is not necessary. If you want to point it out as an optional removal at some point and include all the other "not necessary" programs that don't need to start on boot and run in the background, then list all of the other 21 processes.

I would guess that you don't even realize that LeapFrog is a touch reading program for children. This member could easily have a child that uses this program regularly.

arliebyrd can decide what program to use

Yes, but pointing it out is important. Many users don't know they have multiple AV programs running, or they might never have used a program the manufacturer preloaded. They aren't aware that it's on startup anyway, and it has to be properly removed. Telling them why they shouldn't have multiple antiviruses or firewalls is important. They can 'choose' which they want, but only if they are aware.

Tmagic, I'm going to say this once and I don't plan to come back on any of the threads you've picked up:
When someone asks for help, it is the responsibility of the helper to give them the best help possible. And this is based on many things: checking program versions that were run, checking update status, checking for security programs, understanding the significance of the log entries.

Then if the helper tells someone to run a program, the helper will be responsible for handling the results. You don't tell someone to run Combofix and/or Eset and then ignore the results. You don't ask if everything is running okay then walk away. If you read a log with entries you don't understand, search for information, or ask someone who is more knowledgeable. (That is not an offer.) Many times the initial problem such as a redirect can be resolved, but that doesn't mean that all of the malware has been found and removed.

And you don't desert a thread, leaving someone with all the extra programs and reports and logs they've created.

You may have 10,000 posts to your credit, but that in no way is a resume of your ability to clean a system correctly and fully.
 
You do not have the right to tell the member this is not necessary. If you want to point it out as an optional removal at some point and include all the other "not necessary" programs that don't need to start on boot and run in the background, then list all of the other 21 processes.

I would guess that you don't even realize that LeapFrog is a touch reading program for children. This member could easily have a child that uses this program regularly.

It was "flagged" by HijackThis.de Security...



Yes, but pointing it out is important. Many users don't know they have multiple AV programs running, or they might never have used a program the manufacturer preloaded. They aren't aware that it's on startup anyway, and it has to be properly removed. Telling them why they shouldn't have multiple antiviruses or firewalls is important. They can 'choose' which they want, but only if they are aware.

Yes, but... explains this

Tmagic, I'm going to say this once and I don't plan to come back on any of the threads you've picked up:
When someone asks for help, it is the responsibility of the helper to give them the best help possible. And this is based on many things: checking program versions that were run, checking update status, checking for security programs, understanding the significance of the log entries.

Yes, we are all learning...

Then if the helper tells someone to run a program, the helper will be responsible for handling the results. You don't tell someone to run Combofix and/or Eset and then ignore the results. You don't ask if everything is running okay then walk away. If you read a log with entries you don't understand, search for information, or ask someone who is more knowledgeable. (That is not an offer.) Many times the initial problem such as a redirect can be resolved, but that doesn't mean that all of the malware has been found and removed.

We do our best, don't we?

And you don't desert a thread, leaving someone with all the extra programs and reports and logs they've created.

I was off-line for shoulder surgery. I'm sorry if posts were deserted. They disappear fast off the active page, don't they?

You may have 10,000 posts to your credit, but that in no way is a resume of your ability to clean a system correctly and fully.

We are all learning, and trying to help at the same time. I have learned a lot from our members over the last 10,000 plus posts. I hope I have helped many too.
 
It was "flagged" by HijackThis.de Security...

It's a hard pill to swallow that you are using some automated program to find entries! If you can't determine these by searching and identifying, then you shouldn't be posting in this forum. Why should the user even bother with you if they can use an automated program like you do!

Warning for the ones who use hijackthis.de
by Marianna Schmudlach Moderator - 1/15/05 10:11 AM

As more and more people seem to use the automated version and a rumor was running around: as far as being inaccurate, I suggest you talk to the authors of HJT, as it's their site, maintained by them and their support forums.

Merijn himself replied:

"The automated log parser at hijackthis.de was created without my knowledge or consent, and though I don't think it's a bad idea in the first place, you shouldn't rely solely on the automatic parser since it's pretty flawed. I've only used it a couple of times on infected logs and it shows both false positives as false negatives. You can use it for guidance, but the results should be taken with a grain of salt. Generally I feel that the only parser bound to be perfect is your own mind, together with the lists of Startups from Pacman, and the list of CLSIDs from TonyKlein."

http://www.wilderssecurity.com/showthread.php?t=62044

Yes, but... explains this
You search the internet and find out WHY multiple AV programs are not desirable. You explain that to the user. Then you give them the tools to remove them. You take the time to search and write up this information.

We do our best, don't we?
Not all computer users/builders/technicians, etc. are aware of cleaning programs or techniques. Those people can better apply the knowledge they DO have to the area where that knowledge is needed.

I am not 'training' you Tmagic. It just bothers me a lot that you're replying in this forum at all.

My discussion about this ends here.
 
I just got back from a business trip and saw the posts just now. I'm sorry, but now I don't know what my next step is. Maybe this info would help:
- I am using McAfee, the free version from Comcast (not sure if there's any difference from the one that you buy)
- I thought I got all the Norton/Symantec software out. I didn't think I needed it after installing McAfee
- I have two kids who use the Leapster program on the computer. I would prefer that it doesn't get messed up while I'm trying to fix the computer

Thanks for the help guys
 
arliebyrd, I have kids and have made good use of the Leap Frog products. There is no need for you to stop any processes related to this program.

About Symantec/Norton: I think half the people in the world who have a computer still have an entry left for the program! This is mainly because so many computer manufacturers preload it on the system before shipping. And as I pointed out, many never use Norton so it's always a good idea to advise people of multiple antivirus programs.

Please download the Norton Removal Tool and save it to your desktop.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Then double click on the Norton file you saved and run it. You do not need the license key number to uninstall it. Follow any onscreen prompts. Boot back into Normal Mode when finished.

When that has been done, please reopen HijackThis to 'do system scan only.'. Check each of the following if present: Optional removals are in green.

R3 - URLSearchHook: (no name) - - (no file)
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE >> See Option 1
O16 - DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} (pmjpegcam Class) - http://71.130.101.78:8101/JpegInst.cab >> See Option 2
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing) >> See Option 3
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: (no name) - http://b2.lilypie.com/cAWGm7.png >> See removal instructions at end.
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Owner\Desktop\baby_desktop.html


Option 1: Install Pending Files.LNK
Uninstall program for Lanovation's Prism Deploy and Prism Pack administrators' software deployment tools. The site information is HERE.
If this is something that you or other family members use, leave it. If not, check it for HJT to remove.

Option 2: PMJPEG is a shareware image viewer with quick JPEG. It has 'PixWizard' which can take over opening .jpg files. IF you are aware of this and have it installed intentionally, no problem. As far as I can see it's a legitimate program. 'Sharing' is always a word that concerns me.

Option 3: TPSvc is related to the Vmware Workstation 6.0 virtualization software. This program uses the Winlogon Notify key to automatically start. Again, this might be a program that you or your family uses. Read about it HERE. If you aren't using it, HJT should remove the entry and it should be uninstalled.

Close all Windows except HijackThis and click on "Fix Checked."

Removing the O24 entries in HijackThis:
Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> uncheck and delete everything you find in there (except for "My current home page")> Also remove the check mark from the Lock Desktop Items box if it is checked> Apply> OK> Close.

The next step depends on the Optional Removals. When you have made the decisions and finished the HijackThis removals, please run a new scan and attach new log to next reply.
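The triage above (orphaned "(no file)"/"(file missing)" entries fixed outright, everything else reviewed with the owner before removal) can be applied mechanically to a pasted HijackThis log. This is an added example, not code from the thread or from HijackThis; the sample lines are the ones quoted in this thread, and LEFTOVER_VENDORS is an assumption about which uninstalled security product to look for.

```python
import re
from urllib.parse import urlparse

# Sample HijackThis lines of the kinds discussed in this thread (entries quoted
# from the thread above, not a complete log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O16 - DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} (pmjpegcam Class) - http://71.130.101.78:8101/JpegInst.cab
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: (no name) - http://b2.lilypie.com/cAWGm7.png
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Owner\Desktop\baby_desktop.html
"""

# Security products the owner says were uninstalled; a service from one of
# these still registered is a leftover worth pointing out (assumption).
LEFTOVER_VENDORS = ("Symantec",)

ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.+)$")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def triage(line):
    """Classify one HijackThis line as (verdict, reason).

    'orphan': the entry points at a file that is gone, so fixing it loses nothing.
    'review': looks legitimate but the owner must decide (optional removal).
    'keep': nothing anomalous by these rules.  'skip': not an HJT entry.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return "skip", "not a HijackThis entry"
    kind, body = m.group("type"), m.group("body")
    target = body.split(" - ")[-1]          # last field is the file or URL

    if "(no file)" in body or "(file missing)" in body:
        return "orphan", "points at a file that no longer exists"
    if kind == "O16":                       # ActiveX download (DPF)
        host = urlparse(target).hostname or ""
        if BARE_IP_RE.match(host):
            return "review", f"ActiveX control downloaded from bare IP {host}"
        return "review", f"ActiveX control downloaded from {host}"
    if kind == "O24":                       # Active Desktop component
        if target.lower().startswith(("http://", "https://")):
            return "review", "desktop component fetched from the web"
        return "review", "local desktop component; remove via Customize Desktop"
    if kind == "O23" and any(v in body for v in LEFTOVER_VENDORS):
        return "review", "service from a security product the owner uninstalled"
    return "keep", "nothing anomalous by these rules"


def triage_log(text):
    """Group every entry of a log by verdict; returns {verdict: [line, ...]}."""
    groups = {}
    for line in text.strip().splitlines():
        verdict, _reason = triage(line)
        groups.setdefault(verdict, []).append(line.strip())
    return groups
```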
 
For some reason my computer won't start in safe mode. After selecting the OS to start, some lines started to come up. All lines start with "multi(0)disk(0)". Then it would say that it "cannot start successfully. A recent hardware or software change might have caused this." So to cut it short, I had to run the Norton Removal Tool in Normal Mode. After that it asked to restart, so I did, then ran HijackThis and checked all the ones you mentioned except O16, and O23 is not there anymore, and had HJT fix it. I went to the customize desktop but the only thing there was "My current home page".

The HJT log after checking the display/desktop is attached.

Just an update. Redirecting doesn't happen that much anymore, but there are still pop-ups (not often, but this never happened before the redirecting problem) even if the pop-up blocker is on. Not sure if it's related. Again, thanks.
 

Attachments

  • hijackthis.log
    11.2 KB · Views: 1
We need to find out what's causing this. Try to go to Safe Mode and when you get the error message, check the computer clock. Then do the following:


Start> Run> type in eventvwr

Do this on each of the System and the Applications logs:
1. Click to open the log.
2. Look for the Error.
3. Right click on the Error> Properties.
4. Click on the Copy button, top right, below the down arrow.
5. Paste here (Ctrl V).
6. NOTES:
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with the same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.
Errors are time coded.

The HijackThis log looks okay, so whatever you did worked. Can you tell me what kind of pop-ups or ads you're getting and what pop-up blocker you use? Is it possible the kids could have clicked on a pop-up?

As for the 'redirecting', sometimes people are using that term when they don't get a site displayed. Malware-caused redirects are going to be specific and constant, not once in a while.
And when you have a problem getting a site, where do you go?
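The Event Viewer instructions above ask for Error events only, one copy per recurring (Source, ID, Description), without the hex "Data:" block. This added example, not code from the thread, applies those rules to text pasted from the Copy button; the sample records are constructed to mirror the thread's format.

```python
import re

# Constructed sample in the layout Event Viewer's Copy button produces on XP, patterned on this thread.
SAMPLE_EVENTS = """\
Event Type: Error
Event Source: Ftdisk
Event ID: 45
Description:
The system could not successfully load the crash dump driver.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
================================
Event Type: Error
Event Source: Ftdisk
Event ID: 45
Description:
The system could not successfully load the crash dump driver.
================================
Event Type: Warning
Event Source: ConstructedSource
Event ID: 1
Description:
Constructed warning; the helper said these can be ignored.
================================
Event Type: Error
Event Source: Service Control Manager
Event ID: 7026
Description:
The following boot-start or system-start driver(s) failed to load:
Cdr4_xp
"""

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer): ?(.*)$", re.M)

def _description(text):
    # Runs until a blank line, the boilerplate link or the hex Data block.
    lines = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith(("For more information", "Data:")):
            break
        lines.append(line.strip())
    return " ".join(lines)

def parse_events(text):
    """Split pasted Event Viewer text (records separated by ==== lines) into dicts."""
    events = []
    for block in re.split(r"^=+\s*$", text, flags=re.M):
        head, sep, desc = block.partition("Description:")
        if sep:
            ev = dict(m.groups() for m in HEADER_RE.finditer(head))
            ev["Description"] = _description(desc)
            events.append(ev)
    return events

def unique_errors(events):
    """Errors only, one copy per (Source, ID, Description) with a repeat count:
    the helper's rule for which entries to post."""
    seen = {}
    for e in events:
        if e.get("Event Type") != "Error":  # Warnings/Information are ignored
            continue
        key = (e.get("Event Source"), e.get("Event ID"), e["Description"])
        if key not in seen:
            seen[key] = {"source": key[0], "id": key[1], "description": key[2], "count": 0}
        seen[key]["count"] += 1
    return list(seen.values())
```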
 
Below are the error logs that I got after unsuccessfully booting on safe mode:
Application log (only one)
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 2/5/2010
Time: 6:37:03 AM
User: N/A
Computer: BYRDS
Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Here's for the System log (three errors)
Event Type: Error
Event Source: Ftdisk
Event Category: None
Event ID: 45
Date: 2/5/2010
Time: 6:41:20 AM
User: N/A
Computer: BYRDS
Description:
The system could not sucessfully load the crash dump driver.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

================================
Event Type: Error
Event Source: Ftdisk
Event Category: None
Event ID: 49
Date: 2/5/2010
Time: 6:41:20 AM
User: N/A
Computer: BYRDS
Description:
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

==================================
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 2/5/2010
Time: 6:41:56 AM
User: N/A
Computer: BYRDS
Description:
The following boot-start or system-start driver(s) failed to load:
Cdr4_xp

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I also attached new log files for HijackThis and SUPERAntiSpyware because results are starting to get redirected again, plus IE is acting differently. After a few minutes of using IE the tabs will be missing, and if you right click a link and choose "open in new tab" it will say that option is not available. Also the taskbar that is usually blue will turn gray and it looks like how it used to in the older versions of Windows.
 

Attachments

  • hijackthis.log
    11.7 KB · Views: 1
  • SUPERAntiSpyware Scan Log - 02-05-2010 - 06-29-13.log
    1.1 KB · Views: 1
Error #7026, Source: Service Control Manager:
An update is available.

The error was likely caused by: Roxio's CDR4 (cdr4_xp.sys)
Roxio, Inc. is the manufacturer. An update is available that may correct the problem you reported. To obtain the update and more information from the Roxio, Inc. Web site please click here:
http://www.roxio.com/enu/support/mserr/cdr4_7.html

Take it off of start up- anything Roxio or Easy Media Creator:
Start> Run> type in msconfig> enter> Selective Startup> Start menu> Uncheck the processes> Apply> OK.

Note: the first time you reboot after using msconfig, you will get a nag message. You can ignore it and close after checking 'don't show this message again.' Stay in Selective Startup.

Error #49, Source: ftdisk:
Microsoft: This event is logged because iSCSI boot systems currently do not support crash dump file generation. Until that support is available, this event can safely be ignored.
To resolve this issue, install the hotfix that is described in Microsoft Knowledge Base article here:
http://support.microsoft.com/kb/939875/

We're getting off track here. I know the thread has been a mess. Work on the events. Run the following:

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • Query- Recovery Console image
    RcAuto1.gif

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Attach the Combofix report to your next reply.

Rescan with HJT and include new log.
 
I was doing the msconfig that you mentioned then I got a little lost after choosing "Selective Startup". You said start menu then uncheck the processes. Did you mean the startup tab? If that's the case there is no Roxio or Easy Media Creator on the list. I already downloaded the combofix on the desktop (I had to disable McAfee for it to save) so for now the hurdle is the msconfig. Thanks for the patience
 
Sorry- didn't get feedback you had replied.

Using the msconfig utility is scary- the first 3 times. Then it's a piece of cake!

Yes, the tab is for Startup. When you click on that, the Startup menu opens and you can see what is starting when you start the computer. Everything that is checked will start. Most people have way too much here and it slows the system down. Everything that starts here will continue to run in the background the entire time you're on the system.

The one thing to remember is that the first time you restart the computer after changing the Startup, a message comes up 'suggesting' you go back to Normal Startup instead of Selective Startup. But if you do that, anything you unchecked will recheck itself, so we call that a nag message and tell you to check not to show it again and close it.
 