IE redirect, 8 steps completed

[athomemom]

Recently ran recovery on computer and hadn't gotten time to reinstall some AV (have done now) so Norton let thru a an annoying trojan. It redirects my IE and netscape to some spam anti-virus page. I can only work in FoxFire. Also Malware is having an error when updating?

 

[Bobbye]

I notice that you are now running two antivirus programs:
Symantec
Avira
This can make the system more vulnerable. It can also slow it down. Please remove one of them.
To remove Symantec/Norton use the Norton Removal Tool
To uninstall Avira:

• Start> Settings> Control Panel> Add or Remove Programs
• Wait for the list of installed programs to load, then click on Avira.
• Click Remove next to the program's name
• Press Yes, to confirm the removal and then OK.
• . Click Next until Finish. The software is removed.

Be sure to reboot the computer after doing the uninstall

Please reopen HijackThis to 'do system scan only.' check each of the following if present:Optional Removal is in green:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

There are 2 identical entries for this process. I cannot identify any parts of the entry. Do you know what it is? If not, check for removal
O4 - HKLM\..\Run: [veimndef] C:\Documents and Settings\HP_Administrator.PC\Local Settings\Application Data\popkol\arycsftav.exe
O4 - HKCU\..\Run: [veimndef] C:\Documents and Settings\HP_Administrator.PC\Local Settings\Application Data\popkol\arycsftav.exe

O15 - Trusted Zone: .trymedia.com[/url] (HKLM)>> See Option 1

Option 1: Trymedia.
If you are a developers, publisher and portals/retailers and find is necessary for this to be in the Trusted Zone, leave it. I personally don't recommend anything be put in the Trusted Zone. Here is a description:
Trymedia Systems, Inc. is a division of RealNetworks that provides digital distribution services based on its proprietary ActiveMARK DRM and digital distribution technology.

Trymedia operates an online network of digitally distributed computer games. The network is integrated into Microsoft's digital locker service,[8] and provides white label online retail services to affiliates such as Electronics Boutique and GameSpot.

Close all Windows except HijackThis and click on "Fix Checked."

Once you get the duplicate AV handled and these entries removed from HJT, rescan with HJT and I'll see what else needs to be done.

You have a great many Tracking Cookies. I recommend the following:
Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

 

[athomemom]

Okay, done. arycsftav.exe popped up last night as a Trojan. I removed it this time (hopefully), Norton and took your recommendations too. Thanks, I've attached my 2nd log.

 

[Bobbye]

arycsftav.exe popped up last night as a Trojan.

Popped up how? Where? From what program? Name of Trojan?
I suspected it was malware, but it's unusual with all the tools I use not to be able to ID any parts of the string.

Also Malware is having an error when updating?

What was the error? I need to know these things in order to guide you.

For the future, if you every have to do a recovery or reinstall, the first thing you want to do is get an antivirus program on the system!

You HijackThis log looks much better. You should be running better also.

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
  Important! Save the renamed download to your desktop.
  
  Notes: If Combofix prompts you to install a Recovery Console, allow it to.
  If Combofix asks for an update, allow the update.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
• Double click on the setup file on the desktop to run
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console if given.
• Click on Yes, to continue scanning for malware.
• When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please follow Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

 

[athomemom]

Arycsftav.exe was something new running on my processor and I was having an insane amount of 'alerts' from a malware 'anti-virus sercuity site', couldn't open Malwarebytes either, I was unable to use my computer due to this. So I end process and things calmed down and ran Malwarebytes and it found a key reg for arycsftav and TR/FraudPack.allj. Also Norton is the default on my computer, it came with the package so when I ran recovery last time I just let Norton boot up and run instead of reinstalling a qualtiy product, my fault there. So I wasn't running w/o any AV software just w/o anything effective. As for the update error, it's corrected now I updated it this morning with no problems.
I have ran ComboFix and attached my log. I followed your steps, I have 2 icons for Combofix (ComboFix, ComboFix.exe) doesn't seem correct to me. I clicked to download in FoxFire once before and had to hit cancel (my 2yr old woke up) and began Download again in IE. Just want to make sure I didn't screw something up.

 

[Bobbye]

[QUOTEI have 2 icons for Combofix (ComboFix, ComboFix.exe)][/QUOTE]
One is for the program itself. the other is the report from the scan.

FoxFire

Best you know the name of this browser is Firefox, not FoxFire. It's a common mistake- but if you go searching for FoxFire wanting something for Firefox, you will become confused.

Did you run the Eset scan? If not, please do it and give me the log.

I suggest you stay out of the Registry.

 

[athomemom]

Sorry for the delay. ESET log attached

 

[Bobbye]

I have 2 questions before I move the files:

Are you on a HPPavillion or a CompaqPresario?

What is the D Drive?

 

[athomemom]

I am on a HPPavillion and Drive D is my recovery, does that answer your questions? I'm not very tech savvy.

 

[athomemom]

My firewall keeps turning off (Windows Firewall)? This just started after I downloaded ComboFix? This is new.

 

[Bobbye]

It means the malware could still be on the system- or back. But the entries in the Eset scan might be False Positives.

Recently ran recovery on computer

Please submit the following files for identification. There is a chance that it is a False Positive:

Suspicious file(s) to scan: > browse or upload each of the following files to Jotti:

C:\hp\bin\wbug\HPPavillion_Spring06.exe

D:\I386\APPS\APP19117\src\CompaqPresario_Spring06.exe

I came across some discussion of this being found in the HP Recovery Console. Paste the results in your next reply.

I asked about the drives because the Eset logs shows the same malware on both the C drive and the D drive. There are 2 infected files on the D drive> one from a HPPavillion- same system as for C drive. But the other files is from a [/b]CompaqPresario[/b]

I'd like to wait on that ID before trying to move anything.

 

[athomemom]

Is this all you needed?


HPPavillion_Spring06.exe Status:
Scan finished. 8 out of 19 scanners reported malware.


Filename: CompaqPresario_Spring06.exe Status:
Scan finished. 9 out of 20 scanners reported malware.

 

[Bobbye]

No. I need for you to paste in the report itself.