Perhaps multiple nasties

[princevulpine]

I, too have a couple instances of iexploere.exe running in my tack manager, and when I end one, they both go away, and they both come back when I get back on.

But that is not the worst of it... I first noticed the problem, when i would browse the web. I would google search, then click of the link, and it redirects to som random search engine (moot, bling, yellopages, etc.) Now if I cut and paste the url from the search into the url box it has no problem sending me to the right page.
Secondly, my computer has complete frozen up a few time since this started, I mean COMPLETE freeze, even the clock, the only thing I can do is minimize and then once everyhing is minimized; it's completely unresponsive. I have to do a hard restart everytime.
Thirdly, I began to folow your 8 step instructions, but my computer will not run, or sometime not even install, mbam, SAS and HJT. I had rename the first two and run them from their .exe file. And HJT I had to run in safe mode.
I think that is all.
I appreciate all your help.

 

[princevulpine]

one more thing...

I'm also getting a lot more pop-ups than usual (google toolbar is not block them.) and a scroll down blurb at the top of the screen that wants me allow microsoft dynamic html editing control... in that box yellow that pops open when it's blocking a download or wants to run activex, etc.

 

[Bobbye]

1. Multiple entries for iexplore.exe are normal with IE8.

2. Please run a full system can with the antivirus program>> save and attach the log.

I'm concerned about the combination of problems.

 

[princevulpine]

Response. posting antivirus log

I ran avira free version, fully updated. Attached is the log.

 

[Bobbye]

Okay, thanks. I was concerned that Virut might show up.

Regarding "microsoft dynamic html editing control."
Microsoft Dynamic HTML (DHTML) Editing Component ActiveX control :
DHTML Editing Control for Applications is a redistributable component that is available for Windows Vista to enable compatibility for MS Access 2003, and other applications which previously relied on this control in Windows XP and Windows 2003.

May be related to you install of:
O16 - DPF: {0C7F3F20-8BAB-11D2-9432-00C04F8EF48F} (Downloadable Speech API)

Suggest you disable this as follows:
Open IE> Tools> Manage Add-ons> find DHTML and click to highlight> click on Disable> apply> OK

SAS found malware in Coldware software. I found this on Software Informer with little information. I don't see it in running processes, but if you have this download, I recommend that you uninstall it then delete all the files, followed by emptying the Recycle bin.

Did you have to run Malwarebytes in Safe Mode? If so, please UPDATE and do another scan in Normal Mode, attach new log.

Download SDFix HERE and save it to your Desktop.

• Double click SDFix.exe and it will extract the files to %systemdrive%
  (Drive that contains the Windows Directory, typically C:\SDFix)
  
  Boot into Safe Mode
• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  
  Run SDFix
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
• Attach Report.txt back here

Follow this with rescan with HijackThis in Normal Mode.
You have many unnecessary processes starting on boot that I will help you stop later. They are legitimate processes, but using system resources running in the background. They don't need to start on boot.

When through attach:
1. New Mbam log.
2. SDFix report
3. New HJT log.

Are you noticing any difference in the system since running the cleaning programs? What?

EDIT: Found by AV scan: C:\Program Files\mame\roms\mjfriday.zip>>> [0] Archive type: ZIP
--> 2603.2f>> Mahjong Friday (Japan)
[DETECTION] Contains HEUR/HTML.Malware suspicious code
Beginning disinfection:
C:\Program Files\mame\roms\mjfriday.zip
[NOTE] The file was moved to '4aa17ca9.qua'!

If you have Mahjohg and/or MJFriday still installed, I recommend you uninstall them and delete the program files, follow by emptying Recycle bin.

 

[princevulpine]

continue...

First of all, yes, mbam is up to date. I had to rename it and I can only access it through it .exe in programs; the form the start menu. I followed your instructions and the problem is still there.
After running SDFix, I ran Mbam, it asked to reboot in order to remove one item. Upon reboot the machine froze up... I could move the mouse, but nothing was clickable, and the time stopped. Ctrl-alt-del did work and I restarted it through the task manager.
It is still redirecting me all over the internet to various other search engines when I click on any search result that I googled...
I noticed several processes in task manager that have never been there before...

b4dafee-5069-4a14-bcdc-f120f6340591.exe
hpqbam08.exe
hpqste08.exe
Far more svchost.exe than I remember...

Attached are the requested new logs and reports

 

[Bobbye]

We always request Mbam be updated before each scan. It's not the program itself that' getting updated- it the database.

These are part of HP Digital Imaging: should only run when being used. If on Startup, UNCHECK ALL HP entries on Startup menu: running processes show as:
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

b4dafee-5069-4a14-bcdc-f120f6340591.exe>> can't identify by name, but the HijackThis log shows this entry:C:\Program Files\SUPERAntiSpyware\b4dafeee-5069-4a14-bdc4-f120f6340591.exe
I haven't noticed this before.

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComoboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

SDFix shows files from 2007 for AOL Total Care beta. It's an all-in-one security and performance suite that is suppose to resemble Windows Live Onecare. To quote a CNet review:

AOL has partnered with a number of best-of-breed third-party vendors, with McAfee providing antivirus, firewall, and antispyware protection; Iolo Technologies providing performance tools; and FarStone Technology providing backup-and-restore tools.

You can read about it here:
http://reviews.cnet.com/internet-se...are-beta/4505-3667_7-31985375.html#cnetReview

The review if from 07/25/2006. It was suppose to have more added 2 months later, but the reviews were so bad, I'd be surprised if it's still supported. Looks like it's a purchase, but states "Sorry! The AOL Total Care beta is not currently available from any of our online merchants."

So you need to find it and uninstall it. Then use Windows Explorer to remove the program folder and any left over files. Empty Recycle Bin when through.

Rescan with HJT when through and include new log and Combofix report.

 

[princevulpine]

Alright next step...

Well, the borwsing seems to be back to normal...
I could find AOL total care beta, anywhere in ad/remove programs, or even a folder in programs.
Attached are the two requested logs...

 

[princevulpine]

When combo fix was creating the report, zone alarm warned that pcv.cfexe was trying to access the internet. I allowed, I didn't know if it was part of combofix or not. I can go back in and tell it to deny if you think that wise...?

 

[Bobbye]

Combofix scan instructions:
Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

What you Combofix report shows"

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

What happened when you left the security running:

zone alarm warned that pcv.cfexe was trying to access the internet.

This is a false positive.

I'd like you to update and run Combofix once more, with the security off, to be sure nothing was missed.

AVIRA ANTIVIR
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background :

* right click it-> untick the option AntiVir Guard enable.
* You should now see a closed, white umbrella on a red background:

Boot into Safe Mode> Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following before running Combofix:
Avira entries
ZoneAlarm
Be sure to include Superantispyware in what you uncheck on Startup.

I am not familiar with this: tblmouse.exe (Aiptek HyperPen driver)
It is described as an input device for a digital tablet, but most references were for Linux.It is a "must" for startup.
Apply> OK>

While still in Safe Mode: Start> Run> services.msc> right click on TrueVector Internet Monitor (vsmon)> Properties> change Startup type to Disabled> Stop the Service.

Reboot: NOTE: ignore and close the nag message after checking 'don't show message again.' Stay in Selective4 Startup.

I have 7-9 svchost running all the time. Many of those entries come from Services that are running. IF you show one with a large amount of CPU usage, then we'll chase it down.

Rescan with HJT, include new log and Combofix report.

 

[princevulpine]

Alright, next...

Everything seems fine, but I followed your instructions and attached are the requested logs.
Thank you so very much for your hard work!

 

[Bobbye]

I didn't get the email notice of your reply- it happens once in a while! What is your status now? I notice the Combofix has accumulated several runs over the4 years. It should be uninstalled before doing another scan. You have logs on file since 2007.

IF you are still having the problems, you should uninstall Combofix as follows:
[*] Click START then RUN
[*] Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

[*]When shown the disclaimer, Select "2"

Then download it new. Follow the instructions in Reply #2.
Attach new log.

IF you are still experiencing the freezes, please do the following: Errors are time coded. You will be looking for Errors that correspond to the time of the freeze:

Start> Run> type in eventvwr

Do this on each the System and the Applications logs:

• 
  [1]. Click to open the log>
  [2]. Look for the Error>
  [3] .Right click on the Error> Properties>
  [4]. Click on Copy button, top right, below the down arrow >
  [5]. Paste here (Ctrl V)
  [6].NOTES
• You can ignore Warnings and Information Events.
• If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
• You don't need to include the lines of code in the box below the Description, if any.
• Please do not copy the entire Event log.

Include new Combofix report and any corresponding Errors in next reply.

 

[princevulpine]

More crap!

Everything was working fine last friday, but then...
The boss's brother-in-law installed VNC on all the computers. Now I don't know if the problem in virus realted or VNC related. I tried to folow your last set of instructions, but I could not access any combofix link. It continually gave me a cannot find server message. And it has been doing buggie stuff all morning. Like, I will google the term "palm frawn" and half of the images won't show. Then I went to view my hotmail account and none of those iamges would show, and when I would go to the login page, it would give me the cannot find server message. Is this something on my end, or do I need to go to the boss.
Thanks for your help.

 

[princevulpine]

ignore that last one...

The computers all over the building are having intermittent internet problems.
So, I will do that last email after things are cleared up.
Can you tell me what VNC actually does and what is actually seen on the other end?
It's not like I do anything bad or illegal on my computer. But, I would at least like to understand what this is and what it does exactly.

 

[Bobbye]

You might get better information about VNC here: http://en.wikipedia.org/wiki/Vnc

There are also links. Be sure to check the Security link.

Be sure to turn your antivirus program and firewall back on!

Let's get the cleaning tools off your system- if it's working at all!

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer:
Save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you use.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

After the system stabilizes, see what's going on. Let me know and we can restart any process if needed.

Again, turn AV and firewall back on!