Solved Search engines redirected when click on links

[Ocastra]

My parents computer is infected with some virus that redirects whenever you click a link on google yahoo bing ect. I have tried all the ways I know of getting rid of it, but I can't seem to find it. I've been trying to run GMER for the past day and a half unsuccessfully, it reboots the computer after about 3 hours of running and I loose everything that it was doing. Any help would be appreciated, I tried reformatting this computer though windows recovery, but it persevered through the wipe back to factory specs. Any help would be appreciated.

 

[Bobbye]

Welcome to TechSpot. I'll help with the malware. The Hosts files have been hijacked and when you search, you are being directed to a site in Poland.

While I finish checking the logs, Please do the following in order listed: Print out for reference:

You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.-

• 
  [1]. Shut down your computer, and any other computer connected to your router.
  [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  [3]. Unplug the router. Wait sixty seconds.
  [4].Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  [5].With the router unplugged, start your computer.
  [6].Connect to the router again. The turn the router back on.
  [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

=================================
Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
=============================
Try to run GMER> first, uncheck Devices and try. If that doesn't work, try scanning in Safe Mode.

Please do not use any other cleaning programs or scans while I'm heloing you unless I instruct you to. Do not use a Registry cleaner or make any changes to the Registry.

It looks like the scans were all run after the recovery attempt- don't do any other restores, recoveries or repairs while I'm helping you.

 

[Bobbye]

Is this your ISP?
IP: 195.242.208.40
descr: ip69 internet solutions AG
country: DE (Germany)

==================================
Remove this Domain from the Trusted Zone:
Internet Options (through the Control Panel or Tools in IE)> Security tab> Trusted Zone> Sites> remove trymedia.com> Apply> OK
=================================
After you have run Combofix, follow with this:
Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::

Folder::
DDS::
Hosts: 89.149.210.171	www.google.ch
Hosts: 89.149.210.171	www.google.it
Hosts: 89.149.210.171	www.google.gr
Hosts: 89.149.210.171	www.google.dk
Hosts: 89.149.210.171	www.google.co.za
Hosts: 89.149.210.171	uk.search.yahoo.com
Hosts: 89.149.210.171	www.google.no
Hosts: 89.149.210.171	www.google.se
Hosts: 89.149.210.171	www.google.nl
Hosts: 89.149.210.171	www.google.com.br
Hosts: 89.149.210.171	www.google.at
Hosts: 89.149.210.171	www.google.be
Hosts: 89.149.210.171	www.google.fr
Hosts: 89.149.210.171	www.google.es
Hosts: 89.149.210.171	www.google.ca
Hosts: 89.149.210.171	search.yahoo.com
Hosts: 89.149.210.171	www.google.com.au
Hosts: 89.149.210.171	us.search.yahoo.com
Hosts: 89.149.210.171	www.google.com
Hosts: 89.149.210.171	www.google.ie
Hosts: 89.149.210.171	www.google.co.uk
Hosts: 89.149.210.171	www.google.com.mx
Hosts: 89.149.210.171	www.google.fi
Hosts: 89.149.210.171	www.google.de
Hosts: 89.149.210.171	www.google.co.jp
Hosts: 89.149.210.171	www.google.pt
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

Registry::
Driver::

FCopy::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Do you recognize any of the following processes- all from 10/30 and 10/31/2008:
2008-10-31 22:51:50 18437 ----a-w- c:\program files\common files\ewanudutik.db
2008-10-31 22:51:50 15453 ----a-w- c:\program files\common files\qodicad.dat
2008-10-31 22:51:50 15192 ----a-w- c:\program files\common files\aladirij.reg
2008-10-31 22:51:50 14138 ----a-w- c:\program files\common files\sucari.reg
2008-10-31 22:51:50 12760 ----a-w- c:\program files\common files\cewijig.dl
2008-10-31 22:51:50 11966 ----a-w- c:\program files\common files\huwuk._sy
2008-10-31 22:51:50 11568 ----a-w- c:\program files\common files\uzyl.sys
2008-10-30 16:37:05 19659 ----a-w- c:\program files\common files\munyqac.pif
2008-10-30 16:37:05 15378 ----a-w- c:\program files\common files\ukocu.scr
2008-10-30 16:37:05 10289 ----a-w- c:\program files\common files\iboryfujuk.pif

Searches either produced nothing or foreign sites. File extensions are for Program Information File (.pif), Registry (.reg), system or driver (.sys) and database (.db)
I notice you have Python loaded. I am not familiar with that programming language

 

[Ocastra]

I tried GMER and still won't work, a Windows has recovered from a serious error message popped up both times. and I live in Oregon (US) And my ISP is Comcast. so no I do not live in Germany. When I went to windows trusted sites in internet options there were not sites there to find. And as I stated this is not my computer, so I do not know about any of those processes. All I know is I have a teenage brother who recently discovered girls. and has created a lot of computer problems for me to fix.

 

[Bobbye]

First order of business:
The antivirus that was disabled for Combofix, Antivir, shows it is outdated:
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
There are also processes for Symantec and McAfee. You need to get down to one, current updated antivirus program. Cleaning is useless with out that.

Here are removal tools for all 3 programs. Remove 2 of the programs then make sure the one you keep is current. Reboot the computer when done:

• McAfee Removal
• Norton Removal Tool
• To uninstall Avira:
• Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
• Wait for the list of installed programs to load, then click the name of the Avira program.
• Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
• Press Yes, to confirm the removal and then OK.
• . Click Next until Finish. The software is removed.

==============================================
After the antivirus programs have been handled:
Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\windows\system32\dllcache\tlntsess.exe
c:\windows\system32\dllcache\telnet.exe
c:\program files\Common Files\ewanudutik.db
c:\program files\Common Files\qodicad.dat
c:\program files\Common Files\aladirij.reg
c:\program files\Common Files\sucari.reg
c:\program files\Common Files\cewijig.dl
c:\program files\Common Files\huwuk._sy
c:\program files\Common Files\uzyl.sys
c:\program files\Common Files\munyqac.pif
c:\program files\Common Files\ukocu.scr
c:\program files\Common Files\iboryfujuk.pif

DirLook::
D:\resycled

Folder::
c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ifbmoegwf

DDS::
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TCP: {31169019-17A7-4D45-B6C3-D8892549726D} = 195.242.208.40
TCP: {892900FC-9814-4488-99C0-81491C1EE93D} = 195.242.208.40
TCP: {91596777-B8BB-4946-B982-4B1B88DFE628} = 195.242.208.40
.
Registry::

Driver::
Rootkit::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
About Telnet:
Telnet is installed.(2009-06-12 12:31) It is a legitimate process, but it is running in the background. Experts in computer security, such as SANS Institute, recommend that the use of Telnet for remote logins should be discontinued under all normal circumstances, for the following reasons:

• Telnet, by default, does not encrypt any data sent over the connection (including passwords),
• Most implementations of Telnet have no authentication that would ensure communication is carried out between the two desired hosts and not intercepted in the middle.
• Commonly used Telnet daemons have several vulnerabilities discovered over the years.
• Most Telnet implementations do not support the extensions for Transport Layer Security (Secure Shell (SSH) protocol,) and Secure Shell (SSH) protocol,
• In a word, it is not safe.

====================
Run Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave new Combofix report (just 1) and Eset log in next reply.

 

[Ocastra]

I have work today, so I will be doing the online scan while at work. Here is the log you requested.

 

[Ocastra]

Here is the Eset Log. And Telnet is no longer used on this computer, is there a way to get rid of it. I used to MUD when I lived with my parents.

 

[Bobbye]

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes	
  
  :Services
  
  :Reg
  
  :Files 
  C:\Program Files\Netscape\Netscape Browser\chrome\m3ntstbr.jar	
  D:\I386\APPS\APP16464\src\CompaqPresario_Spring06.exe	
  D:\I386\APPS\APP16464\src\HPPavillion_Spring06.exe	
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

The other entries have either been quarantined by Combofix (Qoobox) or are in restore points (System Volume) These are not active in the system and will be removed later. In the meantime, please do not do a System Restore as it could reinfect the computer.

Combofix script to follow.

 

[Bobbye]

Pleas see my Reply #5 regarding multiple antivirus processes running. If you're keeping Avira, use the removal tools for McAfee and Symantec.

Multiple AV programs can make the system more vulnerable as well as slow it down.

 

[Ocastra]

I did remove mcafee and samantec.

 

[Ocastra]

I also did a Gmer save file every ten minutes till it crashed. and this is what I got.

 

[Ocastra]

OT move it's log

 

[Bobbye]

Try running GMER without Devices checked. If that doesn't work, try running it in Safe Mode.

I may be able to help with the Telnet removal.

 

[Ocastra]

Got Gmer to finally work in safe mode.

 

[Bobbye]

Are you having any of the original malware problems?

 

[Ocastra]

Just tested the search engine and all appears to have been resolved. Thank you very much, did you see anything else that needs to be addressed?

 

[Bobbye]

I would like you to run a quick scan with HijackThis. If I see any bad entries, I can have you remove them.
Then I'll have you remove the cleaning tools:

Please select version 2.0.4 on this page:
Download the HijackThis Installer HERE and save to the desktop:

1. Double-click on HJTInstall.exe to run the program.
2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
3. Accept the license agreement by clicking the "I Accept" button.
4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
5. Click "Save log" to save the log file and then the log will open in notepad.
6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

 

[Ocastra]

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:52:35 AM, on 6/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DISC\DiscGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: .trymedia.com[/url] (HKLM)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 7954 bytes

 

[Bobbye]

All the entries are okay except this"
Adware-TryMedia

It needs to be removed from the Trusted Zone:
Open Internet Options from the Control Panel or Tools: Security tab> Trusted Sites> Sites> highlight and remove *.trymedia.com> Apply> OK

Removing all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Please update the Adobe Reader. System has v7, current is v9.xx:
Visit the Adobe Readerhttp://www.adobe.com/support/downloads/product.jsp?platform=windows&product=10[[bsite for the update.
Note: Older versions of the Adobe Reader should be removed in Add/Remove Programs found in the Control Panel.

Let me know if you need any more help.

 

[Ocastra]

When I go to trusted sites, it lists no sites in said spot. it's empty.

 

[Bobbye]

Instead of going to the Trusted Sites tab, click on Restricted Zone> Sites> add *.trymedia.com to the Restricted sites.

Don't be surprised if you get a message that the site is already in another zone. We might have to find the adware for it.

 

[Ocastra]

I added it and it was added to the list.

 

[Bobbye]

Okay! Sytem is clean. Here are some tips to help you stay that way! You should at least go ahead and replace the Host files as in MVPS Hosts files (second to last)

Please follow these simple steps to keep your computer clean and secure:


Stay current on updates:

• Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
• Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
• Check this site often.Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Make Internet Explorer safer. Follow the suggestions HERE This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

Do regular Maintenance

• Remove Temporary Internet Files regularly:
  [o]ATF Cleaner by Atribune
  OR
  [o]TFC
• Disable and Enable System Restore:
  [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.

Have layered Security:

• Antivirus Software(only one): Both of the following programs are free and known to be good:
  [o]Avira Free
  [o]Avast Home
• Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
  [o]Comodo
  [o] Zone Alarm
• Antispyware: I recommend all of the following:
  [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  [o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  [o]Google Toolbar Get the free google toolbar to help stop pop up windows.

 

[Ocastra]

Thank you sooo much, This was some virus XD. Wish there weren't such awful people around making such awful programs.

 

[Bobbye]

You're welcome. I think those malware writers have too much time on their hands! Stay clean.