How to restore ComboFix changes?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Imhtp, Mar 23, 2008.

  1. Imhtp

    Imhtp Private E-2

    I had a recent problem that your cleaning steps resolved. Thank you. My IE7 browser (but not FireFox) was being taken to click.linksynergy[dot]com/fs-bin/click?id=ul*c/lKZnQE&offerid=85078.10000620&type=3&subid=0&u1=40427FCE-5EA2-45EA-9D32-DE0CC37C6147 whenever I tried to simply go to www.dell.com. Various scans with NIS 2008, System Mechanic's spyware removal function, Ad-Aware 2007, and Spyware Doctor Starter Edition didn't find the problem. However, Spybot Search & Destroy found and removed, among other things (mostly cookies), an AdHoc installation I was unaware of. However, rather than checking after that for resolution of my problem I went on to the ComboFix step. Since that step several processes that I wanted are now gone, such as the system tray accessible utilities for my touch pad/pointing stick, my Dell wireless utility, and so on. My clock is stuck in 24hr mode, also. Is there an easy way to restore these changes?

    With a mixture of thankfulness & frustration,
    Me

    PS. I'm making note of your freeware suggestions for security since I'll be using freeware on my children's computers when their commercial security software subscriptions expire. Your suggestions are great ideas beyond my initial inclinations based on my limited experience and reading.
     


    Last edited by a moderator: Mar 23, 2008
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Based on your log from ComboFix, it really did not remove anything, so I'm not sure what is causing the problems with your system tray utils. Perhaps it is just that certain startup processes are no longer loading them. The 24 hour clock issue can easily be fixed, but before we do anything else, perhaps you should just use System Restore to restore to a point just prior to running ComboFix. ComboFix did create a new restore point when you started it.

    I do have to ask some questions though. I see Norton Internet Security, Iolo System Mechanic 7 and EMBASSY Security Center. Norton and Iolo both have antivirus programs included, but I'm not sure what EMBASSY Security Center includes. Some info states it has an antivirus too. If this is all true, you would have 2 or 3 antivirus programs installed, which is a very bad thing to do, as stated in the READ ME.
     
  3. Imhtp

    Imhtp Private E-2

    Thanks for your response. I should have waited and been more observant before submitting my post.
    --Since my original post I note that the missing features from the system tray are back after one of the subsequent reboots.
    --The 24 hr clock setting wasn't corrected automatically as I initially expected. However, I was able to fix this through Start > Control Panel > Regional & Language Options.
    --Prior to reading the READ ME section I was already keenly aware of avoiding more than one firewall and using only one real time antivirus product. I have Norton Internet Security 2008; however, the System Mechanic product I have is the regular version without the included firewall and antivirus features. System Mechanic Professional is the flavor of the product that includes antivirus and firewall features. Lastly, EMBASSY Security Center is a suite of features that utilizes the capabilities of my Dell business laptop's TPM chip and fingerprint reader. It also allows, among various features, one to password protect the hard drive and/or the computer's boot process. It is unrelated to antivirus and firewall functions.

    After noticing the return of the system tray to its previous state I tried out IE7 to see if the problem was indeed solved. Well, unfortunately, when I direct the browser to www.dell.com I get the same annoying problem, i.e. the browser is taken instead to click[dot]linksynergy[dot]com/fs-bin/click?id=ul*c/lKZnQE&offerid=85078.10000620&type=3&subid=0&u1=40427FCE-5EA2-45EA-9D32-DE0CC37C6147.

    I tried one additional measure to try to clear IE7 of this malfunction. I ran a SuperAntispyware scan after booting up in safe mode. Nothing but a collection of cookies was found, collected in the limited browser use after my detailed following of the initial clean up directions. Is this a previously noted problem? Prior to the clean up instructions here I tried full system scans with Norton Internet Security, the antimalware feature of Iolo's System Mechanic (this specific feature supplied by Sophos), Spyware Doctor Starter Edition, and Ad-Aware 2007.

    Thanks.
     
    Last edited by a moderator: Mar 25, 2008
  4. Imhtp

    Imhtp Private E-2

    Addendum:
    Also, following the realization that the original problem still existed, I did a scan with McAfee's AVERT Stinger v3.8 in safe mode. Nothing was found.
     
  5. Imhtp

    Imhtp Private E-2

    My apologies for the inclusion of the potentially troubling live link in my first message and another message awaiting editing and approval. I won't include it in subsequent posts in this thread.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so your initial problem with being hijacked is the only remaining problem?

    Do you have the requested log from SUPERAntispyware? Please attach it now.

    I'm not seeing any issues in your logs that would indicate a hijacking problem. Let's try a few things.


    Do you know what the below files are for?
    Code:
    "C:\Documents and Settings\Imhotep\Application Data\"
    mainhst.zgh   Mar 21 2008         944  "mainhst.zgh"
     
    "C:\WINDOWS\system32\"
    secura~1.sys  Dec 22 2007       15464  "securable.sys"
     
    "C:\WINDOWS\Temp\"
    fb_192.lck    Mar 23 2008      262144  "fb_192.lck"
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Shutdown Spyware Doctor and your Norton Protection as they could interfere with the below working properly!

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button.
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/start
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.


    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot your PC!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Mar 25, 2008
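Added example, not part of this thread and not HostsXpert's code: a small Python audit of a Windows HOSTS file that shows what the "Restore Microsoft's Hosts File" step above is protecting against. It parses the file the way the resolver does (first field an address, remaining fields names, `#` starts a comment), flags names mapped to anything other than loopback/unspecified (a "redirect": traffic for that name goes to a server the attacker chooses, which can then bounce the browser anywhere), and flags watch-listed vendor names pinned to loopback (a "block" that keeps update and help sites unreachable). The sample hosts text, the `198.51.100.7` address (documentation space, not a real host) and the `WATCHLIST` names are constructed for the example. Caveat a practitioner should keep in mind, and which this thread bears out: a browser helper object rewrites navigation inside IE and leaves the hosts file untouched, so a clean result from this audit does not rule out the hijack; it only rules out one mechanism for it.

```python
"""Audit a Windows HOSTS file for redirect-style and block-style hijacks.

Example code added for illustration; not from the thread or HostsXpert.
"""
import ipaddress

# Body of the stock Windows XP hosts file (the comment banner omitted).
# Restoring the file means replacing whatever is there with this one line.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Addresses a legitimate hosts entry may point at: loopback and the
# unspecified address, both used by ad-blocking hosts lists.
_HARMLESS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed watch-list (assumption for the example): names that malware
# commonly pins to loopback so the victim cannot reach updates or help.
WATCHLIST = {"www.symantec.com", "liveupdate.symantec.com", "www.majorgeeks.com"}


def parse_hosts(text):
    """Return [(line_no, address_or_None, [hostnames])] for each mapping line.

    Comments ('#' to end of line) and blank lines are skipped. A line whose
    first field is not an IP address is returned with address None so that
    it is reported rather than silently ignored.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            entries.append((no, None, fields))
            continue
        entries.append((no, addr, [h.lower() for h in fields[1:]]))
    return entries


def find_hijacks(text, watchlist=WATCHLIST):
    """Return [(line_no, kind, address, hostnames)] worth a human's attention.

    kind is 'redirect' (name sent to a non-loopback address), 'block'
    (watch-listed name pinned to loopback/unspecified) or 'malformed'.
    """
    findings = []
    for no, addr, names in parse_hosts(text):
        if addr is None:
            findings.append((no, "malformed", None, names))
        elif addr not in _HARMLESS:
            findings.append((no, "redirect", addr, names))
        elif watchlist & set(names):
            findings.append((no, "block", addr, names))
    return findings


# Constructed sample: stock localhost line, a harmless ad-blocking line,
# a hijack sending www.dell.com to an attacker-chosen address, a blocked
# vendor update site, and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net     # ad-blocking list entry, harmless
198.51.100.7    www.dell.com dell.com
127.0.0.1       liveupdate.symantec.com
this is not a hosts line
"""

if __name__ == "__main__":
    for no, kind, addr, names in find_hijacks(SAMPLE_HOSTS):
        print(f"line {no}: {kind:9s} {addr or '-':16s} {' '.join(names)}")
```

On a real XP machine the file to feed in is `C:\WINDOWS\system32\drivers\etc\hosts`; anything the audit reports beyond the `localhost` line should be explained by a tool you installed (an ad-blocking list, a development alias) or removed.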
  7. Imhtp

    Imhtp Private E-2

    Yes, it is the only remaining problem. I'll attach the log I obtained yesterday from SUPERAntispyware. Here is the bulk of the message not posted yet because (I presume) it has to have a link edited so it's not live:
    Thanks for your response. I may have submitted my initially post too soon.
    -- The system tray items that initially didn't show up did finally show up after a subsequent reboot.
    -- The 24 clock setting didn't go back to its previous state as expected. But, I was able to go to Start > Control Panel > Regional & Language Options to return to my initial settings.
    -- I'm keenly aware of certain rules of thumb in terms of antivirus and firewall software. I do have Norton Internet Security 2008. The version of System Mechanic 7 that I have is the regular version. System Mechanic Professional includes firewall and antivirus features. And the EMBASSY Security Center is simply a suite of functions for the use of my laptop's TPM chip and fingerprint scanner. It is unrelated to antivirus, antimalware, or firewall features.

    Prior to my explicit following of your site's "cleaning" instructions I did full system scans with Norton Internet Security 2008, Ad-Aware 2007, Spyware Doctor Starter Edition, and the antimalware scan/removal feature of System Mechanic (courtesy of Sophos).

    Upon checking to see whether my IE7 had the same problem I initially reported I was frustrated to find that the problem still exists, i.e. the redirection from www.dell.com. This problem doesn't affect FireFox.


    Thank you.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you said you ran it in safe boot mode. You need to make sure you run it from normal boot mode. Do your hijack problems occur when you are in safe boot mode?


    You don't need to repeat all of this. It is already in 3 of your messages (one was deleted as a dupe already). I simply wanted the short story as to what are the current problems.

    Did you do the rest of what I posted in message # 6? I may have been editing that message when you returned.
     
  9. Imhtp

    Imhtp Private E-2

    Thank you for your response. I didn't try to see whether the hijacking of IE7's attempts to reach Dell's home page occurred in safe mode. (I've generally never wanted to be connected to the internet with security disabled...even if from behind a hardware firewall.) SUPERAntispyware I ran in normal boot mode as I recall. My apologies if its log indicates otherwise. It was McAfee's AVERT Stinger utility that I ran in safe mode, as I recall. I already upgraded Java over the weekend but will follow the other steps in message #6, which I've just noticed. In brief, the hijacking of attempts to reach Dell's home page with IE7 is my only problem which I hope your instructions will resolve. I'll be back with a note regarding what happens.
     
  10. Imhtp

    Imhtp Private E-2

    Addendum:
    You asked about three files... I only know what one of them likely is. Securable.sys I strongly suspect is from a free utility I downloaded and ran from Gibson Research Corporation called Securable (http://www.grc.com/securable.htm). I haven't the slightest idea about the other two, fb_192.lck and mainhst.zgh, even after doing some searching on line for clues. I found one forum where someone spent time also trying to figure out what mainhst.zgh is from. That search was unyielding (on BleepingComputer.com).
     
  11. Imhtp

    Imhtp Private E-2

    Well, after carefully following your directions in message #6 I found that the IE7 misdirection involving Dell's home page was seemingly solved. However, not all of the IE add-ons were active at this point. So, I activated each add-on one at a time or in groups to see if the problem could be reproduced. I then discovered that Anchor Free's AFBho.dll is the culprit. I disabled it and enabled it again to be certain. I will contact Anchor Free and report this incident to them, even if simply for their information. I may carefully reinstall it to see if it functions normally.

    This is from Anchor Free's utility called Hotspot Shield. I suspect that among possibilities that AFBho.dll got damaged or hacked. I've used Hotspot Shield in the past without incident. The utility is among PC Magazine's favorite free software items per a recent PCMag.com newsletter.

    My PC is otherwise cleaned up a bit. But, in terms of IE add-ons I don't know what the following are:
    Diagnose Connection Problems... and Research.
    There are no file names associated with these. Are these features intended to be available for IE7? For now I've left them inactive. I've only preliminarily researched them myself and remain puzzled about them.

    Lastly, prior to deleting Viewpoint Media Player I was annoyed to read how it ends up being automatically reinstalled without permission. It ought to be categorized as spyware instead of adware given, for example, what I read here.
     


  12. Imhtp

    Imhtp Private E-2

    FYI: I reinstalled Anchor Free's Hotspot Shield after deleting the version that had already been on my computer. Things ran well without recurrence of the initial problem. However, even after "deleting" Hotspot Shield there was still AFBho.dll listed in the IE7 add-ons loaded. At that point enabling or disabling it seemed to make no difference...the misdirection problem was gone. Perhaps this file was showing up in the (Tools > Manage Add-ons >) "Enable or Disable Add-ons" feature but was actually deleted? Perhaps it was still present, but the IE7 redirection occurred on the basis of something it worked with? Puzzling.

    I've emailed Anchor Free's technical support about my experience and resolution.
     
  13. Imhtp

    Imhtp Private E-2

    Diagnose Connection Problems... and Research I found were both Microsoft related. In brief, the former is IE-related while the latter is related to MS Office.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So at this point I assume you are not having any further malware issues. If that is true, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. Uninstall COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN
      • Now type cf /u in the runbox and click OK.
      • Note: The space between the cf and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  15. Imhtp

    Imhtp Private E-2

    I've followed your final steps. And I've already been going over the information at the link about avoiding malware several times for ideas of what to add to my arsenal and habits on my primary computer. And I will utilize some of the ideas and suggestions for a couple of my sons' computers, on which I plan to use freeware for security, preferably items that require a minimum of interaction.

    Thank you very much for your help.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
