HELP Please...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JOCUSMC, Nov 11, 2006.

  1. JOCUSMC

    JOCUSMC Private E-2

    I have a desktop that has a virus or some kind of bug that will not let me access the internet. Every time I click on the internet it sends me to a finding site eimg.net and nowhere else. I have used Norton AntiVirus, Spybot Search & Destroy, Windows Defender, Ad-Aware SE etc... They have not found this virus/bug. I had this problem before and took it to a comp tech who fixed it and told me that the virus would keep coming back but the Ad-Aware SE that he gave me would keep killing it. Well it did for a while and now I cannot get past the finding site eimg.net. I have the following .txt files for your viewing:

    Please Help me.
    Thanks
    Jason
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download LSP-Fix. If you have to, download this, save it to a CD or USB drive, and transfer it to the infected PC.

    After the download is complete, run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the lsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move lsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file lsp.dll is already in the remove section, then just click FINISH.)

    After completing this, reboot and you should be able to access the internet. If so, please run the online scans. If you still can't, let me know and we will run another fix on the TCP/IP settings.
     
  3. JOCUSMC

    JOCUSMC Private E-2

    BJ Garrick,

    I appreciate you helping me with this. That did not work. I went through those steps and it said 3 protocol provider entries removed and 17 renumbered. Rebooted it and it still went to the finding site eimg.net. It's nice to see that you know what my problem might be, since my techs through Embark think sending me a new modem will fix the problem. I told them it is not my modem because I can access the internet on my laptop through the modem. You probably already know this but my comp keeps pulling a 169 IP when it should be pulling a 192. Thanks again for your help. Will be waiting for your response.

    Jason
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That entry is your reason for not accessing the internet; if you fixed it with the utility it should have worked. If it did not, you may need another fix.

    Download WinSock XP Fix 1.2, put it on a disc or USB drive and get it on the infected computer. Run this utility and reboot, let me know if you can get back online to do the scanners.
     
  5. JOCUSMC

    JOCUSMC Private E-2

    bjgarrick,

    Did what you said and ran the WinSock XP Fix 1.2 on my desktop. Saw that it wiped the IP clean, then rebooted it and checked the IP again and it came back with the 169 IP address. Again it brought me to the finding site eimg.net. My poor computer. :(

    Jason
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, let's get some basic information out of the way.

    How do you connect to the internet? If you connect using ethernet, are the NIC drivers installed and working properly? Check device manager for any yellow question marks.

    Let me know.
     
  7. JOCUSMC

    JOCUSMC Private E-2

    I am using ethernet, and I did have yellow question marks in the device manager on my NIC drivers. I clicked fix and there are no more yellow question marks. Rebooted and tried to log on to the internet, still going to finding eimg.net site.

    Jason
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Right now I just want to get you on the internet, we will worry about the eimg.net site later.

    What I need to know is can you now access the internet? Try to manually type in something like google.com, does it go?

    If it is back online then run the online scans listed in the READ ME (way back) and attach the logs with a current HJT log. If it is NOT online then let me know.
     
  9. JOCUSMC

    JOCUSMC Private E-2

    It goes online and acts like it wants to go wherever I ask it, google etc., but always goes right to that finding eimg.net. Also my connection says little or no connectivity. I cannot access those websites online.
    Thanks
    Jason
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go ahead and attach a current HJT log. Also, look in Add/Remove programs and uninstall "ShopatHomeSelect Agent" if you see it.
     
    Last edited: Nov 13, 2006
  11. JOCUSMC

    JOCUSMC Private E-2

    Attached is the file you requested. Also I checked the Add/Remove programs and there was no "ShopatHomeSelect Agent".

    Thanks again
    Jason
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Something that bothers me is that in your HJT log the "O10" entry is still there. If you ran my initial post using LSP Fix this should have been removed.

    Did you run it exactly as the instructions said?

    Run it once more per post #2 and then attach a new HJT log.
     
  13. JOCUSMC

    JOCUSMC Private E-2

    bjgarrick,

    I did everything exactly as was said in the instructions. The O10 is still there. Should I click a check mark in that block and press Fix Checked?

    When I did run the HJT it said 3 removed 18 renumbered. Not doing anything till you tell me.

    Here is the new log after I rebooted.

    Thanks
    Jason
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    NO! HJT can't fix this, that's why we use LSP-Fix.

    I haven't requested you run HJT for anything.

    Go back to Post #2 and run that exactly as it appears, afterwards reboot. If you do this right your internet will come back.
     
  15. JOCUSMC

    JOCUSMC Private E-2

    Sorry, I meant I ran the LSP-Fix and it said 3 removed 18 renumbered.

    I did it exactly how you said and attached the new log requested.

    Thanks
    Jason
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try again, I don't see any attachments?
     
  17. JOCUSMC

    JOCUSMC Private E-2

    Sorry here you go..
     
  18. JOCUSMC

    JOCUSMC Private E-2

    Sorry having trouble attaching file.
     
  19. JOCUSMC

    JOCUSMC Private E-2

    Here you go.

    Sorry about that.
     


  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Check device manager again, is the yellow question mark still there?

    Download this utility, save to desktop. Run LSP-Fix once more and select the file "lsp.dll", remove it, then run the utility you downloaded. Afterwards reboot and attach a new HJT log.
     
  21. JOCUSMC

    JOCUSMC Private E-2

    I did everything you said and no there are no more question marks.

    Here is the file requested.

    Thanks again
     


  22. JOCUSMC

    JOCUSMC Private E-2

    Question, should I maybe be doing this in safe mode would that help?

    Just wondering.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can try running LSP Fix in Safe Mode, I've always used it in normal mode. This has never failed so I'm not sure what's going on.
     
  24. JOCUSMC

    JOCUSMC Private E-2

    I will try. This is killing me... My poor computer...
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, I will be around another hour or so.
     
  26. JOCUSMC

    JOCUSMC Private E-2

    That got rid of it. Here is my log again... Yeah! Now what? lol
     


  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I'm an idiot, I was digging too deep, the problem was most likely Windows Defender blocking it.

    Does the internet work now?
     
  28. JOCUSMC

    JOCUSMC Private E-2

    Yes it does. Should I run any other tests? I am on it right now.
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    surfmonkey

    Authentium Antivirus or AVG AntiVirus

    ( Running more than one will cause conflicts )

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    smproxy.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\WINDOWS\surfmonkey Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Finally, I would like you to flush your System Restore points. Please follow the instructions below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
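
The fix list in the post above uses HijackThis's `code - detail` line format. As an added example (not part of the original thread and not HijackThis's own code), this Python parser reads such lines, flags orphaned entries marked "(file missing)" or "(no file)", and routes an O10 entry to LSP-Fix as post #14 requires. The function names, the section descriptions and the O10 sample line are assumptions made for illustration.

```python
import re

# HijackThis section codes seen in this thread (descriptions are a summary).
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O4": "autostart entry",
    "O9": "extra IE button / Tools menu item", "O10": "Winsock LSP",
    "O16": "ActiveX download (DPF)", "O20": "Winlogon Notify / AppInit_DLLs",
}
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)

# Constructed sample: five entries copied from the fix list in the post above,
# plus a constructed header and O10 line (the thread never quotes its O10 entry).
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample header)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O10 - Unknown file in Winsock LSP: lsp.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

def parse_hjt(log):
    """Return one dict per recognised HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        code, detail = m.groups()
        entries.append({
            "code": code,
            "section": SECTIONS.get(code, "other"),
            "detail": detail,
            "orphan": bool(ORPHAN.search(detail)),
            # Post #14: an O10 entry is repaired with LSP-Fix, not "Fix checked".
            "tool": "LSP-Fix" if code == "O10" else "HijackThis",
        })
    return entries

def fix_plan(entries):
    """Group entry codes by the tool that should remove them."""
    plan = {}
    for e in entries:
        plan.setdefault(e["tool"], []).append(e["code"])
    return plan
```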
     
  30. JOCUSMC

    JOCUSMC Private E-2

    Will do and thanks so much.. I may be a Marine but you are definitely a warrior in your own way. Keep kicking butt.

    Jason
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome, will be awaiting results and new log. :)
     
  32. JOCUSMC

    JOCUSMC Private E-2

    Here is the log you requested. I did everything from your last post. Just had one more question: I am not sure which items in my processes window I really need running. From all of the ones running, can I get rid of a bunch of them to make my computer perform better? Just wondering.

    Thanks again for all of your help.
    Jason
     


  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, are you having any current problems?
     
  34. JOCUSMC

    JOCUSMC Private E-2

    None that I can see as of right now.
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can get rid of Sprint DSL virtual assistant if you don't use it, most of the others are required.
     
  36. JOCUSMC

    JOCUSMC Private E-2

    Should I use Windows Defender or go with the EarthLink protection scanner, or is there a better one?
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Personally, I recommend AVG AntiVirus, ZoneAlarm Firewall and Spy Sweeper for protection.

    You should see this article on How to Protect yourself from malware!
     
  38. JOCUSMC

    JOCUSMC Private E-2

    So I should disable and delete the others, if I go with those. Sorry if I am sounding stupid.
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Be sure you only have 1 of each, otherwise you will have conflicts.
     
  40. JOCUSMC

    JOCUSMC Private E-2

    Thanks again bud, you were great. Take care, and if I have any more problems you are definitely the guy I will be coming to and recommending to people.

    Semper Fi
    Jason
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Not a problem, surf safely! :)
     
