Browser hijacker

Discussion in 'Malware Help (A Specialist Will Reply)' started by mac77mac, May 12, 2006.

  1. mac77mac

    mac77mac Private E-2

    Hello,

    I have a problem with a browser hijacker which redirects me to:
    http://search.msn.co.uk/results.asp?FORM=AS35&srch=5&q=??ö
    which I think is a bogus website.

    I run Windows 2K SP4, Pentium 3, 128Mb RAM, 80Gb hard disk with a firewall and security package from my ISP (blueyonder), normally I use Firefox as my browser.
    The antivirus real time protection in the package is disabled and I run AVG free.

    I have followed all the steps in "read me and run first".
    Two problems with this: I could not enable browser helper in Spybot S&D and could not run Windows Defender, so I used CounterSpy instead.

    I had other problems which the procedure removed, however the above problem remains. I am not using the computer for any secure actions.

    Your advice would be much appreciated.

    mac
     


  2. mac77mac

    mac77mac Private E-2

    Additional info: the hijacker only hijacks IE not Firefox. SD helper was the feature on S&D that I couldn't enable.
    mac
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    CounterSpy removed part of your problem with a SpywareQuake infection, but I'm not sure it got all of it. Please run the below procedure and attach the smitfiles.txt log:

    SpywareQuake & SpyFalcon Removal Procedure


    Then attach a new HJT log and also tell me how things are working.
     
  4. mac77mac

    mac77mac Private E-2

    Thanks for the reply.
    Ran the steps as you detailed, had to do it twice as the screen froze the first time while searching system32 files in safe mode, found none of the files or folders in the lists. Some files were very close in name to those on the list, did not touch them. Found twain_32.dll in C:/WINNT/System32/dllcache so renamed and deleted on reboot, worked fine.
    Unfortunately the browser is still being redirected.

    Maybe I should point out that some of the files on your lists had been removed previously (hp????.dll and ld????.dll files) but have not reappeared.

    Thanx again
    mac
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are running two antivirus programs (Authentium and AVG7). You must pick the one you prefer and uninstall the other as instructed in step 3 of the READ ME.

    Please explain what the below is:
    O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

    Is it also an antivirus? It shows as a security service. What exactly is it doing?


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete
    (if it exists):
    c:\winnt\system32\ldE4FD.tmp

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: May 14, 2006
  6. mac77mac

    mac77mac Private E-2

    Hello,
    I had no idea I was running 2 virus programs. I'm assuming that Authentium is the one provided by my ISP, which I thought I'd disabled. I've now enabled this and uninstalled AVG7.
    I have no idea what fws.exe is. Firewall perhaps? (part of "PC guard" package)
    I also don't know what dvpapi.exe is either. I don't recall ever installing anything from Command Software.
    Anyway ran all the steps you recommended, couldn't find ldE4FD.tmp
    Browser still being redirected, this time to a bogus MS update website.

    Thanx
    mac
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You would have been better off keeping AVG than Authentium.

    Probably also from your ISP. You need to find out exactly what its purpose is from your ISP. See this: http://www.radialpoint.com/home.php and also http://www.radialpoint.com/solutions-security.php

    Personally I would not want it on my PC but that's your choice. I do not want my ISP to ever automatically download anything to my PC. That's too much like AOL as far as I'm concerned. I just want a broadband connection to my house and then let me choose what I install/run on my PC.

    Again this is from your ISP. When you install software from an ISP you need to know what it is that you are installing. dbpapi.exe is part of Authentium.

    Some of the items I asked you to fix are not fixed. This could be due to the stuff you are running from your ISP. You need to shut down/exit all this protection software that is getting in your way and then do the below fixes. Also shut down CounterSpy and WinPatrol. If you cannot shut down or disable all of these programs, then uninstall them (at least until we get your problems fixed).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://auto.search.msn.com/response.asp?MT=%3F%3F%C3%B6&srch=3&prov=&utf8
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings (make sure you set your home page to www.majorgeeks.com for now until we get you fixed. I need you do this so I can tell that the fixes are working.):
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.
     
    Last edited: May 16, 2006
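A small checker for the HijackThis R0 lines quoted in this reply and in the earlier one (posts 5 and 7), added here as an example; it is not part of the thread or of HijackThis itself. It parses the `R0 - hive\key,value = data` format, flags blank overrides (which HJT's Fix resets) and start pages pointing at hosts outside an allow-list, and decodes the percent-encoded search term so the `??ö` query behind the redirect is visible. The allow-list and the last sample line are assumptions; the other sample lines are copied from the thread.

```python
import re
from urllib.parse import urlparse, parse_qs

# One HJT "R" line: "<R0|R1> - <hive>\<key>,<value name> = <data>"
HJT_R_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.+?),([^=]+?) = ?(.*)$")

# Hosts a cleaned IE may legitimately point at (assumed allow-list, not from HJT).
ALLOWED_HOSTS = {"www.majorgeeks.com", "www.microsoft.com"}

# R0 lines quoted in the thread, plus one constructed clean line at the end.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://auto.search.msn.com/response.asp?MT=%3F%3F%C3%B6&srch=3&prov=&utf8
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
"""

def parse_r_line(line):
    """Split one R0/R1 line into its parts; returns None for any other line."""
    m = HJT_R_LINE.match(line.strip())
    if not m:
        return None
    kind, hive, key, name, data = m.groups()
    return {"kind": kind, "hive": hive, "key": key, "name": name.strip(), "data": data.strip()}

def classify(entry):
    """Return why the entry should be reset, or None if it looks clean."""
    data = entry["data"]
    if not data:
        # Value exists but is blank: a leftover override that HJT's Fix removes.
        return "empty override of %s" % entry["name"]
    url = urlparse(data)
    if url.scheme not in ("http", "https") or url.hostname not in ALLOWED_HOSTS:
        # Decode the search term so the analyst sees what the redirect searches for.
        query = parse_qs(url.query)
        term = (query.get("MT") or query.get("q") or [""])[0]
        return "unexpected host %s (query term %r)" % (url.hostname, term)
    return None

def scan_hjt_log(text):
    """Return [(line, reason)] for every R0/R1 entry that should be fixed."""
    findings = []
    for raw in text.splitlines():
        entry = parse_r_line(raw)
        reason = classify(entry) if entry else None
        if reason:
            findings.append((raw.strip(), reason))
    return findings
```

Running `scan_hjt_log(SAMPLE_LOG)` flags the msn.com start page and the three blank overrides and leaves the majorgeeks.com line alone.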
  8. mac77mac

    mac77mac Private E-2

    Hello again,

    Ran steps as you said, attaching HJT log.
    Opened IE got "www.majorgeeks.com" not redirected:)
    The Radialpoint link was most enlightening, thanks
    I shall take your advice and organise my own security in future!

    Many thanx
    mac
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
