Help with IE Newbiee here

Discussion in 'Malware Help (A Specialist Will Reply)' started by hdebo, May 4, 2006.

  1. hdebo

    hdebo Private E-2

    I have a problem when online: I get popups saying vulnerability issue for MyDoom and a few popups for other viruses. When I close them it pops up places to purchase software. Also sometimes if I am opening up more than one window I lose my taskbar and when it reappears the open windows are in a different order.
    I ran Norton, Ad-Aware and the other apps in your thread in safe mode and I don't know what action to take next.

    Please help
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Why did you tell CounterSpy to Ignore problems? You should have allowed it to fix the problems it found.

    Looks like you have a bunch of problems! One of them is Virtumonde. Run the below:

    Virtumonde aka Trojan Vundo Removal

    And attach the VundoFix log. Then also complete step 7 of the READ & RUN ME and attach a HijackThis log.
     
  3. hdebo

    hdebo Private E-2

    The vundo tool worked great. All is better now. Thanks much
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome, but you need to finish what I requested (attach the VundoFix log and run step 7 of the READ & RUN ME). You have more problems!.
     
  5. hdebo

    hdebo Private E-2

    Thanks for the help, here are the files you requested. I did not let HijackThis repair anything yet so I wait to hear from you guys.
    I don't have a Vundo log but on a rescan it scans clean.

    Thanks again
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is always a VundoFix log and it normally appends to it each time it is run.

    You did not read and follow step 7 of the READ & RUN ME and as a result you are running HijackThis from the exact location we request that you not run it from: C:\Documents and Settings\Harry DeBernardo\Desktop\HijackThis.exe

    Did you re-run CounterSpy and let it fix what it found? If not, you should do that.

    Now copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click Save. Save it to your Desktop. We will use it later after a reboot into safe mode.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O9 - Extra button: Microsoft AntiSpyware helper - {5D9204E5-1563-48C4-B715-914E01560191} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5D9204E5-1563-48C4-B715-914E01560191} - (no file) (HKCU)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\ScreenSaver.com <--- the whole folder. This is adware!!!
    C:\Documents and Settings\Harry DeBernardo\My Documents\Sexy\Wallpaper\!Anne Heche&Joan Chen-Wild Side1.jpg
    c:\windows\system32\msbb321.dll
    c:\windows\tmp.hta
    C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\kjjlm.dat
    C:\WINDOWS\system32\kjjlm.ini
    C:\WINDOWS\system32\kjjlm.ini2
    C:\WINDOWS\system32\kjjlm.tmp
    C:\WINDOWS\system32\ssqro.dll
    C:\WINDOWS\system32\orqss.dat
    C:\WINDOWS\system32\orqss.ini
    C:\WINDOWS\system32\orqss.ini2
    C:\WINDOWS\system32\orqss.tmp
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
    Last edited: May 5, 2006
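The HijackThis entries chaslang picked out above all share a few tell-tale shapes: a blank Local Page value, a browser proxy pointed at 127.0.0.1, and O2/O3/O9 CLSID registrations marked "(no file)". The following is an added example (not code from this thread or from the HijackThis tool) that scans HJT-style log lines for exactly those shapes, using the entries quoted in this post plus one constructed benign BHO entry with a made-up CLSID and path.

```python
import re

# Constructed sample log: the HijackThis lines quoted in post 6 of this thread,
# plus one made-up benign BHO entry (hypothetical CLSID and path) that must NOT be flagged.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {5D9204E5-1563-48C4-B715-914E01560191} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5D9204E5-1563-48C4-B715-914E01560191} - (no file) (HKCU)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

# A ProxyServer value that sends all browser traffic through a port on the local machine.
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*(?:127\.0\.0\.1|localhost)(?::\d+)?\s*$")
# A COM class id in the {8-4-4-4-12} form HijackThis prints for BHOs, toolbars and buttons.
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def classify(entry: str):
    """Return a short reason if an HJT entry matches one of the patterns
    flagged in this thread, or None if it looks ordinary."""
    entry = entry.strip()
    if not entry:
        return None
    section = entry.split(" - ", 1)[0]
    if section in ("R0", "R1") and entry.endswith("="):
        return "blank start/local page value"
    if section == "R1" and LOCAL_PROXY.search(entry):
        return "browser proxy forced through a local port"
    if section in ("O2", "O3", "O9") and "(no file)" in entry:
        clsid = CLSID.search(entry)
        return "orphaned CLSID {} with no DLL on disk".format(clsid.group(0) if clsid else "?")
    return None


def triage(log_text: str):
    """Run classify() over every line; returns a list of (entry, reason) pairs."""
    flagged = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            flagged.append((line.strip(), reason))
    return flagged


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_HJT_LOG):
        print(f"{reason:45s} <- {entry}")
```

An orphaned "(no file)" entry is harmless on its own but, as post 11 below notes, it can reappear after a Fix; re-running the triage on the fresh log is the quick way to confirm whether it came back.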
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please keep all requests for help in the forums not in PMs!

    Always run procedures in the order written!
     
  8. hdebo

    hdebo Private E-2

    I reran CounterSpy and fixed all it found, but before I do the rest of my test, when do I use the fixme you wanted me to save?
     


    Last edited: May 6, 2006
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just like the order of my post reads. I forgot to edit out that last sentence which is confusing you. So run it now (right after the CounterSpy run).
     
  10. hdebo

    hdebo Private E-2

    I ran the test you said and deleted the files you requested.
    Here is my new hjt file

    Hope all is ok now

    Thanks again for all the help
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks better but one line remains.

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    Did you miss this one or did it come back? This sometimes happens and then manual steps may be needed to remove it from the registry. Try fixing it again and then get a new HJT log and tell me if it is gone. If not, I will give you another procedure to use. BUT MAKE SURE all browsers are closed before you click Fix checked.
     
  12. hdebo

    hdebo Private E-2

    Ok great to hear we are almost clean again.
    Reran HJT, deleted that line and here is the new logfile.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  14. hdebo

    hdebo Private E-2

    Great to hear and thanks much

    All is good except now I cannot seem to change my default homepage from http://www.majorgeeks.com/ back to my original yahoo page.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Of course you can! You just need to allow the change in Spy Sweeper or disable Spy Sweeper's real time protection before making the change. Then re-enable the protection afterwards.
     
  16. hdebo

    hdebo Private E-2

    I still cannot change the homepage back. I even tried uninstalling Spy Sweeper and still no change.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What happens when you try to change it (any messages) and are you just using the General tab in IE to change it?
     
  18. hdebo

    hdebo Private E-2

    All is working now. For some reason I had to go into safe mode to get it to change back. Don't know why, but it is working ok now.

    Thanks again for all the help
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That should not be necessary, but it still points to a program like Spy Sweeper running in normal boot mode that is blocking you from making the change.

    You're welcome!
     
  20. hdebo

    hdebo Private E-2

    You are right again!!! It was my Norton protecting from resetting the home page.

    Thanks
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Which part of Norton was protecting your Home Page?

    Was it:
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
     
  22. hdebo

    hdebo Private E-2

    I don't really know where it was, but I found it when I opened the NAV options and there is an option for homepage protection.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks! It is probably just all part of the Internet Security Suite.
     
