Help with xtendmedia malware please?

A freind asked me to help remove this bug from her laptop, it appears as a small window on the bottom left of internet explorer and seems to redirect to different advertising pages. She had alread tried removing it, and at this point, it just shows up and an empty frame with a red X in the top right.

I followed the steps for removing redirected, no dice. Then continued with general removal instructions, still no dice so I'll post the logs created and hopefully someone can help us wipe this thing out.

Thanks,

L.G. McCaw

 

Thanks for the response. As suggested, I deleted the folder abd reset IE back to defaults. I also purged the DNS Cache and restarted IE. something is still going on because the frame is still there when I go to different web pages although there's nothing in it. I also get a popup from Malware bytes saying it's blocked access to certain IP adresses. I'll attach the malwarebytes protection log.

Thanks,

L.G.M.

 

Spoke too soon. It's still there, depending on the website the frame gets blocked, but others contain ads for Iview or PCSpeedup. I'm guessing it changes ad servers and Malwarebytes is only blcoking a portion of them.

 

Downloaded Combofix as advised, here's the resulting log file.

Thanks again,
L.G.M.

 

It's IE9 on Windows 7, it says 9.0.8112.16421 with update 9.0.12 (kb2761465) 256bit encryption.

Thanks,

L.G.M.

 

Downgraded to IE8, restarted, still same issue. Now Malwarebytes isn't poping up with blocked site, but the frame is still there. Depending on what site I'm at it says FHServ.COM or AD.xtendmedia for the domain info.

Thanks,
L.G.M.

 

Thanks for the response, as requested I looked, nothing there. I checked loaded, run without permission, downloaded. Some HP printer stuff, some microsoft stuff,an orcle java and some adobe addons. No accelerators and only Google for a search engine. I've also reset IE defaults again.

Thanks,

L.G.M.

 

It didn't find any threats, but it DID find the HOSTS file had a bunch of blank lines and false entries that it corrected. That seems to have done the trick. I'm guessing the hosts file was redirecting to reinfect, mayware bytes was blocking the redirect.
I'll keep an eye on it a day or two and see what happens before I close out this thread.

I hope Karma returns the favor since I can't!

Thanks guys,
L.G.M.

 

Gota give'em credit, they're pretty tricky. I dunno what got rid of the initial infection, she'd (the owner) already run a few things before she called me. It was still there, because I had created a new hosts file, and it continually was modified to add the lines to the end. (I'm guessing ComboFix did the trick, but it didn't clean out the HOSTS file.) Is there anything else beside turning her AV back on that I need to do in the way of cleanup? I've already reinstalled JAVA (from a known source), flash and adobe reader. I've also reinstalled (or will) IE9 and all the other MS updates.

Thanks again,
L.G.M.

 

OK, seems all is good so far. Combofix uninstalled and other utilities & cleanup completed. Licensed Malware bytes. My friends very happy, machine even seems "quicker" according to her.

Thanks so much,
L.G.M.