IE Search Bar changed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pamster, Oct 16, 2004.

  1. pamster

    pamster Private E-2

    I have Spywareguard running on my computer - and all day I've been getting a popup that An Attempt to change Internet Explorer settings has been detected.

    Your Internet Explorer current user search bar has been changed from http://www.google.com/ to
    http://www.zxyielberkptil.com/fZd4/BO9GE/PK8ipYg7fNpAt4ct494XTG!s49RsTDIGuodi

    So I say to Restore old value - and a couple of minutes later it pops back up with the same message...

    So - I went through the list of things to do.

    The Trend Micro's scan found TROJ.SWIZZOR.R - which I removed.

    The Symantec Security Check came up clean.

    McAfee AVERT Stinger came up clean.

    Ran CCleaner

    Ad-Aware SE found a bunch of stuff that we removed - the VX2 Cleaner didn't find anything.

    I had already run CWShredder, it found nothing - but I ran it again - still nothing.

    Ran all the other tools - they didn't find anything.

    Tried some other programs, none of them stopped it either.

    I ran HijackThis - and found and deleted some items, but still...

    Any suggestions?

    Thanks in advance...

    Pam
     
  2. pamster

    pamster Private E-2

    OH - and I forgot a couple of things...

    This started after my computer "rebooted itself" during the night.

    And I did all the stuff in safe mode that it said to do in safe mode. And, the popup doesn't come up in safe mode.

    Thanks again.

    Pam
     
  3. jarcher

    jarcher I can't handle a title

  4. pamster

    pamster Private E-2

    Thanks - yes those threads were the "list of things to do" I was referring to in my message. Sorry I wasn't clear about that.

I have two HijackThis files - one is in safe mode, when the popup thing isn't happening - and the other is in normal mode, when it is. I'll attach them both.

    Pam
     


  5. Kodo

    Kodo SNATCHSQUATCH

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    I don't like this one
    O4 - HKCU\..\Run: [Hold inside] C:\DOCUME~1\pamster\APPLIC~1\HELPSO~1\Name Heck.exe


    That has to be one of the longest logs I've seen..
     
  6. pamster

    pamster Private E-2

    Should I have HiJackThis fix all the items that you listed?

    Pam
     
  7. pamster

    pamster Private E-2

    Thank you SOOOO much. I had HJT fix all those items - rebooted - and it stopped!!!!

    Pam
     
  8. pamster

    pamster Private E-2

    Well, just as a follow up. I kinda spoke too soon that it was gone - because I came back from the store and it was happening again. But I had a clue, now. That same item was back in my HJT list.
    This one: O4 - HKCU\..\Run: [Hold inside] C:\DOCUME~1\pamster\APPLIC~1\HELPSO~1\Name Heck.exe

    So I tracked it down and found the file - and sure enough, the time on it was 3:00 AM on 10/15, which was the time that my computer rebooted "on its own". So I got rid of the folder it was in - and did a search for any other new files for that time period and got rid of them. Rebooted - and things have been working since then. Then I added a second firewall.

    So I'm wondering what happened at 3 AM in the morning yesterday? I had a firewall - and whenever I do a security check it says that my computer isn't visible from the internet. And I have all kinds of popup and spyware etc blockers running. I'm running XP SP2, and I keep my virus definitions (I run both Norton and AVG) and windows updates current. Did I accidentally download something from some website that came alive at 3 AM? Or did someone gain access to my computer in some way? Any thoughts?

    Thanks for the help.

    Pam
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Pam,

    You should not be running two different firewalls at the same time (unless one is hardware & the other is a software firewall) due to potential conflict. Also, you should make sure your Windows Firewall is off since you have SP2 - if you are running an additional software firewall.

    You should not be running two different anti-virus at the same time either. Again, there could be a conflict.

    Many of the things that HijackThis fixes will come back if you do not delete the corresponding files. ATTACH a new HijackThis log and let us make sure you are clean.

    You should also take a look at Chaslang's recommendations: How to Protect yourself from malware!

    Best,

    PP
     
  10. pamster

    pamster Private E-2

    Thanks - my Windows firewall is off.

    I was told that AVG and Norton's could co-exist. My Norton's subscription is up in December - guess I might as well give up on it now, and get something new. I was trying out AVG, but don't like it so much, either. And Avast doesn't scan automatically - and sometimes it misses things that AVG finds.

    Thanks for the link - I already have all that... the only thing left is to remove MS java.

    I've attached a new HJT log.

    Thanks again...

    Pam
     


  11. PhilliePhan

    PhilliePhan Guest

    Hi Pam,

    The log looks good. Frankly, I'm amazed ANYTHING got through the line of defense you've got going!! :)

    As far as Anti-Virus proggys go, AVG & Avast seem to be VERY popular in the Software Forum. Another decent FREE product is Anti-Vir. It does a good job and they update the definitions every 2-3 days. You should ask the opinion of the Software Forum.
    My .02:
    If you want one of the better anti-virus products on the market, you might want to check out Kaspersky.

    Happy Surfing :)

    PP
     
  12. jarcher

    jarcher I can't handle a title

    can be fixed

    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)

    Kodo, Chaslang
    lojack found this as a badie
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

    and the HijackThis log file analysis said it must be fixed
    must it? and why?
    what is with the dangling " /Q ?
     
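The log lines Kodo quoted above and jarcher's question about the trailing " /Q" on the Spyware Doctor entry both come down to reading HijackThis R0/R1/O4 lines carefully: where the program path ends, whether it lives under the user profile, and where the IE start/search URLs point. The parser below is an added example, not code from this thread or from HijackThis; the sample log is constructed from lines quoted in the thread, and the host allowlist and profile-folder list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, built from the lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zxyielberkptil.com/fZd4/BO9GE/PK8ipYg7fNpAt4ct494XTG!s49RsTDIGuodi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [Hold inside] C:\DOCUME~1\pamster\APPLIC~1\HELPSO~1\Name Heck.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) =\s?(?P<data>.*)$')
# Hosts the owner expects in IE start/search settings (assumed allowlist for this example).
KNOWN_HOSTS = {'www.google.com', 'www.dellnet.com'}
# Autostart binaries under the user profile (the dropper here sat in Application Data,
# 8.3 short name APPLIC~1) deserve a closer look than ones installed under Program Files.
SUSPECT_DIRS = ('\\applic~1\\', '\\application data\\', '\\locals~1\\', '\\local settings\\', '\\temp\\')

def split_command(cmd):
    """Split a Run value into (program path, arguments). A quoted path ends at its closing
    quote, so the ' /Q' after spydoctor.exe is a command-line switch, not part of the path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'(?i)(.*?\.exe)\s*(.*)$', cmd)  # unquoted: the path runs up to the .exe
    return (m.group(1), m.group(2)) if m else (cmd, '')

def parse_log(text, known_hosts=KNOWN_HOSTS):
    """Return one dict per recognised R0/R1/O4 line; 'flags' lists why an entry merits review."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            path, args = split_command(m['cmd'])
            flags = []
            if any(d in path.lower() for d in SUSPECT_DIRS):
                flags.append('autostart from user profile folder')
            if ' ' in path and not m['cmd'].startswith('"'):
                flags.append('unquoted path containing spaces')
            entries.append({'kind': 'O4', 'name': m['name'], 'path': path, 'args': args, 'flags': flags})
        elif m := R_RE.match(line):
            data = m['data'].strip()
            host = urlparse(data).hostname if data.startswith('http') else None
            flags = ['points at unrecognised host'] if host and host not in known_hosts else []
            entries.append({'kind': m['kind'], 'value': m['value'].strip(), 'data': data, 'flags': flags})
    return entries
```

Running parse_log(SAMPLE_LOG) flags only the hijacked Search Bar URL and the "Hold inside" entry (profile folder plus unquoted path with a space); the Spyware Doctor line parses to a clean Program Files path with "/Q" as its argument and gets no flag.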
  13. pamster

    pamster Private E-2

    I'd like to know about this, too. It found some spyware that other products hadn't found. Why would I need to fix it?

    Thanks,

    Pam
     
  14. PhilliePhan

    PhilliePhan Guest

    You do not need to fix this. Spyware Doctor is a legitimate and respected product. It is available here at MGs. . . . MGs even runs advertising for it! ;)

    Any luck finding a suitable Anti-Virus product?

    PP
     
  15. jarcher

    jarcher I can't handle a title



    I am asking why it says so?
    not suggesting pamster does
     
  16. Kodo

    Kodo SNATCHSQUATCH

    it was an entry mistake on my part into lojack's database. Disregard it.. I thought I cleared it out.

    [entry cleared permanently]
     
  17. pamster

    pamster Private E-2

    That's where I found it - which is why I really wondered about why I would need to delete it. Especially since the HJT report said "MUST be deleted - so emphatically." Well, I didn't - and I really do like it.


    I'm giving Kaspersky a trial, and I really do like it. Thanks for the recommendation.

    Pam
     
  18. Kodo

    Kodo SNATCHSQUATCH

    Pamster,
    Read my post above yours.. it should clarify why my program listed it wrongly.
     
