Internet pages hijacked - Please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by cinesider, Nov 28, 2006.

  1. cinesider

    cinesider Private E-2

    Hi!

    It's been going on for awhile, but now increasingly when I click on some webpage links my browser is redirected to bogus google searches. It seems to affect only certain sites though. Is anyone having the same problem? Thanks for your help!
     


  2. cinesider

    cinesider Private E-2

    More logs...
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You seem to have ignored or skipped some steps in the READ ME.

    MSconfig should not be running. See step 0 of the READ ME.

    You seem to have not followed step 2 exactly (at least that is how it looks according to your runkeys.txt log).

    You also skipped step 3 of the READ ME. You have Bullguard and Kav installed. You must uninstall one of these.

    HijackThis is not installed into the correct folder. It is installed exactly where we specify not to install it.

    HijackThis.exe is not renamed as requested and this is critical.

    Correct the above issues BEFORE continuing to the below.



    Please run this procedure: WareOut Removal and attach the requested log afterwards.

    Then run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O3 - Toolbar: (no name) - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - (no file)
    O4 - HKLM\..\Run: [Network Services] netsvc.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [Network Services] netsvc.exe
    O9 - Extra button: GloPhone - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\DOCUME~1\ALLUSE~1\Desktop\Glophone.lnk (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{29B376B7-0227-4AC7-A960-4DB03A4FE811}: NameServer = 85.255.113.94,85.255.112.19
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA609F3-121E-4CBD-A233-7669D8348351}: NameServer = 85.255.113.94 85.255.112.19
    O17 - HKLM\System\CCS\Services\Tcpip\..\{615BB3C1-F0AF-447F-93E6-C7550CC344DF}: NameServer = 85.255.113.94,85.255.112.19
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.19
    O17 - HKLM\System\CS2\Services\Tcpip\..\{29B376B7-0227-4AC7-A960-4DB03A4FE811}: NameServer = 85.255.113.94,85.255.112.19
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.19
    O17 - HKLM\System\CS3\Services\Tcpip\..\{29B376B7-0227-4AC7-A960-4DB03A4FE811}: NameServer = 85.255.113.94,85.255.112.19
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.19


    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot into safe mode and delete the below if found:
    c:\windows\system32\netsvc.exe


    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. FixWareout log
    2. GetRunKey
    3. ShowNew
    4. HJT
    Make sure you tell me how things are working now!
     
  4. cinesider

    cinesider Private E-2

    Dear Chaslang:

    Thanks for your help! I did the Read Me all over again and the new procedures and I have a few notes:

    I did enable the view hidden files as mentioned on step 2.

    Search & Destroy couldn't get rid of: Altnet and Huntbar

    My Safemode w/ network didn't work so I did the online scans in normal boot mode (I have DSL).

    About Internet Explorer, I usually use Firefox and couldn't find the same "Reset Web Setting" options.

    I couldn't find the following files in Hijack that you asked me to delete:

    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA609F3-121E-4CBD-A233-7669D8348351}: NameServer = 85.255.113.94 85.255.112.19


    In the end, my browser is still being hijacked just like before... Thanks for all your help and let me know what you find in the new logs attached.
     


  5. cinesider

    cinesider Private E-2

    Now here is my Hijack This log. I attached the one I did after fixing what you mentioned in your reply (I did a new scan after fixing the entries).

    Thanks
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those directions are not for FireFox. Follow them as written with Internet Explorer.

    Why did you say that this:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA609F3-121E-4CBD-A233-7669D8348351}: NameServer = 85.255.113.94 85.255.112.19

    is not in your log when it clearly is. Please fix it.

    You seem to have been doing things in the wrong order! You must follow the directions in the order written. Your GetRunKey log shows things that do not show in your HJT log. That means you ran GetRunKey before you did the fix with HijackThis. Please attach new logs from GetRunKey, ShowNew, and HJT.
     
  7. cinesider

    cinesider Private E-2

    Dear Chaslang:

    Sorry about the log order. Hopefully I did it right this time. Was I supposed to redo the wareout removal and reset the web setting again before the logs?

    Thanks
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For the current logs you just needed to Reset Web Settings first. Please do that and please use Majorgeeks for the home page as suggested so I can see the effect. I would suggest shutting down KAV and CounterSpy before doing the reset of web settings.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have a feeling it is not going to work properly. I see that a majorgeeks item is already in your log. So try the below. Again, make sure CounterSpy and Kav are not running.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now attach a new HJT log.
     
  10. cinesider

    cinesider Private E-2

    OK, I've used the fixME.reg and did a Hijack This log. Also attached are the new GetRunKey and ShowNew logs performed BEFORE the fixME.reg. Hope that helps!

    Thanks
     


  11. cinesider

    cinesider Private E-2

    As soon as I re-enabled Kaspersky, it found this, I don't know if it helps:

    detected: malware Exploit.Win32.MS06-006.e
    URL: http://85.255.117.174/users/mexx/web/count.php?id=tdname

    deleted: Trojan program Trojan-Downloader.Win32.Zlob.acn
    File: C:\System Volume Information\_restore{4C0F0DF1-7B30-49B4-9995-E6F7EB23A91F}\RP323\A0075210.exe/data0002
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It is not a problem of concern. It is in System Restore and when we do our final steps all of System Restore will be removed. And KAV is wrong! They did not delete it. They cannot delete anything in System Restore and they should know better than to say they are.

    Now with CounterSpy and KAV shutdown, set your start page to www.majorgeeks.com

    Now please run this procedure again: WareOut Removal and attach the requested log afterwards.


    Now run HijackThis and fix any lines like below that have the 85.255.113.94 IP address in them:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA609F3-121E-4CBD-A233-7669D8348351}: NameServer = 85.255.113.94 85.255.112.19


    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 5

    Now delete the below file:
    C:\WINNT\system32\CMMGR32.EXE


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the
    C:\Documents and Settings\Fred\Local Settings\Temp


    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT
     
    Last edited: Dec 2, 2006
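The O17 entries chaslang asks to fix in posts 3 and 12 are the hijacked resolver settings (the NameServer values under the Tcpip interface keys); an added example, not from the thread or from the HijackThis tool, that audits a HijackThis log for such entries. It parses O17 lines, splits the comma- or space-separated address lists the log shows, and flags every resolver that is either one of the two addresses named in the thread or not in a caller-supplied trusted list. The sample log and the 192.168.1.1 "trusted router" value are constructed for the demonstration.

```python
import re
from ipaddress import ip_address

# Resolver addresses the thread identifies as the hijacker's (taken from the page).
KNOWN_BAD = {"85.255.113.94", "85.255.112.19"}

# HijackThis O17 line: "O17 - <registry key>: NameServer = <addr>[,| ]<addr>..."
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\S+?): NameServer = (?P<servers>.+)$")

# Constructed sample log: the first three lines echo entries from the thread, the
# last one is a made-up interface GUID pointing at a hypothetical home router.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{29B376B7-0227-4AC7-A960-4DB03A4FE811}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

def parse_nameservers(value):
    """Split a NameServer value; HJT prints both comma- and space-separated lists."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]

def audit_hjt_log(text, trusted):
    """Return (registry key, server, reason) for every O17 resolver not in `trusted`."""
    findings = []
    for raw in text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue
        for server in parse_nameservers(m.group("servers")):
            try:
                ip_address(server)
            except ValueError:
                findings.append((m.group("key"), server, "not an IP address"))
                continue
            if server in KNOWN_BAD:
                findings.append((m.group("key"), server, "known rogue resolver"))
            elif server not in trusted:
                findings.append((m.group("key"), server, "not in trusted list"))
    return findings

if __name__ == "__main__":
    # Assumed trusted resolver: the router at 192.168.1.1 (constructed value).
    for key, server, reason in audit_hjt_log(SAMPLE_HJT_LOG, trusted={"192.168.1.1"}):
        print(f"{reason:22} {server:16} {key}")
```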
  13. cinesider

    cinesider Private E-2

    Hi!

    I completed the above steps as requested. There were no lines in HJT that had the 85.255.113.94 IP address in them.

    All the other steps went ok, but windows didn't have the temp files from today highlighted in purple like you mentioned, it seemed that I could have deleted them.

    Also, I don't know if it matters, but I still always use firefox instead of IE7, to post this reply for example.

    Let me know what you think about the new logs!

    Thanks, as always.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
