looking for help...:)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by xjennzennx, Aug 25, 2004.

  1. xjennzennx

    xjennzennx Private E-2

    Every time I get online I get booted, and sometimes my comp restarts.
    I used Ad-aware and other programs to try to get rid of whatever it is. It gets rid of it for a while, like 15 to 45 min, then it comes right back. Ad-aware shows it as a Tib-browser, and a couple of other things. I just got HijackThis and will post a log later if needed. I thank anyone for any help I can get... If it is any help, I am an EverCrack player and have been losing lots of play time LOL... ;)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    xjenn,

    You started a new thread (http://forums.majorgeeks.com/showthread.php?t=40745) which I have closed. Please remain in one thread for a particular problem. You should refer to the closed thread and the info I left there for you. Do what is indicated and report results back here. As I said there you have a bunch of problems that must be fixed!
     
  3. xjennzennx

    xjennzennx Private E-2

    OK, I tried all that you posted in the last thread. Everything worked, but I still get the Tib-browser back in like an hour or so. That's the only thing I see come back. What should I do next?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have really run everything requested, post a HijackThis log as an attachment!
     
  5. xjennzennx

    xjennzennx Private E-2

    Here is my log.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the other thread I gave you a bunch of items to do and asked some questions. You did not provide me any feedback on the results (like what was found and cleaned etc). Also you did not answer my questions. I specifically said:

    1) Do NOT run Hijack This from the Desktop, a temp folder or choose run from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    You are still running it from a ZIP file. Do what I asked or you will not get any backups from changes made with HJT.

    2) REPORT RESULTS BACK IN THE OTHER THREAD. Also, what is your home page supposed to be? Your log showed http://213.159.117.134/index.php which does not look valid!

    You gave no results other than saying it all worked! What worked? I need to know what the results of all the scans were. What was found? What was cleaned/fixed? What was not fixed? Any error messages? I need to know your expected home page.

    3) Also immediately run HJT and have it fix these lines:
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com

    It does not look to me like you had HijackThis fix these lines. They are still in your log file.
    Unless you fixed them and they came back. (another reason for me asking for results).

    4) Also note: SpyKiller is a fake/rogue spyware removal product. You should uninstall it. See this link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    I still see SpyKiller in your log. It is not going to help you. It is crap! Also I'm not familiar with BestPopupKiller, but I'm guessing it came with SpyKiller. If that is the case, it is probably crap too.

    In order to best help me to help you, you must follow directions and provide useful feedback. I did not even get to the trojans yet. (You really need to get some decent protection installed.) Now after completing anything from above that was not completed, do the following:

    Okay, the first thing you must do is disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668

    Don't reboot yet when it asks. We will reboot later!

    Now enable Windows Explorer to view hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650

    You have the Downloader.Harnig trojan. It downloads Trojans, adware, and dialers, and terminates services associated with antivirus software (this is shown by the system.exe and wintime.exe files). Also you have the Trojan.Win32.Dialer.bi infection (the questmod.dll file shows this).

    Bring up Task Manager by hitting CTRL-ALT-DEL and select Processes. Find the two below processes and end them (make sure you tell me results for this):
    system.exe
    wintime.exe

    Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\questmod.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\1090350916.dll

    then click OK. If a dialog box confirming this action appears, click OK.

    Now shutdown ALL applications and run HijackThis. Put check marks on the following lines and then click fix (I'm assuming that the R0 & R1 lines are not what you want for home page & default search. I went there and ran into a couple virus/trojans.)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
    O2 - BHO: {C0135040-022F-4632-9C8E-77607D9CEE96} - {C0135040-022F-4632-9C8E-77607D9CEE96} - C:\WINDOWS\1090350916.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [System32] C:\WINDOWS\system.exe
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)

    Then immediately reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    Use Windows Explorer to delete the following (if found)
    C:\WINDOWS\system.exe
    C:\WINDOWS\system32\wintime.exe
    C:\WINDOWS\questmod.dll
    C:\WINDOWS\questmod-1.dll
    C:\WINDOWS\udpmod.dll
    C:\WINDOWS\1090350916.dll

    Reset Web Settings by opening Internet Explorer. Then click Tools, Internet Options, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.majorgeeks.com).

    Reboot normally and let me know how things are working and post a new HJT log as an attachment.
     
    Last edited: Aug 27, 2004
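    The entries chaslang picks out above share a few tell-tale patterns: a start page that is a bare IP address, BHOs with no name or no file, an autorun EXE dropped straight into C:\WINDOWS, and sites added to the Trusted Zone. As an added example (not part of the thread and not HijackThis's own code), here is a small Python triage script that applies those patterns to HJT-style log lines; the sample log is constructed from entries quoted in the thread plus two benign lines for contrast.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in HijackThis format; entries mirror log lines quoted in the thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\\WINDOWS\\questmod.dll
O4 - HKLM\\..\\Run: [System32] C:\\WINDOWS\\system.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O15 - Trusted Zone: *.searchmiracle.com
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O15, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def triage_line(line):
    """Return the reasons a HijackThis log line deserves a closer look (empty list = looks benign)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec in ("R0", "R1"):
        # Home/default/search page entries: a bare IP instead of a hostname is the thread's red flag.
        host = urlsplit(body.split(" = ", 1)[-1]).hostname or ""
        try:
            ip_address(host)
            reasons.append("IE start/default page points at a bare IP address")
        except ValueError:
            pass
    elif sec == "O2":
        if "(no name)" in body:
            reasons.append("BHO without a name")
        if "(no file)" in body:
            reasons.append("BHO registered but its file is missing (orphan entry)")
        elif re.search(r"C:\\WINDOWS\\[^\\]+\.dll$", body, re.I):
            reasons.append("BHO DLL sitting directly in C:\\WINDOWS")
    elif sec == "O4":
        # Autorun entries: legitimate Windows components live in subfolders, not the WINDOWS root.
        path = body.split("] ", 1)[-1]
        if re.fullmatch(r"C:\\WINDOWS\\[^\\]+\.exe", path, re.I):
            reasons.append("autorun EXE placed directly in C:\\WINDOWS, not a subfolder")
    elif sec == "O15":
        reasons.append("site added to IE Trusted Zone (the thread's advice: never do this)")
    return reasons

def triage_log(text):
    """Map each suspicious line of an HJT log to its reasons; clean lines are omitted."""
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln))}
```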
  7. xjennzennx

    xjennzennx Private E-2

    I have done all that you have posted and am reposting a new HijackThis log.
    I will run the comp for a while and see what happens. I will repost later.
     
  8. xjennzennx

    xjennzennx Private E-2

    Here you go...
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks a lot better now, doesn't it? How is everything running? Any more TIB Browser problems?

    Note you still did not uninstall SpyKiller or BestPopupKiller. That's your decision if you feel comfortable with them. But SpyKiller is crap. There is much, much better free software available, like some of the items I have had you run. Also, SpywareBlaster and SpywareGuard to block spyware from getting on your PC. Ask yourself how good SpyKiller is. Look at all the malware problems that were on your PC. As I said before, I'm not familiar with BestPopupKiller so I really have no opinions about it. I just assumed based on the name it may be from the same company.
     
  10. xjennzennx

    xjennzennx Private E-2

    Yeah, everything runs great now, just like when I got it. Thanks a whole bunch for all the help. I will go get some better protection because I don't want to go through this crap again. But thanks again a whole lot.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! And here is a canned speech, some of which you may already have:

    Make sure you get your system protected from reoccurrence of issues like this. Here are some simple steps you can take to reduce the chance of infection in the future. I strongly encourage you to do them all.

    1. Visit Windows Update:
    Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    Do this at least once a month.
    b. Never add any site to your Trusted Sites Zone.

    2) Anti Virus: make sure you have one and keep it updated. Here are some good free ones:
    http://majorgeeks.com/download1968.html Avast
    http://majorgeeks.com/download886.html AVG
    The top two hands down. Better than Norton or McAfee!
    Only run ONE AV!

    3) Firewall: if you don't have one get one of these below. The last two are free versions:
    Don't care if you're on dial up or High Speed... you must have a firewall.
    http://majorgeeks.com/download738.html Kerio Personal Firewall
    http://majorgeeks.com/download3356.html Sygate Personal Firewall Free
    http://www.majorgeeks.com/download388.html ZoneAlarmFree

    4) Get a Temp File/Cookies/index.dat cleaner
    http://majorgeeks.com/download4191.html CCleaner (Crap Cleaner)

    5) SpyWare Prevention (These prevent, they are not scanners. Scanners are listed later.)
    http://majorgeeks.com/download2859.html SpyWare Blaster
    http://majorgeeks.com/download3045.html SpyWare Guard

    6) SpyWare Scanners/Removers
    http://majorgeeks.com/download2471.html SpyBot (Use the Immunize feature. I don't activate the TeaTimer)
    http://majorgeeks.com/download506.html Ad-aware SE
    http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe VX2 Cleaner Plug-In for Ad-Aware
     