Please HELP! Homepage Hijacked "isafetypage.com"-popups, balloons,...UGH!

Discussion in 'Malware Help (A Specialist Will Reply)' started by badmotorfinger, Oct 16, 2006.

  1. badmotorfinger

    badmotorfinger Private E-2

    Sirs,
    I don't know what happened exactly. Last night I tried opening my homepage and it went to this isafetypage.com site and won't let me go to my normal homepage at all, google. I get several sex popups and continuous balloons from an "X/Question mark" icon in my task tray and DID have an additional balloon which was continuously popping up from my task tray but this other one has stopped since completing all of the "Sticky thread" steps required of all new people with problems. :mad: The remaining balloon that keeps popping up says "Critical System Error!" Another said something about W32.MyZor.FK@yf. Something else said something about a "backdoor trojan". Please help me. I'm not the most computer savvy person but think I've done everything requested from your instructional sticky. I believe I have all the proper downloads and logs and will post them below.
    Per your instructions from the sticky, when I got to the spybot and scanned it afterwards I did the immunization and immunized a bunch of stuff. At the Panda stage it found 30 spyware and 1 hacking tool found, none of which were "disinfected".
    Again, I hope I've followed the instructions well. Please let me know if I can supply any more information. I'm TRULY grateful for your help.
    THANKS AGAIN!!!
    Jim :)
     

    Attached Files:

    Last edited by a moderator: Oct 18, 2006
  2. badmotorfinger

    badmotorfinger Private E-2

    here are my other two attachments. Thanks again for your time and effort!
    Jim
    I think I made a mistake when saving the HJT log. I'll try and figure this out and submit again. Sorry... :eek:
     

    Attached Files:

  3. badmotorfinger

    badmotorfinger Private E-2

    Okay, I think the mistake was I didn't change the hijack this log filename to .txt from .log. So here we go.... Hope it works. Thanks again! :) Looks like it's gonna work. Sorry for the extra post. :eek:
     

    Attached Files:

  4. matt.chugg

    matt.chugg MajorGeek

    Please follow the procedures in this thread: SpywareQuake & SpyFalcon Removal Procedure

    Once you come to the last part (manually removing files and folders) also note that

    C:\Program Files\MMediaCodec

    is the same as

    C:\Program Files\MediaCodec and C:\Program Files\Media-Codec

    so you can also delete that folder.
     
  5. badmotorfinger

    badmotorfinger Private E-2

    Matt, thanks for your help. I didn't find anything that was on the list. Here is my .txt file requested. Hope I did everything right. Please let me know if there's anything else I can provide. Again, THANKS for your help.
    The hijacking of my homepage just quit doing that (taking me to the isafetypage.com site) after about four days. Now, I get the recurrent popup continuing from the task panel I mentioned in the beginning. Thanks!
    jim
     

    Attached Files:

  6. matt.chugg

    matt.chugg MajorGeek

    Did you delete C:\Program Files\MMediaCodec?

    As the symptoms seem to have changed and it's been nearly a week since you posted the logs, I think it would be best if I look at some fresh ones. Please post a new HJT log, a new shownew log and a new activescan log.
     
  7. badmotorfinger

    badmotorfinger Private E-2

    Matt, here are the redone logs as requested. Thanks Matt!!!
     

    Attached Files:

  8. matt.chugg

    matt.chugg MajorGeek

    Using add/remove programs which can be accessed from the control panel, uninstall the following:

    For more info on why I want you to uninstall pokerroom.com see this http://www.bleepingcomputer.com/uninstall/987/PokerRoom.com-remove-only.html

    I want you to uninstall Limewire because you are still running it whilst running these fixes. The chances are that you picked up the infection from a dodgy file on Limewire anyway. You can reinstall it when we are done if you want to.

    Download

    - Pocket KillBox

    - Process Explorer

    Extract each to their own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)


    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of IECodecPlg.dll once and then click the kill button. After you have killed all of the IECodecPlg.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of IECodecPlg.dll and kill it. (If you do not find the dll, just continue on.)

    Repeat the above procedure for the following DLL Files

    Now just exit Process Explorer.




    Run HijackThis. Click the 'Do a system scan only' button.


    Once the scan has completed click Config

    Click Misc Tools

    Click Open Process Manager

    Terminate the following processes by selecting them from the list and clicking Kill Process
    Note: This may not be present but we need to check.

    Click back to return to the scan results.

    Place a checkmark in the box next to the following lines:


    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.


    REBOOT to Normal Mode.

    Let me know how things are running now

    Post a fresh HijackThis log, a fresh newfiles log and a fresh activescan log.
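The Process Explorer and Pocket Killbox steps in the post above can be checked and reproduced from a script. The block below is an added example for readers of this thread, not something matt.chugg posted and not part of either tool: it enumerates which processes still have the named DLL loaded (the check done by hand in Process Explorer under winlogon.exe and explorer.exe) and queues files for deletion at the next boot through the Windows MoveFileEx API with MOVEFILE_DELAY_UNTIL_REBOOT, which is the mechanism behind Killbox's "Delete on Reboot". It assumes a modern PowerShell run from an elevated prompt; the DLL name and folder come from the thread, everything else is a placeholder to substitute for your own case.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Parameters default to the names given in the thread (assumption: they are
# the items you still need to deal with on your machine).
param(
    [string]$DllName = 'IECodecPlg.dll',
    [string[]]$PathsToRemove = @('C:\Program Files\MMediaCodec')
)

function Find-LoadedModule {
    param([string]$Name)
    # Walk the module list of every process. Protected or cross-bitness
    # processes (winlogon.exe without SYSTEM rights, 32-bit vs 64-bit) throw
    # on .Modules, so those are skipped rather than aborting the sweep.
    foreach ($p in Get-Process) {
        try {
            foreach ($m in $p.Modules) {
                if ($m.ModuleName -ieq $Name) {
                    [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Path = $m.FileName }
                }
            }
        } catch { }
    }
}

# P/Invoke for kernel32!MoveFileEx; passing a null destination with
# MOVEFILE_DELAY_UNTIL_REBOOT registers the path for deletion at next boot.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-OnReboot {
    param([string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    if (-not [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${Path}: Win32 error $err"
    }
}

# 1. Is the DLL still mapped anywhere? If it is, the file cannot be deleted
#    now and the reboot-time queue is the right tool.
$hits = @(Find-LoadedModule -Name $DllName)
if ($hits) {
    "$DllName is still loaded in:"
    $hits | Format-Table -AutoSize
} else {
    "$DllName is not loaded in any accessible process."
}

# 2. Queue the folders for deletion. Files first, then the folder, because
#    the boot-time deletion only removes a directory that is empty by then.
foreach ($path in $PathsToRemove) {
    if (Test-Path -LiteralPath $path) {
        Get-ChildItem -LiteralPath $path -Recurse -Force -File |
            ForEach-Object { Remove-OnReboot $_.FullName }
        Remove-OnReboot $path
        "Queued for deletion at reboot: $path"
    } else {
        "Not present, nothing to queue: $path"
    }
}

# 3. Show the queue the session manager will process at boot. This is the
#    same registry value Killbox populates; a completed reboot clears it.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
    -Name PendingFileRenameOperations -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PendingFileRenameOperations
```

Run it before the reboot to confirm the DLL is genuinely gone from winlogon.exe and explorer.exe, and again after the reboot: if Find-LoadedModule still reports hits, something on an autostart path is reloading the module and the HijackThis entries need another look before deleting files again.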
     
