Second time around

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mortonator, Oct 15, 2005.

  1. Mortonator

    Mortonator Private E-2

    greetings:

    I had this problem before, did all the things you required and seemed to have fixed the issue, only to find it back less than a week later.

    I should point out that one of my daughters went to some Italian site (she now can't remember which) to translate something, and that's when the problems began in the first place.

    The situation is as follows:

    I get redirected to one of two web pages, even when I click to exit the info box that comes up (it's in Italian, so I can't read it). IE takes me either to:

    www.skymasters.com .. or
    www.sfondissimo.net

    It also adds a shortcut called "exsplorer" - in fact this is added in multiple locations, including into my root C:\, into Program Files, the desktop and other places. All these are shortcuts to the Skymasters site.

    These turn out to be sex sites of a particularly nasty nature. I also found, on running the Hijacker last time, the following entries:

    O15 - Trusted Zone: www.archiviosex.net
    O15 - Trusted Zone: www.redfunny.com
    O15 - Trusted Zone: www.skymasters.biz

    These were cleaned off and reappeared, so I'm assuming there's something else that is somewhere that keeps redirecting me.

    So today, I did the following:

    I turned off System restore
    I rebooted in safe mode
    I ran Bitdefender, it said nothing was found
    I ran Ravscan - it found a trojan - weather.exe - and a backloader (suspicious) called win32/Poebot.E

    These last 2 were found with Ravscan before but were apparently not cleaned out or they reappeared

    I ran Stinger - nothing was found

    I then disconnected my internet.

    I ran CCleaner - it deleted 11.2 mb of cookies and other files
    I ran AdAware - it found 3 tracking cookies as follows:
    @atdmt.txt
    @doubleclick.txt
    @pref.overture.txt

    I cleaned these out
    VX2 Cleaner found nothing

    Spybot only identified the firewall and antivirus overrides I have on - I use my router firewall combined with my ISP protections and I use Norton Antivirus. However, Spybot has cleaned out dialers and sextrackers before (all of which I have added to my privacy blocks).

    I ran CW Shredder - nothing found
    I ran Kill2fix - nothing found
    I ran About buster - nothing found
    I ran HS Remover - it said 8 items were removed but kept no log

    I then ran Hijackthis in Safe mode and kept a log.
    Then I rebooted normally, and ran Hijackthis again, and kept a separate log.
    I then reconnected my internet and am now posting this to you.

    Can you help? I think I've followed your instructions properly, and I have the logs ready to upload whenever you give the word.

    Morton
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you following the steps as written in the current READ & RUN ME FIRST Before Asking for Support ? From what you posted, it looks like you are working from an old copy saved locally. Bad idea. The READ ME should always be checked for changes.

    The procedure has changed. 99.9% of the time we do not need HJT logs from safe mode because they are not that useful. The full boilerplate cleaning procedure now looks like:

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

     
  3. Mortonator

    Mortonator Private E-2

    I apologize. I wasn't as clear as I should have been, then, though I thought I was fairly detailed. I ran all the steps from what I got today on the site. That included the other scans, like Panda and so on. I was able to download everything and Panda found some files which I deleted as well. I'm attaching the Panda scan to this post. I still have the HijackThis log. I have, as I said, already cleaned this a while ago using the requirements that were available then, but the problem came back, which is why I ran the stuff again today. I'm hoping that the clean up would have worked the first time, though it didn't. So, I thought that after another clean, if the Hijack log showed something I didn't recognize as a problem, you'd be able to point it out to me (along with a fix). Now, I wonder if the problems Panda identified would have been the cause of the redirect to the bad site coming back.

    Hope that this is clearer and that you can help.

    Mortonator
     


  4. Mortonator

    Mortonator Private E-2

    Also, even though you now allow posts of the hijack log, I didn't want to send anything that would clutter up the servers without it being necessary. However, I'll attach it now.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Part of the reason I asked is because I saw things like:
    They are not part of the READ & RUN me. So since you had run them I thought you used the old procedure instead of the new one.

    You also mentioned
    which is also no longer part of the current steps. Although it is not a problem if you ran it. I'm just telling you why I believe the new READ ME was not run.

    Now that you posted your log, I still believe that you have not followed the new procedure. If you had, MS Antispyware would show in your log and it does not.

    At any rate, your current log shows no true malware. Just the below minor cleanup can be done. What problems are you still having? Did you clean up all user accounts?

    The below can be fixed with HJT.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
     
    Last edited: Oct 16, 2005
  6. Mortonator

    Mortonator Private E-2

    I understand why you thought I hadn't run the new procedure, but I assure you I did. I ran Microsoft Antispyware too and it found a few things that I got rid of. The other runs that are no longer part of the procedure were run anyway because I thought it wouldn't hurt, since all the same problems that arose before the first cleanup showed up again. If that was causing any problem, then I will not run them again.

    As to the question about what problems I'm still having, the answer is none. That's what happened last time, and about a week or so later they came back. So I thought if there was something that caused the problem still hidden, you might see it where I will not.

    Finally, yes, I cleaned up all user accounts. There were some of the same problems in the other accounts (i.e. some of the files that were created in the temp folder) and I made sure all those were removed.

    Thank you for your last suggestions about the minor clean-up. I will do those. I sincerely hope that I don't see the same problem again, but if I do, you can be sure I will be back! :) In fact, I intend to visit regularly to see if there are any new updates, suggestions or advice that I might take advantage of!

    One last question, if I might. Do you recommend against running the cleanup (using the LATEST instructions, of course!) every so often (and yes, I have done the Spybot inoculation and left the Microsoft Antispyware on "protect" and all the other things that I can too), even when I don't appear to have a problem? I should think it would be good practice (and yes, I did read the tutorial on how to protect my computer) - it's just that I've both received AND read so much conflicting advice that I prefer to ask the question directly and get an answer directly.

    Thanks again for all your help.

    Morton
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Running them does not hurt anything, but it is a waste of time to run about:buster and HSremove if you do not have an about:blank or HSA hijacker problem. Also they will change your start pages on you (necessary when there is a hijacker but not necessary otherwise). We took them out of the READ ME and put them into a special removal procedures thread on purpose to avoid having them run unnecessarily. Way too many people ran them, just because they were in the sticky. Removing them makes the procedure a little less time consuming.

    I do not know what you mean about last time. This is your first thread.


    It does not hurt you to run the cleanup procedure every so often if you do not mind spending the time. I don't believe the full procedure is really necessary to run unless you have problems. Just running periodic scans with your AV, MS Antispyware, Ad-Aware, and Spybot are sufficient (run them in normal boot mode and switch to safe mode if they cannot fix something).

    You said you ran the How to protect thread but I did not see a firewall installed in the last HJT log you posted.

    I also did not see MS Antispyware running in your log. If it was installed, it should show.
     
  8. Mortonator

    Mortonator Private E-2

    Yes, I know. Previously, I ran the READ ME that was available at the time, did what was suggested and appeared to have cleaned the problems up. Because at that time you were not looking for logs until you wanted them, and everything seemed ok, I never posted. It's only when the problems returned that I figured I must have missed something and posted.
    Thank you. And I assume that it would be a good idea to check for any updated procedures here before doing that?
    Yes, as I mentioned in an earlier post, I run the firewall in my router, as well as the protection that my ISP provides. Given that I had this problem, perhaps it's a good idea that I install one. Any recommendations on a reasonably good one?
    I haven't any idea as to why it doesn't show, but it definitely is running. I have already used it to good advantage. It found several things for me to remove, and has prevented my kids from changing home pages without my knowing about it and deciding on whether to allow it. Do you think there may have been an installation problem? Perhaps if I uninstall and reinstall it, it will show up.

    In any case, thanks for all the help to date. This is the first time I've actually gotten "help" that really worked! :)

    Morton
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and every time you are going to scan, first check to see if there are any updates to the definitions/detections/database files for the program. For example: Spybot just updated today.

    Yes you need a locally installed software firewall. They are in the How to Protect yourself from malware! thread!


    No! That should not be needed. Post a new HJT log now.

    We always help! And hopefully it is always good help that works! ;) As you can see by the posts in this forum we are very popular and busy.

    Are you having any more malware problems?
     
  10. Mortonator

    Mortonator Private E-2

    Yes (laughing), I really DO know that they are there. As I said before, I always try and get a direct answer. I was wondering if there was one in particular you think does the best job.
    It is attached.
    Yep, I see that and I think that's a good thing!!
    Nope, not as of yet!

    Morton
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I personally prefer ZoneAlarm.

    I still think something is not right with your MS Antispyware installation. It does not show properly in your HJT log. One process shows (should be two) but nothing shows in the O4 startups and it should. You may want to uninstall it, reboot, and then reinstall.

    I also think something may be wrong with some of your Symantec software. The below lines indicate potential problems:
    O23 - Service: SNDSrvc - SiS Corporation - (no file)
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - (no file)

    Even though the first one says SiS Corporation, I think it may really be the SndSvc from Symantec. You may need to uninstall, reboot, and reinstall Symantec to make sure your security center and antivirus are functioning properly.
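A defender-side triage helper for the kinds of HijackThis entries quoted in posts 5 and 11 (O15 Trusted Zone lines, O9/O23 entries whose file is missing, O16 DPF entries with no download URL, an unexpected R0 start page). This is an added example, not code from the thread or from HijackThis; the sample log and the list of expected start pages are constructed assumptions.

```python
import re

# Constructed sample HijackThis log excerpt, modelled on the entries quoted
# in this thread (not a real captured log).
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
O23 - Service: SNDSrvc - SiS Corporation - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
"""

# Assumed set of start pages the user set deliberately; anything else is
# reported so it can be confirmed rather than silently accepted.
EXPECTED_START_PAGES = {"about:blank", "http://www.google.com/"}


def triage_hjt_log(text):
    """Return a list of (section, reason, line) tuples worth a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if not m:
            continue  # not an HJT entry (blank line, header, etc.)
        section, body = m.groups()
        if section == "O15":
            # Trusted Zone entries lower IE's security for that domain; the
            # thread shows them being re-added by something still resident.
            findings.append((section, "trusted zone entry", line))
        elif section in ("O9", "O23") and ("(no file)" in body or "(file missing)" in body):
            # Registration left behind with no binary: leftover of a removed
            # tool, or a broken security product that needs reinstalling.
            findings.append((section, "registered but binary missing", line))
        elif section == "O16" and body.rstrip().endswith("-"):
            findings.append((section, "ActiveX entry with empty download URL", line))
        elif section == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if url not in EXPECTED_START_PAGES:
                findings.append((section, "unexpected start page", line))
    return findings
```

Each finding is a candidate for review, not a verdict: the O23 Symantec line here is the same pattern chaslang flags as a possibly broken install rather than malware.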
     
