Solved Vista help w/Bing zugo thing!

broni · 2010/04/05

The error screen said it was denied write access to host files
Click to expand...

You have to remember, when you run HJT in Vista, you have to right click on it and "Run As Administrator ".

Now, I keep, forgetting, you're not running any antivirus program.
Please, download and install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
After installation, run full scan.

When done, post fresh HJT log.

Blue Star · 2010/04/05

Running Microsoft Security Essentials.... do you prefer Avast?

broni · 2010/04/05

No, that's fine.
I didn't see it from HJT log.
Hold on there...

broni · 2010/04/05

Verify your Java version here: http://www.java.com/en/download/installed.jsp
Update, if necessary.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

================================================================

Print this post out, since you won't have an access to it, at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.

Blue Star · 2010/04/05

Printing now... and will do.

Noticed that Bing icons now follow underscored links in my text... is this normal?

broni · 2010/04/05

Noticed that Bing icons now follow underscored links in my text
Click to expand...

Say again, please...

Blue Star · 2010/04/05

hjt log..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:06 PM, on 4/5/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

--
End of file - 2701 bytes

text contained within this forum has links.... they are underlined and followed by a Bing icon......

i.e. computer(Bing search iconhere). Hope I'm a bit clearer.

broni · 2010/04/05

i.e. computer(Bing search iconhere). Hope I'm a bit clearer.
Click to expand...

Are you talking about regular links, like:
http://download.bitdefender.com/reso...an8/oscan8.cab
or so called intellitxt, where a word has green double underline?

Blue Star · 2010/04/06

Didn't know the term, but yes... intellitext. The icon is gone since I ran hjt last night. Bing is persistent and seems to ride tail on quite a few downloads...hate it!

Thanks soooo much for all your help thus far! My machine still crashes, but the speed has improved greatly. That alone alieviates much frustration.....

Now, back to Mom's slow machine.....

broni · 2010/04/06

You can get rid of intellitxt only by installing some anti ad Firefox add-on like Adblock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865

Now, please, explain:

Bing is persistent and seems to ride tail on quite a few downloads
Click to expand...

Additionally, are you referring to regular Bing, or Bung/Zugo?

Blue Star · 2010/04/06

was referring to Bing, but it cleared out after we ran hjt and fixed....

broni · 2010/04/06

In that case....

Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore ".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

[SIZE= "4"]5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

broni · 2010/04/12

You never did comment on your computer behavior.

Blue Star · 2010/04/12

sorry.... been absent from this thread and up to my elbows in alligators on Mom's machine.

I got the warning popup and the virus counter redirect again this am while I was working....

will return here shortly, though.

broni · 2010/04/12

Ok.....

Blue Star · 2010/04/15

received the popup again that my computer is infected... then redirect which "scans" and reads many infections..

broni · 2010/04/15

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***

STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

STEP 3. Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post HijackThis log.
NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Blue Star · 2010/04/15

malwarebytes log.... restarting and dl gmer after this post..

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3994

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/15/2010 10:38:55 PM
mbam-log-2010-04-15 (22-38-55).txt

Scan type: Quick scan
Objects scanned: 106464
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AutocompletePro (Adware.PredictAd) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AutocompletePro\InstTracker.exe (Adware.PredictAd) -> Quarantined and deleted successfully.

Blue Star · 2010/04/15

hjt...

unable to run gmer this time... first two gmer links stop working and crash me and the third link is dead...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:00 PM, on 4/15/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Owner\Desktop\WinBBS\HiJackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1ca69a01600bf40) (gupdate1ca69a01600bf40) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

--
End of file - 2715 bytes

Blue Star · 2010/04/15

Also... since I last ran malwarebytes, I now have blocked startup programs...

Log in or Sign up

Solved Vista help w/Bing zugo thing!

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

Blue Star Well-Known Member Thread Starter

Blue Star Well-Known Member Thread Starter

Share This Page

Log in or Sign up

Solved Vista help w/Bing zugo thing!

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

broni Moderator Malware Analyst

Blue Star Well-Known Member Thread Starter

Blue Star Well-Known Member Thread Starter

Blue Star Well-Known Member Thread Starter

Share This Page

Useful Searches