Gaming Tough Virus Help please

Hakoda (OP)
RESOLVED. kinda.

The 2nd time I tried the BitDefender RescueCD v2.0 dated 6-30-09, it found 4 infected files just like before, and it also closed the scanner without warning yet again. But this time I shut down the computer correctly when exiting the RescueCD instead of just holding the power button. On the next start-up, the Security Center 4.52 virus had disappeared. So before I rubbed my eyes and hoped this wasn't a dream, I installed avast! Antivirus and ran a scan. It said it had found malware in certain .dlls. I had them moved to quarantine. It advised me to run a boot scan, which I did. It found about 15~20 more Win32.Trojans. Fixed those. Now the only problem left is a small adware which won't load Google.com or let me click on search links from Yahoo or Google, and when searching through Google (with the upper-right search bar in Firefox) it is in German and it won't let me access the language settings. I'm going to run Spybot S&D, then TrendMicro's HiJackThis if S&D doesn't work. I'll upload the HJT log (regardless of whether the Search Engine adware was resolved) here and a couple of other places, so look out for that tomorrow afternoon, since that's when I'll be going over.

Thanks, Tempers, you guys are wonderful.

~ Jon
 

Hakoda (OP)
logical thinker said:
jonjon95 said:
I'm going to run Spybot S&D then TrendMicro's HiJackThis if S&D doesn't work.
Scan with Ad-Aware too.

Got it thanks.

Kamiyama said (Jul 8 2009, 03:23 PM):
Why not use the ComboFix? It helped me when same virus was teasing one of my friends computer.
I was told to NEVER use ComboFix unless told to and instructed by a malware expert/admin/mod from an anti-malware site, because it can be harmful to your computer if you don't know what you're doing or can't tell the difference between Windows & a virus (same thing though, right :D)

Ok thanks guys!

~ Jon
 

kenyab2009
Dude, that is baaaaaaaaaaad. It's called a hijacker.worm. Go to microsoft.com, then go to Downloads, then download the Windows Microsoft Malicious Software tool. That should get rid of it and clean your computer. Good luck, dude.
 

Hakoda (OP)
I scanned with HJT. Here's the log file. Anyone with HJT expertise please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:22 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O1 - Hosts: 89.149.210.105 www.google.com
O1 - Hosts: 89.149.210.105 www.google.de
O1 - Hosts: 89.149.210.105 www.google.fr
O1 - Hosts: 89.149.210.105 www.google.co.uk
O1 - Hosts: 89.149.210.105 www.google.com.br
O1 - Hosts: 89.149.210.105 www.google.it
O1 - Hosts: 89.149.210.105 www.google.es
O1 - Hosts: 89.149.210.105 www.google.co.jp
O1 - Hosts: 89.149.210.105 www.google.com.mx
O1 - Hosts: 89.149.210.105 www.google.ca
O1 - Hosts: 89.149.210.105 www.google.com.au
O1 - Hosts: 89.149.210.105 www.google.nl
O1 - Hosts: 89.149.210.105 www.google.co.za
O1 - Hosts: 89.149.210.105 www.google.be
O1 - Hosts: 89.149.210.105 www.google.gr
O1 - Hosts: 89.149.210.105 www.google.at
O1 - Hosts: 89.149.210.105 www.google.se
O1 - Hosts: 89.149.210.105 www.google.ch
O1 - Hosts: 89.149.210.105 www.google.pt
O1 - Hosts: 89.149.210.105 www.google.dk
O1 - Hosts: 89.149.210.105 www.google.fi
O1 - Hosts: 89.149.210.105 www.google.ie
O1 - Hosts: 89.149.210.105 www.google.no
O1 - Hosts: 89.149.210.105 search.yahoo.com
O1 - Hosts: 89.149.210.105 us.search.yahoo.com
O1 - Hosts: 89.149.210.105 uk.search.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bridge - http://download2.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download2.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/7%20Wonders%20II/Images/stg_drm.ocx
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/SCJohnson/Coupons.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/7%20Wonders%20II/Images/armhelper.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: getPlus Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c9e48f4b542312) (gupdate1c9e48f4b542312) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11602 bytes

~ Jon
 

Athlon-pv
Just google each .exe file and see if they're known for being a virus.

There is too much crap installed on her computer.

The amount of services is also kinda worrying.

What you aim for is removing most of the stuff that is listed anyway, and tell her to start it manually after you've cleared everything that's malware.
 

kobykaan
As before, uninstall all YAHOO JUNK like Yahoo toolbars/helpers/updaters etc. You don't need them!

Get rid of any Google add-ons such as toolbars/Picasa/Google Updater etc. You don't really need them.

Edit your hosts file. No idea why it's full of this lot:

O1 - Hosts: 89.149.210.105 www.google.com
O1 - Hosts: 89.149.210.105 www.google.de
O1 - Hosts: 89.149.210.105 www.google.fr
O1 - Hosts: 89.149.210.105 www.google.co.uk
O1 - Hosts: 89.149.210.105 www.google.com.br
O1 - Hosts: 89.149.210.105 www.google.it
O1 - Hosts: 89.149.210.105 www.google.es
O1 - Hosts: 89.149.210.105 www.google.co.jp
O1 - Hosts: 89.149.210.105 www.google.com.mx
O1 - Hosts: 89.149.210.105 www.google.ca
O1 - Hosts: 89.149.210.105 www.google.com.au
O1 - Hosts: 89.149.210.105 www.google.nl
O1 - Hosts: 89.149.210.105 www.google.co.za
O1 - Hosts: 89.149.210.105 www.google.be
O1 - Hosts: 89.149.210.105 www.google.gr
O1 - Hosts: 89.149.210.105 www.google.at
O1 - Hosts: 89.149.210.105 www.google.se
O1 - Hosts: 89.149.210.105 www.google.ch
O1 - Hosts: 89.149.210.105 www.google.pt
O1 - Hosts: 89.149.210.105 www.google.dk
O1 - Hosts: 89.149.210.105 www.google.fi
O1 - Hosts: 89.149.210.105 www.google.ie
O1 - Hosts: 89.149.210.105 www.google.no
O1 - Hosts: 89.149.210.105 search.yahoo.com
O1 - Hosts: 89.149.210.105 us.search.yahoo.com
O1 - Hosts: 89.149.210.105 uk.search.yahoo.com

There shouldn't be anything other than your own local host of 127.0.0.0 in there or similar.

Remove getPlus®. It's advertisement crap, not needed; use a different download manager with Firefox instead.

Get rid of whatever this is: http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll. Looks like a redirector DLL!?

Everything else looks in order, but above all uninstall all that's Yahoo related. It's everywhere!

Update and scan again with Malwarebytes software.

Read the previous instructions for manual removal of problematic files, print them and do the removal in safe mode!

Once you have got rid of the registry entries and the files, it will be easier to sort the rest out!
 

jalaneme
This is a virus that I recently just got rid of. It's a very annoying virus called Reader_s.exe. It sends out information about the computer via a connection and keeps on spreading unless you get rid of it. DO NOT connect any flash drive or externals to the infected PC, as it will spread into those drives and will re-infect even after you have completely reinstalled Windows.

Download CCleaner and select these folders to remove their contents: C:\windows\prefetch, c:\windows\Temp. Also clean up other stuff left by Windows etc.

DO NOT use ComboFix. That program just made the problem worse and corrupted all my internet connections, which I could not repair, so I had to reinstall Windows XP again because ComboFix messed it up. The best virus program I have used is Kaspersky; it removed 90% of the virus. Also install Malwarebytes, but RUN IT IN SAFE MODE, not normal mode, and also disconnect your internet connection or you will be re-infected. After you have scanned with Malwarebytes in safe mode, restart the computer again in safe mode and do a full scan again 3-4 times before all the traces are gone. Also update the program first before you go into safe mode.

I hope this helps, and good luck with removing the virus, you are going to need it. It took me 6 hours to completely remove it from my computer (including reinstall).
 

MicShadow
I had this virus; I just used HijackThis to remove it. It didn't have any quarrels opening HijackThis.
Then bam, it was gone. Used Avira to clean the remains.
 

Hakoda (OP)
kobykaan said:
As before, uninstall all YAHOO JUNK like Yahoo toolbars/helpers/updaters etc. You don't need them!

Get rid of any Google add-ons such as toolbars/Picasa/Google Updater etc. You don't really need them.

Edit your hosts file. No idea why it's full of this lot:

O1 - Hosts: 89.149.210.105 www.google.com
O1 - Hosts: 89.149.210.105 www.google.de
O1 - Hosts: 89.149.210.105 www.google.fr
O1 - Hosts: 89.149.210.105 www.google.co.uk
O1 - Hosts: 89.149.210.105 www.google.com.br
O1 - Hosts: 89.149.210.105 www.google.it
O1 - Hosts: 89.149.210.105 www.google.es
O1 - Hosts: 89.149.210.105 www.google.co.jp
O1 - Hosts: 89.149.210.105 www.google.com.mx
O1 - Hosts: 89.149.210.105 www.google.ca
O1 - Hosts: 89.149.210.105 www.google.com.au
O1 - Hosts: 89.149.210.105 www.google.nl
O1 - Hosts: 89.149.210.105 www.google.co.za
O1 - Hosts: 89.149.210.105 www.google.be
O1 - Hosts: 89.149.210.105 www.google.gr
O1 - Hosts: 89.149.210.105 www.google.at
O1 - Hosts: 89.149.210.105 www.google.se
O1 - Hosts: 89.149.210.105 www.google.ch
O1 - Hosts: 89.149.210.105 www.google.pt
O1 - Hosts: 89.149.210.105 www.google.dk
O1 - Hosts: 89.149.210.105 www.google.fi
O1 - Hosts: 89.149.210.105 www.google.ie
O1 - Hosts: 89.149.210.105 www.google.no
O1 - Hosts: 89.149.210.105 search.yahoo.com
O1 - Hosts: 89.149.210.105 us.search.yahoo.com
O1 - Hosts: 89.149.210.105 uk.search.yahoo.com

There shouldn't be anything other than your own local host of 127.0.0.0 in there or similar.

Remove getPlus®. It's advertisement crap, not needed; use a different download manager with Firefox instead.

Get rid of whatever this is: http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll. Looks like a redirector DLL!?

Everything else looks in order, but above all uninstall all that's Yahoo related. It's everywhere!

Update and scan again with Malwarebytes software.

Read the previous instructions for manual removal of problematic files, print them and do the removal in safe mode!

Once you have got rid of the registry entries and the files, it will be easier to sort the rest out!

OK, I'm going to follow these instructions first. I uploaded my HJT log to BleepingComputer and they told me to do a number of things. Since this one is shorter and actually has to do with HJT, I'll be following these instructions first. Then I'll try the BleepingComputer method if this doesn't work. Thanks kobykaan.

~ Jon
 

Hakoda (OP)
KOBYKAAN, YOU ROCK.

All I did was edit the hosts file to only have 127.0.0.0 localhost instead of all the crap in there, and the redirection stopped. Then I started a scan with avast! and it's finding some Win32.Trojans. I uninstalled all the Google/Yahoo crap, but I didn't even take out that line that contained myheritage or whatever. Anyways, problem's solved officially.

THANK YOU GBATEMP & TEMPERS!!

~ Jon
 
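kobykaan's advice above (strip the hosts file down to the localhost line) and Jon's report that doing exactly that stopped the redirection are the core of this thread: the "adware" was a hosts-file hijack pointing every Google and Yahoo search hostname at one outside address. The following is an added example, not code from this thread, from HijackThis or from any of the tools named here. It parses either the "O1 - Hosts:" lines of a HijackThis log or a raw hosts file, flags entries that send a name anywhere other than loopback, counts how many names each outside address captures (the one-IP-many-names pattern is the tell), and builds the cleaned hosts text. The two sample inputs are constructed for the example; the sample log reuses the IP and a few of the hostnames from the log posted above. The standard localhost line is 127.0.0.1 (the check accepts the whole 127.0.0.0/8 loopback range and ::1).

```python
"""Added example: detect hosts-file search-engine hijacks in an HJT log or hosts file."""
import ipaddress
import re
from collections import Counter

HJT_SECTION = re.compile(r"^O\d+ - ")   # any HijackThis section line, e.g. "O4 - ", "O23 - "
O1_PREFIX = "O1 - Hosts:"

# Constructed sample in the shape of the log posted above (a few lines only, not the full log).
SAMPLE_HJT_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 89.149.210.105 www.google.com
O1 - Hosts: 89.149.210.105 www.google.de
O1 - Hosts: 89.149.210.105 search.yahoo.com
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

# Constructed raw hosts file, the format the O1 lines are read from
# (on Windows XP it lives at %SystemRoot%\system32\drivers\etc\hosts).
SAMPLE_HOSTS_FILE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
89.149.210.105  www.google.com www.google.co.uk   # several names on one line
"""


def parse_hosts_entries(text):
    """Return (ip, hostname) pairs from an HJT log (O1 lines only) or a raw hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if HJT_SECTION.match(line):
            if not line.startswith(O1_PREFIX):
                continue                       # O2, O4, O23... are not hosts entries
            line = line[len(O1_PREFIX):]
        line = line.split("#", 1)[0].strip()   # drop hosts-file comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])     # first token must be an address
        except ValueError:
            continue                           # e.g. "Running processes:" in a full log
        entries.extend((parts[0], name) for name in parts[1:])
    return entries


def is_local(ip_str):
    """True for loopback (127.0.0.0/8, ::1) and the unspecified address used by blocklists."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_loopback or ip.is_unspecified


def find_hijacked(entries):
    """Entries that route a name to a routable address instead of the local machine."""
    return [(ip, host) for ip, host in entries if not is_local(ip)]


def summarize(entries):
    """How many names each non-local address captures; many names -> one IP is the hijack pattern."""
    return Counter(ip for ip, _ in find_hijacked(entries))


def clean_hosts_text(entries):
    """Hosts-file text keeping only local entries, adding the localhost line if it is missing."""
    keep = [(ip, host) for ip, host in entries if is_local(ip)]
    if not any(host == "localhost" for _, host in keep):
        keep.insert(0, ("127.0.0.1", "localhost"))
    return "".join(f"{ip}\t{host}\n" for ip, host in keep)


def report(text):
    """Findings as a list of lines (returned, not printed, so a caller can check them)."""
    entries = parse_hosts_entries(text)
    bad = find_hijacked(entries)
    lines = [f"{len(entries)} hosts entries, {len(bad)} point away from loopback"]
    for ip, n in summarize(entries).most_common():
        lines.append(f"  {ip} captures {n} name(s)")
    return lines


if __name__ == "__main__":
    for label, sample in (("HJT log", SAMPLE_HJT_LOG), ("hosts file", SAMPLE_HOSTS_FILE)):
        print(f"== {label} ==")
        print("\n".join(report(sample)))
        print("cleaned hosts text:")
        print(clean_hosts_text(parse_hosts_entries(sample)), end="")
```

Run against the real log in this thread, the report would show one address capturing all 26 names, which is exactly what an unexpected hosts file on a home PC looks like; a legitimate one has the localhost line and little else. Rewriting the file from `clean_hosts_text` is the programmatic form of what Jon did by hand, and the same check is worth repeating after the scans, since malware that installed the entries can put them back.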

Athlon-pv
Make sure that your friend understands: no more crap on the computer!

More stuff = dead PC soon.

Even when installing new programs, dare to hit the box which unselects stuff you don't need.

Lots of programs these days add a toolbar, and this can be skipped by either clicking the top-right kill box or unflagging it.
 
