yeller

Delete browsing history in Explorer 8

I am trying to fix a friend's PC.  The browsing history (IE8) contains porn sites.  I have used the tool in IE8 to delete browsing history and CCleaner as well.  I cannot remove the sites in the history.  I have opened the history and manually deleted each one.  They disappear but when I reopen IE8 they are back. I have scanned this PC for viruses with AVG but none were found.

How can I get rid of the history?
yeller

ASKER

Sorry, I forgot.  It is Vista.
leakim971
Hello,

You have spyware, not a virus.

Regards
Have you tried in safe mode? I recommend starting the computer in safe mode and trying.  Both CCleaner and AVG are free so they might just take care of some. I recommend buying an antivirus for around 40-80 bucks and updating its definitions. Only then might you be protected. It sounds like a strand of persistent trojans or viruses.

Another alternative: http://www.malwarebytes.org/ but you still have to pay some to get the best results.  Good luck buddy!

Cheers.
yeller--You could try Security System Suite.  Check the Temporary boxes in both columns
http://www.geocities.com/igor_shpak/
But malware removal is probably the right solution.  Run a scan with your existing (I hope) antivirus program and  SuperAntiSpyware as well
http://www.superantispyware.com/  The scan is free.
Then run HiJackThis.
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
If you need help in analysis, post here or analyze online at
yeller

ASKER

Hi all,

Thanks for the suggestions.  I'll try CCleaner, Malwarebytes and SAS in Safe Mode.  I'll let you know what happens.

Thanks a million.
yeller

ASKER

Ok, so I tried the following:

Boot Safe Mode
Ran Malwarebytes: it found something like "hijack.displayProperties"
Ran SAS: 0 found
Ran Spybot: 0 found
Ran CCleaner

I thought Malwarebytes had found and removed the problem but as soon as I rebooted, the problem returned.

I always get the same 4 or 5 porn web sites listed in the History.

Help
yeller--Put IE8 into InPrivate mode for the future.  See left panel here
http://www.microsoft.com/windows/internet-explorer/features/safer.aspx

Run Malwarebytes in Normal mode.  Then run HiJackThis.
yeller

ASKER

I ran hijackthis and removed a few items.  I ran Malwarebytes in normal and safe mode.
The sites in the history remain.
Help please.
yeller--You might be better off by posting your MalwareBytes and HiJackThis logs here.  Statements such as "it found something like "hijack.displayProperties"  do not give us much information.  
I have a strong feeling you have not eliminated all malware.
Once that is done, you can then do the following.
Did you try putting IE8 into InPrivate mode?  See left panel here
http://www.microsoft.com/windows/internet-explorer/features/safer.aspx

Delete History items by using http://www.nirsoft.net/utils/iehv.html 
Once you run it, click Edit|Clear All.
yeller

ASKER

Hi jcimarron,

Thanks for the replies.  I am sure you are right.  The Malware is definitely still there.  I don't see how to put IE8 in "inprivate" mode.


Here is the hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:21 PM, on 04/10/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\SMINST\BLService.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Spyware Doctor\pctsTray.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\PROGRA~2\AVG\AVG8\avgemc.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.canoe.ca/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files (x86)\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_7477fb4c\AESTSr64.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files (x86)\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_7477fb4c\STacSV64.exe (file missing)
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10685 bytes
Well now you can try taking IE8 off and deleting the history using the methods you have tried. If this doesn't work, then try this method that helps you go through the whole nine yards and more.

http://browsers.about.com/od/internetexplorertutorials/ss/ie8privatedata.htm 

As always follow the steps, and report your findings.

Just a last thought, do you have any software that prevents you from making some changes to your computer such as deepfreeze, windows steady state, centurion technologies or something like that?

Just a thought!
yeller--I am no HJT expert, but you do seem to have some baddies
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)  
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)

The first and the last are "missing" so serve no purpose.  The other six seem to be running from the wrong folder and probably are the baddies.
So, run HiJackThis again and this time "Fix" the baddies.  I think you will be able to quarantine them in case I am wrong and you want to restore.  Alternatively, backup your hard drive to an external drive to allow a restore.  If all is OK after a day or so, DELETE those/that backup(s) immediately. Also delete any System Restore points from the past and start fresh.
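
A triage sketch for the HijackThis log posted above, added here as an example; it is not part of the original thread or of HijackThis itself. It assumes the scanner ran as a 32-bit process on 64-bit Windows (HijackThis v2.0.2 is 32-bit), where WOW64 file system redirection makes native `System32` files read as `(file missing)`; the `triage` function and its verdict names are hypothetical.

```python
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Platform: Windows Vista SP1 (WinNT 6.00.1905)
C:\Program Files (x86)\Internet Explorer\iexplore.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O23 - Service: ..."
MISSING = re.compile(r"([A-Za-z]:\\.*?)\s*\(file missing\)\s*$")
NATIVE_SYS32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def looks_64bit(log_text):
    """Heuristic: WOW64-only folder names show up in logs from 64-bit Windows."""
    lowered = log_text.lower()
    return "program files (x86)" in lowered or "\\syswow64\\" in lowered


def triage(log_text):
    """Return (section, verdict, detail) for every R*/O* entry in the log.

    orphan-registration: registry entry that points at no file at all.
    verify-natively:     System32 path reported missing on 64-bit Windows; a
                         32-bit scanner is redirected to SysWOW64, so confirm
                         with a 64-bit tool before touching the service.
    stale-entry:         file missing outside the redirected folder.
    present:             entry resolves to a file the scanner could see.
    """
    wow64 = looks_64bit(log_text)
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process or blank line
        code, body = m.groups()
        missing = MISSING.search(body)
        if body.endswith("(no file)"):
            verdict, detail = "orphan-registration", body
        elif missing and wow64 and NATIVE_SYS32.match(missing.group(1)):
            verdict, detail = "verify-natively", missing.group(1)
        elif missing:
            verdict, detail = "stale-entry", missing.group(1)
        else:
            verdict, detail = "present", body
        results.append((code, verdict, detail))
    return results


def summary(log_text):
    """Count entries per verdict."""
    counts = {}
    for _, verdict, _ in triage(log_text):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for code, verdict, detail in triage(SAMPLE_LOG):
        print(f"{code:<4}{verdict:<21}{detail}")
```

Entries marked `verify-natively` are the ones to check from a 64-bit process or from Explorer before using HijackThis's "Fix" on them.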
yeller

ASKER

I tried pr0t0c0l12's removal procedures and the problem remains. I don't quite understand what you mean by "now you can try taking IE8 off".  Do you want me to uninstall IE8?

jcimarron:  I have already fixed those items in Hijackthis but the problem remains. This PC does not have any of that software you mentioned.  I finally figured out how to put IE8 in InPrivate mode.  I ran the "delete browsing history" but no improvement.

I really do not know what else I can do.
yeller--"I have already fixed those items in Hijackthis but the problem remains. This PC does not have any of that software you mentioned.  I finally figured out how to put IE8 in InPrivate mode.  I ran the "delete browsing history" but no improvement."
If you put the baddies into quarantine, both from MalwareBytes and HJT, they should not be affecting IE until at least the next boot, if ever again.  So I do not understand how the problem can remain unless you need stronger malware removal such as ComboFix.  I am not at all expert with that, so hope someone else will guide you.  There is no point to putting IE8 into InPrivate mode until you are free of the baddies.  It does not act retroactively.  Concerning software you feel you do not have, there is none you need (except perhaps ComboFix, which I have only now mentioned) so I do not know what you mean by that.
yeller

ASKER

jcimarron: sorry, it was pr0t0c0l12 that asked " just a last thought, do you have any software that prevents you from making some changes to your computer such as deepfreeze, windows steady state, centurion technologies or something like that?"  This PC does not have any of those programs installed.

I am at a loss as well.  I have run all the suggested removal programs but the problem remains.
I will try Combofix.
Thanks
yeller

ASKER

I cannot run Combofix.  This PC is running Vista 64 bit.

Now what?????
ASKER CERTIFIED SOLUTION
jcimarron
This solution is only available to members.
yeller

ASKER

Unfortunately this is a business PC and they want me to get rid of any Malware, if it exists.  So, they would not want to just rename the sites.

I do not understand this suggestion: "Encrypt it, using TrueCrypt or something similar".  It seems to me that you are suggesting I encrypt the History file but I might be confused.   What do you want me to encrypt?  Do you want me to encrypt the entire hard disk?

Additionally, you said "Rebooting should create a new and empty History file."  Is this after the hard disk is encrypted?  I am not clear on this suggestion.

In the "further steps" you gave links to XP repair installation.  This PC is Vista 64bit.

Thanks for all your help.  Any clarification would be really appreciated.
yeller--I presume the reason for your question here is because the History folder, full of porn site URLs, is embarrassing.  It actually causes no harm to the function of the PC--assuming all malware has been removed.  If you encrypt the existing, but renamed, History folder, it cannot be opened for all to see, except those that have the password.
" So, they would not want to just rename the sites."  I do not know if anyone has suggested that.  Interesting idea.  But if you are trying to get rid of the sites, why would "they" care if you renamed them?
You have done just about everything that can be done to get rid of malware (though I think your order was sometimes mixed up), so either a Repair Install or Clean Install
http://www.vistax64.com/tutorials/88236-repair-install-vista.html
http://www.vistax64.com/tutorials/117366-clean-install-full-version-vista.html
is about all there is left to do.  The latter will wipe everything off the drive.  

yeller

ASKER

jcimarron,

Thanks a million for all your help and suggestions.
I will give you the points for this question.

I did find an alternative to your suggestions (but it basically disables your ability to see any history):

1) This clears existing address bar autocomplete history: (but will also clear your entire index, which will rebuild next startup)

Start button>Control Panel>System And Maintenance>Indexing Options, Click on Internet Explorer History, Click ADVANCED, Click RESTORE DEFAULTS

2) This will stop autocomplete history showing again in future: (slightly different for IE7 vs IE8 but you will get the idea)

IE8 > Tools > Internet Options > Content > AutoComplete Settings > Use Autocomplete for: > Uncheck 'Web Addresses'  

Thanks again,

Yeller
yeller--Thanks for sharing your good information with us!
You should have written this reference
http://browsers.about.com/od/internetexplorertutorials/ss/ie8privatedata.htm  :)