levinlawfirm

Stumped!

Network administrator here. This site has saved my bacon more times than I can count, but this time I'm stumped. I've run Malwarebytes, SUPERAntiSpyware, HijackThis, ComboFix, CWShredder, checked hosts files, looked in System32 for rogue files and been all through the registry, and I can't find what is blocking these sites. Malwarebytes removes some rogue fake-alert programs, but it did not identify exactly what it was. Just a generic hit, basically. Usually if it is identifiable I can search for manual removal instructions, but no luck this time. I'm thinking this is something new. Any help would be appreciated.
Topics: Anti-Virus Apps, Anti-Spyware

Last comment: technomic, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Dan Cooper

Log in or sign up to see answer
Peter Hart

If that's true and you have successfully run all those anti-spyware programs, I suggest a clean install.
But first, have you tried a System Restore to when it was working, then re-run those programs?
Start > All Programs > Accessories > System Tools > System Restore, follow the wizard and choose a date when it really last worked. Restore it, then re-install Malwarebytes and run it (in Safe Mode).
levinlawfirm

ASKER
3 computers, no domain. I've tried Firefox and IE and both are being blocked from going to Windows Update/spyware removal sites. All other webpages load no problem. These are my boss's home computers and he went weeks being infected. Looks like Geek Squad gave it a shot with no luck. All in all they are in pretty decent shape except for the websites being blocked somehow.
Dan Cooper

One other thing to try if you have gotten this far (and you are not using Internet Explorer): you can completely uninstall the browser and re-install it; just check to see whether you have a lot of bookmarks to back up.

I did this in a similar scenario as you have described, and uninstalled Firefox and Chrome.  It fixed the issue in Firefox (I was being redirected to strange sites when searching on google, sometimes just dead pages), and left me with a problem opening attachments.  I had to delete a registry entry that the Google Chrome Uninstall didn't hand back to I.E. and all worked perfectly.

levinlawfirm

ASKER
System Restore is hosed. It fails on any date I try. This is an easy setting somewhere, I just know it, but I've not gotten lucky yet. I'll wipe and reload if I must, but I'd hate to for some obscure registry entry or something. The desktop is not hijacked or anything, no admin rights have been changed, so I think it's been disabled with this one issue being elusive.
levinlawfirm

ASKER
I'll add my HijackThis log. Maybe someone can see something I can't.
levinlawfirm

ASKER
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 5:31:12 PM, on 2/18/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 4977 bytes
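Since the question is what is blocking these sites, here is an added PowerShell script (my own example, not code from any poster or from HijackThis) that reads, without changing anything, the places that usually hold the answer: the hosts file together with the DataBasePath value that tells Windows where that file lives, the WinINET proxy and PAC settings (the same keys HijackThis reports as R1 lines), the per-interface DNS servers, the IE zone map, and the Winsock catalog. The two host names it resolves at the end are assumed examples. It is written for Windows PowerShell 2.0 and later and should be run from an elevated prompt on the affected machine.

```powershell
# Added example, not from the thread: a read-only survey of the settings that
# commonly cause "only update / security-vendor sites fail to load".
# Run in an elevated PowerShell on the affected machine; nothing is modified.
# The host names tested at the end are assumed examples, not from the page.

function Get-SiteBlockSurvey {
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # 1. Hosts file. Windows reads it from DataBasePath, so report that value:
    #    a redirected DataBasePath hides a rogue hosts file from anyone who only
    #    opens %SystemRoot%\System32\drivers\etc\hosts.
    $dbPath    = (Get-ItemProperty -Path $tcpip -Name DataBasePath).DataBasePath
    $hostsFile = Join-Path ([Environment]::ExpandEnvironmentVariables($dbPath)) 'hosts'
    Write-Host "[hosts] DataBasePath = $dbPath"
    Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
        ForEach-Object { Write-Host "[hosts] non-default entry: $_" }

    # 2. WinINET proxy settings (used by IE, and by Firefox when it is set to
    #    "use system proxy settings"). A ProxyServer or AutoConfigURL (PAC file)
    #    the owner never configured can route chosen sites to nowhere.
    $p = Get-ItemProperty -Path $inet
    foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        if ($null -ne $p.$name) { Write-Host "[proxy] $name = $($p.$name)" }
    }

    # 3. DNS servers per interface. A hijacked resolver answers selected names
    #    with a bogus address while every other site resolves normally.
    Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
        $i = Get-ItemProperty -Path $_.PSPath
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            if ($i.$name) { Write-Host "[dns] $($_.PSChildName) $name = $($i.$name)" }
        }
    }

    # 4. IE zone map. A domain assigned to zone 4 (Restricted sites) is
    #    effectively unreachable from IE even though DNS and the hosts file are clean.
    $zoneMap = "$inet\ZoneMap\Domains"
    if (Test-Path -Path $zoneMap) {
        Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
            $z = Get-ItemProperty -Path $_.PSPath
            foreach ($prop in $z.PSObject.Properties) {
                if ((@('http', 'https', '*') -contains $prop.Name) -and ($prop.Value -eq 4)) {
                    Write-Host "[zone] restricted: $($_.PSChildName) ($($prop.Name))"
                }
            }
        }
    }

    # 5. Winsock catalog. A third-party layered service provider sits in the
    #    path of every socket and can drop connections to chosen hosts
    #    (HijackThis lists these as O10). A provider path outside %SystemRoot%
    #    deserves a closer look.
    netsh winsock show catalog |
        Select-String -Pattern 'Description|Provider Path' |
        ForEach-Object { Write-Host "[winsock] $($_.Line.Trim())" }

    # 6. Resolution check for hosts of the kind the thread says are blocked
    #    (assumed example names). A loopback/private address, or a failure for
    #    only these names, points at DNS or hosts-file tampering.
    foreach ($h in 'windowsupdate.microsoft.com', 'www.malwarebytes.org') {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
            Write-Host "[resolve] $h -> $($addrs -join ', ')"
        } catch {
            Write-Host "[resolve] $h -> FAILED: $($_.Exception.Message)"
        }
    }
}

Get-SiteBlockSurvey
```

Read the output top to bottom: a hosts entry, a proxy or PAC URL, an unfamiliar DNS server, a restricted-zone domain, or a non-Microsoft Winsock provider each explains the symptom on its own, and a resolution failure for only the vendor names with everything else clean narrows it to DNS or the hosts file.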
levinlawfirm

ASKER
BTW thanks for the prompt help...
technomic

There is always something new coming out, like the Kneber botnet, which is all over the RSS feeds in the news today. I had a few systems with similar issues; I ended up reimaging them as it was just taking too long to address it and issues just kept coming back...
Have you tried the MS Malicious Software Removal Tool? You listed a few awesome spyware removal tools, but did you run something like Symantec Antivirus? McAfee has a tool called Stinger that might be helpful.
Are you running XP or Vista? Vista will do the closest to a true restore.
technomic

Never mind my comment on restore; I didn't refresh my browser while others were posting...
Have you tried emptying out the temp files with utilities like ATF-Cleaner or CleanCache? Restore IE settings to default and reset the browser if you are using IE.
Also, take a look at the startup services to see if there is anything questionable: Start > Run > msconfig
levinlawfirm

ASKER
Running Vista. I think that's what I'm going to do: just bite the bullet and do a wipe and reload. What do you mean by Vista doing the closest restore? I was going to manually back up all personal files to an external drive and just wipe, reload and replace. Is there an easier way with Vista? We are a total XP Pro network at work, so I've not had to dig into Vista too much yet other than disabling the security control crap etc. for friends and employees.
technomic

XP does a restore, but Vista actually rewrites everything including data. Have you tried booting off the Vista disc to try and restore?
levinlawfirm

ASKER
Yeah, did all of that.

Well guys, I really appreciate the help, but I think I'll just do the wipe instead of wasting any more time. I sure would like to know how to fix this one though, because I know it's going to come up again on the network.
technomic

Getting data and reimaging was what I did a few times as it was just taking too long to eliminate the problem....
levinlawfirm

ASKER
No, haven't tried that yet. I'll give it a shot.
technomic

Might be worth it; it shouldn't take too long before you find out. Take a look at this, it might be helpful with the restore:
http://vistaultimate.windowsreinstall.com/repairsystemrestore/repairsystemrestore.htm