levinlawfirm asked:
Network administrator here. This site has saved my bacon more times than I can count, but this time I'm stumped. I've run Malwarebytes, SUPERAntiSpyware, HijackThis, ComboFix, CWShredder, checked the hosts file, looked in system32 for rogue files and been all through the registry, and can't find what is blocking these sites. Malwarebytes removes some rogue fake-alert programs but it did not identify exactly what it was, just a generic hit basically. Usually if it is identifiable I can search for manual removal instructions, but no luck this time. I'm thinking this is something new. Any help would be appreciated.
Peter Hart:
If that's true and you have successfully run all those anti-spyware programs, I suggest a clean install.
But first, have you tried a System Restore to when it was working, then re-running those programs?
Start - All Programs - Accessories - System Tools - System Restore, follow the wizard and choose a date when it really last worked. Restore it, then re-install Malwarebytes and run it (in safe mode).
levinlawfirm:
3 computers, no domain. I've tried Firefox and IE and both are being blocked from going to Windows Update/spyware removal sites. All other web pages load no problem. These are my boss's home computers and he went weeks being infected. Looks like Geek Squad gave it a shot with no luck. All in all they are in pretty decent shape except for the websites being blocked somehow.
One other thing to try, if you have gotten this far (and you are not using Internet Explorer): you can completely uninstall the browser and re-install it; just check to see if you have a lot of bookmarks to back up.

I did this in a similar scenario to the one you have described, and uninstalled Firefox and Chrome. It fixed the issue in Firefox (I was being redirected to strange sites when searching on Google, sometimes just dead pages), and left me with a problem opening attachments. I had to delete a registry entry that the Google Chrome uninstall didn't hand back to IE, and all worked perfectly.

System Restore is hosed. It fails on any date I try. This is an easy setting somewhere, I just know it, but I've not got lucky yet. I'll wipe and reload if I must, but I'd hate to for some obscure registry entry or something. The desktop is not hijacked or anything, no admin rights have been changed, so I think it's been disabled with this one issue being elusive.
I'll add my HijackThis log. Maybe someone can see something I can't.
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 5:31:12 PM, on 2/18/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) -
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

End of file - 4977 bytes
BTW thanks for the prompt help...
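Added here as a worked example, not code from this thread or from HijackThis: a small Python script that parses a log in the HijackThis format shown above and flags the entry types most likely to explain security sites being blocked (hosts-file entries other than localhost, browser proxy settings, autoruns outside Program Files/Windows, and services with a missing binary or unknown owner). The sample log is constructed; four of its lines mirror the posted log and the rest are invented to show what the flagged patterns look like.

```python
import re

# Constructed sample in HijackThis log format. The ProxyOverride, "::1 localhost",
# igfxpers, Global Startup and Marvell Yukon lines mirror the log posted above;
# the ProxyServer, update.microsoft.com and Temp-folder lines are invented here
# to show what a hosts-file block, a proxy hijack and a suspicious autorun look like.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 update.microsoft.com
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [Updater] C:\Users\bob\AppData\Local\Temp\updater.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse(text):
    """Yield (section, body) for every HijackThis entry line in text."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def flag_entry(section, body):
    """Return a reason to look closer at this entry, or None if it looks routine."""
    if section == "O1":                      # hosts-file entry: only localhost is expected
        ip, _, host = body.partition("Hosts: ")[2].partition(" ")
        if host.lower() != "localhost":
            return f"hosts file sends {host} to {ip}"
    elif section == "R1" and ("ProxyServer" in body or "AutoConfigURL" in body):
        return "browser proxy configured: " + body.split(",", 1)[-1]
    elif section == "O4":                    # registry Run key or startup-folder autorun
        _, sep, target = body.partition("] ")
        if sep and not target.strip('"').lower().startswith(TRUSTED_DIRS):
            return f"autorun launched from an unusual location: {target}"
    elif section == "O23" and ("(file missing)" in body or "Unknown owner" in body):
        return "service with unknown owner or missing binary: " + body
    return None

def review(text):
    """Return [(section, reason)] for every entry worth a manual look."""
    findings = []
    for section, body in parse(text):
        reason = flag_entry(section, body)
        if reason:
            findings.append((section, reason))
    return findings

if __name__ == "__main__":
    for section, reason in review(SAMPLE_LOG):
        print(section, reason)
```

Paste a real log into SAMPLE_LOG (or read it from a file) to get the same triage; a flagged line is a place to look, not a verdict, since unsigned OEM services often show "Unknown owner".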
There is always something new coming out; the Kneber botnet is out and the news is all over the RSS feeds today. I had a few systems with similar issues; I ended up reimaging them as it was just taking too long to address it and issues just kept coming back...
Have you tried the MS Malicious Software Removal Tool? You listed a few awesome spyware removal tools, but did you run something like Symantec Antivirus? McAfee has a tool called Stinger that might be helpful.
Are you running XP or Vista? Vista will do the closest to a true restore.
Never mind my comment on restore, I didn't refresh my browser while others were posting...
Have you tried emptying out the temp files with utilities like ATF-Cleaner or CleanCache? Restore IE settings to default and reset the browser if you are using IE.
Also, take a look at the startup services to see if there is anything questionable: Start > Run > msconfig
Running Vista. I think that's what I'm going to do: just bite the bullet and do a wipe and reload. What do you mean by Vista doing the closest restore? I was going to manually back up all personal files to an external and just wipe, reload and replace. Is there an easier way with Vista? We are a total XP Pro network at work, so I've not had to dig into Vista too much yet other than disabling the security control crap etc. for friends and employees.
XP does a restore, but Vista actually rewrites everything including data. Have you tried booting off the Vista disc to try and restore?
Yeah, did all of that.

Well guys, I really appreciate the help, but I think I'll just do the wipe instead of wasting any more time. I sure would like to know how to fix this one though, because I know it's going to come up again on the network.
Getting the data off and reimaging was what I did a few times, as it was just taking too long to eliminate the problem....
No, haven't tried that yet. I'll give it a shot.
Might be worth it; it shouldn't take too long before you find out. Take a look at this, it might be helpful with the restore