Old 06-29-2009, 12:54 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Overclick.CN redirect driving me crAzY-Please help!

I see some other folks here are having this problem too, but it appears I would have to run some kind of diagnostic first. I am a newbie, so I'm not sure what I need to do. Is it the program called HiJack This? I know I must sound like an idiot in this forum, but that's OK, I accept that. Can you please help? The problem started a few days ago and it has been difficult to even get to a site to help because I keep getting redirected! So, whew, I'm finally here. I ran so many programs, AdAware, SpyBot, Stinger, Malware Bytes, Microsoft tool...nothing can locate it. The only thing I found suspicious was a file called ctfcom.exe, but apparently that was not related. It sounds like a very complicated fix here, but if anyone has the patience to explain it in layman's terms, I'd really appreciate it. Thanks!
sunmb is offline  
Old 06-29-2009, 02:00 AM   #2 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

Oh, I also ran something called CWShredder and I don't know if this means anything:

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (288517 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (680 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)


Oh gosh, after posting my questions, I found the little red "First Steps" link and realized all the instructions were all laid out for me...sorry.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Donald at 0:49:54.34 on Mon 06/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.522 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1222283402\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\aol\1222283402\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1222283402\ee\aolsoftware.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Intuit\QuickBooks Basic\qbw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Donald\Desktop\dds.scr
C:\Documents and Settings\Donald\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HostManager] c:\program files\common files\aol\1222283402\ee\AOLSoftware.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AOLAspSunset2] c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks basic\components\qbagent\qbdagent2002.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: miscrosoft.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-06-28 21:08 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-06-28 20:13 <DIR> --d----- c:\docume~1\donald\applic~1\Uniblue
2009-06-28 18:34 <DIR> --d----- c:\windows\system32\scripting
2009-06-28 18:34 <DIR> --d----- c:\windows\l2schemas
2009-06-28 18:34 <DIR> --d----- c:\windows\system32\en
2009-06-28 18:34 <DIR> --d----- c:\windows\system32\bits
2009-06-28 18:33 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-28 18:31 <DIR> --d----- c:\windows\network diagnostic
2009-06-24 22:48 <DIR> --d----- C:\!KillBox
2009-06-24 22:37 <DIR> --dsh--- c:\documents and settings\donald\PrivacIE
2009-06-24 22:35 <DIR> --dsh--- c:\documents and settings\donald\IETldCache
2009-06-24 22:34 <DIR> --d----- c:\windows\ie8updates
2009-06-24 22:33 <DIR> --d----- c:\windows\Offline Web Pages
2009-06-24 22:32 <DIR> -cd-h--- c:\windows\ie8
2009-06-24 22:30 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-24 22:30 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-24 22:30 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-24 15:37 <DIR> --d----- c:\docume~1\donald\applic~1\Malwarebytes
2009-06-24 15:37 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-24 15:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-24 15:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-24 15:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-19 21:59 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-19 21:59 1,409 a------- c:\windows\QTFont.for
2009-06-11 07:42 118 a------- c:\windows\system32\MRT.INI
2009-06-04 19:51 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-06-28 18:37 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-12-21 08:12 31 a------- c:\documents and settings\donald\jagex_runescape_preferences.dat
2008-11-26 11:29 15,083,520 a------- c:\program files\spybotsd160.exe
2008-09-21 19:47 19,153,264 a------- c:\program files\aaw2008.exe
2008-09-21 17:34 14,564,931 a------- c:\program files\ysitebuilder.exe
2007-11-29 13:53 0 a------- c:\docume~1\donald\applic~1\wklnhst.dat
2004-08-10 05:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 17:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 17:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-13 17:12 57,344 a--sh--- c:\windows\system32\msvcirt.dll
2008-04-13 17:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 17:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 17:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 17:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 17:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 0:51:50.45 ===============
Attached Files
File Type: zip ark.zip (935 Bytes, 2 views)
File Type: zip Attach.zip (3.4 KB, 1 views)

Last edited by TheBruce1; 06-29-2009 at 06:29 AM.
sunmb is offline  
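The DDS "Pseudo HJT Report" above is the kind of log a helper reads by eye: orphaned toolbar registrations ("No File"), autoruns launched from unusual places, a Trusted Zone entry for "miscrosoft.com" (a misspelling of microsoft.com, which is why DelDomains.inf is used later in the thread to clear the zones), and a hosts file of 288517 bytes. The script below is an added example, not part of the thread and not code from the DDS or HijackThis projects; it parses a few of those line types and ranks what a helper would look at first. The sample lines are copied from the logs posted above except the final "Trusted Zone: example.com" line, which is constructed, and the brand list and path fragments are illustrative assumptions.

```python
"""Triage helper for DDS / HijackThis-style report lines (added example, not
part of the thread and not code from the DDS or HijackThis projects)."""
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Brands that lookalike Trusted Zone entries tend to imitate. Assumption: a
# short illustrative list, not an authoritative one.
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com", "google.com", "paypal.com")

# Autorun locations legitimate vendors rarely use; these deserve a second look.
SUSPECT_PATH_FRAGMENTS = ("\\application data\\", "\\documents and settings\\",
                          "\\local settings\\", "\\temp\\", "%temp%")

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
TB_ORPHAN_RE = re.compile(r"^TB: \{[0-9A-Fa-f-]+\} - No File$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+)$")
HOSTS_RE = re.compile(r"^Found Hosts file: (?P<path>.+?) \((?P<size>\d+) bytes, (?P<attrs>[^)]*)\)$")

# Sample input: lines copied from the logs posted above; the last line is constructed.
SAMPLE_REPORT = r"""
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (288517 bytes, R)
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AOLAspSunset2] c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe
Trusted Zone: miscrosoft.com
Trusted Zone: example.com
"""


def executable_path(cmd: str) -> str:
    """Return the program part of a Run command line.

    Quoted commands end at the closing quote; unquoted ones may contain spaces
    (paths under Program Files), so cut at the first ".exe" rather than the
    first space.
    """
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split()[0]


def lookalike_of(domain: str) -> Optional[str]:
    """Name the watched brand this domain imitates, or None if it is the brand
    itself, one of its subdomains, or nothing similar."""
    d = domain.lower().lstrip("*.")
    for brand in WATCHED_DOMAINS:
        if d == brand or d.endswith("." + brand):
            return None
        if SequenceMatcher(None, d, brand).ratio() >= 0.85:
            return brand
    return None


def triage(report: str) -> List[Tuple[str, str, str]]:
    """Return (severity, line, reason) for every line a helper should inspect."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TB_ORPHAN_RE.match(line):
            findings.append(("low", line, "toolbar registration whose file is gone; orphan, clean-up only"))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = executable_path(m.group("cmd")).lower()
            if not re.match(r"^[a-z]:\\", exe):
                findings.append(("medium", line, "bare file name resolved via PATH; confirm which file really runs"))
            elif any(frag in exe for frag in SUSPECT_PATH_FRAGMENTS):
                findings.append(("medium", line, "autorun launched from a user-writable profile or temp location"))
            continue
        m = TZ_RE.match(line)
        if m:
            brand = lookalike_of(m.group("domain"))
            if brand:
                findings.append(("high", line, f"Trusted Zone entry looks like a misspelling of {brand}"))
            else:
                findings.append(("review", line, "Trusted Zone entry: this site runs with relaxed IE security"))
            continue
        m = HOSTS_RE.match(line)
        if m and int(m.group("size")) > 100_000:
            findings.append(("info", line, "large hosts file; typical of a blocklist like the MVPs list, but inspect its contents"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_REPORT):
        print(f"[{severity:6}] {line}\n         -> {reason}")
```

Run it as a script to see the ranked list; the similarity threshold of 0.85 is a tuning choice, and a real triage tool would carry a much longer brand list and also cross-check each autorun path against the "Running Processes" section of the same log.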
Old 06-29-2009, 10:24 AM   #3 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Overclick.CN redirect driving me crAzY-Please help!

hi.

Welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not attempt fixes or run scanners on your own unless requested by a helper.

--------------------------------------------------------------------------

I am sorry to inform you that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

-------------------------------------------------------------------------


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.

  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

--------------------------------------------------------------------------

Please explain why this computer has no antivirus program installed and running. This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

But don't install it yet. I'll give you instructions later.



Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
Old 06-29-2009, 12:47 PM   #4 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

Hi Mark. First, you have my deepest gratitude for helping me through this. It is such a noble thing you are doing on this forum...thank you! Now, I have completed the first step, i.e, I have downloaded and renamed combo-fix. I have questions regarding the second step and am unsure whether to pose them here, or on the forum link you have attached regarding disabling spyware programs. Spybot instructions were good, but the Adware instructions didn't seem to correspond with the version I have. Also, no instructions for Malwarebytes or Stinger. For Adaware, Malwarebytes & Stinger, I will try to attach a zip file for the pdf screenshot of the settings page for all 3 programs. Everything that is checked, I simply unchecked and am wondering if that will suffice. As far as the CWshredder, I just removed that. Also wondering if I am supposed to disable my firewall - while you did not mention that, instructions were listed in the other forum and I just wanted to make sure? Microsoft recently updated my computer with some kind of malware tool removal and am wondering if that is something for which I should be concerned? Finally, as far as AV software, what can I say. It used to be protected through my AOL Security Version by McAfee, but they stopped that when they stopped charging for membership and I just never purchased anything. Thanks!
sunmb is offline  
Old 06-29-2009, 12:54 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

Please see attached PDF (1 page) with screen shots of AdAware, Malwarebytes and Stinger.
Attached Files
File Type: zip SPYWARE NOTES.zip (168.5 KB, 3 views)
sunmb is offline  
Old 06-29-2009, 06:12 PM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Overclick.CN redirect driving me crAzY-Please help!

hi.

After you disable your Antivirus and Spybot, please continue with the remaining steps. Just leave the other Antispyware; they have no realtime scanner.

No need to disable the firewall too.

Quote:
Microsoft recently updated my computer with some kind of malware tool removal and am wondering if that is something for which I should be concerned?
If I am not mistaken, you are referring to Windows defender. That one is legit. So no worries.
Quote:
Finally, as far as AV software, what can I say. It used to be protected through my AOL Security Version by McAfee, but they stopped that when they stopped charging for membership and I just never purchased anything. Thanks!
I'll give you a free Antivirus later. Maybe better than your McAfee with no fee

Mark
mas_pogi is offline  
Old 06-29-2009, 09:04 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

Hi Mark, I think it was a success?

I am attaching the log...not sure if I need to zip it, but will do it just in case.

I'll wait to hear back. Thank you!!!!
Attached Files
File Type: zip ComboFix.zip (9.8 KB, 2 views)
sunmb is offline  
Old 06-30-2009, 09:18 AM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Overclick.CN redirect driving me crAzY-Please help!

hi.

Let's continue...

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------
Download Deldomains.inf from here
Locate DelDomains.inf right-click it and select: Install

Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Note that once you do this, any previous restricted zone hacks (SpywareBlaster, IE-SPYAD, etc.) will need to be reapplied.


-------------------------------------------------------------------------

Please uninstall the following, using the Windows Add/Remove Programs applet in the Control Panel.


Foistware

Viewpoint Media Player
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

Please also delete this folder.

c:\program files\Viewpoint


Outdated java runtimes: (Older versions have vulnerabilities that malicious sites can use to exploit and infect your system)

J2SE Runtime Environment 5.0
Java(TM) 6 Update 3


After you uninstall your outdated Java, please download the Java(TM) 6 Update 14 here. Install it.

------------------------------------------------------------------------

Install this FREE AntiVirus program, update it, and run a full system scan.

Avira AntiVir Personal

When the scan is complete, click on the Report button. A log file will open. Save it to your desktop as Avira.txt. Please attach it in your next reply.

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

------------------------------------------------------------------------

Disable any script blocker then double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
Please post the content of DDS.txt in your next reply.


-------------------------------------------------------------------------

How's your computer now?

How long have you been using this computer? Seems you haven't activated your Windows yet? Any reasons why?



In your reply, please post

Avira scan result
DDS.txt
Answer to my question


Mark
mas_pogi is offline  
Old 06-30-2009, 12:55 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

OK. First step I downloaded Deldomains.inf. I right-clicked "install" and it prompted me to a screen that said "open," which I did. As you mentioned, I did not see the activity, so was not sure when it was complete; however, I waited a minute and moved on to the next step.

I uninstalled Viewpoint Media Player and deleted the Program Files. However, I initially received a screen that said "cannot delete AxMetaStream_0305000D.dll" because it was being used by another program. I ended the aol process and was able to delete manually.

I uninstalled Java 5.0 and Java 6 Update 3, no problem.

I installed Avira AntiVir (thank you so much). After the scan, the prompt to "report" did not show up until after I executed the prompt to "repair."
I have attached the report.

I downloaded DDS (I had deleted it after the first use as per their screen instruction). I ran the program and it created 2 logs: dds.txt and also dds.attach, which I was instructed to zip. Since I can only send 2 attachments, I sent the dds.attach zip file.

Finally, I don't really understand your last question about Windows not being activated because I don't understand how it could function if not activated. The fact that I don't understand it doesn't mean anything of course. I can tell you I inherited this pc from my Uncle a little over a year ago before he passed (you see his name "Donald"). Perhaps something was missed? I believe I have everything (all the discs) for this PC in a box if I need to pull something. There was no MS office at the time and I installed that, and most of the other programs. I hope this answers your questions.

Will await response. Thank you!
Attached Files
File Type: txt Avira.txt (28.3 KB, 3 views)
File Type: zip DDS.Attach.zip (3.7 KB, 3 views)
sunmb is offline  
Old 06-30-2009, 06:07 PM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Overclick.CN redirect driving me crAzY-Please help!

hi.

Quote:
How's your computer now?
You didn't answer this one?


Mark
mas_pogi is offline  
Old 06-30-2009, 06:21 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

Oh, I'm sorry. It seems to be great! That nasty overclick.cn redirect is GONE! Whoever did that needs to be strung up by their toes! THANK YOU SO MUCH!!! It really took a lot to get that off! I am eternally grateful!!!!

Does this mean I have the "All Clear"?
sunmb is offline  
Old 06-30-2009, 06:27 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Overclick.CN redirect driving me crAzY-Please help!

hi.

All the malicious files that Avira found are already deleted.

Apart from that, your machine is clean.


Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Now copy and paste this one in the runbox. Then HIT enter.

      Code:
      ComboFix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Resets clock settings to standard format.
    4. Re-hides file extensions and hidden/system files.
    5. Clears System Restore cache and creates new restore point.

  2. Please also delete the DDS.scr located at your desktop.
  3. Please also delete the Deldomains.inf located at your desktop.
-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.

  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
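The hosts-file recommendation in the post above works by mapping unwanted hostnames to a blocking address such as 0.0.0.0, and the same file can be abused in the other direction to send legitimate names to an attacker's server. The following is an added example, not code from the post or from the MVPs/HostMan projects, showing how to parse a Windows-style hosts file and flag entries that redirect well-known domains anywhere other than a blocking or loopback address. The sample file contents and the watched-domain list are constructed for the example; the 192.0.2.10 address is a TEST-NET placeholder.

```python
"""Parse a Windows-style hosts file and flag entries that send well-known
hostnames somewhere other than a blocking/loopback address.

Added example for this thread; not the forum's or any project's own code.
"""
import ipaddress

# Constructed sample hosts file in the style of the MVPs hosts file
# (block entries point at 0.0.0.0). The last line is a constructed
# hijack-style entry using a TEST-NET placeholder address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example-adserver.test
0.0.0.0 tracker.example-tracking.test   # MVPs-style block entry
192.0.2.10 www.google.com   # constructed hijack entry (placeholder IP)
"""

# Addresses that mean "block this name" rather than "redirect it".
BLOCK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed watch list: names an infected machine is often steered away from.
WATCHED_DOMAINS = {"www.google.com", "update.microsoft.com", "www.bing.com"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, ignoring comments and blanks.

    Malformed lines (no valid IP in the first column) are skipped rather
    than raising, so a damaged hosts file can still be inspected.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:               # one IP may carry several names
            entries.append((str(ip), name.lower()))
    return entries


def find_suspicious(entries, watched=WATCHED_DOMAINS):
    """Entries that point a watched hostname at a non-blocking address."""
    return [(ip, name) for ip, name in entries
            if name in watched and ip not in BLOCK_ADDRESSES]


def count_block_entries(entries):
    """How many names the file blocks (useful to confirm a block list loaded)."""
    return sum(1 for ip, _ in entries if ip in BLOCK_ADDRESSES)


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(parsed)} entries, {count_block_entries(parsed)} blocking")
    for ip, name in find_suspicious(parsed):
        print(f"SUSPICIOUS: {name} -> {ip}")
```

To check a real machine, read the file at %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS; a block list such as the MVPs file will show thousands of blocking entries and, on a clean machine, no suspicious redirects.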
Old 07-01-2009, 12:21 PM   #13 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

Thank you for this very valuable information.

I can't believe this computer was so insecure...now I will take a look at the other family PCs with a bit more knowledge. I have to say, I have learned a lot from this.

These are my final questions:

Secunia is telling me I need to install SunJava before I can download, is that OK to install?

Also, in addition to the software you recommended, I also have AdAware, Spybot and Stinger...are any/all of these worth keeping with the level of security I now have?
sunmb is offline  
Old 07-01-2009, 05:55 PM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Overclick.CN redirect driving me crAzY-Please help!

hi.

Quote:
Originally Posted by sunmb View Post
Thank you for this very valuable information.

I can't believe this computer was so insecure...now I will take a look at the other family PCs with a bit more knowledge. I have to say, I have learned a lot from this.
Good.
Quote:
Originally Posted by sunmb View Post
These are my final questions:

Secunia is telling me I need to install SunJava before I can download, is that OK to install?
At what part of the page are you getting that prompt? Can I have a screenshot?
Quote:
Originally Posted by sunmb View Post
Also, in addition to the software you recommended, I also have AdAware, Spybot and Stinger...are any/all of these worth keeping with the level of security I now have?
You may replace Adaware and Stinger. Personally, I am using Malwarebytes and Spybot. Then proceed with other recommendations.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
Old 07-01-2009, 11:33 PM   #15 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

I'm attaching a screenshot of the first page from the link above. When you hit "scanner" the message about SunJava pops up. Thanks!
sunmb is offline  
Old 07-01-2009, 11:42 PM   #16 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

secunia screen shot
Attached Files
File Type: pdf secunia.pdf (367.4 KB, 2 views)
sunmb is offline  
Old 07-02-2009, 06:13 AM   #17 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Overclick.CN redirect driving me crAzY-Please help!

Quote:
Originally Posted by sunmb View Post
I'm attaching a screenshot of the first page from the link above. When you hit "scanner" the message about SunJava pops up. Thanks!


Just "ok" that one. And let it run.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
Old 07-02-2009, 09:32 AM   #18 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

I guess this is farewell. Thank you SO SO SO SO MUCH Mark!!!!! I think you are now the go-to guy for all Overclick.cn problems and I think there'll be more coming, unfortunately. I really don't go to "bad" websites or anything like that. I will say, I remember just before I got this thing, I got a pop-up that said something like my Google Toolbar stopped functioning properly and needs to be fixed, do you want to fix it? (or something like that). The minute I clicked "yes," I kicked myself. It looked so "official" but I just knew a millisecond afterward, it was the wrong choice. Oh well. Thought I would just share that. Again, thank you A MILLION!
sunmb is offline  
Old 07-02-2009, 09:41 AM   #19 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Overclick.CN redirect driving me crAzY-Please help!

hi.

You are most welcome.

Surf safely.

Since the problem appears to be resolved, it will now be archived.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
Old 07-02-2009, 09:50 AM   #20 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: xp


Re: Overclick.CN redirect driving me crAzY-Please help!

Mark, I'm sorry, I just ran Secunia and it told me I had 3 programs that needed to be updated - 2 were Adobe Flash Player 9.x (ActiveX control & general plug-in) ... when it tries to fix, it says this program is blocked. Wondering if this is blocked by any of my security features for good reason, or if I should do something to change it. Hope this message will get to you.
sunmb is offline  
Copyright 2001 - 2009, Tech Support Forum