45 replies to this topic

[Tomk]

Let's see if we can stop the redirect to Bing. I don't know if this will effect your quick link issues.

Please download the OTM by OldTimer.

• Save it to your desktop.
• Please double-click OTM.exe to run it.
  (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes
  :otl
  IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
  IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
  IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 3E 04 A3 4B 13 E4 CB 01  [binary data]
  IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE11SR
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.) 
  
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

[shadow5]

First, AVG did not let OTM run; however it asked for permission to allow running anyhow, to which I agreed, & AVG seemed to allow OTM as an exception.  Seemed to run after that, and below are the contents of that .log file.

Sam

 

All processes killed
========== PROCESSES ==========
Error: Unable to interpret <:otl> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC> in the current context!
Error: Unable to interpret <IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us> in the current context!
Error: Unable to interpret <IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 3E 04 A3 4B 13 E4 CB 01  [binary data]> in the current context!
Error: Unable to interpret <IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE11SR> in the current context!
Error: Unable to interpret <O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.) > in the current context!
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: admin
->Temp folder emptied: 631443 bytes
->Temporary Internet Files folder emptied: 88592691 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 506 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes
->Flash cache emptied: 53632 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 28549773 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 502956 bytes
RecycleBin emptied: 291249 bytes
 
Total Files Cleaned = 113.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 03022014_134855

Files moved on Reboot...
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\avg_secure_search.log scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 

[Tomk]

That didn't work because I apparently had a brain cramp and did not proofread my instructions. I intended to give you instructions for the tool you already have on board. Let's try again.

Double click on OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
• Do Not copy the word CODE
• please note the fix starts with the :

:Processes

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 3E 04 A3 4B 13 E4 CB 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE11SR
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.) 


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top

• Let the program run unhindered
• Please save the resulting log to be posted in your next reply.
• Reboot your computer

Please post the OTL log.

[shadow5]

Okay, here is the log that was produced.  Hope it worked as you wished.

Sam

 

All processes killed
========== PROCESSES ==========
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache AcceptLangs| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache_TIMESTAMP| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: admin
->Temp folder emptied: 112649 bytes
->Temporary Internet Files folder emptied: 13468484 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 506 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 38878430 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 50.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 03032014_071530

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\avg_secure_search.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

[Tomk]

That's what we wanted.

 

Now how do things seem to be running?

[shadow5]

I cannot access Google either from the "quick-click-bar" where I have about 5-6 often-used sites saved, or from the dropdown list of Favorites, OR even if I type in the url & attempt that way.  Also, when I click on "MAIL", it fails to go there--the only way I've found to get to "MAIL" is to right-click it on my often-used bar & select "Open in New Window".

 

Those 2 sites appear to be the only ones affected.  My other "often-used" icons work as usual, and all my drop down favorites that I tried work fine.

 

BTW: the BING on the quick-click-bar works well; and I can access BING by typing its url.

 

*Remember, that altho' I'm communicating on the forum via my desktop--using Windows XP--my laptop that is giving the problems is using Windows 7 Prof.*

 

Any suggestions?  Thanks again for your patience and your persistence.

Sam

PS: Is Sisters near Beaverton? 

Edited by shadow5, 03 March 2014 - 01:02 PM.

[Tomk]

Sisters is in the middle of the state.  Eastern foothills of the Cascade mountains.  We're in the High Desert.  Bend is the closest large city.  Beaverton is on the west side of the mountains at the northern end of the Willamette Valley.  It's part of the Portland Metro area.  It's about a 3 hr drive.

 

I cannot tell what machine you are typing on.  All I see is text.  The only way I know what operating system we're "working on" is by the information provided in the logs.

 

I'm just not seeing what is blocking Google or your mail.

 

I'm thinking that you normally use FireFox.  Please try using Internet Explorer and let me know if you get the same results.

[shadow5]

On the laptop, we are now using, and always have used Internet Explorer--version running now is ver. 11.  BTW: I have lost the bar that contains "Favorites, File, View, Tools" etc.  I think I can use Bing to find out how to re-enable it, though.  Are we ready to give up?

Thanks,

Sam

[Tomk]

To restore your menu bar... try this.

Hold the ALT key and then press V. Select Toolbars and then make sure there is a check mark in front of Menu Bar.

 

If that doesn't work... let me know.

 

Your logs show that you have FireFox installed so... please try using it and see if it exhibits the same issues.

[shadow5]

Ok, I downloaded/installed Firefox, and it is accessing Google and Mail with the 1-click bar.  There seem to be NO re-directs to Bing, now.  This is great!  All Favorites, imported from IE, appear to function just fine.  Only problem is I downloaded FF from the wrong site, which throws ads at me at most every turn.  I fully believe I can uninstall F'Fox, download it from a better source, and it will be fine.

 

I am otherwise completely happy with its operation.  And I wish to thank you again for your patience and persistence.

Sam

[Tomk]

I'm still confused.  If you look back to the original logs you provided... you will see that firefox is installed. Yet, apparently, it wasn't installed?

 

Also, the only place I know of to get firefox is Mozilla.org.  Where did you get it?  If you choose to continue using firefox, I suggest you install an add-on called Adblock Plus.

 

All that being said, if you are happy how things are working... we can do some housekeeping.

 

• Click START then RUN
• Now type ComboFix /Uninstall in the runbox  and click OK.
• Note the space between the X and the U, it needs to be there.
• 

The above procedure will:

• Implement some cleanup procedures.
• Reset System Restore.

 

• Double click on OTL to run it.
• Click on CleanUp!
• When done, you will be prompted to restart your computer. Please restart your computer.

 

If you have any tools or logs left - you can simply delete them.

Please re-enable any security that was disabled.

 

The following is my standard advice for the future.  Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing.  Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware" 
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions.  Otherwise, this thread will be closed Resolved. 
 

[shadow5]

I searched for Firefox, originally, found a few files, but no, it was not installed.  I downloaded it from "Download.com", which seemed to have more than one d/l site. Evidently the one I got it from had some added advertising 'gimmicks' hooked on as a rider; must be where all the ads come from.  I added-on the Ad Block Plus which has helped quite a bit, but I still get aggravating, small popup-ads on some sites.  But, at this point, I can live with those.

 

I plan to continue using Firefox.  I'net Exp. still refuses access to "Google.com" regardless of what method I use--clicking on Favorite-method, typing "Google.com" into Bing's search-block, typing in the url trying to access it directly, etc.  So, I have imported my Favorites from IE into F'Fox, and now I can access anything I wish.  I'll just assume IE has an improper 'install' and forget it exists.  Maybe a future update will work correctly.  I use FF on my desktop anyway, which represents about 80% of my computer usage, so that's no problem and no learning curve facing me there.

Your last instructions appear to have cleaned up everything; my desktop looks so empty with all the logs & apps gone.

 

Thank you again for all your help.  This forum really is top-notch!  You guys are great!

shadow5 (Sam)

[Tomk]

When ever possible, always download programs from the authors site.  It is very common for download sites to patch files with adware.

 

I've got one more thing for you to try with Internet Explorer.

 

Open Internet Explorer and select tools, then Internet Options, then advanced, then reset - and OK your way out.  This will reset you Internet Explorer to "factory state".  My hope is to cure whatever is blocking it.  Normally doing this would erase your favorites, but you've already transferred them to FireFox so you still have them.   You can see how to transfer your bookmarks back into Internet explorer here: http://support.mozil...ternet-explorer

[shadow5]

Hey!  That worked.  My Favorites were even saved.  I can access Google via Favorites; no problem.

Sam

[Tomk]

Great!

 

I think we have finally concluded our business together.

 

Good luck and be well.