Not sure where my problem is

marwen

New Member
Win XP Professional version

Open Explorer
type in "anything" - results will show up
No matter what I type in, - I choose my search - results ALWAYS open up to something called "trafficposter" - sometimes, it will switch to something else but definitely NOT to what I had directed it to go to

marwen
 

Please disregard zombine210's post of too many programs to download and run. All you need to do is follow the procedure here. Only 2 programs needed.

http://www.computerforum.com/131398-important-please-read-before-posting.html

Post both logs back here and we'll go from there.
 
Malware?

Well, I have both MALWAREBYTE'S ANTI-MALWARE and avast! Antivirus.

I have run both the quick & full scans with everything I have and nothing shows up. Now What?

marwen
 
Please post the logs that I asked for in my last post. The malwarebytes log and the hijackthis log.
 
hijackthis

As I said earlier, malwarebytes anti-malware there was nothing found - consequently, no log. However, hijackthis had four pages of items.

Also,
I'm sorry to say but when I attempted to upload, the forum software said that it was an illegal file type.

The ext says .log

marwen
 
You have a lot of O1 redirection host files in your log.

An example in your log:
O1 - Hosts: 78.159.125.44 www.google.com
When you use www.google.com you get redirected to 78.159.125.44.
A tick needs to be placed against all the O1 entries.

Wait until John answers, although I'm correct I'm no expert in this.
 
Your host file is infected with redirects. You may try fixing these but sometimes the infection doesn't allow you access to the hosts file. So do another hijackthis scan and place a check next to these items.

O1 - Hosts: 78.159.125.44 www.google.com.mx
O1 - Hosts: 78.159.125.44 www.google.com
O1 - Hosts: 78.159.125.44 www.google.co.jp
O1 - Hosts: 78.159.125.44 www.google.com.au
O1 - Hosts: 78.159.125.44 www.google.it
O1 - Hosts: 78.159.125.44 www.google.pt
O1 - Hosts: 78.159.125.44 www.google.at
O1 - Hosts: 78.159.125.44 www.google.fr
O1 - Hosts: 78.159.125.44 www.google.fi
O1 - Hosts: 78.159.125.44 www.google.ch
O1 - Hosts: 78.159.125.44 www.google.dk
O1 - Hosts: 78.159.125.44 us.search.yahoo.com
O1 - Hosts: 78.159.125.44 www.google.ie
O1 - Hosts: 78.159.125.44 search.yahoo.com
O1 - Hosts: 78.159.125.44 www.google.nl
O1 - Hosts: 78.159.125.44 www.google.es
O1 - Hosts: 78.159.125.44 www.google.com.br
O1 - Hosts: 78.159.125.44 www.google.gr
O1 - Hosts: 78.159.125.44 uk.search.yahoo.com
O1 - Hosts: 78.159.125.44 www.google.de
O1 - Hosts: 78.159.125.44 www.google.co.uk
O1 - Hosts: 78.159.125.44 www.google.no
O1 - Hosts: 78.159.125.44 www.google.be
O1 - Hosts: 78.159.125.44 www.google.ca
O1 - Hosts: 78.159.125.44 www.google.co.za
O1 - Hosts: 78.159.125.44 www.google.se

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe

Now click on Fix checked at the bottom. If you aren't allowed access to the hosts file then we have a hidden infection and we'll use a different program to see what's on your system. After doing those fixes, please reboot your system and post a fresh hijackthis log.

And as far as malwarebytes not finding anything, I wanted you to post the log so I know that you are running the latest database version. There might not be any infections in the log but there is a log with pertinent data. So please post the log so I can look what database version you have. Most people make the mistake of not updating their programs before running. Also did you run a quick scan or a full scan? The latest database as of 12-21-09 is 3402.
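
What the O1 lines above represent, as an added example (not part of any post in this thread, and not HijackThis code): a Python check that reads hosts-file text or HijackThis-style O1 lines and groups hostnames by the non-local address they are pinned to. The function names and the sample input are constructed for illustration; the address and search hostnames in the sample are the ones quoted in the log above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: three O1 lines in the format quoted in the thread,
# plus ordinary hosts-file lines (loopback entry, comment, blocklist sink).
SAMPLE = """\
# sample hosts content (constructed)
127.0.0.1       localhost
0.0.0.0         ads.example.invalid
O1 - Hosts: 78.159.125.44 www.google.com
O1 - Hosts: 78.159.125.44 search.yahoo.com
O1 - Hosts: 78.159.125.44 www.google.co.uk   # trailing comment
not-an-ip       broken.example.invalid
"""

O1_PREFIX = re.compile(r"^O1\s*-\s*Hosts:\s*", re.IGNORECASE)


def parse_entries(text):
    """Yield (ip, hostname) pairs from hosts-file text or HijackThis O1 lines."""
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, not a mapping
        for host in fields[1:]:                 # one line may list several names
            yield ip, host.lower()


def find_redirects(text):
    """Map each non-local address to the hostnames the file pins to it."""
    hits = defaultdict(list)
    for ip, host in parse_entries(text):
        # Loopback / 0.0.0.0 is the normal localhost entry or a blocklist sink.
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits[str(ip)].append(host)
    return dict(hits)


if __name__ == "__main__":
    for ip, hosts in find_redirects(SAMPLE).items():
        print(f"{ip} <- {len(hosts)} name(s): {', '.join(hosts)}")
```

Every address it reports is a candidate for review rather than a verdict, since a hosts file may legitimately pin intranet names to private addresses. One outside address claiming many unrelated search hostnames, as in the log above, is the pattern to look for.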
 
redirects

HAH! I couldn't stand it any longer. I "had" to at least try to fix one of them.

I highlighted one of the 01-Host and VOILA -- they are ALL gone. MY 'puter is back to normal.

Much thanks to all of you.

Like I say, I've been on a MAC since '92 all of a sudden this PC stuff is a whole new learning curve

marwen
 
Malware

Thanks again John. BTW the MALWARE I use was only downloaded about a month ago.

Got another question for you though, in the process of "trying" to do a self-repair. I trashed all of my browsers - i.e. uninstall --- when I reinstalled explorer, the program opened up but all of my OLD bookmarks were there. What happened?

marwen
 
You may have only downloaded it a month ago, but do you realize that malwarebytes updates almost daily... So you must always update manually before running any scans. So I suggest you open malwarebytes, click on the update tab, click on check for updates and then run a full scan on your system.

What do you mean by doing a self repair? And your old bookmarks would still be there because they are stored in a separate file away from the browser. IE favorites are stored in c:\documentsandsettings\username\favorites
 
second scan of hijackthis

OK John I have gone thru ALL of the checkmarks and rescanned.
labelled it 2hijackthis.txt

Just noticed the after comments.

Should I UNINSTALL Malware and reinstall it?

marwen
 
There is no need to uninstall and then reinstall, just update it how I told you.

open malwarebytes, click on the update tab, click on check for updates and then run a full scan on your system.
 
Sorry, but your malwarebytes is outdated; you are running 3289. The latest database version is now 3406. Please continue to update malwarebytes until you get the message that you have the latest version....and then rerun your scan.
 
malware

If I just -today downloaded an upgrade, should I not naturally think that I have the "latest"?

marwen
 
Nope. I told you not to redownload anything, all you had to do was update by using the procedure I described.
 