[Essexboy]

No problem .. Sleep tight.

This fix can be run from safe mode

[Advertisements]

Hi,

just as an update, I succesfully rebooted the computer twice with no apparent problems (no IE automatically opening) and managed to find the attached Combofix file on the c drive (not sure if it's complete).

I was so surpised I leaned back and played a game of spider solitaire to see if everything was back to normal. About ten minutes into the game the madness began again and I had endless IE everywhere. Never mind.

Do your last set of instructions still stand?

RSP

Attached Files

•  ComboFix.txt   919bytes   215 downloads

[RedSuedePump]

Hi,

just as an update, I succesfully rebooted the computer twice with no apparent problems (no IE automatically opening) and managed to find the attached Combofix file on the c drive (not sure if it's complete).

I was so surpised I leaned back and played a game of spider solitaire to see if everything was back to normal. About ten minutes into the game the madness began again and I had endless IE everywhere. Never mind.

Do your last set of instructions still stand?

RSP

Attached Files

•  ComboFix.txt   919bytes   215 downloads

[Essexboy]

Yes please continue, combofix did not quite complete though

[RedSuedePump]

Hi,

I've followed your instructions with OTL. It generated a report at the end of the 'run fix', which I have attached but it didn't generate anything at the end of the quick scan. Is this what you were expecting?

Unfortunately, after rebooting, I still have 49 versions of IE open on the screen.

Something that occurred to me is that the computer has two user accounts - should I have clicked on 'Scan all users' before running it?

Look forward to hearing from you.

RSP

Attached Files

•  07242012_204358.log   5.77KB   188 downloads

[Essexboy]

OK next step is a clean boot to see if it is an IE problem or something else

Step 1:

Start the System Configuration Utility
Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.

Step 2:

Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

Step 3: Log on to Windows

If you are prompted, log on to Windows.
When you receive the following message, click to select the Don't show this message or launch the System Configuration Utility when Windows start check box, and then click OK.

You have used the System Configuration Utility to make changes to the way Windows starts.
The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.
Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.

[RedSuedePump]

Hi,

This is quite frustrating - I can follow nearly all of your instructions in msconfig, but the computer won't let me clear the Load Startup Items check box. The other two boxes you wanted ticked were ok.

I don't know if the virus has changed Windows to stop me from doing this or there is another reason.

will keep trying, but would appreciate your help.

RSP

[Essexboy]

Were you able to stop the services ?

If so then reboot .. As this will again narrow the area down

[RedSuedePump]

Sadly no.

I wasn't sure what would happen if I didn't follow your instructions exactly, so I closed down.

Tried again and now it's virtually impossible to do anything. Can't change any of the check boxes and the other tabs have all disappeared. It's like it finds out what I want to do and one try later it won't let me.

Scandisk doesn't run any more on safe mode start up (some how it gets cancelled), which used to give me some breathing space before.

Think I'll have a break and try again tomorrow.

RSP

[Essexboy]

Do you recognize these files :

[2011/12/23 10:30:49 | 000,001,138 | ---- | M] ()(C:\Documents and Settings\All Users\Bureau\????-??????.lnk) -- C:\Documents and Settings\All Users\Bureau\迅雷看看-免费高清电影.lnk
[2011/03/19 12:04:00 | 000,001,138 | ---- | C] ()(C:\Documents and Settings\All Users\Bureau\????-??????.lnk) -- C:\Documents and Settings\All Users\Bureau\迅雷看看-免费高清电影.lnk


If not then do the following

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  [2011/12/23 10:30:49 | 000,001,138 | ---- | M] ()(C:\Documents and Settings\All Users\Bureau\????-??????.lnk) -- C:\Documents and Settings\All Users\Bureau\迅雷看看-免费高清电影.lnk
  [2011/03/19 12:04:00 | 000,001,138 | ---- | C] ()(C:\Documents and Settings\All Users\Bureau\????-??????.lnk) -- C:\Documents and Settings\All Users\Bureau\迅雷看看-免费高清电影.lnk
  
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[RedSuedePump]

Hi,

I've no idea what they are - certainly not files I have saved myself.

On that basis, I will give your instructions a go.

RSP

[RedSuedePump]

Hi,

Unfortunately the last two options you have suggested have been impossible as the second the computer was up an running, it was full of IE screens and frozen for any other purpose.

Might not have been the right thing to do, but in the Windows safe mode set up I saw an option to do a system restore. So I took the option, returning back to 14 July (before the problem arose). I don't think this worked completely successfully, but Firefox was back on the computer (I deleted it subsequent to 14 July) and I was able to follow your instructions using msconfig.

The computer has restarted again and I now have 187 Mozilla Firefox applications running.

Apologies for going 'off track' but I was pulling my hair out and saw no other option at the time.

I hope this tells you something useful.

Shall I go ahead with your OTL instructions now?

RSP

[Essexboy]

Yes please.. That also is a clue as it has jumped from IE to FF showing it is related to the default browser

When you re-run OTL after the fix could you set the following custom scan

hklm\software\clients\startmenuinternet|command /rs

Copy and paste the above into the custom scans and fixes box and press Run Scan

[RedSuedePump]

Hi,

Sorry for the delay, been unwell last couple of days.

Mysteriously, I switched the computer on this morning and it automatically did a Chkdsk - something I've not managed to get it to do for some time. It's also well behaved, as yet, not a single Firefox has opened.

I've run OTL with your custom fix, which generated the file 'End Report' as attached. I then did the 'Quick Scan', followed by the 'Custom Scan'.

Hope this is useful, I'm feeling optimistic about this now.

RSP

Attached Files

•  End Report.rtf   25.05KB   253 downloads
•  Quick Scan.rtf   41.74KB   207 downloads
•  Custom Scan.rtf   39.13KB   232 downloads

[Essexboy]

I hope you are feeling better now

OK lets remove the bad toolbars and the like now

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [String data over 1000 bytes]
  IE - HKCU\..\URLSearchHook: {84FF7BD6-B47F-46F8-9130-01B2696B36CB} - No CLSID value found
  IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...000944452de4965
  IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT3061355
  IE - HKCU\..\SearchScopes\{B56FA67D-5373-4CB0-A88F-C9683997D01A}: "URL" = http://start.funmood...q={searchTerms}
  IE - HKCU\..\SearchScopes\{BFFED5CA-8BDF-47CC-AED0-23F4E6D77732}: "URL" = http://search.iminen...q={searchTerms}
  IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.smile...DS&a=6PQh63d2rY
  FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Iminent\[email protected] [2012/07/26 17:43:20 | 000,000,000 | ---D | M]
  [2012/04/13 15:16:13 | 000,000,000 | ---D | M] (Funmoods.com) -- C:\Documents and Settings\Sarl York Edward\Application Data\Mozilla\Firefox\Profiles\8dnsjj4m.default\extensions\[email protected]
  O2 - BHO: (TBSB01620 Class) - {58124A0B-DC32-4180-9BFF-E0E21AE34026} - C:\Program Files\IMinent Toolbar\tbcore3.dll ()
  O2 - BHO: (Funmoods Helper Object) - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\Program Files\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll (Funmoods BHO)
  O2 - BHO: (no name) - {84FF7BD6-B47F-46F8-9130-01B2696B36CB} - No CLSID value found.
  O2 - BHO: (IMinent WebBooster (BHO)) - {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} - C:\Program Files\Iminent\Iminent.WebBooster.InternetExplorer.dll (Iminent)
  O3 - HKLM\..\Toolbar: (IMinent Toolbar) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - C:\Program Files\IMinent Toolbar\tbcore3.dll ()
  O3 - HKLM\..\Toolbar: (Funmoods Toolbar) - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\Program Files\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll (Funmoods)
  O3 - HKCU\..\Toolbar\WebBrowser: (IMinent Toolbar) - {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - C:\Program Files\IMinent Toolbar\tbcore3.dll ()
  O16 - DPF: {DD5BF6D1-6663-47E0-9DFA-5C343CAF178E} http://xmp.down.sand.../xinstaller.cab (xoliimpl Class)
  [2012/07/26 17:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarl York Edward\Application Data\Iminent
  [2012/07/26 17:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Iminent
  [2012/07/26 17:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Iminent
  [2012/07/26 17:43:15 | 000,000,000 | ---D | C] -- C:\Program Files\IMinent Toolbar
  [2012/07/26 17:43:06 | 000,000,000 | ---D | C] -- C:\Program Files\Iminent
  [2012/07/26 17:41:58 | 000,000,000 | ---D | C] -- C:\Program Files\Funmoods
  [2012/07/26 17:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarl York Edward\Application Data\Toolbar4
  
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[RedSuedePump]

OK, done that and I have attached two files, one that generated at the end of the fix (End Scan) and also the quick scan after that.

RSP

Attached Files

•  End Scan.rtf   8.07KB   238 downloads
•  Quick Scan.rtf   41.79KB   198 downloads