Browser Hijacked

Hi Solarscool,

As per the HijackThis file you have posted, there are only 2 entries which you need to fix:

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)

I think you have already tried SuperAntiSpyware. Now download/install the Malwarebytes Anti-Malware program, reboot your computer to Safe Mode and then run a full system scan from Malwarebytes. Click Malwarebytes AntiMalware to download it; it's free software which may help you in detecting and removing such threats.

Let us know the results.

Yogesh

When I ran HijackThis, and checked the two entries:

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)

The Filter hijack entry did not go away. I have downloaded the Anti-Malware software and will try running that in Safe Mode. Do I need to run SuperAntiSpyware in Safe Mode, too? I think I only ran it in regular mode?

Thanks

Yes, probably. You could try in Normal mode first, also as a full scan.

It could also be that the entries for the sites are in your HOSTS file; that will come later.

Quads 

Please send the hosts files info for my own education, and to save me time if the safe mode Anti-malware scan doesn't work.

Thx

Hi SolarsCool,

I have sent a private message to you with instructions to check the Hosts file. Please look for it in the upper right-hand corner of any community (forum) page.

Yogesh

You can use this program to delete or add entries, etc., or completely replace your whole HOSTS file:
http://www.funkytoad.com/index.php?option=com_content&task=view&id=13

Generally you have to get rid of the malware first, then clean the HOSTS file.

Quads 

Message Edited by Quads on 01-17-2009 07:45 AM

I STILL get my searches redirected. I've run Malwarebytes and SuperAntiSpyware. Below is my hosts file. It looks normal to me.
HELP!

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
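
A way to check a HOSTS file like the one posted above mechanically, as an added Python example (not from this thread or from any tool mentioned in it): it parses the file, ignores comments, and flags every mapping other than localhost to loopback, since a real site pointed at loopback is being blocked and a site pointed anywhere else is being redirected. The sample file is constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS file (not the one posted in the thread): the first
# mapping is the Windows default, the next two are the kind a hijacker adds.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org         # blocks a security vendor
203.0.113.5     search.yahoo.com             # sends searches elsewhere
::1             localhost
"""

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # first column is not an address
        for host in parts[1:]:                 # one line may name several hosts
            entries.append((ip, host.lower()))
    return entries

def suspicious_entries(text):
    """Flag anything beyond 'loopback -> localhost'.

    A hostname mapped to loopback is blocked (a common way to keep security
    vendors' sites unreachable); a hostname mapped elsewhere is redirected."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost" and ip in LOOPBACK:
            continue
        reason = "blocked (points to loopback)" if ip in LOOPBACK else f"redirected to {ip}"
        findings.append((host, reason))
    return findings

if __name__ == "__main__":
    for host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{host}: {reason}")
```

A clean default Windows HOSTS file, like the one posted, produces no findings at all.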

Hi SolarsCool,

Is it still redirecting you to the same Windows Security program Web page?

As you said, the Hosts file seems to be normal. So, run Update from both the Malwarebytes program and SuperAntiSpyware until no more updates are required. Then restart the computer in Safe Mode and run a quick scan as well as a full system scan. You can also try the Combofix tool from this LINK.

Also, check the Add-ons installed with your Internet Explorer and disable the unwanted ones (Publisher showing unknown). Then check in Add/Remove Programs and uninstall the unknown toolbars/programs listed there.

Let us know the results.

Yogesh

I had done everything except ComboFix which seemed to do the trick.  I can send the log if you want, I’d be curious to know what it did to fix it.  Let me know.  Thanks for your help.

You can send me the Combofix log; click on my name.

I will at least attempt to see what was removed or changed and see if I can figure out another way, just because some people will struggle with Combofix.

Quads 

Thanks again for your help.  Are you guys from Symantec?  If not, someone should tell them that their software should handle this stuff.  I continue to be surprised at how Symantec and McAfee have such holes. 

Hi

Only the people in RED are from Symantec.

Now, it looks as though you had remnants of 3 infections:

A TDDS...........sys file   (TDDS family)

WDMAUD.SYS.vir     belongs to "Rootkit.Win32.Agent.fwt" 

and the Need2Find Toolbar  

http://www.bleepingcomputer.com/uninstall/900/Need2Find-Bar.html

http://vil.nai.com/vil/content/v_134739.htm

Quads 

My browser seems to have been hijacked by Yahoo. Any search and all I get is the Yahoo browser. When I click on the item that was found it never goes to that site. It just comes back to the Yahoo browser.

I downloaded the HijackThis program off of one of Quads' replies to someone; now what? I have the log file.

Thanks in advance,

Bob

Just click on my name and you will see where to send it as a Personal message.

Quads 

Please post the log file in this thread or send it as a Private message to me or Quads. Also try running the Malwarebytes AntiMalware program or SuperAntiSpyware. You can find the instructions in this same thread.

I think I have the same prob.

Yahoo is my home page. I search for say Star Trek planets and the results are not right. Like the link for Memory Alpha's web site will come out to be some free anti-virus scanner site or maybe a shopping site.

I have downloaded HijackThis, Malwarebytes (which found 4 things) and SuperAntiSpyware. I will do the scans soon. Funny thing: after I ran Malwarebytes the Yahoo search worked 3 times (all the links were right); the 4th time they were back to being wrong. I also did a Norton update and a full system scan in safe mode, nothing was found. Also the second scan I did with Malwarebytes in safe mode found nothing.

Thanks,

Tim

Hi willy800

You sent me a log created in "Safe Mode", which will not show everything running, also if you unchecked anything in "msconfig".

If you unchecked anything in "msconfig", please recheck (re-tick) it, then do a HijackThis log in normal mode (not safe mode).

I can see a couple of undesirables.

Thanks

Quads 

Message Edited by Quads on 01-24-2009 08:43 PM

Hi

I know you don't want to start the items in msconfig that are infections or might be infections.

What you can do is tick them, then restart the PC and run HijackThis. This allows the Registry entries to show in HijackThis.

Then when you tick the corresponding entries in HijackThis, that removes the entries from the registry. Restart the PC after using HijackThis to "Hijack" the infections. Now the entries in msconfig should be GONE.

The HijackThis log won't be complete without those ticked, or done in normal mode. See this post where eventually I had the person re-tick the msconfig entry (once I realised), then could use HijackThis to remove the entry(ies) etc.

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=31150

Quads 

Hi

Start HijackThis again and tick (check) these items:

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\DOCUME~1\Owner\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded                  (adware updater)

O4 - HKLM\..\Run: [SpyHunter] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"            (spyhunter using Norton??)

O4 - HKLM\..\Run: [Windoxs Update Center] W32RfSA.exe                 (SDBOT worm)

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe                      (Dialer)

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe           (180solutions  Search/Adware)

O4 - HKLM\..\Run: [qs9X37T] inemxs.exe                                       (Trojan)

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto  (Not needed on startup)

O4 - HKCU\..\Run: [bBq7RXf2O] iedtmon.exe                             (Trojan)

O24 - Desktop Component 1: (no name) - C:\Program Files\HomeSeer\html\MLweb\MYhsml.html

O24 - Desktop Component 2: (no name) - C:\Program Files\HomeSeer\html\poop.html

Now click "Fix Checked".

Now download, install, update the definitions, and run a Full Scan of

Malwarebytes  http://www.malwarebytes.org/mbam.php

Quads 
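
Added Python example (not HijackThis output and not code from this thread) that applies the same reading of O4 Run entries as the list above: it parses the lines and flags binaries with no path, binaries running from a Temp directory or dropped straight into the Windows directory, and value names that look randomly generated. The sample log is constructed from entries of the same shape as those quoted, with the reviewer's annotations dropped.

```python
import re

# Constructed sample, modelled on the O4 lines quoted in this thread; the
# parenthetical annotations are dropped (this is not real HijackThis output).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\DOCUME~1\Owner\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe" /PC=CP.IST
O4 - HKLM\..\Run: [Windoxs Update Center] W32RfSA.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [bBq7RXf2O] iedtmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

# O4 line shape: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{6,16}$')

def parse_o4(log):
    """Return the O4 (registry Run key) entries as dicts with hive, name, cmd."""
    return [m.groupdict() for m in (O4_RE.match(l.strip()) for l in log.splitlines()) if m]

def exe_path(cmd):
    """Extract the executable from a Run value: quoted path, else first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def triage_o4(log):
    """Heuristics a helper applies when reading a log: where does the binary live?"""
    findings = []
    for e in parse_o4(log):
        path = exe_path(e["cmd"])
        reasons = []
        if "\\" not in path:
            reasons.append("bare filename, no path (origin unknown)")
        if re.search(r'\\temp\\', path, re.I):
            reasons.append("runs from a Temp directory")
        if re.match(r'^[a-z]:\\windows\\[^\\]+\.exe$', path, re.I):
            reasons.append("executable dropped directly in the Windows directory")
        if RANDOM_NAME_RE.match(e["name"]):
            reasons.append("value name looks randomly generated")
        if reasons:
            findings.append((e["name"], path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage_o4(SAMPLE_LOG):
        print(f"[{name}] {path}: " + "; ".join(reasons))
```

The two legitimate-looking entries (a vendor path under Program Files, and MSConfig under its normal subdirectory) produce no findings; the heuristics are a triage aid, not a verdict.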

Well I want to thank you for all the help and suggestions, but the links that show up when I use Yahoo search are still messed up.

Anything else I can try or do?

Thanks,

Tim