another mydomainadvisor

[longbeachlouise]

The ESET Online Scanner found one virus, when I had checked, Remove found threats . . . in 7 1/2 hours of run time. But it didn't get the mydomainadvisor, as you see from the screenshot, taken after running the ESET online scanner.

Another issue with this laptop is the update mechanism of Windows. View attached. It says, the last updates were in March, but I was able to update some things since, according to the update history. I couldn't update the defender.

[screen317]

Hi,

We'll return to those other steps after we figure out the source of this!

Can you confirm for me whether or not IE is the only affected browser?

I want you to try running IE without add-ons as follows:

http://www.killertechtips.com/2008/04/14/run-internet-explorer-and-firefox-without-addons/

See if you get redirected in that mode.

[longbeachlouise]

Hi, May I ask a question? First of all - two questions:

1) Done uninstalling the list you posted. Should I uninstall Adobe Flash Player 11 AcitveX as well?

2) Look at this screenshot! Look at the "Anti Phishing Domain Advisor." The redirect that interferes with both IE AND Firefox, goes to mydomainadvisor - are they related?

[screen317]

Give uninstalling it a try. Reboot after.

[longbeachlouise]

Ever since I downloaded an image size software from CNET, the myDomainAdvisor problem appeared. That's what I am afraid of - I downloaded it myself! But I uninstalled the image software, and the redirect problem stayed.

[longbeachlouise]

Give uninstalling it a try. Reboot after.

I'm scared! Look at what popped up. Please tell me to uninstall it again. It's happened before to me, that uninstalling a software I upload more bad things. Should I unplug the internet while uninstalling?

[screen317]

Yes proceed with the uninstallation.

[longbeachlouise]

Okay. I did the uninstall for that.

[longbeachlouise]

Hi,

We'll return to those other steps after we figure out the source of this!

Can you confirm for me whether or not IE is the only affected browser?

I want you to try running IE without add-ons as follows:

http://www.killertec...without-addons/

See if you get redirected in that mode.

When I first clicked this very link, it sent me to this site with a download link for 7Zip, which I already have.

[longbeachlouise]

Or is it 7-zip? It's a download link for something!

[longbeachlouise]

This is the installation box. I'm going to kill it using the Windows Task Manager, and not click on anything on this box!

[longbeachlouise]

Okay, do I keep the Babylon Toolbar boxes checked? What do I do? Thanx!

[longbeachlouise]

Okay, it's running.

It's finished.

[longbeachlouise]

These are the two sites your link led me: to download 7zip, and to the reimage site, where I downloaded the PC checker.

[longbeachlouise]

@ Chris, looks like - just as I feared - running the uninstall on "Anti Phishing Domain Advisor" and clicking its uninstall, installed MORE bad things! The link you posted sent me to the two sites you see the screenshot of. Now I just ran a quick Malwarebytes scan, and this is the report:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.25.07

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Carol :: BILL [administrator]

8/1/2012 7:13:51 AM

mbam-log-2012-08-01 (07-30-29).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 186970

Time elapsed: 15 minute(s), 57 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 14

HKCR\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} (PUP.Blabbers) -> No action taken.

HKCR\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D} (PUP.Blabbers) -> No action taken.

HKCR\tdataprotocol.CTData.1 (PUP.Blabbers) -> No action taken.

HKCR\tdataprotocol.CTData (PUP.Blabbers) -> No action taken.

HKCR\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531} (PUP.Blabbers) -> No action taken.

HKCR\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A} (PUP.Blabbers) -> No action taken.

HKCR\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03} (PUP.Blabbers) -> No action taken.

HKCR\updatebho.TimerBHO.1 (PUP.Blabbers) -> No action taken.

HKCR\updatebho.TimerBHO (PUP.Blabbers) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531} (PUP.Blabbers) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{963B125B-8B21-49A2-A3A8-E37092276531} (PUP.Blabbers) -> No action taken.

HKCR\PROTOCOLS\HANDLER\BASE64 (PUP.Blabbers) -> No action taken.

HKCR\PROTOCOLS\HANDLER\CHROME (PUP.Blabbers) -> No action taken.

HKCR\PROTOCOLS\HANDLER\PROX (PUP.Blabbers) -> No action taken.

Registry Values Detected: 4

HKCR\protocols\Handler\base64|CLSID (PUP.Blabbers) -> Data: {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} -> No action taken.

HKCR\protocols\Handler\chrome|CLSID (PUP.Blabbers) -> Data: {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} -> No action taken.

HKCR\protocols\Handler\prox|CLSID (PUP.Blabbers) -> Data: {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Browser companion helper (PUP.Blabbers) -> Data: C:\Program Files\BrowserCompanion\BCHelper.exe /T=3 /CHI=gmdfpnpdmnjaffhcdbobdjpolhpacaem -> No action taken.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Program Files\ReImageCompanion\tdataprotocol.dll (PUP.Blabbers) -> No action taken.

C:\Program Files\ReImageCompanion\updatebhoWin32.dll (PUP.Blabbers) -> No action taken.

(end)

20 malicious softwares! Should I check each box and delete them?

[longbeachlouise]

Now I am posting from a different computer. My laptop is running the full Malwarebytes unplugged. At 5 1/2 hours and running, there are two infections.

Back to the drawing board. I still have the all the softwares on my laptop, including: RogueKiller, ComboFix, TFC, DDS, and some others. You tell me what to do here, on the clean server, and I'll go do it on the unplugged one.

[longbeachlouise]

Hi, Here is the report for the full scan:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.25.07

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Carol :: BILL [administrator]

8/1/2012 7:51:27 AM

mbam-log-2012-08-01 (07-51-27).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 344217

Time elapsed: 6 hour(s), 21 minute(s), 30 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Program Files\ReImageCompanion\BCHelperReImage.exe (PUP.Blabbers) -> Quarantined and deleted successfully.

C:\Users\Carol\AppData\LocalLow\bbrs_006.tb\content\BCHelper.exe (PUP.Blabbers) -> Quarantined and deleted successfully.

(end)

[longbeachlouise]

Then I ran another quickscan. Clean! Here is the report:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.25.07

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Carol :: BILL [administrator]

8/1/2012 3:04:55 PM

mbam-log-2012-08-01 (15-04-55).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry |

File System | Heuristics/Extra | Heuristics/Shuriken

| PUP | PUM

Scan options disabled: P2P

Objects scanned: 187002

Time elapsed: 22 minute(s),

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

[longbeachlouise]

Okay - I am going to wait until I hear from you!

[screen317]

Hi,

You were not supposed to download anything from that page. That was a fake ad. There was text below it..

Uninstall any of the programs you just downloaded. Please don't do anything that I don't ask you to..

This was the text on that page that you were supposed to read. My fault for sending you to a dubious site.

Here’s how you can disable all addons/extensions and run IE 7 or even IE 8 without them:

• Go to Start > Run
  
• Type iexplore -extoff
  
• Press Enter
  

If you're unsure of something, you need to ask and wait for clarification.

[longbeachlouise]

Hi, No, I'm sorry. It was my fault. I thought it redirected because you posted an affililate link. That would be silly on a security forum. I'll start fresh tomorrow, and delete the redirected link. That was part of the "domain advisor" issue, just redirecting the links. The link you posted redirected the 2nd time to:

Reimageplus.com

and I ran the PCScan - maybe that is what added the booboos . . . It looks like a credible site.

[screen317]

It looks very credible, but I will ask you to run any scans needed. Rule of thumb: if I didn't ask for it, please don't run any additional scans.

[longbeachlouise]

Hi, In the meantime, I took a day off last week to do some work. It's too early to tell, but mydomainadvisor redirects are gone! This is what I did:

Uninstalled:

ReimagePlus

updated:

javascript

adobeReader

adobeFlash

This was after I "uninstalled" mydomain advisor then ran the Malwarebytes scans and deleted 20 bugs on the quickscan, then 2 more bugs on the thorough scan. Then I did the two steps, above.

My laptop seems to be running better and faster, even with no defrag!

Now, I just disabled the addons, as you suggested:

• Go to Start > Run
  
• Type iexplore -extoff
  
• Press Enter
  

Awaiting your next instructions - thanx!

[screen317]

Great news!

Let's run these again just to be sure. Feel free to run Internet Explorer normally now.

Run TFC by OldTimer to clear temporary files:

• Please download TFC from here and save it to your desktop.
  
• Close any open programs and Internet browsers.
  
• Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  
• Please be patient as clearing out temp files may take a while.
  
• Once it completes you may be prompted to restart your computer, please do so.
  
• Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.
  

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

1. Tick the box next to YES, I accept the Terms of Use.
   
2. Click Start
   
3. When asked, allow the ActiveX control to install
   
4. Click Start
   
5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
   
6. Click Scan
   Wait for the scan to finish
   
7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
   
8. Copy and paste that log as a reply to this topic
   

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[longbeachlouise]

Hi, I still have: TFC, SecurityCheck, and all the others on my desktop. May I run TFC and Security Check that's already there?

If not, may I have instructions to uninstall them?

That is, I have all the softwares from July 30th. May I run those same ones?