
(Another) Redirect Virus



Hmmm... Before we move on to any other tools, we need to temporarily uninstall Norton as it's conflicting with our fixes. I'll let you know when it's safest to reinstall it ;).

Please download and run the Norton Uninstaller Tool from here: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US

Let me know once you've uninstalled it and I'll give you the next set of steps. ;)


Try this. I want to see what exactly may be causing those errors:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    IDVaultSvs.exe
    IDVault.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt


OK, check the last post. The SmartWebPrinting window is not related to PresentationFontCache. The SmartWebPrinting window also says "The feature you are trying to use is on a CD-ROM or other removable device that is not available. Insert the 'SmartWebPrinting' disk and click OK"

Then below that window is another window that looks like a process has begun to download with blue bars (3).

I'm totally clueless about what this is.


> OK, check the last post. The SmartWebPrinting window is not related to PresentationFontCache. The SmartWebPrinting window also says "The feature you are trying to use is on a CD-ROM or other removable device that is not available. Insert the 'SmartWebPrinting' disk and click OK"
>
> Then below that window is another window that looks like a process has begun to download with blue bars (3).
>
> I'm totally clueless about what this is.

It sounds legit - probably related to HP printing or something along those lines. I wouldn't worry about it. ;)

Can you run SystemLook so we can see what the other file may be?


Every time I try to get on IE this SmartWebPrinting file download box/process begins. I managed to get to our forum and clicked on the link, but it all started again. Should I download it to my laptop and transfer it to my desktop with a memory stick?


Fix worked. Here is SystemLook Log:

SystemLook 04.09.10 by jpshortstuff

Log created at 17:12 on 08/07/2011 by USER

Administrator - Elevation successful

========== filefind ==========

Searching for "IDVaultSvs.exe "

No files found.

Searching for "IDVault.exe"

C:\Program Files\Constant Guard Protection Suite\IDVault.exe --a---- 3231816 bytes [19:24 14/06/2011] [19:24 14/06/2011] 5FA1E460A53A9DDC55949040DE95DC76

-= EOF =-

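An added example, not part of the original thread and not SystemLook's own code: a small parser for the `filefind` section of the log above, pulling out path, size, timestamps and digest so the file can be compared against a known-good copy. The field layout is inferred from the single hit line in this log, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the filefind section of the SystemLook log posted above.
SAMPLE_LOG = r'''========== filefind ==========

Searching for "IDVaultSvs.exe "

No files found.

Searching for "IDVault.exe"

C:\Program Files\Constant Guard Protection Suite\IDVault.exe --a---- 3231816 bytes [19:24 14/06/2011] [19:24 14/06/2011] 5FA1E460A53A9DDC55949040DE95DC76

-= EOF =-
'''

SEARCH_RE = re.compile(r'^Searching for "([^"]*)"$')
# Assumed layout: path, attribute flags, size, two timestamps, 32-hex-digit digest
HIT_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]+)\s+(?P<size>\d+) bytes\s+'
    r'\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<digest>[0-9A-Fa-f]{32})$'
)

def parse_filefind(log_text):
    """Map each searched name to its hits; a name with no hits maps to []."""
    results, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group(1).strip()  # one searched name carries a trailing space
            results[current] = []
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            # The log does not label the two timestamps, so they are kept in order
            # without assigning a meaning such as created/modified.
            stamps = [datetime.strptime(m.group(k), "%H:%M %d/%m/%Y") for k in ("t1", "t2")]
            results[current].append({
                "path": m.group("path"), "attrs": m.group("attrs"),
                "size": int(m.group("size")), "timestamps": stamps,
                "digest": m.group("digest").lower(),
            })
    return results

def digests_to_check(results):
    """(path, digest) pairs to compare against a known-good copy of each file."""
    return [(h["path"], h["digest"]) for hits in results.values() for h in hits]

if __name__ == "__main__":
    for path, digest in digests_to_check(parse_filefind(SAMPLE_LOG)):
        print(digest, path)
```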

Making progress ;)

Please follow these instructions for removing Comcast Constant Guard Protection Suite: http://customer.comcast.com/%28S%28bdfptbieik054pb25yi0njyq%29%29/Pages/FAQViewer.aspx?Guid=bb3333d7-51a4-40d4-94f4-041a0461ad45

Before we move on, let me know if you encounter the IDVault.exe errors again ;)


After clicking "Remove" from Add/Remove Programs, the "IDVault.exe...encountered problems" window popped up. After clicking "Don't Send" IE tried to open, but could only open partially then got hung up. Constant Guard was NOT removed.


Please download and install Revo Uninstaller (Freeware) from here. Then please run Revo Uninstaller and select Constant Guard Protection Suite.

Please click Uninstall icon to uninstall the selected program.


Please choose Advanced.


Then click Next and follow the prompts.

Please click Select All (1.) and Delete (2.) to delete all registry items, folders and files listed by Revo.

If asked to restart the computer, please do so immediately.


When I tried to close the Add/Remove Programs box, it was frozen. Then I right clicked it on the bottom, and the following message came up: "You must restart your computer to complete the uninstall. We strongly recommend you restart now to enable normal operation of your keyboard. Would you like..."

Restart or ignore and proceed with above instruction?


For what it's worth, the Constant Guard icon on my desktop is gone. . . But it really looked like no process whatsoever took place to remove it (when I hit the "remove" button; the IDVault error window popped up instantaneously.)


Upon Restart "PresentationFontCache.exe encountered problem" box popped up. In addition it said: "This error occurred on 7/8/2011 at 4:03:15 PM." I sent the error report.

Immediately the same box/message appeared, saying the problem occurred at 7/8/2011 at 6:41:10 PM. I sent error report.

Those error messages are gone, and I await further instruction. :rolleyes:


For what it's worth, I ran the RKUnhooker scan again. I still can't use the "Save Report" option, but looking at the log, none of the "service names" are labelled as "hooked." Whereas last time I ran it, something like 36 were.

Also, it appears that Constant Guard was uninstalled: no longer on the desktop nor in the Add/Remove Programs tool.


Glad to hear the other issues are resolved.

Let's see if we can take care of the Font Cache error:

1. Click on Start -> Run.

2. Type in services.msc and hit enter.

3. In the services window, scroll down and check that the “Windows Presentation Foundation Font Cache 3.0.0.0” service is started.

4. If it is not started, right click on that and select start.

5. Check if the issue is resolved.

Let me know if that helps :)

--------------

Let's run GMER ;) :

Please do the following:

  • Download GMER from here. Save it to your Desktop. Take note of the filename, as it is a randomly named .exe file.
  • Disconnect from the Internet and close all running programs while scan is running.
  • Make sure all antivirus and other real-time security programs are disabled. See here for directions.
  • Double-click on the downloaded file to start the program. (If running Vista or Win 7, right click on it and Run as an Administrator)
  • If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click on NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Click the Scan button to begin. (Please be patient: this can take some time.)
  • When the scan is finished, click Save and type in gmer.txt and save to Desktop and copy/paste the contents in your next reply.

Note!: These types of scans can produce false positives. Do not take any action until a trained helper has seen the log.


Could not "Start" the Presentation Foundation Cache service. "Error 1053: The service did not respond to the start or control request in a timely fashion."

About 20 seconds after the GMER scan began (which for me was named: bpg4m76u.exe) an error window popped up that said: "bpg4m76u.exe encountered problems..."

Do you want the Error Report (if I can get it to you)? :unsure:


Perhaps it's worth noting that a new program has appeared on my computer: Windows Power Shell 1.0. When I hit the Start button it tells me "a new program has been installed." Anything to worry about here? Was this from the Fix It download?

One other random item. One of the scans yesterday revealed an out of date Java. I opened Java from Control Panel and tried to update it and was unable to do so. . .


This topic is now closed to further replies.