Thread: Something Redirecting Internet Browser

  1. #11
    Senior Member
    Join Date
    Nov 2009
    Posts
    109

    Mbam log:

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2014.01.10.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 11.0.9600.16476
    Linda :: LINDA-HP [administrator]

    1/9/2014 7:23:07 PM
    mbam-log-2014-01-09 (19-23-07).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 208931
    Time elapsed: 5 minute(s), 1 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 4
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\MyWordTool (PUP.Optional.MyWordTool.A) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\MyWordTool (PUP.Optional.MyWordTool.A) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Page_URL (PUP.Optional.FindWide) -> Bad: (http://search.findwide.com/?guid={73D1392E-2602-4038-8E32-E44A1E0B362B}&serpv=22) Good: (http://www.google.com) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\Linda\Downloads\ZipOpenerSetup.exe (PUP.Optional.InstallCore) -> Quarantined and deleted successfully.

    (end)

  2. #12
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Hi.

    Everything looks good so far. Definitely much better!
    Good.

    TFC(Temp File Cleaner):

    • Please download TFC to the desktop,
    • Save any unsaved work. TFC will close all open application windows.
    • Right-click on TFC.exe and select Run as Administrator to run the program.
    • Click the Start button in the bottom left of the GUI (graphical user interface).
    • If prompted, click "Yes" to reboot.

    Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

    I advise you keep TFC on the desktop after I give the all clear and run it say at least once per week as it is a very effective piece of software for cleaning out temp' files etc.

    ESET Online Scanner:

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

    Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

    • Please go here to run the scan...
      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then right click on it and select Run as Administrator to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    • Select the option YES, I accept the Terms of Use then click on:
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology
    • Now click on:
    • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed select Uninstall application on close if you so wish, make sure you copy the log file first!
    • Now click on:
    • Use notepad to open the log file located at C:\Program Files (x86)/ESET/ESET Online Scanner/log.txt.
    • Copy and paste that log as a reply to this topic.

    Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

    My friendly advice is you consider keeping the online scanner installed then run it say once per month as an extra check. A quick easy way to do so would be via:-

    Click on Start(Windows 7 Orb) >> Computer >> C: >> Program Files (x86) >> ESET >> ESET Online Scanner >> then right click on OnlineScannerApp and select Run as Administrator.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  3. #13
    Senior Member
    Join Date
    Nov 2009
    Posts
    109

    OK, so I ran the TFC and ESET. Below is the ESET log:


    ESETSmartInstaller@High as downloader log:
    all ok
    # version=8
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6920
    # api_version=3.0.2
    # EOSSerial=56d8557de55ffa4f85efb8be58e52ee3
    # engine=16610
    # end=stopped
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2014-01-11 01:50:53
    # local_time=2014-01-11 08:50:53 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=3591 16777213 100 95 26419372 151954838 0 0
    # compatibility_mode=5893 16776573 100 94 0 140991703 0 0
    # scanned=139554
    # found=1
    # cleaned=0
    # scan_time=44323
    sh=61DEA641846E5DB2DD372FF047C96A04AE76132A ft=1 fh=44c4be7ead15d39a vn="multiple threats" ac=I fn="C:\ProgramData\Oberon Media\Initiator\3.0.0.0\cache\ecfc00c1e170c5eb589cfad3e811682243c4c619\mumbojumbo_en_toolbar_3.2.0.46.exe"
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=8
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6920
    # api_version=3.0.2
    # EOSSerial=56d8557de55ffa4f85efb8be58e52ee3
    # engine=16616
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2014-01-11 05:41:15
    # local_time=2014-01-11 12:41:15 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=3591 16777213 100 95 26436794 151968660 0 0
    # compatibility_mode=5893 16776573 100 94 0 141005525 0 0
    # scanned=259367
    # found=11
    # cleaned=0
    # scan_time=13754
    sh=61DEA641846E5DB2DD372FF047C96A04AE76132A ft=1 fh=44c4be7ead15d39a vn="multiple threats" ac=I fn="C:\ProgramData\Oberon Media\Initiator\3.0.0.0\cache\ecfc00c1e170c5eb589cfad3e811682243c4c619\mumbojumbo_en_toolbar_3.2.0.46.exe"
    sh=0AF40F48A4B7E29A3D1760C373CA23FD064EA311 ft=0 fh=0000000000000000 vn="Win32/BrowseFox.B application" ac=I fn="C:\Users\Linda\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkopijddpkmggacdghppacglggodkcod\1.0.0_0\background.js"
    sh=B93E468AC11A1019073C09409377960E8D28FA7F ft=0 fh=0000000000000000 vn="Win32/BrowseFox.B application" ac=I fn="C:\Users\Linda\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkopijddpkmggacdghppacglggodkcod\1.0.0_0\content.js"
    sh=167A4D4B879724B84B8AB0131B77C8BA7EC38789 ft=1 fh=323706c69001ead8 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Users\Linda\Downloads\mysteryofsharkisland-setup(1).exe"
    sh=167A4D4B879724B84B8AB0131B77C8BA7EC38789 ft=1 fh=323706c69001ead8 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Users\Linda\Downloads\mysteryofsharkisland-setup(2).exe"
    sh=167A4D4B879724B84B8AB0131B77C8BA7EC38789 ft=1 fh=323706c69001ead8 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Users\Linda\Downloads\mysteryofsharkisland-setup(3).exe"
    sh=167A4D4B879724B84B8AB0131B77C8BA7EC38789 ft=1 fh=323706c69001ead8 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Users\Linda\Downloads\mysteryofsharkisland-setup(4).exe"
    sh=167A4D4B879724B84B8AB0131B77C8BA7EC38789 ft=1 fh=323706c69001ead8 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Users\Linda\Downloads\mysteryofsharkisland-setup.exe"
    sh=5B4E69F6FB3034D70186BFC7AEF22FE6134313AD ft=1 fh=6cfda5acdd1d5989 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Users\Linda\Downloads\ritajamesandtheracetoshangrila-setup(1).exe"
    sh=5B4E69F6FB3034D70186BFC7AEF22FE6134313AD ft=1 fh=6cfda5acdd1d5989 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Users\Linda\Downloads\ritajamesandtheracetoshangrila-setup(2).exe"
    sh=5B4E69F6FB3034D70186BFC7AEF22FE6134313AD ft=1 fh=6cfda5acdd1d5989 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\Users\Linda\Downloads\ritajamesandtheracetoshangrila-setup.exe"

  4. #14
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Hi.

    OK, so I ran the TFC and ESET. Below is the ESET log
    Good, a few things to address and we can check for some software updates also as follows...

    Custom OTL Script:

    • Right-click OTL.exe and select Run as Administrator to start the program.
    • Copy the lines from the quote-box (do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Commands
    [CreateRestorePoint]

    :Files
    C:\Users\Linda\Downloads\mysteryofsharkisland-setup(1).exe
    C:\Users\Linda\Downloads\mysteryofsharkisland-setup(2).exe
    C:\Users\Linda\Downloads\mysteryofsharkisland-setup(3).exe
    C:\Users\Linda\Downloads\mysteryofsharkisland-setup(4).exe
    C:\Users\Linda\Downloads\mysteryofsharkisland-setup.exe
    C:\Users\Linda\Downloads\ritajamesandtheracetoshangrila-setup(1).exe
    C:\Users\Linda\Downloads\ritajamesandtheracetoshangrila-setup(2).exe
    C:\Users\Linda\Downloads\ritajamesandtheracetoshangrila-setup.exe
    C:\Users\Linda\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkopijddpkmggacdghppacglggodkcod
    C:\ProgramData\Oberon Media\Initiator\3.0.0.0\cache\ecfc00c1e170c5eb589cfad3e811682243c4c619\mumbojumbo_en_toolbar_3.2.0.46.exe

    :Commands
    [EmptyTemp]
    • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
    • Then click the red Run Fix button.
    • Let the program run unhindered.
    • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

    Note: The log file can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

    Software Update check:

    • Download and install FileHippo Update Checker from here.
    • Once installed (during the installation process deselect the option:- Run at Startup) >> Start(Windows 7 Orb) >> All Programs >> right-click on Update Checker and select Run as Administrator >> a browser window will open after the scan is complete.
    • Download any updates detected(apart from beta updates) to the desktop >> uninstall anything that requires updating via Uninstall a program or Programs and Features in the Control Panel.
    • Re-install the updated software, delete the installers and then empty the Recycle Bin.
    • When completed the above let myself know and if any further issues remaining. Plus post the contents of the OTL Log from the Custom Script, thank you.

    Note: When I give the all clear my advice would be to consider keeping FileHippo Update Checker installed. Then periodically use it to check for any updates as having certain software outdated is a potential for malware to gain a foothold and exploit a system etc.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
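
Added example, not part of the original thread or of any tool named in it: Python that reads a log in the layout posted in #13, keeps only the finished run, and derives the de-duplicated list of paths to review, collapsing files inside an extension folder to the folder itself as the list in post #14 does. The field meanings (`sh` as a file hash, `fn` as the path) are inferred from the log, and the sample log, its hashes and its paths are constructed.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample in the layout of the log in post #13 (hashes and paths are made up).
SAMPLE_LOG = r'''
ESETSmartInstaller@High as downloader log:
# end=stopped
sh=AA11 ft=1 vn="Example.A application" ac=I fn="C:\Users\User\Downloads\game-setup.exe"
ESETSmartInstaller@High as downloader log:
# end=finished
# remove_checked=false
# found=4
sh=AA11 ft=1 vn="Example.A application" ac=I fn="C:\Users\User\Downloads\game-setup.exe"
sh=AA11 ft=1 vn="Example.A application" ac=I fn="C:\Users\User\Downloads\game-setup(1).exe"
sh=BB22 ft=0 vn="Example.B application" ac=I fn="C:\Users\User\Extensions\abcdefgh\1.0_0\background.js"
sh=CC33 ft=0 vn="Example.B application" ac=I fn="C:\Users\User\Extensions\abcdefgh\1.0_0\content.js"
'''
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_runs(text):
    """Split the log into scan runs, each with header fields and detection records."""
    runs = []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("downloader log:"):        # banner that opens every run
            runs.append({"header": {}, "detections": []})
        elif runs and line.startswith("#"):         # "# key=value" header line
            key, _, value = line[1:].strip().partition("=")
            runs[-1]["header"][key] = value         # a repeated key keeps its last value
        elif runs and line.startswith("sh="):       # one detection per line
            runs[-1]["detections"].append({k: q or u for k, q, u in PAIR.findall(line)})
    return runs

def removal_targets(run):
    """Unique paths to review; files inside an extension collapse to its folder."""
    targets = set()
    for det in run["detections"]:
        parts = PureWindowsPath(det["fn"]).parts
        if "Extensions" in parts[:-1]:              # keep ...\Extensions\<extension id>
            parts = parts[: parts.index("Extensions") + 2]
        targets.add(str(PureWindowsPath(*parts)))
    return sorted(targets)

def summarize(text):
    """Take the last finished run, check its header, and count distinct file hashes."""
    run = [r for r in parse_runs(text) if r["header"].get("end") == "finished"][-1]
    return {
        "count_ok": int(run["header"]["found"]) == len(run["detections"]),
        "report_only": run["header"].get("remove_checked") == "false",
        "unique_hashes": len({d["sh"] for d in run["detections"]}),
        "targets": removal_targets(run),
    }
```

Ignoring the stopped run keeps its detections from being counted twice, and `report_only` confirms the scan changed nothing on disk, which is why a separate removal step follows.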

  5. #15
    Senior Member
    Join Date
    Nov 2009
    Posts
    109

    Hi, I am not sure what happened, but I turned the computer back on the other day and it first came up with an error at startup. It said something like, no boot disk press any button to continue.

    I had to do a hard reset on the computer. It started back up just fine, but now my mouse is not working. I can move it around the screen, but clicking does nothing, and sometimes it won't register anything when I hover above a link.

    I had to use the windows button, tab, shift tab, arrow keys, and the enter button to get anywhere.

  6. #16
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Hi.

    Did this occur after running the Custom OTL Script in post #14? Or after updating some software? If the latter, which software was updated...
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  7. #17
    Senior Member
    Join Date
    Nov 2009
    Posts
    109

    Actually, I have not had a chance to run the script yet. I went to turn the computer on to run the script and this happened. It seemed to be running fine for a few days.

  8. #18
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Hi.

    OK try the below first as follows...

    Windows 7 LKGC:

    Start-up(or reboot) your computer and during the POST(Power On Self Test) sequence continually depress Function Key 8(F8) to bring up the Advanced Boot Options screen.

    Use the arrow keys to scroll down and select Last Known Good Configuration (advanced) and hit the Enter/Return key.

    Your machine should now automatically reboot back into Normal Mode. Check if the problem is now resolved, if not proceed to the below.

    Invoke a System Restore Point:

    Click on Start(Windows 7 Orb) >> All Programs >> Accessories >> System Tools >> System Restore

    Once the System Restore Window has loaded >> click on Next> >> click once on the most recent Restore Point to highlight >> Next> >> Finish

    Your machine will now begin the System Restore process and will automatically reboot.

    Next:

    Let myself know if either of the above resolved the problem in your next reply please.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  9. #19
    Senior Member
    Join Date
    Nov 2009
    Posts
    109

    OK, so I tried the first suggestion and it did not seem to do much, but I think the right mouse button started working. I tried the system restore and restored it to the earliest point and nothing changed.

    Right now I can move the mouse using the track pad and I can right click. Left click does not work and when I hover over an icon nothing happens i.e. the file name, type, date etc. does not popup.

  10. #20
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Hi.

    The problem may be hardware related but we can change a few settings/check the driver...also we may have to perform some of the prior malware removal process again but that should not be a problem.

    Next:

    Note: If you have access to a PS/2 Mouse, feel free to connect it to your laptop to carry out the below.

    Click on Start(Windows 7 Orb) >> Control Panel >> Mouse >> the Mouse Properties window will open.

    Select the option Switch primary and secondary buttons >> Apply >> OK <-- You will have to use the right button now to do so.

    Then undo the changes(using the right button). Is the left mouse button now working ? If it is not, open the Mouse Properties window again...

    And click on the Hardware tab >> next to Device status if This device is working properly is not denoted, click on the Properties tab >> Driver

    Now click on Update Driver... >> follow the prompts etc.

    Next:

    Let myself know the outcome in your next reply please.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
