Tech Support Forum - View Single Post

Blade81 · 11-18-2008, 12:29 AM

Yes, you did it right :)

Start hjt, do a system scan, check (if found):
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local., <-- if not set by yourself

Close browsers and fix checked.

Uninstall old Adobe Reader and get the latest one here or get Foxit Reader here.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

Driver::
lnzjwenu

File::
c:\windows\system32\atioglx.dll
c:\windows\system32\sav950231.sys
c:\windows\system32\drivers\lnzjwenu.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1875BD2-5F88-4C1F-ABA3-77A4096763F0}]

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

11-18-2008, 12:29 AM	#6 (permalink)
Blade81 Visiting Teacher/Analyst, Security Team Join Date: Jun 2008 Location: Finland Posts: 763 OS: Win XP, Vista 32-bit, Win7 64-bit	Re: Search Engine Redirect Problems Yes, you did it right :) Start hjt, do a system scan, check (if found): R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local., <-- if not set by yourself Close browsers and fix checked. Uninstall old Adobe Reader and get the latest one here or get Foxit Reader here. Open notepad and copy/paste the text in the quotebox below into it: Code: Driver:: lnzjwenu File:: c:\windows\system32\atioglx.dll c:\windows\system32\sav950231.sys c:\windows\system32\drivers\lnzjwenu.sys Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1875BD2-5F88-4C1F-ABA3-77A4096763F0}] Save this as CFScript A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use. Refering to the picture above, drag CFScript into ComboFix.exe Then post the resultant log. Combofix should never take more that 20 minutes including the reboot if malware is detected. If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. If that happened we want to know, and also what process you had to end. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it Under Main choose: Windows Temp Current User Temp All Users Temp Cookies Temporary Internet Files Prefetch Java Cache The other boxes are optional Then click the Empty Selected button. If you use Firefox: Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt. If you use Opera: Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt. Click Exit on the Main menu to close the program. Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. Post back its report, a fresh hjt log and above mentioned ComboFix resultant log. __________________ Microsoft MVP Consumer Security 2008 2009 ASAP & UNITE member since 2006