03-14-2013, 11:20 PM   #1
Registered Member

Join Date: Apr 2010
Posts: 73
OS: Windows XP

My mom accidentally clicked on some pop-ups and her computer got infected. At first I couldn't even get online, but after running rkill (I have the log ready if requested) I could, though I could still see the fake anti-virus programs' icons. Anyway, I did a system restore to see if that would work, but it didn't.

Right now there aren't many symptoms, only that my homepage isn't what I set it to be. I don't even see the fake anti-virus programs anymore, but here are the logs required anyway.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 7.0.6001.18639 BrowserJavaVersion: 10.17.2
Run by buibui at 19:34:09 on 2013-03-14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.2596 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{2BEBF449-D8D4-488A-A42D-E834DE74EE3F} : DHCPNameServer = 192.168.1.1
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
.
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\System32\drivers\HCW85BDA.sys [2009-7-14 1708800]
S3 hcw85cir;Hauppauge Consumer IR 3;C:\Windows\System32\drivers\hcw85cir3.sys [2009-7-14 32768]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2012-6-28 93184]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2013-03-10 21:49:33 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-10 21:49:32 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-03-10 21:49:32 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-03-10 21:49:32 262560 ----a-w- C:\Windows\SysWow64\javaws.exe
2013-03-10 21:49:32 174496 ----a-w- C:\Windows\SysWow64\javaw.exe
2013-03-10 21:49:32 174496 ----a-w- C:\Windows\SysWow64\java.exe
2013-03-02 05:16:38 71024 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-02 05:16:38 691568 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-13 22:01:36 70004024 ----a-w- C:\Windows\System32\mrt.exe
2013-01-17 09:28:58 273840 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 19:35:41.14 ===============

I attached ark as a print screen of the finished scan because I couldn't save it, and when I copied and pasted it, it looked fine, but when I tried to reopen it, it came out all cryptic. Thank you for the help. I'm running Windows XP and don't have access to reinstallation CDs.
Attached: attach.txt (2.5 KB)
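Before the analyst's reply, here is how the Pseudo HJT section of a DDS log like the one above can be triaged mechanically. This is an added example, not part of the thread and not code from the DDS tool: it parses the persistence lines posted above (embedded below as the sample), keeps a short known-good list for the two Java BHOs, and flags the Yontoo BHO, any Run entry that starts from a user-writable directory, a non-stock Winlogon Userinit value, and a DNS resolver outside the local network. The allowlist, the user-writable-directory rule and the local-resolver rule are assumptions about what is normal on a home machine, not checks DDS itself performs.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of the original thread or of DDS. It pulls out the
persistence points DDS lists (BHOs, Run keys, the Winlogon Userinit value,
configured DNS resolvers) and applies the checks a log reader does by hand.
"""
import ipaddress
import re
from dataclasses import dataclass

# Lines copied from the Pseudo HJT section of the log posted above.
SAMPLE_LOG = r"""
mWinlogon: Userinit = userinit.exe
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{2BEBF449-D8D4-488A-A42D-E834DE74EE3F} : DHCPNameServer = 192.168.1.1
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
"""

BHO_RE = re.compile(r"^(?:x64-)?BHO: (?P<name>.*): (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<key>(?:x64-)?[um]?Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USERINIT_RE = re.compile(r"^(?:x64-)?mWinlogon: Userinit = (?P<value>.*)$")
DNS_RE = re.compile(r"^TCP: .*NameServer = (?P<servers>.*)$")

# Assumption: these are the only BHO modules expected on this machine (lower-case path suffixes).
ALLOWED_BHO_MODULES = (r"\java\jre7\bin\ssv.dll", r"\java\jre7\bin\jp2ssv.dll")
# Assumption: legitimate autostarts live under Program Files / Windows, not in these locations.
USER_WRITABLE_RE = re.compile(r"\\(?:appdata|programdata|temp|progra~3)\\", re.IGNORECASE)
# Assumption: the resolver should be the home router or another local address.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
STOCK_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}


@dataclass
class Finding:
    kind: str    # BHO / Run / Winlogon / DNS
    ident: str   # CLSID, Run value name, or the value that was checked
    value: str   # path or address involved
    reason: str


def executable_of(cmd):
    """First executable in a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split(None, 1)[0] if cmd else ""


def is_local_resolver(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def triage_pseudo_hjt(text, allowed_bho=ALLOWED_BHO_MODULES):
    """Return the entries a log reader should look at, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            if not any(m["path"].lower().endswith(s) for s in allowed_bho):
                findings.append(Finding("BHO", m["clsid"], m["path"],
                                        "module not on the known-good list; a BHO loads into every IE process"))
        elif m := RUN_RE.match(line):
            exe = executable_of(m["cmd"])
            if USER_WRITABLE_RE.search(exe):
                findings.append(Finding("Run", m["name"], exe, "autostart from a user-writable directory"))
        elif m := USERINIT_RE.match(line):
            if m["value"].strip().rstrip(",").lower() not in STOCK_USERINIT:
                findings.append(Finding("Winlogon", "Userinit", m["value"],
                                        "extra program chained onto userinit.exe runs at every logon"))
        elif m := DNS_RE.match(line):
            for server in re.split(r"[ ,]+", m["servers"].strip()):
                if server and not is_local_resolver(server):
                    findings.append(Finding("DNS", "NameServer", server,
                                            "resolver outside the local network; confirm it is intended"))
    return findings


if __name__ == "__main__":
    for f in triage_pseudo_hjt(SAMPLE_LOG):
        print(f"[{f.kind}] {f.ident}: {f.value}\n    {f.reason}")
```

On the log above the script reports only the Yontoo BHO, which is the entry the analyst goes on to remove; the Run entries start from Program Files and both resolvers are the router. To triage another DDS log, paste its Pseudo HJT section into SAMPLE_LOG.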

 03-18-2013, 10:52 AM #2
 03-18-2013, 09:41 PM #3
Hi and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please be patient with me during this time.
03-22-2013, 07:08 AM   #6
Security Team
Analyst

Join Date: Jun 2010
Location: California
Posts: 971
OS: Windows XP Service Pack 3

Hello again! Thank you for those logs.
• Please go to Start -> Control Panel -> Programs -> Programs and Features.
• Look for the following in the list of installed programs; if they are present, uninstall them one at a time by selecting them and clicking Uninstall:
• Yontoo 1.10.02
Next:

Print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as you will not be able to view this page during the fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Folder::
C:\Program Files (x86)\Ask.com
c:\programdata\Ask
C:\Program Files (x86)\Yontoo
c:\users\buibui\AppData\Local\Smartbar
c:\program files (x86)\DefaultTab
C:\Users\buibui\AppData\Roaming\DefaultTab
c:\program files (x86)\OApps
c:\users\buibui\AppData\Local\SwvUpdater
c:\program files (x86)\24x7Help
c:\users\buibui\AppData\Roaming\PCFixSpeed
c:\programdata\PCFixSpeed
c:\program files (x86)\PCFixSpeed
c:\users\buibui\AppData\Local\Solid Savings
c:\program files (x86)\Solid Savings
c:\program files (x86)\MixiDJ_V1
c:\program files (x86)\SearchProtect
c:\users\buibui\AppData\Roaming\SearchProtect

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-

DirLook::
c:\users\buibui\AppData\Local\CRE
c:\users\buibui\AppData\Local\APN
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe.

ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
03-22-2013, 08:53 PM   #8

Quote:
 Originally Posted by beancurd89 I can't uninstall Yontoo though. "Error 2 while loading archive: The system cannot find the file specified"
That's all right, it looks like ComboFix took care of it.
Does it still appear in your Installed Programs list in the Control Panel?

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
• Scroll down to where it says Java SE 7u17
• Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-7u17-windows-i586.exe to install the newest version.
• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
• On the General tab, under Temporary Internet Files, click the Settings button.
• Next, click on the Delete Files button
• There are three options in the window to clear the cache - leave these two checked:
• Trace and Log Files
• Cached Applications and Applets
• Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Temporary Files Window
• Click OK to leave the Java Control Panel.
NOTE: Java is a security risk, as it is a vulnerable application often exploited by malware. You may want to consider uninstalling it for this reason. However, some programs and websites require Java in order to run, so you may not want to uninstall it if you frequently use such programs/websites. If that is the case, we recommend at least disabling Java in your browsers and enabling it only when it is needed. Please see here: Disable Java in browsers

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to the following:
• Update Malwarebytes' Anti-Malware
• Launch Malwarebytes' Anti-Malware
• Then click Finish.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
It's important to run an online scan to search for any remnants that may be lurking. Please go here to run the online scanner from ESET.
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
• Scan for potentially unwanted applications
• Scan for potentially unsafe applications
• Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• If any threats were found, click the 'List of found threats' , then click Export to text file....
• Save it to your desktop, then please copy and paste that log as a reply to this topic.
03-24-2013, 05:51 PM   #10

Quote:
I cannot complete the Java step. I was able to uninstall, but I'm not able to find the Java icon under Control Panel, Classic View. Basically I only go to the link, then click on Download under "JRE", right? So only one thing I need to download? Well, I did and it didn't work. I can find the folder it installed into, but even with the search function I can't find anything with Java in it except the installer.
I'm not quite sure what you mean by this. It sounds like you were having trouble with these steps:
Quote:
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are three options in the window to clear the cache - Leave these two Checked
Trace and Log Files
Cached Applications and Applets
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.
Does this mean that you already ran the installer you downloaded? If so, we should be able to do the rest with another ComboFix script.

Print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as you will not be able to view this page during the fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
ClearJavaCache::

Folder::
C:\ProgramData\Tarma Installer
C:\Users\All Users\Tarma Installer
c:\users\buibui\AppData\Local\APN
c:\users\buibui\AppData\Local\CRE
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe.

ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please also include the contents of the following file in your next post:

After running the script, check again to see if Yontoo is still listed as an installed program. If it is, try this:
• Click the green Run Now button and save the file to your Desktop
• Double-click the Microsoft Fix It icon on your Desktop to run the tool
• Click Accept
• Click Detect problems and apply the fixes for me (Recommended)
• When asked if you are having a problem installing or uninstalling a program, select Uninstalling
• The tool will provide a list of programs; select Yontoo 1.10.02 if it is listed
• The tool should attempt to fully uninstall Yontoo; follow any further prompts
After running this tool, check again to see if Yontoo still appears in your list of installed programs and let me know.
 03-26-2013, 07:57 AM #12
Let's see if we can get a better look as to why Yontoo is still listed as an installed program. Please download SystemLook from here and save it to your Desktop.
• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
Code:
:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
:regfind
Yontoo
• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
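A scripted form of the Uninstall-key check in the post above, as an added example that is not part of the thread, of SystemLook or of ComboFix. It walks both Uninstall views the SystemLook script dumps (the native view and the Wow6432Node view that a 32-bit installer writes on 64-bit Windows), matches entries by name, and reports whether the uninstaller each entry points to is still on disk. A missing uninstaller is what produces "Error 2 ... The system cannot find the file specified" from the Control Panel: the Uninstall subkey outlives the program's files. The registry read uses winreg and so only runs on Windows; the matching and UninstallString parsing are pure Python and are what the sample entries exercise. The sample key names, product names and paths are made up for illustration.

```python
"""List Programs-and-Features entries matching a name and check their uninstallers.

Added example; not part of the original thread, ComboFix or SystemLook.
For each matching entry under either Uninstall view, parse UninstallString
and report whether the executable it names still exists. If it does not,
Control Panel cannot uninstall the program and the entry is an orphan that
is only cleaned up by deleting the subkey.
"""
import os
import re
import sys
from dataclasses import dataclass

try:
    import winreg  # Windows only; the matching logic below does not need it
except ImportError:
    winreg = None

UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


@dataclass
class UninstallEntry:
    key_path: str          # full key path, e.g. HKLM\SOFTWARE\...\Uninstall\<subkey>
    display_name: str      # DisplayName value ("" if absent)
    uninstall_string: str  # UninstallString value ("" if absent)


def read_uninstall_entries():
    """Enumerate every subkey under both Uninstall views (returns [] off Windows)."""
    entries = []
    if winreg is None:
        return entries
    for base in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base)
        except OSError:
            continue  # view not present (32-bit Windows has no Wow6432Node)
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                values = {}
                with winreg.OpenKey(root, name) as sub:
                    for value_name in ("DisplayName", "UninstallString"):
                        try:
                            values[value_name] = str(winreg.QueryValueEx(sub, value_name)[0])
                        except OSError:
                            values[value_name] = ""
                entries.append(UninstallEntry(f"HKLM\\{base}\\{name}",
                                              values["DisplayName"], values["UninstallString"]))
    return entries


def uninstaller_path(uninstall_string):
    """Executable named by an UninstallString, or None when no file check applies.

    Handles '"C:\\dir with spaces\\uninst.exe" /S', 'C:\\dir\\uninst.exe /S',
    'rundll32 C:\\dir\\setup.exe,Uninstall' and MsiExec product codes (those
    are serviced by Windows Installer, so there is no uninstaller file).
    """
    s = uninstall_string.strip()
    if not s:
        return None
    low = s.lower()
    if low.startswith("msiexec"):
        return None
    if low.startswith("rundll32"):
        s = s.split(None, 1)[1] if " " in s else ""
        s = s.split(",", 1)[0]
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s.strip('"')
    m = re.match(r"(.+?\.exe)", s, re.IGNORECASE)
    if m:
        return m.group(1)
    return s.split(None, 1)[0] if s else None


def find_entries(entries, pattern, exists=os.path.exists):
    """Entries whose DisplayName or subkey name matches `pattern` (regex, case-insensitive).

    Returns (entry, orphaned) pairs; orphaned is True when the uninstaller is missing.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for entry in entries:
        subkey = entry.key_path.rsplit("\\", 1)[-1]
        if rx.search(entry.display_name) or rx.search(subkey):
            path = uninstaller_path(entry.uninstall_string)
            hits.append((entry, path is not None and not exists(path)))
    return hits


if __name__ == "__main__":
    pattern = sys.argv[1] if len(sys.argv) > 1 else "Yontoo"
    for entry, orphaned in find_entries(read_uninstall_entries(), pattern):
        state = "uninstaller MISSING (orphaned entry)" if orphaned else "uninstaller present"
        print(f"{entry.key_path}\n  DisplayName: {entry.display_name}\n  "
              f"UninstallString: {entry.uninstall_string}\n  {state}")
```

Run it as `python uninstall_check.py Yontoo` on the affected machine from an elevated prompt; an orphaned hit names the exact subkey to remove (with a ComboFix Registry:: line or regedit), which is the same information the SystemLook :reg dump gives once it has been read by hand.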
03-27-2013, 07:48 PM   #14

Thank you for the log!
Let's try running ComboFix again:

Print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as you will not be able to view this page during the fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe.

ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Does Yontoo still appear in your program list after running the above script?
 03-29-2013, 06:53 PM #16
I'm glad to hear that Yontoo is gone! We're almost finished, but your logs are not quite clean yet. Please run SystemLook again.
• Copy the content of the following codebox into the main textfield:
Code:
:filefind
Ask.com
AskToolbar
Ask Toolbar
:folderfind
Ask.com
AskToolbar
Ask Toolbar
:regfind
Ask.com
AskToolbar
Ask Toolbar
{D4027C7F-154A-4066-A1AD-4243D8127440}
• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
03-30-2013, 02:28 PM   #18

Thanks for the SystemLook log, it revealed quite a bit! Let's run ComboFix one more time to take care of what it found.

Print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as you will not be able to view this page during the fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe.

ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
