google/yahoo results hijacked

[gamorg02]

Hello. I had visited this site once in the past to help out with a random error I was getting which i attributed to spyware and was helped greatly. I had a new problem as of last night. I went to a website last night (www*familywatchdog*us) which seemed to open an acrobat page, but then i started getting pop ups and messages from antivirus system pro. I was able to kill the processes and registry entries from that. I then realized my google and yahoo (and maybe more) results on both firefox and ie were being hijacked and thrown to websites like egotvonline and theyellowpages*com

Ran some antivirus along with ad-aware and search and destroy. Most issues seem to be gone, but still having some residual stuff I was hoping to get some help on.

Logs are below and attached:


DDS (Ver_09-10-26.01) - NTFSx86
Run by gamorg02 at 18:41:18.70 on Fri 10/30/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.300 [GMT -4:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\802.11g Wireless LAN\Monitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gamorg02\Desktop\virusfix\neww\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://calendar.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\\nTune.exe" clear
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Easy Synchronization] c:\program files\logitech\easy synchronization\LogitechEasySync.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunOnce: [Easy Synchronization] c:\program files\logitech\easy synchronization\LogitechEasySync.exe --ports
StartupFolder: c:\docume~1\gamorg02\startm~1\programs\startup\monitor.lnk - c:\program files\802.11g wireless lan\Monitor.exe
StartupFolder: c:\docume~1\gamorg02\startm~1\programs\startup\nvidia~1.lnk - c:\program files\nvidia corporation\ntune\NVMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - hxxp://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117171479702
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v49/luxor/luxor.cab
DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v42/paint/paint.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://ccon.futuremark.com/global/msc34.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://emcsupport2.webex.com/client/T24L/support/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: ShellExecuteHook class: {fe24cd78-7c63-465d-8787-4edf7fc79895} - c:\program files\logitech\easy synchronization\shellexecutehook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gamorg02\applic~1\mozilla\firefox\profiles\qr6vrqrp.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\gamorg02\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_0303001D.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-16 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-29 28544]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2006-4-11 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2006-4-11 38528]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-29 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-3-31 98304]
S2 CoachCap;Concord EyeQ Go 2000 USB Video Capture V1.00;c:\windows\system32\drivers\coachcap.sys [2002-3-3 93068]
S3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys --> c:\windows\system32\drivers\axvbusx.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
S3 RivaTunerEx;RivaTunerEx;c:\program files\rivatuner v2.0 rc 15.5\RivaTunerEx.sys [2005-5-6 2560]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-3-31 14976]

=============== Created Last 30 ================

2009-10-30 04:18:40 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-10-30 04:18:39 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-10-30 04:18:38 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-10-30 04:18:38 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

==================== Find3M ====================

2009-09-25 05:56:36 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56:32 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:39:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00:46 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13:32 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-07-23 18:09:57 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:43:55.43 ===============



I should also have access to a windows XP install disk. very old tho, prior to SP1

[Carolyn]

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. The logs that you will be posting can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool untill instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please download Malwarebytes' Anti-Malware and save it to a convenient location.

1. Double click on mbam-setup.exe to install it.
2. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
   • Update Malwarebytes' Anti-Malware
     Launch Malwarebytes' Anti-Malware
3. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
4. Select the Scanner tab. Click on Perform full scan, then click on Scan.
5. Leave the default options as it is and click on Start Scan.
6. When done, you will be prompted. Click OK, then click on Show Results.
7. Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
8. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

Next,
Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

• Double click on OTL.exe to run it.
• Under Extra Registry section, select Use SafeList.
• Click the Scan All Users checkbox.
• Click on Run Scan at the top left hand corner.
• When done, two Notepad files will open.
  • OTL.txt <-- Will be opened
  • Extras.txt <-- Will be minimized
• Please post the contents of these 2 Notepad files in your next reply.

Please post the following:

• The Malwarebytes' log
• The OTL.txt logfile
• The Extras.txt logfile

[gamorg02]

Thanks so much for your help Carolyn. I have run all the scans and have the results. One other symptom I am seeing right now, although the search hijacking is gone via firefox, is random cookies being created. If I go into IE and prompt for each cookie it just keeps poping up for random cookies. I had to stop after about 30.

The forum kept timing out if I tried to copy all 3 logs here so I have attached the two from OTL and copied the MBAM log below:

Malwarebytes' Anti-Malware 1.41
Database version: 3103
Windows 5.1.2600 Service Pack 2

11/5/2009 7:15:47 AM
mbam-log-2009-11-05 (07-15-47).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 478853
Time elapsed: 1 hour(s), 53 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\_qbothome (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\_qbothome\u (Trojan.Qakbot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\_qbothome\_qbot.cb (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\_qbothome\_qbot_installed (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\_qbothome\crontab.cb (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\_qbothome\ps_dump_gamorg02.txt (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\_qbothome\seclog.txt (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\_qbothome\si.txt (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\_qbothome\updates.cb (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\_qbothome\updates1.cb (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\_qbothome\~efd9452.tmp (Trojan.Qakbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{42906ED3-5BAB-40F9-B5DA-6965927447D9}\RP207\A0264381.dll (Trojan.BHO) -> Not selected for removal.
C:\System Volume Information\_restore{42906ED3-5BAB-40F9-B5DA-6965927447D9}\RP208\A0264640.dll (Trojan.BHO) -> Not selected for removal.
C:\System Volume Information\_restore{42906ED3-5BAB-40F9-B5DA-6965927447D9}\RP208\A0264642.exe (Trojan.FakeAlert) -> Not selected for removal.
C:\System Volume Information\_restore{42906ED3-5BAB-40F9-B5DA-6965927447D9}\RP208\A0264647.dll (Search.Hijacker) -> Not selected for removal.
D:\System Volume Information\_restore{9700C861-BB73-439E-87C1-2053607E4F50}\RP176\A0035689.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

[Carolyn]

Hello,

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Kazaa Lite, LimeWire, BitTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/...D-theft_1.html

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.

I would recommend that you uninstall Kazaa Lite, LimeWire, BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Note:
If you have malware cleaned from your system by one of our Security Team/Malware Hunters and then later return with more infections....and these P2P programs are still installed, you maybe refused help.

================================

I hate to give you bad news but one or more of the identified infections is a backdoor trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

In addition to the backdoor Trojan that has been identified, your computer may be afflicted with multiple other infections. Although we can make an attempt to clean this machine, we cannot guarantee that it will be secure afterwards. Your best and safest course of action is a reformat and reinstallation of the Windows operating system.

If you do decide to attempt cleaning rather than a reformat, do understand that although we may be able to remove all known visible malware, we cannot guarantee that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damages it may possibly have caused to vital system files.

Please note that even if we should be successful in removing these infections from your system, it is quite possible that the changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.

[gamorg02]

I realize I should format, but with that being said I would like to try to clean. I will prepare for a reformat in the upcoming months with all my software and whatnot. I understand the risks associated with this however.

I Only use bittorrent and download known good files, so that shouldn't be a problem. I know when these issues started occurring, was going to a site and it tried to open adobe, and since then there was these issues.

in good news since running some of the tools, the cookies being requested looks normal from ie now.

[Carolyn]

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:

• Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
• If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
• If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

• Open Spybot S&D
• Click Mode, choose Advanced Mode
• Go To the bottom of the Vertical Panel on the Left, Click Tools
• then, also in left panel, click Resident shows a red/white shield.
• If your firewall raises a question, say OK
• In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
• OK any prompts.
• Use File, Exit to terminate Spybot
• Reboot your machine for the changes to take effect.

Don't forget to re-enable it, when your computer is clean.

=========================

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

[gamorg02]

here are the combo fix results.

thnx in advance.

[Carolyn]

Hello,

Your logs indicate that Windows Firewall is disabled and you are not using another Firewall. Please enable Windows Firewall now.

==================

Update Java Runtime and Run JavaRa

• Download Java Runtime
• Go to HERE to download Java Runtime Environment Version 6 Update 17
• Click on the link named Java Runtime Environment (JRE) 6 Update 17
• Click on the radio button to Accept License Agreement
• Click on Windows Offline Installation Multi-language and save the downloaded file to your desktop

• Run JavaRa
• Please download JavaRa and unzip it to your desktop.
• Double-click on JavaRa.exe to start the program.
• From the drop-down menu, choose English and click on Select.
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
• Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
• A logfile will pop up. Please save it to a convenient location.

• Install Java
• Install the new version of Java by running the newly-downloaded file ( jre-6u17-windows-i586-p.exe) with the java icon which will be at your desktop, and follow the on-screen instructions.
• Reboot your computer

==================

Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   • Spyware, Adware, Dialers, and other potentially dangerous programs
     Archives
     Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply along with the log from JavaRA.

[gamorg02]

Thanks for the info. Is there another download site for JavaRa? That link is saying 403 forbidden.

[Carolyn]

Sorry about that. Please give this site a try:

JavaRA

[gamorg02]

here are the kaspersky and javara logs.

[Carolyn]

Hi,

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:

@echo off
For %%a in (
C:\Documents and Settings\gamorg02\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-63a2bfe6.zip
C:\Documents and Settings\gamorg02\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-1643a20b.zip
C:\Documents and Settings\gamorg02\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6fe62ae5.zip
D:\Download\Applications\Media Apps\wma-to-mp3.exe
D:\SLU\Semester 4\CS348\Project\Office Space\DivXPro511Adware.exe
) do (
del %%a \
)
del %0

Click on File > Save As....

In the File Name box, copy and paste in removal.bat

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on removal.bat to run it. Command Prompt will open and close quickly - please do not be alarmed.

================

This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

Your log now appears to be clean. Congratulations!

Please delete DDS.exe from your computer

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


Delete ComboFix and Clean Up

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Please advise if this step is missed for any reason as it performs some important actions.


CleanUp! with OTL

• Double click OTL.exe to launch the program.
• Click on the CleanUp! button.
• OTL will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• When finished exit out of OTL
• The tool will delete itself once it finishes, if not delete it by yourself.

Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

• Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under Hidden files and folders if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check Display content of system folders
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
• Make sure that you keep your antivirus updated
  New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  
• Security Updates for Windows, Internet Explorer & Microsoft Office
  Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
  Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  
• Update Non-Microsoft Programs
  Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  
• Make Internet Explorer More Secure
  You are using Internet Explorer v. 6. I recommend that you upgrade to Internet Explorer v. 8

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

• WinPatrol
  As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  
• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
  
• Malwarebytes' Anti-Malware or SuperAntiSpyware
  These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
  You can download SuperAntiSpyware from HERE.
  
• Hosts File
  For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  
  Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
  If this isn't done first, the next reboot may take a VERY LONG TIME.
  This is how to do it. First be sure you are signed in as a user with administrative privileges:
  
  Quote:

  Stop and Disable the DNS Client Service
  Go to Start, Run and type Services.msc and click OK.
  Under the Extended Tab, Scroll down and find this service.
  DNS Client
  Right-Click on the DNS Client Service. Choose Properties
  Select the General tab. Click on the Stop button.
  Click the Arrow-down tab on the right-hand side at the Start-up Type box.
  From the drop-down menu, click on Manual
  Click the Apply tab, then click OK

• Use an alternative Internet Browser
  Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
  Firefox
  Opera

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

[gamorg02]

Hi Carolyn, I appreciate your help so much. I see what the batch file is trying to do, in just deleting those files. Can i just do it manually?

I have a concern with the batch file, maybe you can help me with it. I have written quite a few batch files, but when i double click it, the prompt reads:

C:\*, Are you sure (Y/N)?

That doesn't seem right to me. Thoughts?

i commented out the echo off and here is the full output. Definitely glad i didn't hit Y!

-----------

C:\Documents and Settings\gamorg02\Desktop\virusfix\neww>For %a in (C:\Documents and Settings\gamorg02\Application Data\
Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-63a2bfe6.zip C:\Documents and Settings\gamorg02\Applicat
ion Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-1643a20b.zip C:\Documents and Settings\gamorg02
\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6fe62ae5.zip D:\Download\Applications\
Media Apps\wma-to-mp3.exe D:\SLU\Semester 4\CS348\Project\Office Space\DivXPro511Adware.exe) do (del %a \ )

C:\Documents and Settings\gamorg02\Desktop\virusfix\neww>(del C:\Documents \ )
C:\*, Are you sure (Y/N)?

[Carolyn]

Any thoughts... yes, I messed up badly. I'm glad you did not hit Y too. Very, very sorry - I should have placed quotes around that the file paths. Thank you for letting me know... that mistake will not happen again.

By all means, delete the files manually, and thanks again.

[Carolyn]

Since this issue appears to be resolved ... this Topic has been closed.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.