Searchab.com virus

Hello Naichi

I would like to see a report that combofix makes.

extra combofix report

C:\Qoobox\Add-Remove Programs.txt

• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
• please copy and past the following into the box
  • click ok
• copy and paste the report into this topic for me to review
  
  Gringo
• 
  
• 
  

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

• FBI Cyber Education Letter
  File sharing infects 500,000 computers
  USAToday
  infoworld
• 
  

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

• Programs to remove
  • 
    
  • Java™ 6 Update 22
    Java™ 6 Update 39
    Vuze
  • 
    
  • 
    

• Please download and install Revo Uninstaller Free
• Double click Revo Uninstaller to run it.
• From the list of programs double click on The Program to remove
• When prompted if you want to uninstall click Yes.
• Be sure the Moderate option is selected then click Next.
• The program will run, If prompted again click Yes
• when the built-in uninstaller is finished click on Next.
• Once the program has searched for leftovers click Next.
• Check/tick the bolded items only on the list then click Delete
• when prompted click on Yes and then on next.
• put a check on any folders that are found and select delete
• when prompted select yes then on next
• Once done click Finish.
• .
  
  
  
  Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.
    
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

: Malwarebytes' Anti-Malware :


I see You have MBAM installed on the computer - that is great!! it is a very good program! I would like you to run a quick scan for me now

• Double-click mbam icon
• go to the update tab at the top
• click on check for updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

• Go Here to download HijackThis program
• Save HijackThis to your desktop.
• Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
• Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
• copy and paste hijackthis report into the topic

"information and logs"

• In your next post I need the following
  • Log From MBAM
    • report from Hijackthis
      • let me know of any problems you may have had
        • How is the computer doing now?
      Gringo
      
      
      
      
      
      
      

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

• Run HijackThis (rightclick and run as admin)
• Click on the Scan button
• Put a check beside all of the items listed below (if present):
  • 
    
  • O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Spotify] "C:\Users\Omitted \AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
    O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Omitted \AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
  • 
    
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.
  • NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]
  • 
    

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• click on the Run ESET Online Scanner button
• Tick the box next to YES, I accept the Terms of Use.
  • Click Start
• When asked, allow the add/on to be installed
  • Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • 
    
• Click Scan
• wait for the virus definitions to be downloaded
• Wait for the scan to finish
• When the scan is complete
  • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found
  • If threats were found
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here
• Gringo

• 
  

Hello Naichi

Lets get a deeper look into the system and lets see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

• Double click on OTL.exe to run it.
• Under Output, ensure that Minimal Output is selected.
• Under Extra Registry section, select Use SafeList.
• Click the Scan All Users checkbox.
• Click on Run Scan at the top left hand corner.
• When done, two Notepad files will open.
  • OTL.txt <-- Will be opened and the that I need posted back here
  • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
• Please post the contents of OTL.txt in your next reply.
• Gringo
• 
  
• 
  

Hello Naichi

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

• Double-click OTL.exe to start the program.
• Copy and Paste the following code into the text box.

  :OTL
  FF - user.js - File not found
  FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
  FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
  FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll File not found
  FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
  O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
  O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
  O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
  O16:64bit: - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
  O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Reg Error: Key error.)
  O18:64bit: - Protocol\Handler\livecall - No CLSID value found
  O18:64bit: - Protocol\Handler\msnim - No CLSID value found
  O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
  O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
  IE:64bit: - HKLM\..\SearchScopes\{D27FD577-2531-4439-AC6A-6C615F669F1C}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
  IE - HKLM\..\SearchScopes\{D27FD577-2531-4439-AC6A-6C615F669F1C}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
  IE - HKU\S-1-5-21-3282786387-1925507497-2433245905-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://lavasoft.blekko.com/ws/?source=f439e2c0&tbp=rbox&toolbarid=adawaretb&u=266B475D10998276E702AA512442284D&q={searchTerms}
  IE - HKU\S-1-5-21-3282786387-1925507497-2433245905-1000\..\SearchScopes\{D27FD577-2531-4439-AC6A-6C615F669F1C}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
  IE - HKU\S-1-5-21-3282786387-1925507497-2433245905-1000\..\SearchScopes\{F94551AA-D449-4913-B185-B97B040268DE}: "URL" = http://searchab.com/?aff=7&uid=de632978-7717-11e2-9510-78acc03ffef7&q={searchTerms}
  FF - prefs.js..browser.search.selectedEngine: "Privitize VPN"
  FF - prefs.js..browser.search.defaultenginename: "Privitize VPN"
  FF - prefs.js..browser.search.defaultengine: "Privitize VPN"
  FF - prefs.js..browser.search.order.1: "Privitize VPN"");
  FF - prefs.js..browser.search.defaultenginename: "Privitize VPN"
  FF - prefs.js..browser.search.defaultengine: "Privitize VPN"
  FF - prefs.js..browser.search.order.1: "Privitize VPN"");
  FF - prefs.js..browser.search.defaultenginename: "Privitize VPN"
  FF - prefs.js..browser.search.defaultengine: "Privitize VPN"
  FF - prefs.js..browser.search.order.1: "Privitize VPN"");
  FF - prefs.js..browser.search.defaultenginename: "Privitize VPN"
  FF - prefs.js..browser.search.defaultengine: "Privitize VPN"
  FF - prefs.js..browser.search.order.1: "Privitize VPN"
  FF - prefs.js..browser.search.selectedEngine: "SecureSearch"
  FF - prefs.js..browser.startup.homepage: "http://securesearch.lavasoft.com/?source=f439e2c0&tbp=homepage&toolbarid=adawaretb&v=2_5&u=266B475D10998276E702AA512442284D"
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [PURITY]
  [emptyjava]
  [EMPTYFLASH]
  [reboot]
  

• Then click the Run Fix button at the top.
• Click .
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.
  
  Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles
  
  It will be named - mmddyyyy_hhmmss.log
  
  Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.
  
  
  
• Let me know How things are doing
  
  Gringo
• 
  
• 
  

========== OTL ==========

In which browser does this happen in

Internet explorer and Google Chrome

Hello Naichi

first I would like you to go here and click on the fixit button - http://support.microsoft.com/kb/923737


Then I want you to do the following

• Start Internet Explorer.
• click on "safety"
• click on "Delete Browsing History"
• make sure all boxes are checked
• click on "Delete"
• click on "Tools",
• click "Internet Options".
• On the "Advanced" tab, click "Reset"
• put a check mark next to "Delete Personal Settings"
• click "Reset" to confirm
• when complete click the "Close" button
• restart IE
• Gringo
• 
  
• 
  

Hello. I cannot find the tools option in internet explorer.

see if anything here will help

http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/ie8-tools-menu-missingcant-find/74ff7564-5fd6-4051-8028-d2561ee9b844