Am I...still infected?
#1
Posted 29 December 2010 - 07:19 AM
A few days ago, I noticed that my internet connection was a little slower than usual (maybe this isn't because of the infection, I still don't know), certain sites/flash games wouldn't load (I thought it was because my java/shockwave/flash was outdated), and streaming would either not work or take a really long time to buffer. I then went to google this, and after much frustration, it was pretty clear I had the google redirecting virus (whether or not this impacted the previous events, I don't know); but I was infected. I spent a few hours per day for about 2 days, googling ways to fix this (I have a pretty good idea of what can be trusted and what can't).
I started with my "default" scanner, which was VAIO care. It detected a few problems and said that they were removed. Updates for maintenance were recommended (it's usually just a click->done process) but they didn't work (error box). Then I moved on to spybotS&D. It found quite a few problems and removed them all. Then I went to google to test things out, but I was still redirected on occasions.
After a lot more googling and annoyance, I came across an answer at a forum, which recommended combofix. Being me, I followed that person's recommendation and installed combofix. Now oddly enough, without even having run the program, the google redirect was gone (as far as I know), videos were working, and flash sites/images were working properly... but I ran combofix anyways. I followed the steps on the guide/tutorial and skimmed over most of the introduction part. It did its thing, and removed what I had suspected all along weren't "normal" files in my drive. Then I came back to this site, saw there was a forum, clicked it, saw the 50000 warnings about using combofix without the recommendation of a moderator here, and died a little inside.
Did I just make things way worse/more complicated than they had to be?
PS: I noticed that the thing that caught my attention the most in the files that combofix "removed" was a game that a friend had sent me, involving a crack. When I was about to install it, my antivirus detected a trojan, but my friend said he'd had it for a long time and didn't have any problems (it was an actual conversation, not a BOT or anything). Not sure if that helps...
#2
Posted 29 December 2010 - 09:47 AM
Quote
The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.
When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.
I strongly recommend that you remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so we need to ensure they have been removed.
Using these types of programs or the websites visited to get them is very likely how your computer got infected!!
Let's double-check to make sure.
Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
- Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
- When the program opens, click the Start Scan button.
- If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
- Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process. <- Important!!
Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
- A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
- Copy and paste the contents of that file in your next reply.
-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Step 7 instructs you to scan your computer using Malwarebytes Anti-Malware and remove any traces that may still be present. If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware. After performing that step, please post the complete results of your scan for review.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#3
Posted 29 December 2010 - 06:30 PM
Anyways, here's what I got from the scan, and thank you in advance.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5419
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
12/29/2010 6:13:28 PM
mbam-log-2010-12-29 (18-13-28).txt
Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 324868
Time elapsed: 50 minute(s), 11 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5
Memory Processes Infected:
c:\program files (x86)\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> 2172 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\activex.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Registry Helper Service (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.
Folders Infected:
c:\program files (x86)\registry helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
Files Infected:
c:\Qoobox\quarantine\C\Users\AppData\Local\uzutolet.dll_old.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Users\AppData\Local\wms32gt.dll.vir (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Users\AppData\Roaming\microsoft\conhost.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Desktop\.url (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files (x86)\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
This post has been edited by Xertol: 29 December 2010 - 09:30 PM
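The Malwarebytes log above has a fixed shape: header fields, one count per category, then the itemised lines giving the object, the detection family in parentheses and the action taken. The block below is an added example for this thread (not Malwarebytes' code and not posted by anyone in the thread) that parses that format, cross-checks each category count against the itemised lines, and pulls out the file-association hijack, where the log records both the bad value and the value it restored. SAMPLE_LOG is a constructed copy of the posted log, trimmed to the lines the parser needs.

```python
"""Parse a Malwarebytes' Anti-Malware 1.50 text log into a structured summary.

Added example for this thread, not code from Malwarebytes or from the forum.
SAMPLE_LOG is a constructed copy of the log format posted above; the paths
and detection names are those that appear in the post.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5419
Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 324868

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
c:\program files (x86)\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> 2172 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\activex.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Registry Helper Service (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.
Folders Infected:
c:\program files (x86)\registry helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
Files Infected:
c:\Qoobox\quarantine\C\Users\AppData\Local\uzutolet.dll_old.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Users\AppData\Local\wms32gt.dll.vir (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Users\AppData\Roaming\microsoft\conhost.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Desktop\.url (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files (x86)\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")
# "<object> (<family>) -> <action>"; the object itself may contain "(x86)".
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text):
    """Return (header, summary, sections) for one MBAM 1.x log."""
    header, summary, sections = OrderedDict(), OrderedDict(), OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("cat")] = int(m.group("n"))
            continue
        if line.endswith(" Infected:"):        # start of an itemised section
            current = line[:-1]
            sections[current] = []
            continue
        if current is None:                    # still in the header block
            if ": " in line:
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        m = ITEM_RE.match(line)
        if not m:                              # "(No malicious items detected)"
            continue
        item = {"object": m.group("obj"), "family": m.group("family"),
                "action": m.group("action")}
        bg = BAD_GOOD_RE.search(item["action"])
        if bg:                                 # data items record old and restored values
            item["bad"], item["good"] = bg.group("bad"), bg.group("good")
        sections[current].append(item)
    return header, summary, sections


def count_mismatches(summary, sections):
    """Categories whose count disagrees with the itemised lines (a truncated or edited paste)."""
    return {cat: (summary.get(cat), len(items))
            for cat, items in sections.items() if summary.get(cat) != len(items)}


def families(sections):
    """Sorted set of detection families across all sections."""
    return sorted({item["family"] for items in sections.values() for item in items})


def data_hijacks(sections):
    """Registry data items where MBAM replaced a hijacked value, e.g. the file-association URL."""
    return [(item["object"], item["bad"], item["good"])
            for item in sections.get("Registry Data Items Infected", []) if "bad" in item]


if __name__ == "__main__":
    header, summary, sections = parse_mbam_log(SAMPLE_LOG)
    print("database", header["Database version"], "mismatches:", count_mismatches(summary, sections) or "none")
    print("families:", ", ".join(families(sections)))
    for key, bad, good in data_hijacks(sections):
        print("restored", key.rsplit("\\", 1)[-1], "from", bad, "to", good)
```

The count cross-check is the part worth keeping around: when a poster pastes a log by hand, a category count that no longer matches its itemised lines is the quickest sign that lines were dropped before the reviewer sees them.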
#4
Posted 29 December 2010 - 11:12 PM
Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Please perform a scan with Eset Online Anti-virus Scanner.
- This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
- Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
- Click the green [image] button.
- Read the End User License Agreement and check the box: [image]
- Check [image].
- Click the [image] button.
- Accept any security warnings from your browser.
- Check [image]

- Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
- Click the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer.
- If offered the option to get information or buy software at any point, just close the window.
- The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
- When the scan completes, push [image]
- Push [image], and save the file to your desktop as ESETScan.txt.
- Push the [image] button, then Finish.
- Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click [image] > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:
C:\Program Files\ESET\EsetOnlineScanner\log.txt
- Click Ok and the scan results will open in Notepad.
- Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#5
Posted 30 December 2010 - 03:17 AM
Here's the results for the Malwarebytes quick scan:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5420
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
12/30/2010 12:30:27 AM
mbam-log-2010-12-30 (00-30-27).txt
Scan type: Quick scan
Objects scanned: 166820
Time elapsed: 1 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here's the results for the ESET scan:
C:\Qoobox\Quarantine\C\Users\AppData\Roaming\dwm.exe.vir a variant of Win32/Kryptik.JFX trojan cleaned by deleting - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-43f4c7e3 multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\63ff10c2-4aafec59 multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\170f55e-27bbdfb5 multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\508d6175-660a0bd2 a variant of Java/TrojanDownloader.Agent.NAE trojan deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\4ea1e4b6-68d9922f multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\55d09f87-77ba43b2 multiple threats deleted - quarantined
C:\Users\AppData\Roaming\Auslogics\Rescue\Sony Maintenance\101224144418150.rsc multiple threats deleted - quarantined
C:\Users\AppData\Roaming\Auslogics\Rescue\Sony Maintenance\101226235953905.rsc multiple threats deleted - quarantined
C:\Users\AppData\Roaming\Auslogics\Rescue\Sony Maintenance\101227002145638.rsc a variant of Win32/Kryptik.JFG trojan deleted - quarantined
#6
Posted 30 December 2010 - 09:39 AM
When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder (C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache) for quick execution later and better performance. Malicious applets are also stored in the Java cache directory and your anti-virus may detect them and provide alerts. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.
Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache to ensure everything is cleaned out:
- Clear the Java cache
- Clear the browser cache in Internet Explorer
- Safely Delete the Temporary Internet Files <- for Internet Explorer 8
- How to Clear Your Browser's Cache <- for other versions of Internet Explorer, Firefox and different browsers
- Clean out Windows temporary files
Also be aware that older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. That's why it is important to always use the most current Java Version and remove outdated Java components.
- Microsoft: ‘Unprecedented Wave of Java Exploitation’
- Drive-by Trojan preying on out-of-date Java installations
- Ghosts of Java Haunt Users
- Hole in Patch Process
Even Java advises users to always have the latest version of the Java since it contains security updates and improvements to previous versions.
Quote
Why should I upgrade to Java 6?
You can verify (test) your JAVA Software Installation & Version here.
Also let me know how your computer is running and if there are any more signs of infection, strange audio ads, unwanted pop-ups, security alerts, or browser redirects.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
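The ESET results in #5 and the explanation in #6 turn on where each detected file sits: six hits are applets in the Java Deployment cache (cached by the browser, so not proof the payload ran), one is under C:\Qoobox\Quarantine, which is the folder where ComboFix had already parked its .vir copies, and three are in the preinstalled maintenance tool's Rescue folder. The block below is an added example for this thread (not ESET's code and not posted by anyone here) that splits each ESET log line into path, threat and action and buckets it by that location, so a reviewer can separate live detections from leftovers of an earlier clean-up. SAMPLE_ESET is the set of lines posted in #5, embedded as test input; the action strings and bucket names are this example's own.

```python
r"""Triage ESET Online Scanner detections by where the file lives.

Added example for this thread, not ESET's or the forum's code. The rules
encode what the thread shows about paths: C:\Qoobox\Quarantine holds the
.vir copies ComboFix had already quarantined, and the Java Deployment cache
holds applets the browser downloaded. SAMPLE_ESET is the list of lines
posted in the thread, embedded here as test input.
"""
import re

SAMPLE_ESET = r"""
C:\Qoobox\Quarantine\C\Users\AppData\Roaming\dwm.exe.vir a variant of Win32/Kryptik.JFX trojan cleaned by deleting - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-43f4c7e3 multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\63ff10c2-4aafec59 multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\170f55e-27bbdfb5 multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\508d6175-660a0bd2 a variant of Java/TrojanDownloader.Agent.NAE trojan deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\4ea1e4b6-68d9922f multiple threats deleted - quarantined
C:\Users\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\55d09f87-77ba43b2 multiple threats deleted - quarantined
C:\Users\AppData\Roaming\Auslogics\Rescue\Sony Maintenance\101224144418150.rsc multiple threats deleted - quarantined
C:\Users\AppData\Roaming\Auslogics\Rescue\Sony Maintenance\101226235953905.rsc multiple threats deleted - quarantined
C:\Users\AppData\Roaming\Auslogics\Rescue\Sony Maintenance\101227002145638.rsc a variant of Win32/Kryptik.JFG trojan deleted - quarantined
""".strip().splitlines()

# Action phrases that end an ESET log line (the two seen in the thread plus the plain "cleaned" form).
KNOWN_ACTIONS = ("cleaned by deleting - quarantined", "deleted - quarantined", "cleaned - quarantined")
# The threat text sits between path and action: "<vendor>/<family> <type>" or "multiple threats".
# Windows paths contain no "/", so the slash is what separates the threat from a path with spaces.
THREAT_RE = re.compile(r"\s((?:a variant of )?\S+/\S+(?: [a-z ]+)?|multiple threats)$")


def parse_eset_line(line):
    """Split one log line into path, threat and action; None if it is not a detection line."""
    line = line.strip()
    for action in KNOWN_ACTIONS:
        if line.endswith(" " + action):
            rest = line[: -(len(action) + 1)]
            break
    else:
        return None
    m = THREAT_RE.search(rest)
    if not m:
        return None
    return {"path": rest[: m.start()], "threat": m.group(1), "action": action}


def classify_path(path):
    """Bucket a detection by location; the bucket decides how much weight it carries."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix-quarantine"   # inert .vir copy ComboFix had already removed
    if r"\sun\java\deployment\cache" in p:
        return "java-cache"            # applet cached by the JRE; clear the cache (post #6)
    if r"\auslogics\rescue" in p:
        return "tool-rescue-folder"    # Rescue folder of the preinstalled maintenance tool
    return "other"


def triage(lines):
    """Group parsed detections by bucket; lines that do not parse are kept under 'unparsed'."""
    buckets = {}
    for line in lines:
        item = parse_eset_line(line)
        key = classify_path(item["path"]) if item else "unparsed"
        buckets.setdefault(key, []).append(item or line)
    return buckets


def live_detections(buckets):
    """Detections that were live on the system, not leftovers ComboFix had already quarantined."""
    return [item for key, items in buckets.items()
            if key not in ("combofix-quarantine", "unparsed") for item in items]


if __name__ == "__main__":
    buckets = triage(SAMPLE_ESET)
    for key, items in buckets.items():
        print(key, len(items))
    print("live:", len(live_detections(buckets)), "of", len(SAMPLE_ESET))
```

The Qoobox bucket is the one to read first when ComboFix has been run before a second scanner: those hits say only that the second scanner recognises what the first one already removed, which is a different question from whether anything is still active.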
#7
Posted 30 December 2010 - 04:36 PM
Thank you sooo much! You're amazing!
#8
Posted 30 December 2010 - 04:48 PM
To uninstall ComboFix, click [image] > Run... and type in the run dialog box: ComboFix /Uninstall
- Press OK.
-- Vista/Windows 7 users refer to these instructions: How to Enable Run Command in Windows 7 or Vista
- If you encounter any problems using the switch from the Run dialog box, just rename ComboFix.exe to Uninstall.exe, then double-click on it to remove.
- This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.
Please download OTC by OldTimer and save to your Desktop.
- Connect to the Internet and double-click on OTC.exe to start the program.
- Click on the green CleanUp! button.
- If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.
- When it has finished, OTC will ask you to reboot so it can remove itself.
-- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#9
Posted 30 December 2010 - 10:16 PM
#10
Posted 30 December 2010 - 11:47 PM
I recommend taking advantage of the Malwarebytes Anti-Malware (Pro) Protection Module in the full version which uses advanced heuristic scanning technology to monitor your system and provide real-time protection to prevent the installation of most new malware. This technology runs at startup where it monitors every process and helps stop malicious processes before they can infect your computer. The database that defines the heuristics is updated as often as there is something to add to it. Keep in mind that Malwarebytes does not act as a real-time protection scanner for every file like an anti-virus program so it is intended to be a supplement, not a substitute. Enabling the Protection Module feature requires registration and purchase of a license key that includes free lifetime upgrades and support. After activation, Malwarebytes can be set to update itself and schedule scans automatically on a daily basis. The Protection Module is not intrusive as the program utilizes few system resources and should not conflict with other scanners or anti-virus programs. If you choose the free version, you can just use it as a stand-alone scanner, however, Malwarebytes' service (mbamservice.exe) will still show in Task Manager which is normal.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators