BleepingComputer.com: VERY slow, browser pages redirecting, goes black for a few seconds

Hello, Teamaker.

IT looks like we had a trojan, but nothing too major from looking at it. We'll see if the redirects stay gone.

Now, a few things to go.

Step 1

You are using and outdated version of Adobe Reader. Adobe has since been updated and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.

• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  
• Check (highlight) any item with Adobe Reader in the name.
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/download/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 2

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 26 32-bit version. Note that if you have 64-bit windows, the default is to use a 32-bit browser. If you modified your IE to use the 64-bit version, make sure to also download the 64-bit version.
  
• Save it to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java version(s) shown below:
  Java™ 6 Update 23
  Java™ SE Runtime Environment 6 Update 1
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u26-windows-i586-s.exe to install the newest version. If you downloaded the 64-bit version, make sure to install that as well.

Step 3

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need run an OTL Script

• Please download OTL from one of the following mirrors if you do not still have it.
  • This is first Mirror
    
  • This is the second mirror
  
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Paste the following code under the Custom Scans/Fixes box at the bottom.
  

  :OTL
  SRV - File not found [On_Demand | Stopped] -- -- (LiveUpdate)
  SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Ex)
  SRV - File not found [Auto | Stopped] -- -- (Automatic LiveUpdate Scheduler)
  O2 - BHO: (IEHlprObj Class) - {8CA5ED52-F3FB-4414-A105-2E3491156990} - File not found
  O3 - HKU\S-1-5-21-1666486622-773751984-4264904424-1003\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
  O3 - HKU\S-1-5-21-1666486622-773751984-4264904424-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
  O4 - HKLM..\Run: [] File not found
  O4 - HKLM..\Run: [DXDllRegExe] File not found
  MsConfig - StartUpReg: Aim6 - hkey= - key= - File not found
  MsConfig - StartUpReg: HP Health Check Scheduler - hkey= - key= - File not found
  MsConfig - StartUpReg: HPADVISOR - hkey= - key= - File not found
  @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:5C12E68D
  @Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:92D18A5E
  @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:3DA64F2C
  @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:34FC1C45
  :Commands
  [EmptyTemp]
  

  
  
• Click the Run Fix button at the top.
  
• let the program run unhindered and reboot when it is done.
  
• You will get a log when it is done, please post that in your reply.
  
• Please then create a new OTL report....
  
• Click the "Scan All Users" checkbox.
  
• Push the button.
  
• A report will open, copy and paste it in a reply here.

Step 4

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 5

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Windows\is-4O4IC.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares

Hello Etavares,

I received the email from Bleeping Computer that said you had posted however, when I went to the Bleeping Computer website your reply doesn't show up.
I have finished the first two steps successfully. When I got to the third step I opened OTL and pasted the code under the Custom Scans/Fixes box at the bottom. I clicked the Run Fix button at the top and let the program run unhindered, however after only a few minutes it grayed out and a window popped up that said:

OTL has stopped working. A problem caused the program to step working correctly. Windows will close the program and notify you if a solution is available.

When I clicked the Close Program button, on that window, the screen went black. I waited a few minutes and then clicked Ctrl / Alt / Delete and picked switch user to see if the other accounts on the computer were affected. They came up just fine. I went back into the admin account and it was still black. I again clicked Ctrl / Alt / Delete and then clicked Log off from the list. I then logged back into the admin account and everything seemed fine.

I tried running the OTL fix again and the same thing happened. The only difference was that instead of a black screen it was just the desktop picture. I once again clicked Ctrl / Alt / Delete and logged off then logged back in and there was a Notepad window that said:

Files\Folders moved on Reboot...
File\Folder C:\Users\Admin\AppData\Local\Temp\Low\~DF4839.tmp not found!
C:\Users\Admin\AppData\Local\Temp\Low\~DFE1BE.tmp moved successfully.
File\Folder C:\Users\Admin\AppData\Local\Temp\~DFB713.tmp not found!
File\Folder C:\Users\Admin\AppData\Local\Temp\~DFB71F.tmp not found!
File\Folder C:\Users\Admin\AppData\Local\Temp\~DFBB50.tmp not found!
File\Folder C:\Users\Admin\AppData\Local\Temp\~DFBB6D.tmp not found!
File\Folder C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XPQCGZR8\default[1].htm not found!
File\Folder C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XPQCGZR8\page__pid__2361184[1].htm not found!

Registry entries deleted on Reboot...

Of course I haven't done step four or five because three couldn't be finished. I do have Malwarebytes on this computer and it is updated for when we need to use it.

I will be leaving for home and won't be able to work on this computer until this upcoming weekend (August 27-28) so, if you don't hear from me until then, I'm not ignoring your messages. Thanks again for your valuable time and expertise.

Sincerely,
Teamaker

PS. Here are two things it wasn't doing before:

1. The screen will go black for about 5 seconds and then it will come back to normal and there is a balloon at the bottom of the screen that says Display driver stopped responding. This has happened four times since yesterday.

2. When playing the Solitare game (that came preinstalled on the computer) everything will freeze after a few minutes. When you click Alt / F4 it closes the game and then everthing is unfrozen and the game needs to be restarted.

Ok, I feel silly now . I do see your reply. I didn't realize there was a second page. Have a great day!

For now, continue with steps 4 and 5 and we'll dig into the other errors after we get those 2 scans. ANd no worries about the 2nd page. If we're lucky we won't need a third!

Good evening Etavares

It's Friday and I'm back to working on the computer. My Mom said the computer still hesitates when using it (online and off). There are alot of games downloaded on this computer, could that affect it as well? She also said that yesterday when she would try to load one of her games the computer would sometimes freeze and sometimes shut itself down. Today, I logged into the admin account and twice the computer shut itself down, and then started itself back up with a window saying Windows Error Recovery (I clicked start normally).
The third time I clicked start in safe mode and it shut down again, then there was a window that said "Launch Startup repair. Your computer was unable to start", then after running for about a minute it asked me if I wanted to restore the computer using System restore and I clicked "restore". After it went through that process a window said to shutdown the computer for it to go into effect but before I could do that, it shut itself down. So, I don't know if it shut itself down after so many seconds and then it is restored OR if it did the shutdown process that it had been doing for two days. I'm sorry, it just seems to be getting more complicated. I'm trying not to give you unnecessary information.
Anyway, I have completed step 4 and 5, they are listed below:

Step 4 / Malwarebytes updated / Quick Scan:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7583

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

8/26/2011 6:34:40 PM
mbam-log-2011-08-26 (18-34-40).txt

Scan type: Quick scan
Objects scanned: 211229
Time elapsed: 28 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Step 5 / All files unhidden / Jotti results:

Filename:

is-4CR4U.exe

Status:

Scan finished. 0 out of 19 scanners reported malware.

Scan taken on:

Sun 26 Dec 2010 17:10:20 (CET) Permalink





　

File size:

711168 bytes

Filetype:

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5:

296a2fac6a99515a8a57d6af147890e6

SHA1:

44e5e5bedf8527fd15a25ff0fab1cd8cd34b82a8

Scanners



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-25 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



2010-12-25 Found nothing



2010-12-26 Found nothing



2010-12-26 Found nothing



No result available



2010-12-24 Found nothing



2010-12-26 Found nothing






Thank you again

Hello, Teamaker.

You have plenty of free space, so too many games isn't an issue. The system restore does mean that our logs are now outdated as that changes a lot of things in the registry.

Let's see what is going on with the errors.



Step 1

Please download BlueScreenView and save it to your desktop. Extract the ZIP file to your computer, then run BlueScreenView.exe.

After it's done scanning, please select Edit --> Select All from the menu.
Select File --> Save Selected Items and save it to your desktop as BSVLog.txt or a similar name.
Please open the logfile with Notepad copy/paste the contents here.

Step 2

Please post an OTL quick scan so we have a current status of your computer after the system restore.


EDIT: PS> you should also back up anything important on this computer. There are signs of hard drive failure we'll investigate as well.


etavares

This post has been edited by etavares: 28 August 2011 - 05:36 AM

still with me?

Hello,
Yes I am still with you. I am home now and not able to work on the computer until the weekend of September 9, 10, 11. This is my weekend away. As soon as I get there I will complete the steps in your last email. Thank you for your time and patience. I hope you have a nice holiday weekend
Teamaker

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.