Search engine links all being hijacked


  • This topic is locked
20 replies to this topic

#1 AnnaSB

AnnaSB

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 11 December 2009 - 11:06 AM

Hello. All the links generated by any search engine I run are being redirected. This also appears to be independent of which browser I am using (IE or Firefox). I have installed and run Spyware Doctor (found and removed 3 viruses), Malwarebytes' Anti-Malware (found and removed 2 viruses) and Ad-Aware (found nothing). All my scans are currently coming up clean but the hijacking problem is as persistent as ever. I have run HijackThis and am posting the log below. Thank you in advance for any help you can provide, this thing is making me crazy. I am also very worried that any online banking information, passwords, etc, have been or are being compromised. I also don't seem to be able to boot up in safe mode (the computer crashes), not sure if that is related or not. Log is below, thanks again!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:22 PM, on 12/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Anna Borenstein\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://activation.sympatico.ca/wizlet/Repo...?embedded=false
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.epost.ca/printing/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.11.cab?
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SMServer - SMServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12299 bytes
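A first-pass triage of a HijackThis log like the one above, as an added example that is not from the thread or from HijackThis itself: it parses the section codes and flags the entry classes a responder checks first (orphaned BHO CLSIDs, services whose binary is missing or has no recognised publisher, Winlogon Notify DLLs). The sample lines are copied from the log above and the rules are my own heuristics; note that nothing in this user-mode autostart view explains the redirects, which is why the helper moves on to GMER, RSIT and ComboFix, which look below these entries.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above,
# chosen to exercise each triage rule plus entries that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: SMServer - SMServer - C:\WINDOWS\system32\snmvtsvc.exe
"""

# Every HijackThis finding starts with a section code (R0, F2, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    code: str
    severity: str  # "cleanup" (stale registration) or "review" (needs a human look)
    reason: str
    entry: str


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Return (section code, body) pairs, skipping headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def triage_entry(code: str, body: str) -> Finding | None:
    """Heuristic rules (my own, not HijackThis's) for the entry classes worth a first look."""
    # O2/O3/O9: browser helper objects, toolbars and IE buttons whose DLL is gone.
    if code in ("O2", "O3", "O9") and body.endswith("(no file)"):
        return Finding(code, "cleanup",
                       "orphaned CLSID: the registered DLL no longer exists", body)
    if code == "O23":
        if body.endswith("(file missing)"):
            return Finding(code, "cleanup",
                           "service registration points to a binary that is not on disk", body)
        # Layout is "Service: <display name> - <publisher> - <path>"; split from the
        # right so a display name containing " - " does not shift the fields.
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3:
            display = parts[0].removeprefix("Service: ")
            publisher = parts[1]
            if publisher == "Unknown owner":
                return Finding(code, "review",
                               "no recognised publisher; verify the binary's signature and hash", body)
            if publisher == display:
                return Finding(code, "review",
                               "publisher field merely repeats the service name; identify the binary", body)
    if code == "O20":
        # Winlogon notification packages are loaded into winlogon.exe at logon.
        return Finding(code, "review",
                       "Winlogon Notify DLL; confirm it belongs to software you installed", body)
    # Everything else passes, including ProxyOverride = 127.0.0.1, a normal loopback bypass.
    return None


def triage(text: str) -> list[Finding]:
    return [f for code, body in parse_hjt(text) if (f := triage_entry(code, body))]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {"cleanup": 2, "review": 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.code}: {f.reason}\n          {f.entry}")
    print(summarize(triage(SAMPLE_LOG)))
```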


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:54 PM

Posted 17 December 2009 - 04:52 AM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When scanning is ready, click Copy. This copies the log to the clipboard.
  • Post the log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 AnnaSB

AnnaSB
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 17 December 2009 - 03:48 PM

Thank you so much for getting back to me! Yes, I still desperately need help fixing this problem.

I downloaded dds.scr and tried to run it several times. It popped up a window saying something to the effect that it was a diagnostic tool and would perform a scan that should take no longer than 3 minutes. The window then closed, but nothing else happened. I had disabled my anti-virus software to run the tool (PC Tools Spyware Doctor), and am not aware of anything else I could disable that might function as a script blocker. I don't know why this tool did not seem to complete its task.

I was able to run the GMER scan as instructed. I tried to post the log below but received an error saying my post was too long. I then tried to add it as an attachment, but got the message that the file was larger than the available space.

I don't know if it's supposed to be so long, I hope I didn't do something wrong. It did seem to find at least one suspicious file, but I don't really know how to interpret the results.

Could you please provide some suggestions as to how I can get this file to you?

Thanks again for any help you can provide.

Regards,
Anna

#5 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:54 PM

Posted 18 December 2009 - 12:56 AM

Hi,

Give DDS some time to work after disabling protection software first. If it still doesn't work, try to run it in safe mode. Did you try to archive the GMER log into a zip file and then attach it?



#6 AnnaSB

AnnaSB
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 18 December 2009 - 12:28 PM

Hi Blade81,

Thanks again for getting back to me. I tried to run DDS again after disabling Spyware Doctor, but nothing happened after waiting 30 minutes from when the initial window popped up to say the scan should take more than 3 minutes. (By the way, that window only remained open for a few seconds before closing automatically, I don't know if that means anything.)

I tried to start up in safe mode, but have been unable to start in safe mode since this whole thing started. Then again, I have never tried to start up in safe mode before this, so I don't know how long that particular problem has been going on. When I try to start in safe mode, I get the message "A problem has been detected and windows has been shut down to prevent damage to your computer." The stop message displayed at the bottom of the screen is:

STOP: 0x0000007E (0XC0000005, 0x80537009, 0xF7A2A508, 0xF7A2A204)

The only way to get my computer (a laptop) to shutdown so it can be restarted after this happens is to unplug it and remove the battery.

I have zipped my GMER log and have attached it to this post. Also, it may help you to know that most of my search engine links seem to be hijacked to r9237242.cn (Spyware Doctor blocks access when this happens, saying it is a bad website).

I'm hoping that the info above and the GMER log attached can help you to help me. I don't know if this is just an inconvenience or if my confidential data (banking info, passwords, etc) is being compromised.

Thanks so much for your help!

Anna

Attached Files



#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:54 PM

Posted 18 December 2009 - 05:03 PM

Hi Anna,

See if you're able to run RSIT.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)

Edited by Blade81, 18 December 2009 - 05:04 PM.



#8 AnnaSB

AnnaSB
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 18 December 2009 - 07:15 PM

Hi Blade81,

I was able to run RSIT as directed. I have attached the two logs (log.txt and info.txt) that were generated.

Thanks again for your ongoing assistance!!!

Anna

Attached Files

  • Attached File  log.txt   42.82KB   13 downloads
  • Attached File  info.txt   28.77KB   3 downloads


#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:54 PM

Posted 19 December 2009 - 04:58 AM

Hi,

1. Download combofix and save it to Desktop
2. Run it & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & fresh rsit log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

If you have problems with Combofix usage, see here



#10 AnnaSB

AnnaSB
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 19 December 2009 - 01:05 PM

Hi Blade81,

I ran combofix (log attached), followed by RSIT (logs attached).

From the little I can decipher, combofix seems to have cleaned an infected atapi.sys file. This file kept popping up as compromised in a number of previous scans, so a few days ago (before you replied to my post), I had tried replacing it with the atapi.sys file in my windows\servicepackfiles\i386 directory. This fixed the problem for a day but then it came right back. The problem seems fixed again now, so I'm hoping it's more permanent!

The other thing is that I thought I had completely disabled Spyware Doctor before running combofix. I shut it down and it told me my computer would have to be rebooted before Spyware would be completely disabled so I did that too, all before running combofix. When I ran combofix, it told me that Spyware was still operating in the background and that I needed to disable it before continuing. But there were no icons being displayed on my desktop at that stage and I had no way to access Spyware or any other program, so I had no choice but to let combofix continue regardless. I hope this did not diminish its effectiveness, but please let me know if I need to run it again.

Please let me know if there is anything else I need to do. Otherwise, I will let you know within the next 24 hours if the hijacking problem stays resolved or if it comes back.

Thanks SO much for all your help this far!!!

Anna

Attached Files



#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:54 PM

Posted 19 December 2009 - 01:29 PM

Hi,

That does look better :(

Do you recognise C:\WINDOWS\hunter.exe file? If not, upload it to http://www.virustotal.com and post back the results.

Do you use Adobe Acrobat for other duties than to convert documents to pdf files?


Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.


Uninstall this vulnerable Java:
J2SE Runtime Environment 5.0 Update 6


If you use Firefox then update it too.


Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report & fresh RSIT log.



#12 AnnaSB

AnnaSB
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 20 December 2009 - 11:17 PM

Hi Blade81,

Sorry it has taken me so long to get back to you. It was a struggle trying to get the Kaspersky scan to run. I finally figured out how to turn off Spyware Doctor completely but then I seemed to have issues with Java not being enabled for the browser. After several hours of trying this, that and the other thing I got it to run. Good thing, it seems, as it found another whack of worms and trojans and whatnot (sigh).

I have attached the Kaspersky log, along with updated logs (log and info) from RSIT.

BEFORE I ran Kasperky and RSIT, I performed the following tasks:

Hunter.exe was a renamed regedit.exe file, which I deleted. That was a failed experiment from early on in this whole mess.

I use Adobe Acrobat to manipulate PDF files as well as converting other documents to PDF. I removed earlier versions of Acrobat reader (at least I think I did, I'm not completely sure) and installed the latest version.

I checked to see if my Flash Player was up to date. It was not, so I uninstalled it (after downloading the uninstaller) and installed the most recent version.

I uninstalled the version of Java that you specified.

I downloaded and ran ATF cleaner.

So that's where I'm at. Please let me know if there is any way to now get rid of the infections identified by the Kaspersky scan.

As always, thanks a million for all your time and effort. I have no idea how I would be getting through this without you!

Anna

Attached Files



#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:54 PM

Posted 21 December 2009 - 01:26 AM

Hunter.exe was a renamed regedit.exe file, which I deleted. That was a failed experiment from early on in this whole mess.

But you do have original regedit.exe file left there, right?

Delete these files:
C:\Documents and Settings\Anna Borenstein\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000006
C:\Documents and Settings\Anna Borenstein\My Documents\Downloads\unconfirmed 86099.download

Check email messages in this pst file and delete suspicious looking ones:
C:\Documents and Settings\Anna Borenstein\Local Settings\Application Data\Microsoft\Outlook\archive.pst



#14 AnnaSB

AnnaSB
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 21 December 2009 - 10:56 AM

Hi there,

Yes, the original regedit.exe file is still there.

I deleted everything in:
C:\Documents and Settings\Anna Borenstein\Local Settings\Application Data\Google
as I had uninstalled these programs a long time ago (supposedly) so I didn't think they would contain anything I needed.

I deleted:
C:\Documents and Settings\Anna Borenstein\My Documents\Downloads\unconfirmed 86099.download

You said to:
Check email messages in this pst file and delete suspicious looking ones:
C:\Documents and Settings\Anna Borenstein\Local Settings\Application Data\Microsoft\Outlook\archive.pst

but I couldn't figure out how to access these emails (if you haven't been able to tell yet, I am very much a novice at some computer tasks). If I just delete this file in its entirety, will Outlook just create a new one, or will the function of Outlook be compromised if it can't find this file?

Thanks,
Anna

#15 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:54 PM

Posted 21 December 2009 - 02:35 PM

Hi,

Access the .pst file in Outlook and delete suspicious looking email messages (if any) that way :(
