Horrible case of spyware, hijacked Opera browser

Hi everyone,

I'm usually pretty good with this stuff but this case has really baffled me.

So I clicked on a link a couple days ago (in Opera), and got a whole load of popups... I could tell I caught something. Nod32 didn't seem to block it for some reason. Opening the task manager revealed a few new processes (I forget the file names, but they were all 3 letters, like ???.exe) which I promptly ended. I also found their source (I think somewhere in a temp folder), which I deleted.

I did scans with Super Antispyware, MalwareBytes, PCTools Spyware Doctor, Spybot S&D (including immunizations), Sophos Anti-Rootkit, TrendMicro's online virus scanner, Avira, and so forth. Before doing the scans, I had to delete an Opera temp folder, since it had 8.8gb of junk in there suddenly (even after my normal cache/temp file deletion I do through Opera), and had to go through a similar process with an IE temp folder. I also had to re-do my hosts file, which was edited. I then deleted a bunch of suspicious registry keys, had to re-do an options file in my Opera folder which had spam website links in it, and delete a new file that appeared in a /appdata/Opera folder which was a Chinese character. I also got rid of some things through HijackThis. I also had to manually delete the hidden virus folder "comment.htt" from my C:\, among other suspicious files in my C:\.

After all this, I am still getting re-directed to random spam sites when visiting browsing with Opera! Furthermore, when I'm web browsing, I get multiple instances of Opera and IE in my process list. Sometimes it happens because it takes me multiple tries to open Opera. My computer also gets sluggish when opening multiple processes. Also, my cookies folders fill up with spam junk instantly whenever I'm browsing, even if I haven't been re-directed yet. It also changes my Google search results when I search anti virus related queries on Google. I don't believe Opera even uses the hosts file, so I guess thats why fixing that didn't help. My HijackThis list is below. If anyone here can help, I'd be truly grateful!

----

LLogfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:51:28 PM, on 08/03/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Phil\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\Program Files\Tracker Software\PDF Viewer\PDFXCview.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Tracker Software\PDF Viewer\PDFXCview.exe
C:\Users\Phil\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SansaDispatch] C:\Users\Phil\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: Look 'n' Stop Service (lnssvcVista) - Soft4Ever - C:\Program Files\Soft4Ever\looknstop\LnsSvcVista.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe

--
End of file - 4905 bytes

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
• Please Do not Attach logs or put in code boxes.
• Tell me about any problems that have occurred during the fix.
• Tell me of any other symptoms you may be having as these can help also.
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

• Please download DeFogger to your desktop.
  
  Double click DeFogger to run the tool.
  
• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

• Please download DDS by sUBs from one of the links below and save it to your desktop:
  
  
  Download DDS and save it to your desktop
  
  Link1
  Link2
  Link3
  
  Please disable any anti-malware program that will block scripts from running before running DDS.
  
  
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    
  • DDS.txt
  • Attach.txt
• A window will open instructing you save & post the logs
• Save the logs to a convenient place such as your desktop
• Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

• Please Download Rootkit Unhooker Save it to your desktop.
• Now double-click on RKUnhookerLE.exe to run it.
• Click the Report tab, then click Scan.
• Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
• Wait till the scanner has finished and then click File, Save Report.
• Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".


information and logs:

• In your next post I need the following
  
  
• .logs from DDS
• log from RKUnHooker
• let me know of any problems you may have had

Gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
• do you need more time?
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.