8 step results, need help

By oates
Dec 26, 2009
Topic Status:
Not open for further replies.
  1. A little background first. I got infected with the Security Tool malware. I used malwarebytes to remove it. That was a couple days ago. From that point on, I am having problems with anything related to google. Gmail gives me a "data transfer interrupted" error before even loading the login page. I can get to google.com but if I do a search the page goes white and nothing happens. I just completed the 8 step virus/spyware removal instructions and have included my logs. Thanks in advance for the help.
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,748   +156

    You're going to need more in-depth help. Try running the ESET On-Line Scanner and see if you pick up anything else:
    ESET Scanner
  3. oates

    oates Newcomer, in training Topic Starter

    I just ran ESET scanner and found one threat. It was win32/rootkit.kryptik.AFtrojan.
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,748   +156

    Turn off System Restore, rerun the 8-Steps and post the scan results. Turn System Restore back on
  5. oates

    oates Newcomer, in training Topic Starter

    Just completed the second 8-step with system restore off this time. None of the scans found anything malicious.
  6. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,748   +156

    You have a DNS hijacker active according to your new hijackthis log. A router reset and Combofix may be needed now... Stay tuned
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot, oates. I'd like to get you back on track. Unfortunately, the information you've had so far is useless and incorrect.

    Your searches are going to a website in Poland- your Host files have been hijacked.

    Please reopen Hijackthis to 'do system scan only'. Check each of the following if present: Note: the 2 Optional Removals are in green. Check all others:

    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.227 antiviraprof-2009.microsoft.com
    O1 - Hosts: 91.212.127.227 antiviraprof2009.com
    O1 - Hosts: 91.212.127.227 www.antiviraprof2009.com
    O1 - Hosts: 78.159.110.41 www.google.com
    O1 - Hosts: 78.159.110.41 www.google.de
    O1 - Hosts: 78.159.110.41 www.google.fr
    O1 - Hosts: 78.159.110.41 www.google.co.uk
    O1 - Hosts: 78.159.110.41 www.google.com.br
    O1 - Hosts: 78.159.110.41 www.google.it
    O1 - Hosts: 78.159.110.41 www.google.es
    O1 - Hosts: 78.159.110.41 www.google.co.jp
    O1 - Hosts: 78.159.110.41 www.google.com.mx
    O1 - Hosts: 78.159.110.41 www.google.ca
    O1 - Hosts: 78.159.110.41 www.google.com.au
    O1 - Hosts: 78.159.110.41 www.google.nl
    O1 - Hosts: 78.159.110.41 www.google.co.za
    O1 - Hosts: 78.159.110.41 www.google.be
    O1 - Hosts: 78.159.110.41 www.google.gr
    O1 - Hosts: 78.159.110.41 www.google.at
    O1 - Hosts: 78.159.110.41 www.google.se
    O1 - Hosts: 78.159.110.41 www.google.ch
    O1 - Hosts: 78.159.110.41 www.google.pt
    O1 - Hosts: 78.159.110.41 www.google.dk
    O1 - Hosts: 78.159.110.41 www.google.fi
    O1 - Hosts: 78.159.110.41 www.google.ie
    O1 - Hosts: 78.159.110.41 www.google.no
    O1 - Hosts: 78.159.110.41 search.yahoo.com
    O1 - Hosts: 78.159.110.41 us.search.yahoo.com
    O1 - Hosts: 78.159.110.41 uk.search.yahoo.com
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) (AVG)

    O15 - Trusted Zone: http://*.somethingcool.com (HKLM)>> See Optional 1
    O17 - HKLM\Software\..\Telephony: DomainName = lesterville.wan>> See Optional 2


    Optional 1: Trusted Zone: somethingcool.com
    I would encourage removing this from the Trusted sites. It is a legitimate entry, but no reason for it to be able to pass the lower security for this zone-

    Optional 2: unidentified> lesterville.wan
    I can't identify this. Do you have a network set up in the Lesterville area or group> If not, check for removal.

    Close all Windows except HijackThis and click on "Fix Check."

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Include Combofix report in next reply.

    You have 2 out of date Adobe Reader entries. These are vulnerabilities: Acrobat 5.0 and Acrobat 7.0
    Visit this Adobe Reader site get the most current version, v9.xx Uninstall any earlier updates as they are vulnerabilities.

    Rescan with HijackThis and include a new log.
  8. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,748   +156

    "Unfortunately, the information you've had so far is useless and incorrect"...
    There you go again Bobbye! Insulting and rude... I am trying to help, and all you can say is this?
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Tmagic, You're just running up your post count.
  10. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,748   +156

    ... and you're insulting and narcissistic by nature. You think the World revolves around you. Let me be the first to tell you, it doesn't
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    oates, I hope you will continue attempting to clean the system.
     
  12. oates

    oates Newcomer, in training Topic Starter

    I have ran the first hijackthis, and I am ready to run combofix. When you said to disable internet connection, did you want me to close browsers or were you talking about shutting down router or what?
  13. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,748   +156

    Yes Oats,
    just turn off the router disabling the Internet temporarily. Good luck. Sorry about the Bobbye stuff
  14. oates

    oates Newcomer, in training Topic Starter

    Here are the logs for the combofix and hijackthis.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please update and run the Eset Online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Attach the new log to your next reply.

    Reset your Host Files:
    MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

    Scroll down to right below "Editors Note" for the download.

    This isn't the 'catch all' Google Redirect. Has this stopped since we removed the hijacked host files?

    Your Adobe Reader is way out of date> v5. The current version is v9.xx. Having the earlier program presents a vulnerability to your system.
    Visit this Adobe Reader site and get the most current update. Uninstall any earlier updates as they are vulnerabilities.

    Leave the Eset log and let me know your status.

    Edit: I strongly suggest that you install a Recovery Console. This site will walk you through doing it:
    http://www.bleepingcomputer.com/tutorials/tutorial117.html
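A defender-side check for the two hosts-file points in this thread: the hijacked O1 entries Bobbye listed earlier (well-known search domains all pointed at one remote address) and the MVPS-style reset recommended in this post (blocked sites mapped to 127.0.0.1). This is an added Python example, not code from the thread or from HijackThis, ComboFix or MVPS. It parses both raw hosts-file lines and HijackThis "O1 - Hosts:" lines, separates loopback entries from well-known domains mapped to remote IPs, and reports fan-in of several hostnames onto a single address. The sample lines are constructed from the thread's entries plus a few benign ones, and the SENSITIVE_SUFFIXES list is an illustrative assumption, not a complete list.

```python
"""Classify hosts-file entries: loopback sinkholes vs. suspicious redirects.

Added example for the TechSpot thread; not part of any tool named there.
Accepts raw hosts-file lines and HijackThis 'O1 - Hosts:' lines.
"""
import ipaddress
import re
from collections import defaultdict

# Domains that should never be statically mapped to a remote address.
# Assumption: illustrative list only; extend for your own environment.
SENSITIVE_SUFFIXES = ("google.", "yahoo.", "microsoft.com", "bing.com", "live.com")

# HijackThis prefixes each hosts entry with 'O1 - Hosts:'; raw hosts lines have none.
O1_PREFIX = re.compile(r"^\s*O1\s*-\s*Hosts:\s*(.*)$")

# Constructed sample: a mix of raw hosts lines and HijackThis O1 lines.
# The 91.212.127.227 / 78.159.110.41 entries mirror the thread's log.
SAMPLE = """\
# constructed sample, not a real machine's hosts file
127.0.0.1 localhost
127.0.0.1 ads.example.net   # MVPS-style block entry
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 antiviraprof-2009.microsoft.com
O1 - Hosts: 91.212.127.227 antiviraprof2009.com
O1 - Hosts: 78.159.110.41 www.google.com
O1 - Hosts: 78.159.110.41 www.google.co.uk
O1 - Hosts: 78.159.110.41 search.yahoo.com
10.0.0.5 intranet.corp.local
""".splitlines()


def parse_line(line):
    """Return (ip, [hostnames]) for one line, or None for comments/blank/garbage."""
    m = O1_PREFIX.match(line)
    body = m.group(1) if m else line
    body = body.split("#", 1)[0].strip()  # strip trailing comments
    parts = body.split()
    if len(parts) < 2:
        return None
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None  # not an address; skip rather than guess
    return ip, [h.lower() for h in parts[1:]]


def classify(ip, host):
    """loopback: 127.x / ::1 / 0.0.0.0 mappings (what an MVPS hosts file adds).
    hijack:   a well-known domain mapped to a remote address.
    custom:   any other static mapping; worth a manual look but not inherently bad."""
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"
    if any(s in host for s in SENSITIVE_SUFFIXES):
        return "hijack"
    return "custom"


def analyse(lines):
    """Return (verdicts, fan_in): verdicts maps category -> [(host, ip)];
    fan_in maps a remote IP to the sorted hostnames pointed at it when
    three or more share it, the classic shape of a search-engine hijack."""
    verdicts = defaultdict(list)
    by_ip = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, hosts = parsed
        for host in hosts:
            cat = classify(ip, host)
            verdicts[cat].append((host, str(ip)))
            if cat != "loopback":
                by_ip[str(ip)].add(host)
    fan_in = {ip: sorted(hs) for ip, hs in by_ip.items() if len(hs) >= 3}
    return dict(verdicts), fan_in


if __name__ == "__main__":
    verdicts, fan_in = analyse(SAMPLE)
    for cat in ("hijack", "custom", "loopback"):
        for host, ip in verdicts.get(cat, []):
            print(f"{cat:8s} {ip:16s} {host}")
    for ip, hosts in fan_in.items():
        print(f"fan-in: {len(hosts)} hostnames -> {ip}: {', '.join(hosts)}")
```

On a live machine, read the file at `%SystemRoot%\System32\drivers\etc\hosts` (or paste the O1 lines from a HijackThis log) into `analyse`; anything in the hijack bucket, or any remote IP with high fan-in, is what the reset in this post is meant to clear.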
  16. oates

    oates Newcomer, in training Topic Starter

    I thought that I had already taken care of the Adobe Reader problem as I have version 9.2 installed. I thought that installing the new version would get rid of the old one. I think I have version 5 uninstalled now. The google problem is now fixed. The eset scan did not find any threats. I have attached the log.
    I will install a recovery console.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Unfortunately, Adobe doesn't overwrite earlier versions. Java didn't either, but appears to be doing so now.

    Since the problem has resolved and the online scan is clean (it's nice to see a clean one once in a while!) I'll have you remove the cleaning tools and old restore points:

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    If you are prompted to Reboot during the cleanup, select Yes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    Please follow these simple steps to keep your computer clean and secure:

    1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide


    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently.
      You should get All updates marked Critical and the current SP updates:Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often. Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3. Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4. Remove Temporary Internet Files regularly: Use
    5. Use an AntiVirus Software (only one)
    6. Use a good, bi-directional firewall (one software firewall)
    See Understanding and Using Firewalls including links to download a firewall.

    7. Consider these programs for Extra Security
    • Spywareblaster:
    • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad
    • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar Get the free google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know.

    Wishing you a Happy New year!