Computer Infected (HJT report inside)

By MHarrisFTW
Apr 6, 2008
Topic Status:
Not open for further replies.
  1. My computer started showing signs of adware and stuff a few weeks ago with random pop-ups from Internet Explorer (even though I use Firefox).

    This was strange for me because I consider myself to be fairly good with computers, so I'm not going around downloading from shady sites or anything.

    Anyways, it has gotten much worse with programs running and pop-ups and even the desktop warning thing.

    I've run AdAware 2007. It deleted 81 things, but I'm still having trouble.

    So, here is my HJT report. Let me know if you would like me to run anything else to give you more information.

    I appreciate your help, thanks a bunch ahead of time! :)
  2. kritius

    DELDOMAINS

    Download Deldomains.
    • Save it to your desktop.
    • Right-click DelDomains.inf and select: Install (no need to restart)
    • You may not see any noticeable changes or prompts; this is normal.
    Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.


    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  3. MHarrisFTW

    Both are attached because Malware was too big to paste. Hope that's okay. Things seem to be clear now though, so thank you very much and I'll await your evaluation of the logs. :)
  4. kritius

    Will post later with results, and yes, sorry, I meant to say to attach it anyway.
  5. kritius

    P2P Warning!

    • IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

      Limewire and uTorrent

      Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
      Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

      I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

      References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
      http://www.techweb.com/wire/160500554
      http://www.internetworldstats.com/articles/art053.htm
      See Clean/Infected P2P Programs here

      I would recommend that you uninstall LimeWire, Shareaza; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

      If you wish to keep it, please do not use it until your computer is cleaned.

    What can you tell me about this?
    C:\Program Files\ooVoo\ooVoo.exe

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\uprjiefj
      C:\Documents and Settings\All Users\Application Data\xovshodk.dll
      C:\WINDOWS\wdyzobof.dll
      C:\WINDOWS\rypqpurq.dll
      C:\RErE.exe
      C:\WINDOWS\TWFyayBIYXJyaXM\nqIVuV1KsrLVurg.vbs
      C:\WINDOWS\system32\jsxcrijg.exe
      C:\Documents and Settings\Mark\Application Data\W?nSxS\??xplore.exe
      
      Folder::
      C:\Documents and Settings\All Users\Application Data\fgtebifi
      C:\WINDOWS\TWFyayBIYXJyaXM
      C:\Documents and Settings\Mark\Application Data\W?nSxS
      
      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "pfyqbezu"=-
      "Eiz"=-
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
      "q48QyLRDke"=-
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [screenshot: CFScript.txt being dragged onto ComboFix.exe]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    ATF Cleaner

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.

      If you use Firefox:

      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      If you use Opera:

      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program.

    Rename HijackThis.exe to MHarrisFTW.exe by doing the following:

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to MHarrisFTW.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.
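An added example, not part of this thread and not ComboFix's own code: a small Python checker that reads a CFScript like the one in the post above before it is dragged onto ComboFix. It assumes the script conventions visible in the post (a `Name::` header opens each section; Registry:: lines follow .reg syntax, where `"value"=-` deletes a value), flags File:: entries listed twice and registry lines that are missing the trailing `-`, lists which autorun values are being removed, and tries to read any path component of eight or more base64 characters as unpadded base64. That last check is worth having: the generated folder name in the script, TWFyayBIYXJyaXM, is base64 for "Mark Harris", i.e. the malware named its drop folder after the logged-on user. The embedded sample is constructed: it is modelled on the posted script but has one File:: entry repeated and one Registry:: value left without the `-`, so the checker has something to catch.

```python
"""Sanity-check a ComboFix CFScript before running it (added example, not ComboFix code)."""
import base64
import re

# Constructed sample modelled on the script posted in the thread. One File::
# entry is repeated and "Eiz" has no trailing "-" so the checker has work to do.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\uprjiefj
C:\Documents and Settings\All Users\Application Data\xovshodk.dll
C:\WINDOWS\wdyzobof.dll
C:\WINDOWS\TWFyayBIYXJyaXM\nqIVuV1KsrLVurg.vbs
C:\WINDOWS\system32\jsxcrijg.exe
C:\WINDOWS\wdyzobof.dll

Folder::
C:\Documents and Settings\All Users\Application Data\fgtebifi
C:\WINDOWS\TWFyayBIYXJyaXM

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pfyqbezu"=-
"Eiz"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"q48QyLRDke"=-
"""

# Autostart locations (hive stripped, lower-cased) worth calling out explicitly.
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}


def parse_cfscript(text):
    """Split the script into {section: [lines]} using the 'Name::' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("line before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def parse_registry(lines):
    """Yield (key, value_name, action) from .reg-style Registry:: lines."""
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or key is None:
            yield key, line, "unparsed"
            continue
        name, rhs = m.groups()
        # "name"=-  deletes the value; "name"=  with nothing after it is malformed.
        action = "delete" if rhs == "-" else ("incomplete" if rhs == "" else "set")
        yield key, name, action


def decode_base64_component(component):
    """Return the text if a path component is unpadded base64 of printable ASCII."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}", component):
        return None
    padded = component + "=" * (-len(component) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def audit(text):
    """Return the findings a reviewer wants before dragging the script onto ComboFix."""
    sections = parse_cfscript(text)
    files = sections.get("File", [])
    folders = sections.get("Folder", [])
    reg = list(parse_registry(sections.get("Registry", [])))
    encoded = []
    for path in files + folders:
        for comp in path.split("\\"):
            decoded = decode_base64_component(comp)
            if decoded is not None:
                encoded.append((path, comp, decoded))
    return {
        "duplicate_files": sorted({f for f in files if files.count(f) > 1}),
        "incomplete_registry": [(k, n) for k, n, a in reg if a == "incomplete"],
        "autorun_deletions": [(k, n) for k, n, a in reg
                              if a == "delete" and k.lower().partition("\\")[2] in AUTORUN_KEYS],
        "encoded_paths": encoded,
    }


if __name__ == "__main__":
    for heading, items in audit(SAMPLE_SCRIPT).items():
        print(heading)
        for item in items:
            print("   ", item)
```

On the sample, `audit()` reports the repeated `C:\WINDOWS\wdyzobof.dll`, the incomplete `"Eiz"=` line under HKCU\...\Run, the two autorun values being deleted, and the decoded folder name. The base64 filter deliberately requires eight or more characters and printable ASCII output, so ordinary names such as `system32` or `uprjiefj` are not reported; a genuinely random drop name will usually fail that test, which is fine, since the point is to catch names that leak something, not to decode everything.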