Solved Google redirects and popups

Status
Not open for further replies.

PK3

Had a problem with one of those fake antivirus trojans.

Managed to clean that out, but the redirects and pop ups remain.

Firefox seems more affected by it than IE. I've run SAS a few times before I ran the 8 steps, and it kept finding the same cookies even after removing them.

I've posted the logs.

Please help.

Thank you very much in advance for your help.
 

Attachments

  • mbam-log-2010-04-05 (22-15-46).txt
    894 bytes · Views: 1
  • SUPERAntiSpyware Scan Log - 04-05-2010 - 23-19-13.log
    1.5 KB · Views: 1
  • hijackthis 4-6.txt
    10.7 KB · Views: 2
Welcome to TechSpot, PK3. I'll help with the malware.
Tracking Cookies will get on the system again anytime you visit a page that has them embedded. The best way to prevent them is like this:

Reset Cookies
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

Have you set these 2 pages to display blank?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm


If you did set them, no problem. If you did not, I'll have you remove them.

Let's see if Combofix can find the rest of WeatherBug!
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Please attach this report to your next reply.
 
Bobbye:

Thanks for the quick response!

I never set those pages to display blank. Don't know how it got that way.

I've also set the cookies as instructed in IE and added the add-ons to Firefox as instructed.

I've followed your directions, and I'm attaching the CF log.

Thanks for your help with this.
 

Attachments

  • cflog.txt
    40.6 KB · Views: 1
Bad development.

I followed the steps and I think combo fix took me back to a bad restore point as Ave.exe ended up rearing its ugly head right after the comp rebooted.

I ran mbam again and got it out but I'm afraid we may be at square 1 again.
 
Combofix does not take you back to a restore point. Please tell me more clearly what you are experiencing.

I see additional entries that need to be removed. Possible causes of ongoing or additional problems:
  1. c:\winnt\system32\Drivers\sptd.sys>> Driver used by the CD Rom emulation program, Daemon Tools Version 4. There have been some reports of problems with this driver.
  2. You are running Cacheman: Cacheman is a performance enhancement and memory recovery utility. Many of these types of processes consume more system resources than they save.
  3. Do you know what either of the following processes are?
    S3 I80ciame;I80ciame; (there is a malware program named 180 Solutions.)
    S4 Cbidontta;Cbidontta;

  4. You have a questionable entry for a Microsoft DDE+ server. This can cause a shutdown problem.

I can move these processes. But you need to have some confidence in what I'm doing. Sometimes it takes more steps and/or more programs to find and remove all malware entries.

Do you want to continue?

Consider also this file sharing:

c:\program files\uTorrent
c:\documents and settings\Administrator\Application Data\uTorrent


P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
 
Absolutely trust you

Thanks for the reply.

Okay, I have no idea what those are. Feel free to move them wherever you feel.

I uninstalled utorrent when I followed the 8 steps.

So here's what happened: After running Combofix, I just left the computer on, and then after about an hour or so the windows security alerts popped up, and then the XP security center (false program) started running, and when I closed it all down the alert that came up was that ave.exe stopped responding.

I had this before, so I cleared the registry entries for ave.exe (something messing with all executable files) then I erased a prefetch file that had ave.exe in it.

I won't touch that machine until you tell me what to do next.
 
Well, I left my Rule 1 off, so I can't rant at you, but my Rule would have read, in part: don't make any Registry changes!
Quote: "I had this before, so I cleared the registry entries for ave.exe (something messing with all executable files) then I erased a prefetch file that had ave.exe in it. I won't touch that machine until you tell me what to do next."

Let's check this out: "(something messing with all executable files)"

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe

Let me have that log and I'll either give you very bad news or better news! There is a polymorphic file infector named Virut that infects .exe, .scr, .rar, .zip, .htm and .html files. There are bugs in the code and it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.
It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

This scan should either rule it out or show it. I will give you more information accordingly. But since you say that 'it' has affected the executable files, I recommend that you change all of your passwords and monitor any online transactions.
 
Okay, here's the first one:

VirSCAN.org Scanned Report :
Scanned time : 2010/04/07 19:17:30 (PDT)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
Online report : http://virscan.org/report/0c71af4f15b24d4024662ef3d063b633.html


Here's the next one:

VirSCAN.org Scanned Report :
Scanned time : 2010/04/07 19:20:41 (PDT)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 1033728 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
Online report : http://virscan.org/report/7c683eedc038f34d1fcb6726da9c7147.html


and the last:

VirSCAN.org Scanned Report :
Scanned time : 2010/04/07 19:27:22 (PDT)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
Online report : http://virscan.org/report/d696975f489cad6ff9e5cb228d7294f2.html

 
I tried to post the results in the message body, but it wouldn't let me.

I've attached the results in a text file with this post.

Thanks again.
 

Attachments

  • antivir scan.txt
    9.1 KB · Views: 2
That is good news!

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\documents and settings\Administrator\Local Settings\Application Data\2186891745.dll
c:\documents and settings\Administrator\Application Data\uTorrent
c:\winnt\system32\Drivers\sptd.sys 
c:\program files\Cacheman\CachemanServ.exe
c:\winnt\system32\.4c235752\4c235752.exe 
c:\windows\system32\blank.htm
Folder::
c:\program files\uTorrent
c:\program files\Cacheman

RegLock::
[HKEY_USERS\S-1-5-21-3632597231-3036299706-1829074340-500\Software\Microsoft\Internet Explorer\User Preferences]
RegNull::
[HKEY_USERS\S-1-5-21-3632597231-3036299706-1829074340-500\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_USERS\S-1-5-21-3632597231-3036299706-1829074340-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{58292BDF-C0C2-9469-BEB5-334543A966B7}*]

Driver::
sptd
CachemanService
I80ciame
Cbidontta
4c235752
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Then run this online AV scanner:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Follow with rescan and new log for HijackThis. Include all logs and reports in next reply.
 
Alrighty, here is the next crop of logs.

I ran the eset and it found stuff and I've run HJT as instructed.

As I started HJT I got that fake XP Security thing popping up again, so I used task manager to end that program (ave.exe) and then HJT ran fine.

The logs are attached.

I'm keeping my fingers crossed here and saying a prayer to avoid reinstall.
 

Attachments

  • eset log.txt
    2.2 KB · Views: 1
  • hijackthis 4-8.txt
    10.5 KB · Views: 1
Quote: "I got that fake XP Security thing popping up again, so I used task manager to end that program (ave.exe)"
But unfortunately, ending the process does not remove the malware! Please refrain from registry changes, ending tasks, etc. All that does is mask what we are attempting to get rid of!

See if this helps:
Right click and save the Registry file trojan_fakerean_exe_fix.reg

NOTE: Make sure that you are saving the file with a .reg extension.

  • Double click to run the downloaded (trojan_fakerean_exe_fix.reg) registry file.
  • Click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
  • Reopen MalwareBytes> Go to the Update tab and check for updates.
  • Once the update is completed, open the Scanner tab and choose a full-scan.
  • Once the scan is completed, click “Show results“, confirm that all instances of the rogue security software are checked and then click “Remove Selected” to delete them.
  • If prompted restart immediately to complete the removal process.

Now run TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

The Eset log has one entry in Qoobox; this is okay, that's the quarantine folder for Combofix. The other entries, for System Volume, are restore points. I will have you drop those when the system is clean. In the meantime, please do not use this feature.

Where is the log that was produced after you ran the CF Fix? I need to see what was successfully removed. This is still running:
C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe
 
Sorry, I thought I attached the Combo Fix log.

Here it is.

I've also attached the MBAM log from this morning.

I followed your steps and ran the TFC as directed.

Thanks,

pk
 

Attachments

  • cflog.txt
    26 KB · Views: 1
  • mbam-log-2010-04-09 (11-15-20).txt
    2.5 KB · Views: 1
Oh no! How did you get malware in Firefox?! Have you updated or added anything to Firefox since the last scan?

There was one locked registry file that didn't open in CFFix. Let's try again. Give me the new fix log after and I'll compare the Firefox entries:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::

RegNull::
[HKEY_USERS\S-1-5-21-3632597231-3036299706-1829074340-500\Software\Microsoft\SystemCertificates\AddressBook*]

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
 
No, I didn't add anything to firefox. I've been avoiding even opening firefox if I can help it.

I've run the script as instructed. Here is the log.
 

Attachments

  • cflog.txt
    24.4 KB · Views: 2
Please do a new scan with the Eset online scanner. I want to see if there is anything new there. Don't worry about those entries for System Volume and Qoobox- I explained these.

I'd also like a new scan with HijackThis. There are some entries that I want to remove if they are still there.

You can paste both logs into your next reply.

Are you still having the original problem- pop-ups and redirects? Any new problem?
 
Okay, here's the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=22ce2b31eec64a4aa40ba7470c6665ae
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-09 04:34:27
# local_time=2010-04-08 09:34:27 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 5649156 5649156 0 0
# compatibility_mode=1024 16777215 100 0 10909433 10909433 0 0
# compatibility_mode=1797 16775145 100 94 0 36143811 299965 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=96171
# found=8
# cleaned=0
# scan_time=6854
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\2186891745.dll.vir a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069723.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069724.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069725.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069726.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069727.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0070759.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0071867.dll a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=22ce2b31eec64a4aa40ba7470c6665ae
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-10 05:43:04
# local_time=2010-04-09 10:43:04 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 5739011 5739011 0 0
# compatibility_mode=1024 16777215 100 0 10999288 10999288 0 0
# compatibility_mode=1797 16775145 100 94 0 36233666 389820 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=96392
# found=10
# cleaned=0
# scan_time=7515
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\2186891745.dll.vir a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069723.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069724.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069725.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069726.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0069727.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0070759.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP532\A0071867.dll a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP533\A0072024.exe a variant of Win32/Kryptik.DLI trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP533\A0073023.exe a variant of Win32/Kryptik.DLI trojan 00000000000000000000000000000000 I

The HJT log is attached because it won't fit in the post.

Same problems. XP Security Center keeps coming back up after keeping the machine on for a while.

ESET found something called Kryptik Trojan as you can see. I set the ESET scanner not to remove as instructed before, so I'm guessing it's still there.

Thanks for sticking with me through this.
 

Attachments

  • hijackthis.log
    10.6 KB · Views: 1
Entries in Eset have all been handled. The Qoobox is where Combofix sends a quarantined file and System Volume is where the Restore points are kept. These are not active in your system and will be removed at the end. There is nothing new in the Eset log.

Please reopen HijackThis to 'do system scan only.' Check each of the following entries if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)>> AVG LinkScanner
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab


Close all Windows except HJT and click on "Fix Checked."

Questions:
You have an Active X entry for NaverFileControl Control: I can't find any English sites for this. Are you familiar with this? Did you install it?
You have an Active X entry for kdfense8 Control: This appears to be related to online games, but no other info was available. Is this something you have installed?

Please check these settings:
Control Panel> Security Center> Automatic Updates> which of the 3 choices have you checked?
Control Panel> Add/Remove Programs> Check 'Show Updates'> What is the date of the last Windows Update?
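As an added example (not code from the thread, from ESET or from ComboFix), here is a small Python triage script that applies Bobbye's rule from the post above to an ESET Online Scanner log in the layout PK3 posted: hits under C:\Qoobox (ComboFix quarantine) and under System Volume Information (restore points) are inactive, anything else is still live and needs attention. The sample log is constructed in that layout, and the PLACEHOLDER.exe path in it is made up for illustration.

```python
"""Triage an ESET Online Scanner log the way the helper does in the thread.

Added example, not part of the thread: it separates detections that live in
ComboFix's Qoobox quarantine or in System Restore points (inactive, dealt
with at the end of the cleanup) from anything still on the live file system.
The ESET log file appends a new run each time the scanner is used, so the
parser splits the file into runs first and triages the most recent one.
"""
import re
from collections import Counter

# Constructed sample in the layout posted above: two appended runs. The last
# line of the second run is a made-up placeholder path, NOT from the thread.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=false
# utc_time=2010-04-09 04:34:27
# scanned=96171
# found=1
# cleaned=0
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\2186891745.dll.vir a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
# version=7
# end=finished
# remove_checked=false
# utc_time=2010-04-10 05:43:04
# scanned=96392
# found=3
# cleaned=0
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\2186891745.dll.vir a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\\RP533\\A0072024.exe a variant of Win32/Kryptik.DLI trojan 00000000000000000000000000000000 I
C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\PLACEHOLDER.exe a variant of Win32/Kryptik.DMR trojan 00000000000000000000000000000000 I
"""

# A detection line is: <path> <threat name> <32 hex digits> <flag>. The path
# may contain spaces, so the threat name is recognised by ESET's
# Platform/Family form ("Win32/Kryptik.DMR"), which cannot occur in a path.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9]+/\S.*?)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)
HEADER_RE = re.compile(r"^#\s*(?P<key>[A-Za-z_]+)=(?P<value>.*)$")


def split_runs(log_text):
    """Each scan run starts with '# version='; return the lines of every run."""
    runs = []
    for line in log_text.splitlines():
        if line.startswith("# version="):
            runs.append([])
        if runs:
            runs[-1].append(line)
    return runs


def classify(path):
    """Where does the detected file live? Mirrors the helper's reasoning."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\"):
        return "quarantine"        # ComboFix already removed it from service
    if "\\system volume information\\_restore" in p:
        return "restore_point"     # dormant unless System Restore is used
    return "active"                # still on the live file system


def triage_run(lines):
    """Parse one run: header key/values plus classified detection lines."""
    headers, detections = {}, []
    for line in lines:
        h = HEADER_RE.match(line)
        if h:
            headers[h.group("key")] = h.group("value")
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append({**d.groupdict(), "where": classify(d.group("path"))})
    found = int(headers.get("found", "0"))
    return {
        "when": headers.get("utc_time"),
        "found": found,
        "cleaned": int(headers.get("cleaned", "0")),
        "parsed_ok": found == len(detections),   # header count matches lines?
        "counts": Counter(d["where"] for d in detections),
        "active": [d["path"] for d in detections if d["where"] == "active"],
        "threats": sorted({d["threat"] for d in detections}),
    }


def triage_log(log_text):
    """Triage only the most recent run; earlier runs are history."""
    runs = split_runs(log_text)
    if not runs:
        raise ValueError("no '# version=' header found; not an ESET log")
    return triage_run(runs[-1])


if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG)
    print(f"run {report['when']}: {report['found']} found, {report['cleaned']} cleaned")
    for where, n in sorted(report["counts"].items()):
        print(f"  {where:14} {n}")
    for path in report["active"]:
        print("  ACTIVE:", path)
```

A `parsed_ok` of False means the log's own `# found=` count disagrees with the lines the parser recognised, so the format has changed or a line was mangled when pasted.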
 
I know the NAVER entry, but the kdefense entry is foreign to me.

I've run HJT as instructed and removed what you told me.

Automatic Updates is set to Automatic.

The last Windows XP update was on 08/15/2009 Hotfix for Windows XP KB954550-v5

That's kind of strange because I recall this thing updating regularly.

Do you think I should remove firefox and reinstall it because of the malware that was in it?

Thanks again!
 
Automatic Updates is set to Automatic.
The last Windows XP update was on 08/15/2009 Hotfix for Windows XP KB954550-v5

I asked you to check this because I thought the update notice you're getting 'might be/could be' for the MS updates. And it sounds like it is. If there was a failed update, later updates wouldn't have loaded. Go to the Microsoft Download Site and manually install any updates since the last date you show.

When finished, reboot the computer, let installations complete. See if that stops the notices. You should get All updates marked Critical and the current SP updates.

The only security program indication in the Combofix heading is:
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

This indicates 1. You have an outdated version of AntiVir and 2. It wasn't disabled to run Combofix. Please bring the AV program up to date now. Reboot the computer after installation. Then disable it and run Combofix again: Attach new report to next reply along with a new HijackThis scan log:

Summary:
1. Bring Windows Updates current
2. Bring antivirus program up to date.
3. Disable all security programs per instruction and run Combofix again: leave new report.
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
4. Rescan with HJT -leave new log

Hold off on uninstalling/reinstalling Firefox.
 
little snag

I've updated Avira, but Windows won't update.

I have tried to update Windows using the link you gave me and the windows update shortcut, but the page won't access. It says that the page is unavailable.

I've tried to get in to the updates through the main site at www.microsoft.com but no luck.

FYI, I ran combofix last time in Safe Mode with Networking, and Avira wasn't on. I don't know why it came up as "enabled". All the same, I'll run Combofix again and HJT as soon as I figure out how to update Windows.

Thanks
 
PK, I tried to check the update site for you but Microsoft won't let me in with Firefox.
 
I tried accessing it using IE8. I've also tried using the Windows Update under the start menu, but that just pulled up the same site that says I cannot connect to the site. It behaves as if my internet connection is off altogether.

I've attached the CF and HJT logs that were just run.

Thanks
 

Attachments

  • hijackthis 412.txt
    9.7 KB · Views: 1
  • cflog 4-12.txt
    25.1 KB · Views: 1
PK, I don't think the update problem is related to malware. If you re-post about not getting updates (and the security notice, which I think is for these updates), someone in the other Tech Support forum for BSOD and other Windows problems might be able to help with the update problem. I got you to find that problem but I can't fix it.

If your original pop-up problem has been resolved:
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if I can be of further help.
 
thanks. you've been a huge help.

last thing and I'll leave you alone: Should I remove and reinstall firefox?
 