Kaelkitty
Posts: 84 +0
Hi,
I was directed here by Chuck (of Software by Chuck fame). I have yet another case of the Search engine redirect virus lurking in my system. I gather from reading and searching online that I am not alone! I have read all of the stickies here and printed out the 8-step program but I think I need a bit of hand holding to complete it successfully.
This is a summary of my efforts so far.
Step 1: I have both AVG Free 9 and Spybot S&D. Both programs are always on, always running with daily updates - S&D updates and runs at 2AM and AVG at 4AM. Windows XP Auto Update runs at 3AM - I figured that SHOULD do. I have other AV software on my system to try if those fail but those are the two mainstays.
Step 2: Downloaded and Ran TFC - removed 186 MB of temp files.
Step 3: Checked with Microsoft: I have Microsoft Windows XP Home Edition Version 2002
Service Pack 3 with all the latest Security Updates.
Checked with Java - I have the latest Java installed (Version 6 Update 20).
I had trouble with Adobe Reader. I hadn't used it for ages (this system is a bit old and slow and PDFs tend to hang on it). I downloaded from the link on the 8-steps page, but when I tried to install it I repeatedly got the following error message.
Error 1316. A network error occurred while attempting to read from the file
C:\Documents and Settings\User_2\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\AdbeRdr930_en_US.msi
Clicking on OK gave
Setup Completed
Setup was interrupted before Adobe Reader 9.3.2 could be completely installed.
Your System has not been modified. To complete installation at another time please run setup again.
Click Finish to exit Setup.
After 3 repeats of that I gave up and went to Add and Remove Programs and removed the Adobe Reader entirely then I re-installed Reader from the Adobe Download page.
I don't know whether this was just a peculiarity of my own system or not, but you might want to get someone to check that link and the download it links to!
I have checked in add or remove programs - there are only these versions of Java and the Reader installed.
Step 4: Installed and ran MBAM - annoyed to find 5 things, which I followed your instructions on, checked and acted on. Here is the MBAM log info.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4245
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
27/06/2010 3:29:58 PM
mbam-log-2010-06-27 (15-29-58).txt
Scan type: Quick scan
Objects scanned: 135321
Time elapsed: 12 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I got the restart prompt - (I hate restarting my system, by the way; it takes forever because I have a lot of utilities in my Startup which I need because I have disability issues due to visual problems and other things associated with my Asperger's/Autism Syndrome Disorder)
When the system came back on line things got interesting - Windows had a fit and said my firewall was down and basically kept bugging me about it until I re-enabled it. I found this odd, because I thought it was OFF before I started this process and it had ALWAYS been off, because AVG and S&D were doing that job for me - WEIRD!
Now I am up to step 5, which is where I think I need a bit of help.
I have downloaded and saved the GMER file to my desktop
Question 1: # Disconnect from the Internet and close all running programs.
Does this include closing the Notepad file I am using to document this debugging process?
Does this include all the stuff in the System Tray?
I permanently have the following in my System Tray:
Spybot-SD Resident
OpenOffice.org 3.0 Quickstarter
Kodak Easyshare Starter
Sharp Button Manager A
DU Meter
Date in Tray Calendar
Wake Me Up! State
Roboform
Atomic Clock Sync
AVG Anti-Virus Free
ATI Control Panel
Volume Control
Ebay Alerts
Question 2: # Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
I know how to Exit SD Resident and AVG, but I am not sure how to kill the windows firewall that it just made me enable!
I await a reply at your convenience.
Yours Sincerely, Kaelkitty.
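An added example, not part of the original post: a small Python parser for the MBAM log format quoted above that pulls out each detection and flags the two Security Center DisableNotify values. Those values being set to 1 silence the Windows Security Center warnings about antivirus or firewall status, which fits the firewall warnings only appearing after MBAM reset them; the sample log is a constructed excerpt of the one in the post.

```python
import re

# Constructed excerpt in the format of the MBAM log quoted in the post above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Scan type: Quick scan
Registry Keys Infected: 2
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<family>) -> <rest>"; data items carry Bad/Good values in <rest>.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return one dict per detection, tagged with the log section it came from."""
    section, items = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("Infected:"):          # section header, e.g. "Registry Keys Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = ITEM_RE.match(line)
        if section is None or m is None:        # summary counts, banner lines, "(No malicious ...)"
            continue
        rec = {"section": section, "path": m.group("path"), "family": m.group("family")}
        d = DATA_RE.match(m.group("rest"))
        rec.update(d.groupdict() if d else {"action": m.group("rest")})
        items.append(rec)
    return items

def security_center_tampering(items):
    """Names of Security Center *DisableNotify values the scan found set to 1; a value of 1
    hides the Security Center warning for that component, so the user never sees it is off."""
    return [rec["path"].rsplit("\\", 1)[-1] for rec in items
            if rec["family"] == "Disabled.SecurityCenter" and rec.get("bad") == "1"]

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(len(found), "detections; silenced notifications:", security_center_tampering(found))
```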