[Inactive] Unknown malware redirecting web search results + poor PC performance

By Lorelei
Mar 15, 2010
Topic Status:
Not open for further replies.
  1. Hello there.

    Problems have been increasing in the last few days.

    It started with my web search results being redirected to websites such as MyLocalHero, regardless of what browser or search engine I use.

    Now:

    My PC is running really slow while in Normal Mode.

    The Just-In-Time feature has been popping up an awful lot lately.

    Everytime I open Google, I get the following message:

    "www.google.com:443 uses an invalid security certificate. The certificate is not trusted because it is self-signed." (Says something about it having expired.)

    To make matters worse, I can't open Task Manager at all. I know it's not disabled; I checked the registry. In a, presumably, foolish move that could've worsened the situation, I tried to reinstall it by logging in as Administrator in Safe Mode, but the related dll file seems to be corrupted; can't be too sure, though.

    I've run Spybot - S&D— it detected 44 problems, but I don't want to take action until I get more information—, Malwarebytes', and ran Disk Cleanup; problem remains there.

    While running the HijackThis scan, I got the following message:

    "For some reason your system denied write access to Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

    "If that happens, you need to edit the file yourself. To do this, click Start, Run and type: notepad C:\WINDOWS\System32\drivers\etc\hosts and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.' (with quotes), and reboot."

    I was hoping someone could help me out by reading my HijackThis log and giving me instructions on what actions to take.

    I really don't know what else to do.

    Thanks in advance.

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 45,317   +243

  3. Lorelei

    Lorelei Newcomer, in training Topic Starter

    Having problems with steps 3 and 6.

    Step 3- I downloaded Avira Antivir, and since it appears on the list of common real time monitoring programs that you have in some other thread, I tried to find it so I could disable it, but it's nowhere to be located. The only trace of its existence is the desktop icon avira_antivir_personal_en.exe; when I double-click it, it will only repeat the installation process.

    Step 6- I downloaded the latest version of Java. However, when I try to install it, I get this message:

    "The system administrator has set policies to prevent this installation."

    Then another one with the following:

    "To restart the Java(TM) installer, please refresh the web page."

    Did the latter; no result.

    Any ideas?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Just helping out until Broni starts his day.

    1. IF you already have a functioning, updating antivirus program, you do nit need to put Avira on.
    2. These preliminary programs only require you to stop the Real Time Protections such as TeaTimer, AdWatch and a couple of others. As far as I know, Avira does not have a resident running.
    3. Skip Java for now. complete the rest and leave the logs.

    Now the information he needs will be available. It's all yours Broni.
  5. Lorelei

    Lorelei Newcomer, in training Topic Starter

    Completed the 8 steps.

    PC still presenting the above-mentioned symptoms, as well as the HijackThis message that I told you about.

    Most recent logs below.

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Loreile, you have signs of a Vundo infection. I think Broni would have you run Combofix next:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.
    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    .
    Even though you mention the system is slow in Normal Mode, unless otherwise directed, it would be best to run the scans in Normal Mode. I notice you used Safe Mode with networking in HJT. There are many entries showing with 'no file'. I don't know if this is because of the mode.

    Repeat HJT after Combofix. Leave both the Combofix report and new HJT log for Broni.
  7. Lorelei

    Lorelei Newcomer, in training Topic Starter

    New PC behavior

    Task Manager is functioning again, but flash videos have no audio, and I can't listen to music online either. It's not muted and I have it on full volume, so I'm wondering if this could be related to whatever is messing with my computer and internet. I'm hoping this fix helps me in that aspect, but if there's anything else I should be doing, I'd be grateful for any suggestions.

    Also, while running Combofix, a message popped up telling me that Security Guard was running. I read a thread on this site informing that it's a rogue and I've been following the removal procedures on said thread. So far, it has detected 4 infected objects, except that I'm left unsure if I should go on with the Malwarebytes' full scan process mentioned in that thread and post the log here.

    Thanks for reading and sorry for showing up with new inconveniences in every reply :eek:
  8. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    Please, post Combofix and HJT logs.
  9. Lorelei

    Lorelei Newcomer, in training Topic Starter

    Combofix log and latest HijackThis log below.

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    Before you proceed with my Combofix fix listed below, please go to Add\Remove and uninstall SpyZooka and Registry Mechanic (if listed/doable).
    If something doesn't work, let me know.

    You're running two AV programs, Avast and Norton.
    One of them has to go, preferably Norton.
    If so, use Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
    Turn Windows firewall on.

    Next...

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\76A0946BB3.sys
    c:\windows\system32\B36B94A076.sys
    c:\windows\system32\lfvnsmli.tmp
    c:\documents and settings\All Users\Application Data\7bc67\SG6eb.exe
    c:\progra~1\SpyZooka\spyguard.dll
    
    
    
    Folder::
    c:\documents and settings\NetworkService\Application Data\Security Guard
    c:\documents and settings\All Users\Application Data\SGRAKPD
    
    
    Driver::
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Security Guard"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyZooka]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000000
    
    
    RegLockDel::
    
    SecCenter::
    {9E24F96E-46E1-4212-BBA1-EBD1B33BFD2B}
    {372E9C14-EA98-43F3-A3B3-2A768DBA90FB}
    
    RegNull::
    [HKEY_USERS\S-1-5-21-2003803947-2740744539-4106348815-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{778C369F-F696-51E5-EC21-CBC33B91DAA3}*]
    [HKEY_USERS\S-1-5-21-2003803947-2740744539-4106348815-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D3931BA3-02F0-2292-7206-A37607B6E735}*]
    
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  11. Lorelei

    Lorelei Newcomer, in training Topic Starter

    Latest ComboFix and HijackThis logs...

    Attached Files:

  12. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\edacded0.dat
    c:\program files\5_keygen.exe
    c:\program files\uninstall.dat
    c:\program files\Uninstall.exe
    c:\program files\0x040c.ini
    c:\program files\0x040a.ini
    c:\program files\0x0407.ini
    c:\program files\0x0410.ini
    c:\program files\0x0413.ini
    c:\program files\0x0409.ini
    
    
    
    Folder::
    c:\program files\Common Files\Symantec Shared
    c:\program files\Symantec
    c:\documents and settings\All Users\Application Data\Symantec
    c:\program files\SpyZooka
    
    
    Driver::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnligDu]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommnnl]
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  13. Lorelei

    Lorelei Newcomer, in training Topic Starter

    ComboFix and HijackThis logs: Below.

    Attached Files:

     
  14. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    Looking good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.