Looks ok, but it's not

Hi, I've followed the 8-step procedure for the past week or so, trying to get my PC working smoothly again, but there's something that was able to bury itself pretty deep that causes: a) Firefox to get hijacked occasionally, b) pages to load at a much slower speed than before. The attached log files contain both the initial and most recent logs for each program recommended, as well as an additional SAS log from last night that found several tracking cookies. Any help would be much appreciated. Thank you.
 
The Tracking Cookies are the least of your worries! I see you installed Avira sometime between 1/7 and 1/14. You should run a scan with the new, updated program.

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {52C6322C-4049-403E-ACB0-B7FE44E3C1F3} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byXQIYrq.dll
O2 - BHO: (no name) - {7FA625A8-195A-4617-91E9-53E6DFC71827} - C:\WINDOWS\system32\urqRHbAP.dll
O18 - Filter: text/html - {9bc6db65-00e4-4a6e-9185-2d21efa597ff} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll ysqvom.dll
O20 - Winlogon Notify: byXQIYrq - C:\WINDOWS\SYSTEM32\byXQIYrq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Open IE> Tools> Internet options> Security tab> Trusted Zone> Sites> remove all of the following sites from the Trusted Zone:
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)O20 - AppInit_DLLs: lxddrr.dll
gomyhit.com has been reported as an "attack site". It is not secure and presents a danger to your system.
Reboot into Normal Mode
Run ComboFix:
Please download ComboFix. HERE:

1. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
2. Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.
3. Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Rescan with HijackThis when through and attach both ComboFix and HijackThis logs.
 
Open IE> Tools> Internet options> Security tab> Trusted Zone> Sites> remove all of the following sites from the Trusted Zone:
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)

Then click on Restricted Sites> Sites> type the following in> click on Add after each:
*.antimalwareguard.com
*.gomyhit.com
(use the * as it acts as a wild card)

Then run SDFix:

Download SDFix from HERE and save it to your Desktop.

1. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
2. Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
3. Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
4. Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
5. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here

Follow with rescan with HijackThis. Attach new log.

Both Java and Adobe Reader need to be updated:
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 11 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Remove the older versions of Java:
Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Remove older versions of Adobe.
 
Thanks again, Bobbye.

Had to remove the two sites manually from the registry, since they weren't showing up as 'trusted' in IE, but were obviously there because of the error message I got when I tried to restrict them.

Updated Adobe; Java was apparently already the latest version.

Relevant logs are attached. No trojans found, apparently. How does it look to you?
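As an added, defender-side example that is not part of either poster's instructions: the O15 Trusted Zone lines and the O20 AppInit_DLLs line in the HijackThis log come straight from the registry, and this PowerShell audit lists the IE zone map from both HKCU and HKLM (including the EscDomains list, which the Sites dialog does not display, one reason entries can be "in the registry but not in IE") and reports the AppInit_DLLs value. It assumes a Windows host with PowerShell and an elevated prompt for reading HKLM; the registry paths are the standard ones and the function names are mine.

```powershell
# Added example, not from the thread: audit the registry locations behind HijackThis
# O15 (IE zone map) and O20 (AppInit_DLLs) entries. Assumes Windows with PowerShell,
# run from an elevated prompt so the HKLM hive can be read. Function names are mine.
$zoneNames = @{ 0 = 'Local'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-ZoneMapEntries {
    foreach ($hive in 'HKCU', 'HKLM') {
        # Domains is what the Sites dialog edits; EscDomains (Enhanced Security
        # Configuration) is a second list that the dialog does not display.
        foreach ($list in 'Domains', 'EscDomains') {
            $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$list"
            if (-not (Test-Path $base)) { continue }
            foreach ($key in Get-ChildItem -Path $base -Recurse) {
                # Key path "gomyhit.com\www" means host www.gomyhit.com; a value named
                # '*' covers every scheme, 'http'/'https' just that scheme.
                $parts = ($key.Name -replace "^.*\\$list\\", '') -split '\\'
                [array]::Reverse($parts)
                foreach ($valueName in $key.GetValueNames()) {
                    [pscustomobject]@{
                        Hive   = $hive
                        List   = $list
                        Host   = $parts -join '.'
                        Scheme = $valueName
                        Zone   = $zoneNames[[int]$key.GetValue($valueName)]
                    }
                }
            }
        }
    }
}

function Get-AppInitDlls {
    # AppInit_DLLs is loaded into every process that links user32.dll, which is why
    # a stray entry such as the thread's lxddrr.dll keeps showing up after cleanup.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $value = (Get-ItemProperty -Path $key -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    return @($value -split '[ ,]+' | Where-Object { $_ })
}

$entries = @(Get-ZoneMapEntries)
$entries | Sort-Object Hive, List, Zone, Host | Format-Table -AutoSize
foreach ($e in $entries | Where-Object { $_.Zone -eq 'Trusted' }) {
    Write-Warning "Trusted zone: $($e.Host) ($($e.Scheme)) in $($e.Hive)\$($e.List); confirm it is intentional."
}
$dlls = Get-AppInitDlls
if ($dlls.Count -gt 0) { Write-Warning ("AppInit_DLLs is set: " + ($dlls -join ', ')) }
else { Write-Output 'AppInit_DLLs is empty.' }
```

Anything listed as Trusted that you did not add yourself, and any DLL in AppInit_DLLs that is not from a security product you installed, is worth checking against the HijackThis log before you fix it.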
 
Had to remove the two sites manually from the registry, since they weren't showing up as 'trusted' in IE, but were obviously there because of the error message I got when I tried to restrict them.
Did you reboot after you restricted the sites, then run HijackThis?

The AppInit_DLLs: lxddrr.dll entry is still coming up. I had that checked to be removed, but see I put it on a line with another process and you might not have seen it. So:
1. Did you have HijackThis remove AppInit_DLLs: lxddrr.dll?
2. Did you get the sites into the Restricted Zone?
3. Did you reboot after restricting the sites?

If these are all Yes, I will find someone to write code for the removal- I don't write code, so give me the answers and we'll go from there. The logs are okay except for this one stubborn entry!
 
You're right, I did miss it. Just removed it with HJT.

Yes, I was able to add the sites to the restricted zone. I then installed SDFix and booted into Safe Mode. Not sure if that technically qualifies as rebooting after restricting the sites though...

Overall, I haven't seen any hijacking attempts since you've helped me out, but pages are still loading slower than before the infection. I'm wondering if this is just due to something innocuous like Avira and SAS slowing things down (had no AV program installed before; I figured just using Firefox would be enough to guard against attacks - wishful thinking, I guess).

Here's the newest HJT log, btw. Thanks!
 
I figured just using Firefox would be enough to guard against attacks
Firefox is "only" a browser. While it does have some security settings within it, in itself, it is not a security program. You need the following to have layered protection:
1. Antivirus program
2. Firewall
3. Two or more spyware/adware programs.

Your HijackThis log is clean so we will remove the cleaning tools:

Download OTCleanIt HERE & save it to your desktop.
1. Double click on OTCleanIt.exe.
2. Click on CleanUp!.
3. It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
4. You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
1. Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
2. Select the *More options* tab
3. Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

Your 'speed' is influenced by programs and processes that are starting on boot. I have prepared the following for you. These are all "nuisance startups"- they do nothing important, use resources and can be UNCHECKED on the Startup menu:

RANDOM STARTUPS
Stop all these Global Startups: Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK each:
1. HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
2. InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Registration Manager for WinDVD)
3. Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog)
4. Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
(monitors for a Nikon CoolPix camera being connected via USB port.)
5. NeroFilterCheck= C:\WINDOWS\system32\NeroCheck.exe
6. [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
7. [OEM05Mon.exe] C:\WINDOWS\OEM05Mon.exe
8. [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
9. [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
10. [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
JAVA
1. UNCHECK all Java entries on the Startup menu: Start> Run> msconfig> enter> Selective Startup Startup tab.
2. Open IE> Tools> Manage add-ons> right click on 'Java (tm) Plug-In 2 SSV Helper' (jp2ssv.dll)> Click on and Disable Java Plugin2 and Java Quick Start.
3. Start> Run> services.msc> right click on JavaQuickStarterService)> Properties> Change Startup Type to Disabled> Stop the Service
4. [SunJavaUpdateSched] Stop as follows:
Control Panel> Java> Update tab> UNCHECK 'Check automatically for updates'> Answer Yes when asked to confirm
QUICK TIME
1. Use msconfig to UNCHECK any QuickTime entries on Startup> Apply> OK
2. Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
3. Rename the qttask.exe file:
Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.
ITUNES Big resource user!
iTunesHelper.exe
Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. It is thought that this task used to be a 3rd party add-on program in the early days of Apple's iPod when its iTunes software was incompatible with many CD-Writers. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
1. UNCHECK on Startup menu using msconfig. It uses nearly 6MB of memory.
BONJOUR/MDSRESPONDER:
Usually installed by Apple for iTunes. But also 'pre-checked' to load with the new Adobe CS3 applications, "mDNSResponder.exe" is installed somewhere in the install process. Used in iTunes files sharing
IF you do not use this process, it is best to stop and uninstall it. Here's how to safely uninstall Bonjour and remove mDNSResponder.exe:
1. Go to Start > Run > type the command below and hit OK.
"%PROGRAMFILES%\Bonjour\mDNSResponder.exe" -remove
2. Right click on Start> Explore> Programs> Bonjour> right click on mdnsNSP.dll> rename to> mdnsNSP.old
3. Restart your computer (see note regarding reboot)
4. Delete the Program Files\Bonjour folder

The first command will stop and remove Bonjour Service from your computer. To confirm, go to Start > Run and type services.msc. Look for Bonjour Service name. If it’s not there, you’ve successfully removed it.
ADOBE READER SPEED LAUNCHER:
1. Use msconfig to remove from Startup
These are all based on your particular startups. Taking them off Startup does not mean you can't use the program or application. Just start it manually from All Programs when needed.

Any Services (in the O23 section) that correspond to the processes you have stopped should be set to Manual Startup type:
Start> Run> services.msc> right click on the Service> Properties> Change to Manual> Stop the Service.

Let me know if you notice an improvement.
 