Ran 8 Steps, please see logs attached

[ghostal]

Hi,

I seem to have some rather nasty virus going on. The main symptoms I've noticed are:

1.) Randomly closing out IE (sparingly used anyway) and Firefox with no error message during normal use (i.e., just sending me back to the desktop randomly)
2.) Sending me to malware/random search sites when clicking on seemingly harmless Google search result links

Any input you could give me on helping me remove this stuff would be helpful. Please let me know if more info is needed or if I should run a certain scan again. Thank you very, very much!

Jim

 

[kritius]

Hi,

You seem to be running Avira and Symantec, unistall one of them.

If you have paid for a subscription for Symantec then I suggest that you keep it.

• Download OTL to your desktop.
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please attach these files with your next reply.

 

[ghostal]

Hi,

Thank you for your quick reply. Attached are the OTL logs, per your request. Please let me know what you think the next steps might be. I appreciate your help.

 

[kritius]

Hi,

Uninstall the following,

BitTorrent DNA
BitTorrent

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  PRC - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
  PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
  O2 - BHO: (no name) - {B8A28E60-65F9-1E5F-DA2C-3BE674820DE4} - C:\WINDOWS\System32\eja.dll File not found
  O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
  O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
  O4 - HKCU..\Run: [Aiq] C:\WINDOWS\system32\ѕystem32\wυauclt.exe File not found
  O4 - HKCU..\Run: [Chtphcb] "C:\Program Files\Common Files\Fοnts\tаskmgr.exe" File not found
  O4 - HKCU..\Run: [Ddgmllu] C:\WINDOWS\Fοnts\аttrib.exe File not found
  O4 - HKCU..\Run: [Nqkhbbep] "C:\Program Files\ѕystem\wυauboot.exe" File not found
  O4 - HKCU..\Run: [Qfzdvyp] C:\WINDOWS\Міcrosoft\еxplorer.exe File not found
  O4 - HKCU..\Run: [Ourfhfdy] C:\WINDOWS\Таsks\dνdplay.exe File not found
  O4 - HKCU..\Run: [Qyx] "C:\Program Files\Common Files\sуstem32\dеxplore.exe" File not found
  O4 - HKCU..\Run: [RecordNow!]  File not found
  O4 - HKCU..\Run: [Ulo] C:\WINDOWS\ѕуmbols\nοpdb.exe File not found
  O4 - HKCU..\Run: [Ueolnyso] C:\WINDOWS\system32\Міcrosoft.NET\mѕdtc.exe File not found
  O4 - HKCU..\Run: [Ulo] C:\WINDOWS\ѕуmbols\nοpdb.exe File not found
  O4 - HKCU..\Run: [Uoqfo] C:\Documents and Settings\Owner\My Documents\Μicrosoft.NET\eхplorer.exe File not found
  O4 - HKCU..\Run: [Vipi] "C:\Documents and Settings\Owner\My Documents\Μіcrosoft\ѕрoolsv.exe" File not found
  O4 - HKCU..\Run: [Vjgdk] "C:\Program Files\Common Files\Μicrosoft.NET\ѕсanregw.exe" File not found
  O4 - HKCU..\Run: [Yva] C:\WINDOWS\Ѕуmantec\сhkntfs.exe File not found
  [2005/04/25 00:42:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\jxfhg.dll
  [2005/04/21 15:39:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\win.inihttp
  
  :Services
  
  :Reg
  
  :Files
  C:\Program Files\BitTorrent
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done

Combofix
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
Link 3

• Double click combofix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  
  
  
  
  
  Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
  
  
  
  Click on Yes, to continue scanning for malware.
  
• When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

[ghostal]

Hello again,

Quick question regarding Combofix: it's popping up with an error advising that I turn off Symantec/Norton. I right-clicked it in the tray and disabled Auto-Protect, but it still doesn't look like Combofix likes this. Do you have any suggestions regarding this, or is it not really a big deal? As a sort of side note, I think it's possible that my Symantec is damaged by the malware anyway, but...

Anyway, thank you again for your assistance, I do appreciate it.

 

[kritius]

Lets try it this way,

Run CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word KillAll:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

KillAll::

File::

Folder::

Driver::

DirLook::

Registry::

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

 

[ghostal]

Thanks. ComboFix was still giving me an error regarding Symantec ("ComboFix has detected the following real-time scanner(s) to be active..."), even after I had disabled the Auto-Protect feature, but I ran it anyway in Safe Mode. Attached are the logs for review. Thanks yet again.

 

[ghostal]

Update: Google search result click-throughs are still redirecting to random search/spam sites. Stuff like "c.php," "click.php" and "findwhat.dll" show up in Firefox's immediate browsing history. Thanks again for your help...let's kick this thing!

 

[kritius]

Did you do the OTL script?

NORTON ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for a

sign.

• right-click it -> chose "Disable Auto-Protect."
• select a duration of 5 hours (this assures no interference with the cleanup of your pc)
• click "Ok."
• a popup will warn that protection will now be disabled and the sign will now look like this:
  

You succesfully disabled the Norton Antivirus Guard.

Run CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word KillAll:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

KillAll::

File::
c:\windows\system32\drivers\avgntflt.sys

Folder::

Driver::

DirLook::

Registry::
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ltri"=-
"Kqg"=-
"Icdvjad"=-
"Mts"=-
"Etzz"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Double-click GooredFix.exe to run it.
• Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click on "My Computer"
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply

 

[ghostal]

I'm almost certain that I did run that OTL script you posted--should I run it again?

Attached are some new logs. The Kaspersky scan took 3.5 hours to complete, but unfortunately when I went to save the report I am getting an "error on page" message at the bottom-left of IE when I click the Save Report As... button. It won't let me save it --pretty frustrating. It picked up a lot of infected objects. I'll try running it again and hopefully be able to save the log.

 

[ghostal]

Success with saving the Kaspersky scan--it is attached. Thanks!

 

[kritius]

This should remove the remaining infected entries,

Note:- one of the items was a pst file that was infected with a few items, it would be best to remove this but if you have e mails that you want then this is up to you.

Empty the quarantine folder for Symantec.

OTL by OldTimer

Run OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :Processes
  explorer.exe
       
  :OTL
  C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\huskymail.pst
  C:\Documents and Settings\Owner\My Documents\programfiles\mirc616.exe
  C:\Documents and Settings\Owner\My Documents\programfiles\OiUninstaller.exe
  C:\WINDOWS\system32\AWM226.exe
       
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then post a new OTL2 log (check the boxes beside LOP Check and Purity)

 

[ghostal]

Thanks for the reply--looks like we're almost finished.

One quick question, though--I don't mean to get off track here, but do you know if it's possible to clean the infected .pst file? Is there a way to identify which message(s) are infected and delete them separately, as opposed to deleting the entire file (as there may be some messages inside worth saving)?

 

[kritius]

unfortunately no.

It could be any of them. Best chance at getting clean is to delete it.

 

[ghostal]

OK; I've attached the OTL log. Unfortunately, I didn't check the boxes beside LOP Check and Purity before running the script, because I forgot about/didn't see that step until after I had pasted in and ran the custom fix--is that OK? Thanks again.

 

[ghostal]

kritius, thanks for your help. Do you think I'm in the clear now?

(If anyone else wants to jump in and give their thoughts on my last OTL log, be my guest...I had been working with kritius, though, as you can see. Thanks!)