TechSpot

Ran 8 Steps, please see logs attached

By ghostal
Jun 6, 2009
  1. Hi,

    I seem to have some rather nasty virus going on. The main symptoms I've noticed are:

    1.) Randomly closing out IE (sparingly used anyway) and Firefox with no error message during normal use (i.e., just sending me back to the desktop randomly)
    2.) Sending me to malware/random search sites when clicking on seemingly harmless Google search result links

    Any input you could give me on helping me remove this stuff would be helpful. Please let me know if more info is needed or if I should run a certain scan again. Thank you very, very much!

    Jim
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Hi,

    You seem to be running Avira and Symantec, unistall one of them.

    If you have paid for a subscription for Symantec then I suggest that you keep it.

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
      • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please attach these files with your next reply.
     
  3. ghostal

    ghostal TS Rookie Topic Starter

    Hi,

    Thank you for your quick reply. Attached are the OTL logs, per your request. Please let me know what you think the next steps might be. I appreciate your help.
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Hi,

    Uninstall the following,

    BitTorrent DNA
    BitTorrent


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      PRC - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
      PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
      O2 - BHO: (no name) - {B8A28E60-65F9-1E5F-DA2C-3BE674820DE4} - C:\WINDOWS\System32\eja.dll File not found
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
      O4 - HKCU..\Run: [Aiq] C:\WINDOWS\system32\ѕystem32\wυauclt.exe File not found
      O4 - HKCU..\Run: [Chtphcb] "C:\Program Files\Common Files\Fοnts\tаskmgr.exe" File not found
      O4 - HKCU..\Run: [Ddgmllu] C:\WINDOWS\Fοnts\аttrib.exe File not found
      O4 - HKCU..\Run: [Nqkhbbep] "C:\Program Files\ѕystem\wυauboot.exe" File not found
      O4 - HKCU..\Run: [Qfzdvyp] C:\WINDOWS\Міcrosoft\еxplorer.exe File not found
      O4 - HKCU..\Run: [Ourfhfdy] C:\WINDOWS\Таsks\dνdplay.exe File not found
      O4 - HKCU..\Run: [Qyx] "C:\Program Files\Common Files\sуstem32\dеxplore.exe" File not found
      O4 - HKCU..\Run: [RecordNow!]  File not found
      O4 - HKCU..\Run: [Ulo] C:\WINDOWS\ѕуmbols\nοpdb.exe File not found
      O4 - HKCU..\Run: [Ueolnyso] C:\WINDOWS\system32\Міcrosoft.NET\mѕdtc.exe File not found
      O4 - HKCU..\Run: [Ulo] C:\WINDOWS\ѕуmbols\nοpdb.exe File not found
      O4 - HKCU..\Run: [Uoqfo] C:\Documents and Settings\Owner\My Documents\Μicrosoft.NET\eхplorer.exe File not found
      O4 - HKCU..\Run: [Vipi] "C:\Documents and Settings\Owner\My Documents\Μіcrosoft\ѕрoolsv.exe" File not found
      O4 - HKCU..\Run: [Vjgdk] "C:\Program Files\Common Files\Μicrosoft.NET\ѕсanregw.exe" File not found
      O4 - HKCU..\Run: [Yva] C:\WINDOWS\Ѕуmantec\сhkntfs.exe File not found
      [2005/04/25 00:42:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\jxfhg.dll
      [2005/04/21 15:39:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\win.inihttp
      
      :Services
      
      :Reg
      
      :Files
      C:\Program Files\BitTorrent
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done

    [​IMG]Combofix
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    Link 3
    • Double click combofix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      [​IMG]

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      [​IMG]

      Click on Yes, to continue scanning for malware.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  5. ghostal

    ghostal TS Rookie Topic Starter

    Hello again,

    Quick question regarding Combofix: it's popping up with an error advising that I turn off Symantec/Norton. I right-clicked it in the tray and disabled Auto-Protect, but it still doesn't look like Combofix likes this. Do you have any suggestions regarding this, or is it not really a big deal? As a sort of side note, I think it's possible that my Symantec is damaged by the malware anyway, but...

    Anyway, thank you again for your assistance, I do appreciate it.
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Lets try it this way,

    Run CFScript
    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word KillAll:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  7. ghostal

    ghostal TS Rookie Topic Starter

    Thanks. ComboFix was still giving me an error regarding Symantec ("ComboFix has detected the following real-time scanner(s) to be active..."), even after I had disabled the Auto-Protect feature, but I ran it anyway in Safe Mode. Attached are the logs for review. Thanks yet again.
     
  8. ghostal

    ghostal TS Rookie Topic Starter

    Update: Google search result click-throughs are still redirecting to random search/spam sites. Stuff like "c.php," "click.php" and "findwhat.dll" show up in Firefox's immediate browsing history. Thanks again for your help...let's kick this thing!
     
  9. kritius

    kritius TS Guru Posts: 2,084

    Did you do the OTL script?

    NORTON ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for a [​IMG] sign.
    • right-click it -> chose "Disable Auto-Protect."
    • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
    • click "Ok."
    • a popup will warn that protection will now be disabled and the sign will now look like this: [​IMG]
    You succesfully disabled the Norton Antivirus Guard.

    Run CFScript
    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word KillAll:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.

    [​IMG]Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  10. ghostal

    ghostal TS Rookie Topic Starter

    I'm almost certain that I did run that OTL script you posted--should I run it again?

    Attached are some new logs. The Kaspersky scan took 3.5 hours to complete, but unfortunately when I went to save the report I am getting an "error on page" message at the bottom-left of IE when I click the Save Report As... button. It won't let me save it --pretty frustrating. It picked up a lot of infected objects. I'll try running it again and hopefully be able to save the log.
     
  11. ghostal

    ghostal TS Rookie Topic Starter

    Success with saving the Kaspersky scan--it is attached. Thanks!
     
  12. kritius

    kritius TS Guru Posts: 2,084

    This should remove the remaining infected entries,

    Note:- one of the items was a pst file that was infected with a few items, it would be best to remove this but if you have e mails that you want then this is up to you.

    Empty the quarantine folder for Symantec.

    OTL by OldTimer

    Run OTL.exe
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      Code:
      :Processes
      explorer.exe
           
      :OTL
      C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\huskymail.pst
      C:\Documents and Settings\Owner\My Documents\programfiles\mirc616.exe
      C:\Documents and Settings\Owner\My Documents\programfiles\OiUninstaller.exe
      C:\WINDOWS\system32\AWM226.exe
           
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Then post a new OTL2 log (check the boxes beside LOP Check and Purity)
     
  13. ghostal

    ghostal TS Rookie Topic Starter

    Thanks for the reply--looks like we're almost finished.

    One quick question, though--I don't mean to get off track here, but do you know if it's possible to clean the infected .pst file? Is there a way to identify which message(s) are infected and delete them separately, as opposed to deleting the entire file (as there may be some messages inside worth saving)?
     
  14. kritius

    kritius TS Guru Posts: 2,084

    unfortunately no.

    It could be any of them. Best chance at getting clean is to delete it.
     
  15. ghostal

    ghostal TS Rookie Topic Starter

    OK; I've attached the OTL log. Unfortunately, I didn't check the boxes beside LOP Check and Purity before running the script, because I forgot about/didn't see that step until after I had pasted in and ran the custom fix--is that OK? Thanks again.
     
  16. ghostal

    ghostal TS Rookie Topic Starter

    kritius, thanks for your help. Do you think I'm in the clear now?

    (If anyone else wants to jump in and give their thoughts on my last OTL log, be my guest...I had been working with kritius, though, as you can see. Thanks!)
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...