TechSpot

Virus problem: Internet search engines open random sites

Solved
By wanderlust
Aug 23, 2010
  1. Hello.

    I have been experiencing problems with my computer for a while. The current main problem is that when I use Google to search the internet, it will automatically direct me to another site (Infosmash.com is one of them). The computer itself also seems to be running slower than it usually does.

    This was happening more often just a few weeks ago, and I also could not connect to Windows Update for a while. I ran a bunch of virus scans and downloaded all of the anti-spyware programs that I could, which took care of some of my problems.

    I ran the 6 step virus removal program and here are my resulting logs. (I attached the DDS files because they were too long). After running the programs my computer seems to be operating very sluggishly.

    Thank you very much in advance for any assistance that you can offer.


    MALWAREBYTES:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4458

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/21/2010 1:25:38 PM
    mbam-log-2010-08-21 (13-25-38).txt

    Scan type: Quick scan
    Objects scanned: 156575
    Time elapsed: 6 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{97f8ca3f-3d0f-411c-8846-8d242ade76fc} (Password.Stealer) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{97f8ca3f-3d0f-411c-8846-8d242ade76fc} (Password.Stealer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97f8ca3f-3d0f-411c-8846-8d242ade76fc} (Password.Stealer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MS Essentials (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER:
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-22 22:29:55
    Windows 5.1.2600 Service Pack 3
    Running: hk365hhk.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwrcypoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647BFE]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
    Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x80 0x92 0x60 0x50 ...

    ---- EOF - GMER 1.0.15 ----
     

    Attached Files:
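The Malwarebytes log above is worth reading as data rather than as a wall of text: three of the four hits carry the same CLSID, so they are one component registered in three places (the Browser Helper Objects list and Internet Explorer's Ext\Settings and Ext\Stats add-on tracking keys), not three separate infections. The following parser is an added example written for this page; it is not part of the thread or of Malwarebytes. The SAMPLE_LOG is a constructed excerpt in the layout of the log posted above, and the function names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and correlate the hits."""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the layout of the MBAM 1.46 log posted above
# (summary counts first, then one "<Category> Infected:" block per category).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4458

Scan type: Quick scan
Objects scanned: 156575

Memory Processes Infected: 0
Registry Keys Infected: 4
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{97f8ca3f-3d0f-411c-8846-8d242ade76fc} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{97f8ca3f-3d0f-411c-8846-8d242ade76fc} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97f8ca3f-3d0f-411c-8846-8d242ade76fc} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MS Essentials (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
BLOCK_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_mbam_log(text):
    """Return (summary, detections).

    summary maps "<Category> Infected" -> count from the log header;
    detections is a list of dicts with keys category, item, family, action.
    """
    summary, detections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line ends the current block
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("cat")] = int(m.group("n"))
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = m.group("cat")
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            detections.append({"category": current, **m.groupdict()})
    return summary, detections


def count_mismatches(summary, detections):
    """Categories whose header count differs from the entries actually listed
    (a truncated or hand-edited log shows up here)."""
    seen = Counter(d["category"] for d in detections)
    return [cat for cat, n in summary.items() if seen.get(cat, 0) != n]


def group_by_clsid(detections):
    """Group hits by the COM CLSID in their path, so one component registered
    under several keys (a BHO under Explorer\\Browser Helper Objects plus
    IE's Ext\\Settings and Ext\\Stats) is seen as one thing, not three."""
    groups = defaultdict(list)
    for d in detections:
        m = CLSID_RE.search(d["item"])
        if m:
            groups[m.group(0).lower()].append(d["item"])
    return dict(groups)


def family_counts(detections):
    """How many hits each detection family (Password.Stealer, ...) accounts for."""
    return Counter(d["family"] for d in detections)


if __name__ == "__main__":
    summary, hits = parse_mbam_log(SAMPLE_LOG)
    print("header/entry mismatches:", count_mismatches(summary, hits) or "none")
    for clsid, items in group_by_clsid(hits).items():
        print(f"{clsid}: {len(items)} keys")
        for item in items:
            print("   ", item)
    print(family_counts(hits))
```

Run as a script it prints one CLSID group with three keys and the family tally; `count_mismatches` is the sanity check to run before trusting any pasted log, since the header counts and the listed entries come from the same scan and should agree.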

  2. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Welcome aboard

    Please, re-run DDS in normal mode and post fresh logs.

    When done....

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. wanderlust

    wanderlust TS Rookie Topic Starter

    Thank you Broni for your speedy reply.

    Earlier my computer wasn't functioning well enough to run in normal mode, but I guess the startup in Safe Mode cured it for now.

    I have attached the new DDS files, as well as the Combofix file. The MBRCheck is below.

    MBRCHECK:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0200000d

    Kernel Drivers (total 126):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xB85A8000 \WINDOWS\system32\KDCOM.DLL
    0xB84B8000 \WINDOWS\system32\BOOTVID.dll
    0xB7F79000 ACPI.sys
    0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB7F68000 pci.sys
    0xB80A8000 isapnp.sys
    0xB8670000 pciide.sys
    0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xB80B8000 MountMgr.sys
    0xB7F49000 ftdisk.sys
    0xB8330000 PartMgr.sys
    0xB80C8000 VolSnap.sys
    0xB7F31000 atapi.sys
    0xB80D8000 disk.sys
    0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB7F11000 fltmgr.sys
    0xB7EFF000 sr.sys
    0xB80F8000 Lbd.sys
    0xB8108000 PxHelp20.sys
    0xB7EE8000 KSecDD.sys
    0xB7ED5000 WudfPf.sys
    0xB7E48000 Ntfs.sys
    0xB7E1B000 NDIS.sys
    0xB7E01000 Mup.sys
    0xB81C8000 \SystemRoot\system32\DRIVERS\AmdPPM.sys
    0xB81D8000 \SystemRoot\system32\DRIVERS\serial.sys
    0xB8588000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xB8458000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xB6FFF000 \SystemRoot\system32\DRIVERS\parport.sys
    0xB81E8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xB858C000 \SystemRoot\system32\DRIVERS\L8042Kbd.sys
    0xB8460000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB81F8000 \SystemRoot\system32\DRIVERS\L8042mou.Sys
    0xB6FED000 \SystemRoot\system32\DRIVERS\LMouKE.Sys
    0xB8468000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xB8478000 \SystemRoot\system32\DRIVERS\nvsmu.sys
    0xB8480000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xB6FC9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xB8488000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB8208000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xB8218000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xB8228000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB6FA6000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB8490000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xB6F7E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB6561000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB654D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB6533000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xB8598000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xB6515000 \SystemRoot\system32\DRIVERS\dne2000.sys
    0xB86D9000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xB70A3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB85A0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB64FE000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xB7093000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xB7083000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB8498000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB64ED000 \SystemRoot\system32\DRIVERS\psched.sys
    0xB7073000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xB84A0000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xB84A8000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB7063000 \SystemRoot\System32\Drivers\pcouffin.sys
    0xB7053000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xB85F4000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB609C000 \SystemRoot\system32\DRIVERS\update.sys
    0xB7DDD000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xB7043000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB7023000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xB85F6000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB5FDF000 \SystemRoot\system32\drivers\nvhda32.sys
    0xB5FBB000 \SystemRoot\system32\drivers\portcls.sys
    0xB7013000 \SystemRoot\system32\drivers\drmk.sys
    0xB39A0000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB84B0000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xB85FC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB87B3000 \SystemRoot\System32\Drivers\Null.SYS
    0xB85FE000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB8368000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB8370000 \SystemRoot\System32\drivers\vga.sys
    0xB8600000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xB8602000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB8378000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB8380000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB8580000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB38D8000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB387F000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB8258000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xB3859000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB8268000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB3769000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB3747000 \SystemRoot\System32\drivers\afd.sys
    0xB8278000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB371C000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB36AC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB8298000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB3689000 \??\C:\WINDOWS\system32\drivers\cbfs.sys
    0xB6088000 \??\C:\WINDOWS\system32\drivers\BIOS.sys
    0xB3662000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xB8398000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xB363E000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB362D000 \SystemRoot\System32\Drivers\Udfs.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB3795000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB8420000 \SystemRoot\System32\watchdog.sys
    0xBD000000 \SystemRoot\System32\drivers\dxg.sys
    0xB87B1000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBD012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB84CC000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xB83A0000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xB3205000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB2FDE000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xB2E21000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB863E000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB2DE4000 \SystemRoot\System32\Drivers\SENTINEL.SYS
    0xB2D2C000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    0xB2C23000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB2B7C000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB29F7000 \??\C:\Program Files\CyberLink\PowerDVD8\000.fcl
    0xB28CA000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB2EB6000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB8450000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xB1D62000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 49):
    0 System Idle Process
    4 System
    916 C:\WINDOWS\system32\smss.exe
    972 csrss.exe
    996 C:\WINDOWS\system32\winlogon.exe
    1040 C:\WINDOWS\system32\services.exe
    1052 C:\WINDOWS\system32\lsass.exe
    1204 C:\WINDOWS\system32\nvsvc32.exe
    1236 C:\WINDOWS\system32\svchost.exe
    1368 svchost.exe
    1432 C:\Program Files\Windows Defender\MsMpEng.exe
    1472 C:\WINDOWS\system32\svchost.exe
    1528 C:\WINDOWS\system32\svchost.exe
    1724 svchost.exe
    1772 svchost.exe
    1944 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    260 C:\WINDOWS\system32\spoolsv.exe
    352 svchost.exe
    400 C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
    428 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    668 C:\WINDOWS\system32\svchost.exe
    704 C:\Program Files\Java\jre6\bin\jqs.exe
    756 C:\WINDOWS\system32\HPZipm12.exe
    808 C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
    820 C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    904 C:\WINDOWS\system32\svchost.exe
    1616 C:\WINDOWS\system32\searchindexer.exe
    2228 C:\WINDOWS\explorer.exe
    2296 wmpnetwk.exe
    3056 C:\WINDOWS\RTHDCPL.exe
    3216 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    3284 alg.exe
    3608 C:\Documents and Settings\Owner\Local Settings\Application Data\ZumoDrive\app\zumodrive.exe
    3688 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
    3736 C:\Program Files\Windows Defender\MSASCui.exe
    3856 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    3996 C:\WINDOWS\system32\rundll32.exe
    4012 C:\WINDOWS\system32\ctfmon.exe
    4084 C:\Program Files\Windows Media Player\wmpnscfg.exe
    1304 C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
    2076 C:\Program Files\Logitech\SetPoint\SetPoint.exe
    2244 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
    1572 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    2724 C:\Program Files\Mozilla Firefox\firefox.exe
    424 C:\WINDOWS\system32\wuauclt.exe
    3556 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2336 C:\WINDOWS\system32\searchprotocolhost.exe
    2328 searchfilterhost.exe
    3196 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD5000AAKS-00YGA0, Rev: 12.01C02

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     

    Attached Files:
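Two things in an MBRCheck report are worth checking mechanically rather than by eye: the per-drive MBR status line (here "Windows XP MBR code detected", with the SHA1 of the boot sector on the next line), and which kernel drivers were loaded by a full \??\ path from outside the Windows directory, which is where a third-party or dropped driver stands out. The script below is an added example written for this page, not MBRCheck's own code or anything from the thread. SAMPLE_REPORT is a constructed excerpt in the layout of the report above: the driver list is shortened, and PhysicalDrive1 with its all-zero SHA1 is invented to show how an unrecognised MBR would be handled; the "Unknown MBR code" wording is my assumption of the tool's output for that case.

```python
"""Triage an MBRCheck 1.x report: MBR status per disk and driver load paths."""
import re

# Constructed excerpt in the layout of the MBRCheck 1.2.3 report posted above.
# The driver list is shortened, and PhysicalDrive1 with its all-zero SHA1 is
# invented to show how an unrecognised MBR would be reported.
SAMPLE_REPORT = r"""
MBRCheck, version 1.2.3
(c) 2010, AD

Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)

Kernel Drivers (total 6):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xB7F79000 ACPI.sys
0xB80F8000 Lbd.sys
0xB6561000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB3689000 \??\C:\WINDOWS\system32\drivers\cbfs.sys
0xB29F7000 \??\C:\Program Files\CyberLink\PowerDVD8\000.fcl

Processes (total 2):
4 System
3196 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD5000AAKS-00YGA0, Rev: 12.01C02

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
 74 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: 0000000000000000000000000000000000000000

Done!
"""

DRIVER_RE = re.compile(r"^0x[0-9A-Fa-f]{8} (?P<path>.+)$")
TOTAL_RE = re.compile(r"^Kernel Drivers \(total (?P<n>\d+)\):$")
DRIVE_RE = re.compile(r"^(?P<size>\d+ GB) (?P<device>\\\\\.\\PhysicalDrive\d+) (?P<status>.+)$")
SHA1_RE = re.compile(r"^SHA1: (?P<sha1>[0-9A-Fa-f]{40})$")

# Load paths that resolve inside the Windows directory (compared lower-cased).
WINDOWS_PREFIXES = ("\\systemroot\\", "\\windows\\", "c:\\windows\\")


def parse_drivers(report):
    """Return (declared_total, [driver path, ...]) from the Kernel Drivers list."""
    total, paths = None, []
    for raw in report.splitlines():
        line = raw.strip()
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group("n"))
        m = DRIVER_RE.match(line)
        if m:
            paths.append(m.group("path"))
    return total, paths


def review_drivers(report):
    """Drivers loaded from outside the Windows directory.

    MBRCheck prints boot-start drivers as bare file names and most others
    relative to \\SystemRoot; a \\??\\ prefix means a full NT path was used.
    Third-party software does this legitimately, so the result is a list
    to look at by hand, not a verdict.
    """
    flagged = []
    for path in parse_drivers(report)[1]:
        p = path.lower()
        if p.startswith("\\??\\"):
            p = p[4:]
        if "\\" not in p:                     # bare name: system32\drivers
            continue
        if p.startswith(WINDOWS_PREFIXES):
            continue
        flagged.append(path)
    return flagged


def parse_drives(report):
    """One dict per physical drive: size, device, status and the SHA1 that
    MBRCheck prints on the following line (None if absent)."""
    lines = [l.strip() for l in report.splitlines()]
    drives = []
    for i, line in enumerate(lines):
        m = DRIVE_RE.match(line)
        if not m:
            continue
        sha1 = None
        if i + 1 < len(lines):
            s = SHA1_RE.match(lines[i + 1])
            if s:
                sha1 = s.group("sha1").upper()
        drives.append({**m.groupdict(), "sha1": sha1})
    return drives


def unrecognised_mbrs(drives):
    """Drives whose boot code MBRCheck did not match to a known OS loader;
    those are the ones to compare against a known-good dump before rewriting."""
    return [d for d in drives if "mbr code detected" not in d["status"].lower()]


if __name__ == "__main__":
    total, paths = parse_drivers(SAMPLE_REPORT)
    print(f"drivers listed: {len(paths)} (header says {total})")
    print("loaded from outside the Windows directory:", review_drivers(SAMPLE_REPORT))
    drives = parse_drives(SAMPLE_REPORT)
    for d in drives:
        print(d["device"], d["status"], d["sha1"])
    print("unrecognised MBR code on:", [d["device"] for d in unrecognised_mbrs(drives)])
```

On the constructed excerpt only the PowerDVD driver is flagged for review (it is loaded from Program Files) and only the invented PhysicalDrive1 has unrecognised boot code; the real report above shows a single drive with recognised Windows XP MBR code, which is why the helper moved on to ComboFix rather than to MBR repair.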

  4. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    What really cured your computer (not totally yet), was Combofix.

    I suggest, you uninstall HitmanPro, which is nothing but a bunch of free tools gathered in one program. On top of it, HitmanPro is having copyright issues.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Alcmtr.exe
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\avg9
    
    
    DDS::
    uInternet Settings,ProxyOverride = <local>
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  5. wanderlust

    wanderlust TS Rookie Topic Starter

    I looked for Hitman Pro in the Add/Remove Programs as well as in the start menu and couldn't find anything. Is there a place where it might be hiding?

    Here are the combofix results:
     

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Maybe just some leftovers.
    We'll get rid of those manually.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. wanderlust

    wanderlust TS Rookie Topic Starter

    A continued thank you for your efforts to help me.

    Here are the two files produced by OTL.
     

    Attached Files:

  8. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      [2010/06/23 14:54:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
      [2010/06/23 14:54:30 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
      [2010/06/28 18:15:48 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
      [2010/06/22 08:45:56 | 000,001,899 | ---- | C] () -- C:\WINDOWS\System32\oilqbi
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  9. wanderlust

    wanderlust TS Rookie Topic Starter

    Here are all of the resulting files.
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    It looks like you didn't run JavaRa (my reply #8) to remove old Java versions.
    Please, do it now.

    =========================================================================

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ======================================================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. Run defrag at your convenience.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  11. wanderlust

    wanderlust TS Rookie Topic Starter

    Thank you again for all of your help. I really appreciate you spending your time helping me out.

    I had run JavaRa previously, and noticed that it showed up in one of the logs, but assumed that maybe it was showing something that was previously deleted. I tried running it again, and it still does not remove either ver. 16 or 20. I tried to go to Add/Remove Programs, and when manually trying to remove ver. 16 it says "Fatal Error During Installation".
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    That's fine. It may be just dead listing.

    I assume, your computer is doing fine?
     
  13. wanderlust

    wanderlust TS Rookie Topic Starter

    It is. I have had limited use in the past few days, but I have yet to be redirected and it seems to be running smoothly. Thank you again.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Cool
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.
