Hi,
Today my computer got infected with a huge virus from some bogus website. In an effort to get rid of it I ran all of my anti-virus software and thought I had eradicated it. Unfortunately, when I went to start up my computer, Windows Vista had limited functionality. i managed to restart in safe mode and do a system restore. I thought that had done the trick until I was searching on explorer and found that all my searches were being redirected. I found your website and followed the 8 STEPS. SuperAntiSpyware found some Trojans and got rid of them. I rebooted but am still getting site redirection. What should I do from here on? I changed all my passwords on another computer to prevent further problems of another kind, but should I be looking at a complete reinstallation of vista? I need help...

Attached Files

	malwarelog.txt (4.2 KB, 3 views)
	superlog.txt (2.6 KB, 3 views)
	hijackthislog.txt (8.1 KB, 3 views)

Can anyone check my logs and let me know if there are any problems?? Please!!

I'll check you logs now. I took Thanksgiving off to be thankful. Please use patient- this is a very busy forum and bumping a thread the same day you posted it is frowned on.

Download theNorton Removal Tool save it to your desktop.

Please reopen HijackThis to 'do system scan only'. Check each of the following if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O4 - HKCU\..\Run: [rfweuboa] C:\Users\Elspeth\AppData\Local\chbylb\dgjrsysguard.exe

Close all Windows except HijackThis and click on "Fix Checked."

When finished:

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Double click on the Norton Tool and run.

Reboot in to Normal Mode when finished.

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

• 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attach Combofix report to next reply.

Rescan with HijackThis and paste new log in to new reply.

I fixed those files listed under HijackThis.
Which Norton file should I download? I don't own any of their products. Does it matter?

The Norton entry is for 'Norton Confidential' which is now use in their suites. I don't have enough information to give you a version. At some point, this was installed on the system. It might have been preloaded by the manufacturer:

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} NCO 2.0 IE BHO coIEPlg.dll "Norton Confidential" online identity theft protection, now incorporated into other Norton products

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} Show Norton Toolbar CoIEPlg.dll "Norton Confidential" online identity theft protection, now incorporated into other Norton products .

Source: system Lookup: Global Search.

Okay, ran ComboFix - they found a rootkit and I had to reboot, then it ran pretty quickly.
Ran Hijack this, too.

Here's the HJ log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:33 AM, on 29/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Combo-Fix\PEV.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Windows\system32\conime.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/...sticsVista.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6018 bytes


ComboFix log attached.

By the way...thanks for all of your help so far!

Attached Files

combolog.txt (10.9 KB, 4 views)

Oh, I also managed to disable Norton.
I've heard things about only having one antivirus program to use. Aside from what further steps I should take, can you give me info on this?

Please be patient. I'm helping others.

Hello,
Sorry, I don't mean to be a bother. I appreciate all the help you've given me so far. I definitely couldn't do it alone, or without the help on this forum. I don't want to sound impatient, and I know you've been busy helping others, but I am just wondering what i should do next. I would like my computer up and running only because it's the only one I have, and I'm afraid to use it if it's still at risk. I appreciate anything you can add, if you have the time. Thank you very much!

I am very sorry. I answered this yesterday, but must have done a preview and not a send.

Combofix is still finding entries to delete. Can you tell me how the system is running? Do any f the original problem remain?

You need to update Java to v6u17- you're way behind on that and earlier version is a vulnerability:
Check this site Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs

[b[Make sure Adobe Reader is also current:[/b]
Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

Please run this online AV scan to make sure we haven't missed anything:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Attach log to next reply. If it's clean and if the problems have been resolved, I'll have you remove thee cleaning tools and set clean restore point.

Haver string on finger to make sure I 'post' after 'preview'!

Alright, both Adobe Reader and Java were removed and then updated.

What sort of things did ComboFix find that needs to be acknowledged as a problem? Right now it seems like the internet redirect problem is gone. I haven't noticed any other weird things yet.

I ran ESET, but it found no problems or infections. For some reason it generated no log (perhaps because it found nothing?) I do have a log, but it's from a few days ago when I first scanned my system with ESET (Nov. 28th - found 63 items). I'll post it in case you want to take a look at it.

Seeing as my problem involved a rootkit, I am just worried that it's still lurking somewhere. They sound like they are quite virulent and hearty. I am hoping nothing on my computer has been compromised.

With all that said, what's next? System restore?

Thanks again for walking me through this!

Attached Files

esetlog.txt (10.1 KB, 2 views)

Unfortunately, the log shows Virut- even if it's a few days old, you will still have the infection:

Virut is a Polymorphic File Infector that infects ..exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.
It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker

Good explanation here:
http://miekiemoes.blogspot.com/2009/...-throwing.html

But let's check to make sure:

• Make sure to use Internet Explorer for this
• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
  • c:\windows\system32\userinit.exe
• Click on the Upload button
• If a pop-up appears saying the file has been scanned already, please select the ReScan button.
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Please paste the log into your next reply.

Change all of your passwords and monitor any online financial transactions.

Although Eset states 'cleaned and removed', If it is Virut, it has just morphed into another variant.
Most agree that a complete reformat and reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

* Backup all your documents and important items only.
* DON'T backup any executable files (,exe .scr .html or .htm)
* DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files

Yikes, that worries me! What a nasty sounding demon. I've changed all my passwords again.

Viruscan found nothing harmful, but to be on the safe side, I think I will reformat and reinstall. I've backed up everything important (pictures, photos, documents).
What's the best way to approach this? I'm afraid I hardly know what I'm doing, so if you could point me in the right direction, I'd appreciate it.

Thanks so much.

Attached Files

virscanlog.txt (9.3 KB, 1 views)

You don't need to reformat or reinstall. It's hard to believe that Virut was there and now it isn't.

Would you do this please?
1. Delete the temporary internet files:

TFC (Temp File Cleaner)

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

2. Delete the current Eset log. Rescan with Eset. After every scan an option to uninstall ESET Online Scanner with all its components is provided. Don't check this.
Attach new log in your next reply.

Empty the Recycle Bin

Then delete the contents of the Recycler Folder. This is different from the bin:

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Click on Start> Run> type in cmd> OK> At a Command Prompt type rd /s /q c:\recycler

NOTE: there is a space before each / in the command.
Windows will create a new recycler for the drive when the computer is rebooted.

Let me check the new log.

Ran TFC, rebooted, then ran ESET again. Nothing found. I deleted the log, but when the scan finished, it kept the log from before. It also won't let me upload it to the forum because it's already uploaded to this thread.
I tried the recycling thing but it keeps telling me the file could not be specified.
Am I doing this right? (rd /s /q c:\recycler)?
Thanks.

Whoops, double post, sorry.

Sorry, I had one ] missing in the command.

Try this for Recycler: Empty the Recycle Bin first

Open windows Explorer: Right click on Start> Explore> My Computer> Local Drive (C)> go up to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide system files and protected folders'> Apply> OK.

Scroll down to Windows> click to open the Recycler folder> check the right screen for the files> Right click> Delete each.

(The actual SID of the infected file is this: S-1-5-21-6841296011-9967747418-749282096-0715

I don't always find this successful but not to worry- it's just freeing up a minute amount of the resources. It will not delete though unless the Recycle Bin is empty.

FYI: The Recycle Bin is where the trash goes when you delete a file or folder.
The Recycler is where the files go when you empty the Recycle Bin> I haven't figured out the need for this redundancy yet!

I went back and checked the Combofix report again. It shows possible infection from Domain
I want you to put this Domain in the Restricted Zone as follows:
Open Internet Options from either the Control Panel or IE> Tools)> click on security tap> Restricted Zone> Sites> type in *.dnusax.com> Add> Apply> OK

(Note the use of the * which acts as a wild card, before the slash.)

Then delete the Combofix Report on the desktop and any Eset logs you have:

1. Run Combofix again> Attach new report.
2. Update and run the Eset scan again> Attach the new log
3. Go back and rehide the files.

Alright. After looking for Folder Options for about 20 minutes, I did what you specified. Under Recycler I only found one file - not the one you has listed. It's (S-1-5-1832671809-316018632-562484060-1001). I deleted it anyway.

Put the address under the restricted zone for internet.

Deleted ComboFix and Eset logs. Ran both. For some reason I couldn't access firewall and windows defender when I went to use my internet, (something about a registry key that has been labelled for deletion?). I restarted my computer and all was fine again - hopefully it wasn't a problem.

Combofix log below. Eset again found nothing and only generated the log from the first time I scanned. Again, I can't repost it as an attachment.

Hm, what's next?

Attached Files

combolog2.txt (13.2 KB, 3 views)

Please rescan with HijackThis and give me a new log.

Are you still having the redirect problem?

The redirect problem seems to be gone.

New log below.

Attached Files

HJlog3.txt (6.1 KB, 2 views)