Google getting redirected Pls help

  #1  
Old 11-08-2007
Newcomer, in training
 
Member since: Nov 2007, 6 posts
Google getting redirected Pls help

Hi. My PC got infected, I guess from a trojan, which initially caused a display of Security Toolbar 7.1 and changed my homepage to security files. However, I did manage to get rid of that by doing Smitfraud fix first and then running Super Anti Spyware. Also, I was able to disable the Security Center from services.msc. However, I wasn't able to stop it since the Stop button wasn't getting highlighted; that's why I feel my system still has some traces of that trojan or some other adware. This is evident from the fact that when I click on Google links, the link gets redirected to some other link known as autosearch daily search, something like this. Please help me with this. I am a new member of your site. Please do help me find a way out of it. I also tried downloading a patch from the Microsoft site for IE6 redirection, but it doesn't seem to have cured the problem. I am posting the HijackThis log for analysis. Please help me out, guys...
  #2  
Old 11-08-2007
Banned
 
Member since: Aug 2004, 25,945 posts
[B]Hello and welcome to Techspot.[/B]

I have deleted your other posts on this subject.

[b][color=red]Very Important:[/color] Before deciding whether you should clean or reformat your system, go and read this thread [URL="http://www.techspot.com/vb/topic65943.html"][color=blue]HERE[/color][/URL] and decide what it is you want to do.[/b]

If after reading the above, you wish to clean your system, do the following.

Go and read the [b][URL="http://www.techspot.com/vb/topic58138.html"]Viruses/Spyware/Malware, preliminary removal instructions.[/URL][/b] Follow all the instructions exactly.

Post fresh [b]HJT[/b], [b][color=red]AVG Antispyware[/color] and Combofix logs as [color=blue][URL="http://www.techspot.com/vb/topic19133.html"]Attachments[/URL][/color][/b] into this thread, only after doing the above.

[b]Also, let me know the results of the Panda Antirootkit scan.[/b]

Regards Howard

[b][color=red]This thread is for the use of[/color] fardeen [color=red]only.[/color] [color=blue]Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our[/color] [URL="http://www.techspot.com/vb/menu28.html"]security and the web forum[/URL].[/b]
  #3  
Old 11-09-2007
Newcomer, in training
 
Member since: Nov 2007, 6 posts
All steps taken Howard

Thanks a million, first of all, for responding to my issue. I am sure I'll be able to get rid of this malicious software if professionals like you are there to help me out. Thanks again... Coming back to technical stuff, I did whatever you told me to do, and I guess also in the way you told me to. I installed and ran CCleaner and the three tools, Smitfraud fix (which I had already used before), Virtumundo Be Gone and VundoFix, and the Panda Antirootkit programme, all of which showed negative results. Panda Antirootkit scanned 3082 items and found no known or unknown rootkits. I also did ComboFix, the log of which I have attached with the reply. I did ComboFix and Adware 2007 from normal mode and not from safe mode. I don't know whether I have done the right thing or not. Then I did Spybot (from safe mode) and also AVG Antispyware from safe mode (log attached). Finally, I have done the HJT and the log is attached. AVG and Spybot removed a few things, and after that, when I tried Google again, it seemed to be working fine (all because of you). However, I just want to make completely sure, so sir, please analyse my logs and please advise me further on the issue. I am using Quick Heal as antivirus right now. Thanks again.
Attached Files
File Type: txt AVG antispyware log.txt (1.9 KB, 5 views)
File Type: txt combofix log.txt (9.9 KB, 1 views)
File Type: txt latest hijackthis log.txt (5.0 KB, 5 views)
  #4  
Old 11-09-2007
Banned
 
Member since: Aug 2004, 25,945 posts
Go to Add/Remove Programs in your control panel and uninstall anything to do with ([b]if there[/b]).

Dap

Close control panel.

Open notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


Quote:
File::
C:\WINDOWS\system32\deskper.dll
C:\WINDOWS\system32\drivers\lddvbjyx.dat
C:\WINDOWS\system32\drivers\akliqnar.dat

Folder::
C:\Program Files\DAP
C:\VundoFix Backups
C:\qoobox
C:\8df5cfbca5057041d9228b9576d1
C:\WINDOWS\$hf_mig$
C:\jdk1.3
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB9D6AFD-8168-47DD-8169-C6CB026CCF72}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"=-

Save this as [b]CFScript.txt[/b]

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard

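The first-line rule and the layout of the script in the post above can be checked, and its effect listed, before the file is handed to ComboFix. This is an added example, not part of the original thread or of ComboFix: `review_cfscript` is a hypothetical helper, the sample is a shortened copy of the script posted above, and it assumes that File:: and Folder:: entries are removal targets and that the Registry:: lines follow .reg deletion syntax.

```python
import re

SECTION = re.compile(r"^(\w+)::$")   # "File::", "Folder::", "Registry::"

# Shortened copy of the script from the post above (sample input).
SAMPLE = r"""File::
C:\WINDOWS\system32\deskper.dll

Folder::
C:\qoobox
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB9D6AFD-8168-47DD-8169-C6CB026CCF72}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"=-
"""

def review_cfscript(text):
    """Return (problems, actions) so the script can be read before it is run."""
    lines = text.splitlines()
    problems, actions = [], []
    # Rule from the post: "File::" is the first line, nothing above or before it.
    if not lines or lines[0] != "File::":
        problems.append("first line must be exactly 'File::'")
    section = key = None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section, key = m.group(1), None
        elif section is None:
            problems.append(f"line {n}: text before any section header")
        elif section != "Registry":
            actions.append((f"delete {section.lower()}", line))
        elif line.startswith("[-") and line.endswith("]"):
            actions.append(("delete key", line[2:-1]))   # .reg syntax: [-KEY]
            key = None
        elif line.startswith("["):
            key = line.strip("[]")                        # key the values belong to
        elif line.endswith("=-") and key:
            actions.append(("delete value", key + "\\" + line[:-2].strip('"')))
        else:
            problems.append(f"line {n}: unrecognised registry line")
    return problems, actions

if __name__ == "__main__":
    for item in review_cfscript(SAMPLE):
        print(item)
```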
  #5  
Old 11-10-2007
Newcomer, in training
 
Member since: Nov 2007, 6 posts
Cf Done From Script

Thanks again, Howard. I have done the ComboFix from the ComboFix script you provided me. It found a strain of trojan AutoIt, which it deleted. I am attaching the log file of the CF scan along with a new HJT log. Thanks for all the support you are providing me. I am very, very sure that I am on the right path to eliminate these malicious things....
Attached Files
File Type: txt combofix log2.txt (51.9 KB, 1 views)
File Type: txt hijackthis log 2.txt (4.8 KB, 1 views)
  #6  
Old 11-10-2007
Banned
 
Member since: Aug 2004, 25,945 posts
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

[b]Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT).[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial61.html"]HERE[/URL].

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial62.html"]HERE[/URL].

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to ([b]if there[/b]).

O2 - BHO: (no name) - {DB9D6AFD-8168-47DD-8169-C6CB026CCF72} - C:\WINDOWS\system32\deskper.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll (file missing)

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE (file missing)

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - [url]http://secure2.comned.com/signuptemplates/securelogin-devel.cab[/url]

Click on the fix checked button.

Close HJT.

Locate and delete the following [b]bold[/b] files and/or folders ([b]if there[/b]).

C:\WINDOWS\system32\[b]deskper.dll[/b]
C:\WINDOWS\system32\drivers\[b]akliqnar.dat[/b]
C:\WINDOWS\system32\drivers\[b]lddvbjyx.dat[/b]
C:\[b]qoobox[/b]

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.

Regards Howard

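The "post fresh HJT logs" step amounts to checking whether the entries ticked for fixing come back in the next scan. The sketch below parses the four entries listed in the post above and compares them against a later log by CLSID. It is an added example, not part of the original thread or of HijackThis: `parse_hjt` and `still_present` are hypothetical helpers, and the `FRESH` excerpt is constructed for the demonstration.

```python
import re

# "O2 - BHO: (no name) - {CLSID} - C:\path\file.dll (file missing)"
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Entries ticked for fixing in the post above (forum markup removed).
TARGETED = r"""
O2 - BHO: (no name) - {DB9D6AFD-8168-47DD-8169-C6CB026CCF72} - C:\WINDOWS\system32\deskper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll (file missing)
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE (file missing)
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
"""
# Constructed "fresh log" excerpt for the demonstration, not from the thread.
FRESH = r"""
O2 - BHO: (no name) - {DB9D6AFD-8168-47DD-8169-C6CB026CCF72} - C:\WINDOWS\system32\deskper.dll
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

def parse_hjt(log_text):
    """Map CLSID -> details for every O-section line that carries a CLSID."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, kind, rest = m.groups()
        clsid = CLSID.search(rest)
        if clsid:  # lines without a CLSID (e.g. O4 Run keys) are skipped
            target = rest.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            entries[clsid.group(0).upper()] = {
                "code": code, "kind": kind, "target": target,
                "file_missing": rest.endswith("(file missing)"),
            }
    return entries

def still_present(targeted_log, fresh_log):
    """CLSIDs that were ticked for fixing but appear again in the fresh log."""
    fresh = parse_hjt(fresh_log)
    return sorted(c for c in parse_hjt(targeted_log) if c in fresh)

if __name__ == "__main__":
    print(still_present(TARGETED, FRESH))
```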
  #7  
Old 11-11-2007
Newcomer, in training
 
Member since: Nov 2007, 6 posts
A query on the topic

Thanks again, Howard, for replying... Before I proceed with the HJT, I just wanted to ask: is DAP (Download Accelerator Plus) harmful to my PC? It's the default download manager I am using. I think proceeding with the HJT will remove the DAP exe. Please advise me on this. I'll certainly delete it if you tell me to do so. Thanks again, Howard....
Regards,
Fardeen
  #8  
Old 11-11-2007
Banned
 
Member since: Aug 2004, 25,945 posts
[URL="http://www.speedbit.com/Symantec_Security_Response.htm"]Dap places adware[/URL] on your computer and that's why I advised it be uninstalled.

Regards Howard

  #9  
Old 11-12-2007
Newcomer, in training
 
Member since: Nov 2007, 6 posts
Not able to delete files

Thanks, Howard... I have removed DAP completely from my system and carried out the HJT removal as you said, and removed the browser helper objects and all the things that you mentioned. But when I tried to remove the four files that you mentioned (deskper.dll etc.), I wasn't able to delete them due to an access violation error. I tried deleting them from the cmd prompt but was unsuccessful. I finally tried using Killbox and AVG file shredder, but they too were not able to delete those files. Please tell me, Howard, what I should do now. I am posting the fresh HJT log along with this. Thanks, brother, for all the support you are giving me.
Attached Files
File Type: txt HJT log 3 after DAP removal.txt (4.1 KB, 1 views)
  #10  
Old 11-12-2007
Banned
 
Member since: Aug 2004, 25,945 posts
You haven't posted the fresh Combofix log as requested. Please do so.

Regards Howard

  #11  
Old 11-16-2007
Newcomer, in training
 
Member since: Nov 2007, 6 posts
The requested combofix log

Sorry, brother, I wasn't in the city for the last two days and hence wasn't able to send you the ComboFix log which you asked me for. Howard, I also wanted to tell you that even HJT wasn't able to fix the BHO which included deskper.dll, and the files are not getting deleted even by the delete-on-reboot function in HJT. I am posting the fresh HJT and ComboFix logs. Thanks, Howard.
Attached Files
File Type: txt hijackthislog3.txt (3.8 KB, 1 views)
File Type: txt combofixlog3.txt (9.7 KB, 0 views)
  #12  
Old 11-16-2007
Banned
 
Member since: Aug 2004, 25,945 posts
Ok, let's try this.

Download DrWebCureit to your desktop.
[url]ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe[/url]
[url]http://spywareinfo.dk/download/drweb-cureit.exe[/url]

[b]Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT).[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial61.html"]HERE[/URL].

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial62.html"]HERE[/URL].

Scan with DrWeb-CureIt as follows:

* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

Copy and paste the contents of the DrWeb.csv into your next reply and attach a fresh HJT log.

Regards Howard

  #13  
Old 12-16-2007
Newcomer, in training
 
Member since: Dec 2007, 1 posts
Dear HH, (TechSpot Evangelist)

I didn't know where to put this, but I just wanted to write to you to say a HUGE 'Thank You'.

I've been battling with this problem for two weeks now, and the DrWeb_cureit solved the problem for me first time.

I can't thank you 'techies' enough... I really can't.

You just saved my old little machine from being thrown out of the window!

Thanks again,
scoobs