8 Steps done for system with search redirecting/trojan detected

[djsayut]

Hi,
I am currently in my second day of trying to get my computer back to rights after being infected with a trojan. Currently everything seems ok except all my searches are still being redirected. Any help would sure be appreciated. Thanks.

 

[Bobbye]

Welcome to TechSpot, djsayut. My apology for the delay. Thank you for your patience.

I'd like you to submit a file for identification: Open this site> http://virscan.org/
Browse to this file on your computer:
C:\WINDOWS\userinit.exe

Upload and submit for analysis.
Please paste the results into your next reply.

You have a lot of Adobe entries. The problem is that you have an outdated version-v7- it's important that you keep this current so please update to v9.xx:

Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

It would be best if you disable the Trojan Scanner while we''re cleaning. This is the entry:
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot

You may need to go into Safe Mode to disable it.

I am also very conservative about putting sites in the Trusted zone. None actually need to be in that zone and it has a lower security setting than the internet zone. Leave this is you have an intranet set up- otherwise I suggest you remove it from the Trusted Zone:
invitrogen.com

Contorl Panel> Internet Options> Security tab> Trusted Zone> Sites> remove the site> Apply> OK

 

[djsayut]

Thank you so much for your help, I'm at wit's end over here.

I have deleted my old version of Adobe and updated to 9.3. I have also ran the userinit file from my windows directory, however since it had been detected and deleted by malwarebytes, I scanned the quarantined file. I am not sure if this would effect the result, but I didn't want to restore it either. The results are pasted below:

VirSCAN.org Scanned Report :
Scanned time : 2010/01/20 23:21:50 (EST)
Scanner results: Scanners did not find malware!
File Name : QUAR1.91747
File Size : 24576 byte
File Type : data
MD5 : 277ddae8b31fd15698f04aa1238ba1aa
SHA1 : 1b6b2c3d9c9411ca8b310ae32e626da84a7d0877
Online report : http://virscan.org/report/50f49090784d45525b1753f454e565d5.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100121063125 2010-01-21 5.19 -
AhnLab V3 2010.01.20.01 2010.01.20 2010-01-20 1.58 -
AntiVir 8.2.1.146 7.10.3.30 2010-01-20 0.34 -
Antiy 2.0.18 20100120.3726318 2010-01-20 0.02 -
Arcavir 2009 201001201837 2010-01-20 0.02 -
Authentium 5.1.1 201001210013 2010-01-21 1.26 -
AVAST! 4.7.4 100120-1 2010-01-20 0.01 -
AVG 8.5.720 271.1.1/2635 2010-01-21 0.24 -
BitDefender 7.81008.4878549 7.29981 2010-01-21 4.24 -
CA (VET) 35.1.0 7247 2010-01-19 17.64 -
ClamAV 0.95.2 10318 2010-01-21 0.01 -
Comodo 3.13.579 3409 2010-01-20 1.52 -
CP Secure 1.3.0.5 2010.01.20 2010-01-20 0.01 -
Dr.Web 4.44.0.9170 0004.00.00 0004-00-00 8.68 -
F-Prot 4.4.4.56 20100120 2010-01-20 1.43 -
F-Secure 7.02.73807 2010.01.20.12 2010-01-20 0.06 -
Fortinet 11.399- 11.399 2010-01-20 0.28 -
GData 19.10058/19.689 20100121 2010-01-21 10.18 -
ViRobot 20100120 2010.01.20 2010-01-20 0.75 -
Ikarus T3.1.01.80 2010.01.21.75008 2010-01-21 4.58 -
JiangMin 13.0.900 2010.01.19 2010-01-19 13.92 -
Kaspersky 5.5.10 2010.01.21 2010-01-21 0.02 -
KingSoft 2009.2.5.15 2010.1.21.7 2010-01-21 0.81 -
McAfee 5.3.00 5867 2010-01-20 3.33 -
Microsoft 1.5302 2010.01.20 2010-01-20 9.00 -
Norman 6.01.09 6.01.00 2010-01-16 4.02 -
Panda 9.05.01 2010.01.20 2010-01-20 9.91 -
Trend Micro 9.120-1004 6.790.01 2010-01-20 0.02 -
Quick Heal 10.00 2010.01.21 2010-01-21 2.09 -
Rising 20.0 22.31.03.01 2010-01-21 0.45 -
Sophos 3.03.0 4.49 2010-01-21 3.29 -
Sunbelt 3.9.2390.2 5626 2010-01-19 4.14 -
Symantec 1.3.0.24 20100112.005 2010-01-12 0.00 -
nProtect 20100118.03 6934584 2010-01-18 11.60 -
The Hacker 6.5.0.8 v00157 2010-01-20 0.87 -
VBA32 3.12.12.1 20100119.2151 2010-01-19 3.09 -
VirusBuster 4.5.11.10 10.119.13/2028414 2010-01-21 3.65 -

Also, I should mention that when I first started detecting the virus on my system I went through a period where I couldn't log into windows. What eventually got me back to rights was recovering my registry as though it was corrupted in the recovery console and then loading a system restore point. If I knew then what I know now I would have just formatted, but here I am. Thanks again for the help.

 

[Bobbye]

Depending on when you did the System Restore, if malware was on the restore points, you could have reinfected the system.

Please run this:
Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
  Important! Save the renamed download to your desktop.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

• Double click on the setup file on the desktop to run
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
• When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
  
• Query- Recovery Console image
  
  
  
  
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
  
  
• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Follow with this:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Then a new scan with HijackThis.
Attach the Combofix report, Eset log and new HJT log to next reply.

Please don't do any other recovery attempts while we are trying to clean the system.

 

[djsayut]

Ran ComboFix and Eset with both coming back with something. Those logs and a highjackthis log are attached.

 

[Bobbye]

Please open this site: http://virusscan.jotti.org/en

Browse to this file on your system: c:\windows\system32\userinit.exe

Upload it to the scan box and run. Paste the scan log in next reply.

The Eset find is a file that was quarantined in Combofix (Qoobox) When I have you uninstall Combofix it will be removed. It's not active in the system now.

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes	
  
  :Services
  
  :Reg
  
  :Files  
  c:\documents and settings\Administrator.UMASS-1F6C5E3AB.000\Application Data\Malwarebytes
  c:\documents and settings\Administrator.UMASS-1F6C5E3AB.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

[djsayut]

I am so grateful for your help and your timely responses. I can't believe how quick you are given the incredible demand on this board.

The scan for the userinit file in the system32 dir is below, and the OTM log should be attached:

Filename: userinit.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sun 24 Jan 2010 02:53:50 (CET) Permalink

File size: 24576 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 39b1ffb03c2296323832acbae50d2aff
SHA1: e5aedcbe25a97c89101f1f3860ff846e94d70445

2010-01-23 Found nothing
2010-01-23 Found nothing
2010-01-24 Found nothing
2010-01-24 Found nothing
2010-01-23 Found nothing
2010-01-23 Found nothing
2010-01-23 Found nothing
2010-01-24 Found nothing
2010-01-22 Found nothing
2010-01-23 Found nothing
2010-01-23 Found nothing
2010-01-23 Found nothing
2010-01-22 Found nothing
2010-01-22 Found nothing
2010-01-24 Found nothing
2010-01-24 Found nothing
2010-01-23 Found nothing
2010-01-23 Found nothing
2010-01-23 Found nothing
2010-01-23 Found nothing

Thanks.

 

[Bobbye]

Okay, you need to reboot to complete the process.

Are you having any more malware related problems? If so, what? If not, run one more HijackThis scan for me>>>>>>>>> please disable TeaTimer before running this last scan:

• Right click the TeaTimer icon in the system Tray
  
• Then click Exit Spybot-S&D Resident
• (One you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe

Leave new log. Almost through.

 

[djsayut]

It seems like it is no longer redirecting, which is fantastic! The latest hijackthis log should be attached.

 

[Bobbye]

Clean as a whistle! If the original problem have been resolved, you can remove the cleaning tools and old restore points:

Uninstall ComboFix.exe And all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

Remove all of the tools we used and the files and folders they created

• DownloadOTCleanIt by OldTimer
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

If you are prompted to Reboot during the cleanup, select Yes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Let me know if you need help in the future.