Followed the 8-step viruses/spyware/malware process


techdummy415

Hello,

Thanks for the 8-step instructions to get my viruses (or whatever they are called) removed. I found this website because I have two major problems on my computer, which are as follows.

Google/Yahoo search results get redirected: I have had this problem for about 6 weeks now and do not know how to fix it. I did the 8 step process as you recommended but still have this problem.

False positive with System Security virus: This program seems to have been removed after using the recommended antispyware scans. I thought it would be still important to let you know that I had this at one time.

As requested, I have attached the 3 logs. Please let me know what I need to remove, and how I can remove these infected files. Thanks for all your help.

Techdummy415
 
The logs paint this as a "handled" case. However, you cite that the browser is still being redirected.

Please run ComboFix & HJT. ComboFix cleans & provides diagnostic information that is used to find enabling infection that remain or just residue. As with most scans, the repeat scan looks for any infection that is now unmasked or a clean run. Always assess if symptoms remain.

Supporting information

Please see this for instructions:
Temporarily Disable Real Time Monitoring Programs:
1. Spybot S&D (Teatimer)
2. Ad-Aware Ad-Watch
3. Spywareguard
4. Windows Defender
5. TrojanHunter Guard
6. Disable SpySweeper
7. WinPatrol
8. CounterSpy
9. AVG Anti-Spyware (formerly ewido)
10. Spyware Doctor
11. Prevx
12. ProcessGuard
13. ZoneAlarm's OS Firewall
14. Ad-Aware 2007 Service
 
It Worked!!

Hello,

Thanks for the advice. I ran the last program and it deleted an additional 3 files on my computer. I thought I would never get this fixed. Also, my computer seems to be running as good as when I first bought it a few years ago. I've attached the logs to this reply.

Cheers
 
It's still there.. Well, at least the folder is:

c:\documents and settings\All Users\Application Data\327481232

Check to make sure it's empty, then delete the folder.

System Security is one of those brutal infections that Combofix doesn't deal with adequately yet. I just ran into that one two days ago.

EDIT: After you delete that folder, run CCleaner (both the file cleanup and the registry cleaner)
 
Thanks for the info. I was just going to post another reply stating that my browser just got hijacked again. I'll follow your steps and report back.

Stupid question, how do I get to c:\documents and settings\All Users\Application Data\327481232? When I hit the start button then to go "my computer" I double click the "local c drive" and then "documents and settings". Finally I click "all users" but after that there does not appear to be an option for "application data". I must be doing something wrong. Thanks.
 
In My Computer:

Go to Tools > Folder Options

Click the View tab

Check "Show hidden files and folders"

Uncheck "Hide extensions for known file types"

Uncheck "Hide protected operating system files", then click OK in the pop-up prompt

Click OK.

Then go back to that folder and try it.
 
Ok so I found the 327481232 folder and found 3 files located under that folder. I deleted the three files under that folder and then deleted the folder itself. I ran CCleaner (both the file cleanup and registry cleaner). After all this, I restarted my computer.

Unfortunately my google search results were still getting redirected so I decided to rerun combofix as my problem was temporarily fixed after I ran it the first time. I finally ran hijack this to get an updated log. I have posted both the combofix and hijack log to this post.

My google search results are not getting redirected as of yet. I'm kind of skeptical as this was only temporarily fixed the first time. Let me know if you see anything else suspicious in my computer. Thanks!!!
 
I don't see anything else in those logs, but run this just to be certain.

And for God's sake.. When you're finished delete some of that crap. Your computer will barely run with all that jazz in there. Kill Mcafee (do NOT use the uninstaller. Use the McAscrap Removal Tool), Spybot, WinPatrol, Superantispyware and Malwarebytes. You can reinstall the last two if you need them again.

It's pretty obvious what the first three are worth. Malwarebytes will start screwing with your cookies, interrupting things like Java games, etc (Prime example is Pogo).

One other thing I find amusing. You use Firefox. How often do we hear the Firecrap fanboys raving about how Firefox protects them from infections? I guess we can link them to your logs..... ;)
 
So I don't know if this is just a coincidence, but I was trying to download the One Republic CD online (I think it was emp3.com) when my Mcafee suddenly warned me that they detected a trojan (the end of the file was called dll I think). Shortly after, the following problems occurred on my comp.

1. Windows Automatic Update not turned on message: That message was on the bottom right of my computer and I clicked the balloon to try to fix it. When I get the option to turn on automatic updates, windows tells me that I cannot and have to do this through my control panel. When I go to control panel, it tells me that the automatic updates are already turned on.

2. The time on the bottom right turned to military time.

3. My shortcut icons on the bottom left (to the right of the start button) are now missing.

4. My computer goes REALLY slow.

I decided to redo the 8 step process after installing Avira (and deleting Mcafee). Avira found a malware during the scan (file called AcrA3BB.tmp). Avira moved that file to 49d32812.qua. Don't know what that means but I'm sure you do. When running MALB and Super, they both found a bunch of infected files, more than before.

When I restarted the computer after the final step, my computer still had a warning stating that automatic updates was not turned on. Only this time, I was able to turn it on after clicking on the balloon.

The only symptoms that persist are 2 and 3 from above. Also, I have attached my logs to make sure there is nothing lingering. Was this recent attack due to the last virus I caught, or was this a completely separate issue and I have just been unlucky recently?

Thanks for all your help.
 
My Avira just found another trojan called the softomat trojan. Don't know what that is but I guess Avira is working. The file name is called a1063069.dll. Is my computer toast?

Help!!! Please see the post above which is the most recent issue I've been having. Thanks.
 
Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
You need to run this multiple times, until all hidden Malwares are uncovered and removed

So far, so good ;)
 
Still having problems

Help someone! I am still having virus problems in my computer. I just recently had one today and ran the 8 step virus twice (until the programs stopped detecting a problem). Keep in mind, I did the same 8 step last week more times than I want to remember.

Although nothing was detected the second time through I do notice that I now have the YOOG SEARCH virus that I cannot remove. I don't know what else to do.

I've attached the most recent logs to this post. Thank you.
 
Please rescan with HJT and tick the following entries
Before selecting Fix all, close any\all Internet browsers
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
O20 - AppInit_DLLs: bqnwyd.dll epdnpw.dll

Before restarting download Combofix
Lots of info on its use here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Direct download here: https://www.techspot.com/downloads/5587-combofix.html

Save it to a location that you can easily find later (in Safe Mode), i.e. directly to the C drive

Restart your computer to Safe Mode (by repeatedly pressing F8 on your keyboard before Windows starts)
Log into your Administrator account
Locate the previously downloaded Combofix
Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)

Once Combofix has finished, save the log file to be attached to a new reply
Restart back to Normal mode, and attach the Combofix log
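As an added example that is not part of this thread, here is a small Python parser for the HijackThis O16 (DPF) and O20 (AppInit_DLLs) line formats the post above asks to fix, run over those same lines as a constructed sample (the O4 line is made up, included only as a line the parser should ignore); it pulls out the CAB download hosts and any AppInit_DLLs names for an analyst to review.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the four HijackThis lines quoted in the post above, plus
# one ordinary O4 (Run key) line that the parser should ignore.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
O20 - AppInit_DLLs: bqnwyd.dll epdnpw.dll
"""

# O16 = Downloaded Program Files (ActiveX CABs): "{CLSID} (optional name) - URL"
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
# O20 = the AppInit_DLLs registry value: a whitespace-separated list of DLLs
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")

def parse_hjt(text):
    """Return (dpf_entries, appinit_dlls) extracted from a HijackThis log."""
    dpf, appinit = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O16_RE.match(line)
        if m:
            dpf.append({"clsid": m.group(1).upper(), "name": m.group(2) or "",
                        "url": m.group(3), "host": urlsplit(m.group(3)).hostname})
            continue
        m = O20_RE.match(line)
        if m:
            appinit.extend(m.group(1).split())
    return dpf, appinit

def review(text):
    """Turn the parsed entries into a short list of items for the analyst."""
    dpf, appinit = parse_hjt(text)
    findings = []
    # AppInit_DLLs is empty on a clean Windows XP install, and every DLL listed
    # there is loaded into each process that maps user32.dll: always a finding.
    for dll in appinit:
        findings.append(f"AppInit_DLLs loads {dll} into every GUI process")
    # O16 CABs are ActiveX code pulled from the listed host; report the host so
    # the analyst can confirm it belongs to the vendor the CAB claims to be.
    for e in dpf:
        findings.append(f"ActiveX CAB {e['clsid']} fetched from {e['host']}")
    return findings

if __name__ == "__main__":
    for item in review(SAMPLE_HJT_LOG):
        print(item)
```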
 
Thanks,

So I followed your steps as closely as possible. I still have the yoog search in my toolbar. Of note, when I initially restarted in safe mode, I could not locate the combo fix file as I saved it on my desktop (sorry, I thought the desktop is the same as c drive). So I had to restart in normal mode and move to the c drive. I then restarted and when I opened combo fix, a warning stating that my antivirus is running came up.

I tried to disable my av, however I don't think it was actually running because when I opened up the av program, it said that it was disabled. Also, when combofix was running I noticed that the program stated that it could not locate some temporary folder. The message was too quick for me to note down.

I don't know if this is important for you but I figured it couldn't hurt to tell you everything since I think my computer is still infected. Thanks!!!
 
Reset your browser settings:

Internet Explorer: https://www.techspot.com/vb/post682762-2.html

Firefox:

http://kb.mozillazine.org/Resetting_preferences
If you simply want to start over with the default set of Firefox preferences, remove the prefs.js file (and the user.js file, if it exists) from the Firefox profile folder. Firefox will rebuild the prefs.js file from program defaults. This restores the default values of all preferences displayed in about:config and will restore the default theme.
 