Help me kill this

Status
Not open for further replies.

edawg159

OK, so I got a nasty infection with that malware that takes over your Task Manager, turns your desktop into a blue "Warning: you have a spyware infection" and fires off pop-ups like crazy.

I ran through the instructions on these forums and was able to remove nearly all the infections. All scans in the preliminary instructions come back clean.

The problem that remains is that when I perform Google searches, when the Google links appear and I click on them, I get redirected/jump to some other page. This happens maybe every 3rd search.

I've been working on cleaning my machine for a couple of days; hopefully an expert on this board can help me finish this thing off. Any help is appreciated.

Enclosed is a recent HJT log.
 
Pretty sure this is the problem:

O2 - BHO: (no name) - {db41de82-1dd1-11b2-b7fd-fbaf280c36b9} - C:\WINDOWS\ngjwfexo.dll

Please click Start -> Run -> regedit

And do a search for this key: db41de82-1dd1-11b2-b7fd-fbaf280c36b9
(it'll be under Browser Helper Objects, in HKEY_LOCAL_MACHINE)

Once found, remove it.

Also remove C:\WINDOWS\ngjwfexo.dll
(from the Windows directory)

This will help you a lot, I believe.
 
Thanks so much, I was able to find it and delete it. I also ran Webroot's SpySweeper and it found another spyware trojan; I was able to delete it from C:\Windows and from C:\Recycler. I'm going to do a full scan overnight. I'll post the results if anything is strange.
 
We have spyware specialists here who can confirm every step you should take.
From reading many posts from these guys, it is possible that you may still be infected (i.e. I'm not a spyware specialist, but I can help a little).

Therefore, you may want to attach your log and scan results to a new post here (and then wait for a reply).
By the way (a little bit more advice!), I'd say remove Norton fully (it didn't help anyway) and install AVG Free and do another big scan (manually updated 3x on first install).

I bet AVG Free finds more positive issues and removes them (strangely).
 
Windows XP SP1 <- This is an easy way to become infected. SP2 had a lot of security upgrades; you are also probably missing 60+ updates, and SP3 is already coming out.

You also have a redirect through RedSheriff: as you can see, you can still get to Yahoo!, but you are redirected through RedSheriff first, where they collect info.

This should be mostly cleared up by Spybot and Ad-Aware; Spybot can set a hosts file for you so this won't happen.
-------------------------------------------------------------------------------------------------------
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked.

--------------------------------------------------------------------------------------------------------

I highly recommend you upgrade to SP2 as soon as possible, after we get you clean.
 
Platform: Windows XP SP1 (WinNT 5.01.2600)
I missed that :(
But Blind Dragon doesn't miss a beat
From now on I'll check that too (plus Normal; plus version; plus a million other things!)
 
Platform and version: I glance at that; after that I look at the running processes to check the folder HJT is installed to. Then I look at the entries.
 
Thanks all -
I followed BlindDragon's instructions with HJT.

I'm updating Windows, and I'll re-run AVG and post the log along with a new HJT log.
 
You may find that AVG may need to be re-installed.
Actually there are many preliminary steps to do before loading SP2.
One of the most important (if not the number one importance) is to have a virus-free and basically bug-free system before loading SP2 (otherwise Windows may not load).

We all remember those days: load SP2, XP fails!
 
OK, attached are the new logs after I made the HJT fixes stated in this post and rebooted. I can't install SP2; I get a message "catalogs fail" and it also freezes up my system.
 
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O2 - BHO: (no name) - {db41de82-1dd1-11b2-b7fd-fbaf280c36b9} - (no file)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Rename HijackThis.exe to edawg159.exe by doing the following:

  • Navigate here using Windows Explorer (Windows key + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
  • Right-click on HijackThis.exe
  • Choose "Rename" from the pull-down menu
  • Now rename HijackThis.exe to edawg159.exe
  • When you've renamed HijackThis, open HijackThis again.
  • Take a fresh HijackThis log (click Do a system scan and save a log file)
  • Post the fresh HijackThis log here.
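As an added example (not from this thread or from HijackThis itself): a small Python checker that reads HJT log lines like the O2, R1, R3 and O16 entries fixed above and the unnamed BHO removed via regedit earlier, and flags the patterns the helpers keyed on. The sample log is constructed from the entries quoted in the thread, and the flagging rules are my own assumed heuristics, not HijackThis logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the entries quoted in this thread (not a real scan).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {db41de82-1dd1-11b2-b7fd-fbaf280c36b9} - C:\WINDOWS\ngjwfexo.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")


@dataclass
class Finding:
    kind: str             # HJT section code, e.g. "O2"
    clsid: Optional[str]  # lowercased CLSID if the line carries one
    reason: str           # why the line was flagged


def flag_entry(line: str) -> Optional[Finding]:
    """Apply the rules of thumb used in this thread to one HJT log line (assumed heuristics)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    guid = GUID_RE.search(body)
    clsid = guid.group(0).lower() if guid else None
    if kind == "O2" and "(no name)" in body:
        # A BHO with no friendly name; the last field is the DLL it loads, or "(no file)"
        target = body.rsplit(" - ", 1)[-1]
        reason = "dangling registration" if target == "(no file)" else f"unnamed BHO loading {target}"
        return Finding(kind, clsid, reason)
    if kind == "R3" and "(no file)" in body:
        return Finding(kind, clsid, "URLSearchHook pointing at a missing file")
    if kind == "R1" and "*http://" in body:
        # Search URL that bounces through an intermediate host before the real destination
        return Finding(kind, None, "search URL routed through an intermediate host")
    if kind == "O16" and body.rstrip().endswith("-"):
        return Finding(kind, clsid, "ActiveX download entry with no file")
    return None


def scan_log(text: str) -> List[Finding]:
    """Return every flagged entry in a whole HJT log, in log order."""
    return [f for f in (flag_entry(ln) for ln in text.splitlines()) if f]
```

Running `scan_log(SAMPLE_LOG)` flags four of the five sample lines and leaves the named BHO with a real path alone; the heuristics are a triage aid, not a verdict.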
 
Just to add

Before loading Service Pack 2, make sure to uninstall all the Spyware and Antivirus and Firewall programs fully first.

Also consider AVG Free instead of Norton
 
One last thing: I ran Search and Destroy and Webroot's SpySweeper again. S&D comes back clean;

however, SpySweeper is picking up:
purityscan
winad
wurldmedia
hiwire
 
Download and Run ComboFix
  • Download this file to your desktop from either of the two places listed below:

    HERE or HERE
  • Then double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply.
WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
kimsland said:
Just to add

Before loading Service Pack 2, make sure to uninstall all the Spyware and Antivirus and Firewall programs fully first.

Also consider AVG Free instead of Norton

I'm quoting my own post, and asking Kritius (or any others) a question:

Can you go from SP1 to SP3? (to be released later this month)
 
It's actually usually better to wait until the computer is clean before moving from SP1 to SP2, as moving up on an infected computer can cause problems; at the moment it's probably better to get SP2 before getting SP3.
 
On a clean computer, I believe you can go straight to SP3 from SP1 though, because it includes all previous updates.
 
Thanks Blind Dragon, 'cause you're not going to believe it, but my Windows OS is XP SP1, so I was thinking to create a new clean image.
 