Looks ok, but it's not

By abl983 · 7 replies
Jan 14, 2009
  1. hi, i've followed the 8-step procedure for the past week or so, trying to get my pc working smoothly again, but there's something that was able to bury itself pretty deep that causes: a) firefox to get hijacked occasionally, b) pages to load at a much slower speed than before. the attached log files contain both the initial and most recent logs for each program recommended, as well as an additional SAS log from last night that found several tracking cookies. any help would be much appreciated. thank you.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    The Tracking Cookies are the least of your worries! I see you installed Avira sometime between 1/7 and 1/14. You should run a scan with the new, updated program.

    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    Open IE> Tools> Internet options> Security tab> Trusted Zone> Sites> remove all of the following sites from the Trusted Zone:
    Reboot into Normal Mode
    Run ComboFix:
    Please download ComboFix. HERE:

    1. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    2. Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.
    Rescan with HijackThis when through and attach both ComboFix and HijackThis logs.
  3. abl983

    abl983 TS Rookie Topic Starter

    thanks a lot. here are the logs.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Open IE> Tools> Internet options> Security tab> Trusted Zone> Sites> remove all of the following sites from the Trusted Zone:
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)

    Then click on Restricted Sites> Sites> type the following in> click on Add after each:
    (use the * as it acts as a wild card)

    Then run SDFix:

    Download SDFix from HERE and save it to your Desktop.

    1. Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)
    2. Boot into Safe Mode
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    3. Run SDFix
    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    4. Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    5. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    * Attach Report.txt back here

    Follow with rescan with HijackThis. Attach new log.

    Both Java and Adobe Reader need to be updated:
    Update Java:
    Update Adobe:
  5. abl983

    abl983 TS Rookie Topic Starter

    thanks again, bobbye.

    had to remove the two sites manually from the registry, since they weren't showing up as 'trusted' in IE, but were obviously there because of the error message i got when i tried to restrict them.

    updated adobe; java was apparently already the latest version.

    relevant logs are attached. no trojans found, apparently. how does it look to you?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Did you reboot after you restricted the sites, then run HijackThis?

    The AppInit_DLLs: lxddrr.dll entry is still coming up. I had that checked to be removed, but see I put it on a line with another process and you might not have seen it. So:
    1. Did you have HijackThis remove AppInit_DLLs: lxddrr.dll?
    2. Did you get the sites into the Restricted Zone?
    3. Did you reboot after restricting the sites?

    If these are all Yes, I will find someone to write code for the removal - I don't write code, so give me the answers and we'll go from there. The logs are okay except for this one stubborn entry!
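The two HijackThis findings that keep coming up in this thread, the O15 Trusted Zone domains and the AppInit_DLLs value, can be checked directly in the registry instead of re-running HJT after every step. The script below is an added example, not something posted by Bobbye or abl983; it assumes an elevated PowerShell prompt on the affected machine and only reads the keys, it changes nothing.

```powershell
# Added example (not from the thread): audit IE ZoneMap domains and AppInit_DLLs.
# Read-only. Run from an elevated prompt so the HKLM hive is readable in full.

# IE ZoneMap zone numbers: 1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted
$zoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-ZoneMapDomains {
    param([string]$Hive)   # 'HKLM' (what HJT reports as O15 ... (HKLM)) or 'HKCU'
    $base = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path $base)) { return }
    # Each domain is a key; optional subkeys are host labels (e.g. "www");
    # values are scheme -> zone, where scheme '*' means any scheme.
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        $key = $_
        $rel = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
        # "example.com\www" in the registry is www.example.com in the IE dialog,
        # so reverse the path segments and join them with dots.
        $parts = $rel -split '\\'
        [array]::Reverse($parts)
        $domain = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            New-Object PSObject -Property @{
                Hive   = $Hive
                Domain = $domain
                Scheme = $scheme
                Zone   = $zoneNames[$zone]
            }
        }
    }
}

function Get-AppInitDlls {
    # Any DLL listed here is loaded into every process that links user32.dll,
    # which is why a single stubborn entry matters. Empty on a clean machine.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $props = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        AppInit_DLLs     = $props.AppInit_DLLs
        LoadAppInit_DLLs = $props.LoadAppInit_DLLs   # Vista and later only; absent on XP
    }
}

# Report: Trusted Zone entries deserve a second look, as does a non-empty AppInit_DLLs.
$trusted = @('HKLM', 'HKCU') | ForEach-Object { Get-ZoneMapDomains -Hive $_ } |
    Where-Object { $_.Zone -eq 'Trusted' }
if ($trusted) { $trusted | Format-Table Hive, Domain, Scheme, Zone -AutoSize }
else { 'No Trusted Zone entries found.' }
Get-AppInitDlls | Format-List
```

On 64-bit Windows the same AppInit_DLLs value also exists under the Wow6432Node path for 32-bit processes, which this script does not read.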
  7. abl983

    abl983 TS Rookie Topic Starter

    you're right, i did miss it. just removed it with HJT.

    yes, i was able to add the sites to the restricted zone. i then installed sdfix and booted into safe mode. not sure if that technically qualifies as rebooting after restricting the sites though...

    overall, haven't seen any hijacking attempts since you've helped me out, but pages are still loading slower than before the infection. i'm wondering if this is just due to something innocuous like avira and SAS slowing things down (had no AV prog installed before, i figured just using firefox would be enough to guard against attacks - wishful thinking, i guess).

    here's the newest HJT log, btw. thanks!
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Firefox is "only" a browser. While it does have some security settings within it, in itself, it is not a security program. You need the following to have layered protection:
    1. Antivirus program
    2. Firewall
    3. Two or more spyware/adware programs.

    Your HijackThis log is clean so we will remove the cleaning tools:

    Download OTCleanIt HERE & save it to your desktop.
    1. Double click on OTCleanIt.exe.
    2. Click on CleanUp!.
    3. It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
    4. You will receive a prompt that it needs to restart the computer to remove the files>
    Click Yes.
    It will restart your computer automatically. If it doesn't, please restart your computer manually.

    Clear your existing System Restore points and establish a new clean restore point: