Malware popups keep reinstalling after removal

Status
Not open for further replies.

jcmussel

Posts: 7   +0
Hi, folks,

I am getting new windows opening up pages such as searchfeed.com, hornymatches.com, sethtrend.com, and buzznet.com, among others. I have tried various spyware removal programs including Ad-Aware, Spybot, AVG Anti-Spyware as well as fixit programs such as ComboFix and VundoFix, and they periodically pick up malware and I remove it. However, when I shut down the computer and restart then log onto the Internet, within a few pages opened, the problem starts all over again as the malware is reinstalled into my temporary folders and cookies.

Can anyone help? I am truly at a loss.

ps. Happy Thanksgiving to all the U.S. folks. Hope the turkey was good.

My Hijackthis file is attached.
 
Hello and welcome to Techspot.

You're running an outdated version of HJT and it needs to be renamed. See HERE.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of jcmussel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
round 1

Hello, Howard,

I take it you've done this before? Thanks in advance for your assistance.

Panda-Anti-Rootkit results: No rootkits have been found.

I have also run CCleaner multiple times, and AVG Anti-Spyware which came up with only one cookie which was deleted.

Combofix and Hijackthis logs are attached.

jcmussel
 
Yes, I've done this once or twice before lol.

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\system32\hgghigh.dll
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\yexpyqcg.dll
C:\WINDOWS\system32\gcqypxey.ini
C:\qoobox.zip
C:\windows\system32\xlibgfl254.dll
Folder::
C:\WINDOWS\system32\rMa01yy

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{248CE456-371E-440B-B9D9-6F6A8C768DD2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F8EB053-358E-4611-8F0C-DDBBFCF20C9D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96288128-1BC8-4D9C-B591-6294F8D788DF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9F1F6A0-5E25-4285-BCF8-D86CDC04A554}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b8aa3e9d"=-
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Please open notepad and copy and paste the following into it:
(don't forget to copy and paste REGEDIT4)


REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save this as "fix.reg" (choose to save as *all files) and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Regards Howard :)

This thread is for the use of jcmussel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
round 2

Hi, Howard,

Yeah, just a "once or twice". 26,000 posts- you've been busy! Do you do this full time as your occupation? If not, you should. I'm a field zoologist (freshwater mussels if it wasn't obvious).

I did what you asked (somewhat blindly- feeling a bit like a lemming! Hope there are no cliffs nearby). Attached are my ComboFix and Hijackthis logs.

jcmussel
 
Your HJT log is clean.

However, we still need to solve one or two problems in your Combofix log.

Please open notepad and copy and paste the following into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save this as "fix.reg" (choose to save as *all files) and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please post a fresh Combofix log.

Regards Howard :)

This thread is for the use of jcmussel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
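As an added illustration, not code from the thread or from Howard, the Python below shows what the two fix.reg files posted above (the one after the CFScript and the one in this reply) actually do, and how a defender can check the same registry values for tampering: it parses the REGEDIT4 text, simulates merging it into a registry represented as a dict, and flags any module in SecurityProviders or Authentication Packages that is not in the documented default list. The "infected" starting state is constructed here for the example; it appends xlibgfl254.dll (the DLL named in the ComboFix script above) to SecurityProviders, which is how such a DLL gets loaded by lsass at every boot and keeps coming back after file cleanup. The parser only understands quoted string values and `=-` deletions, which is all the thread's fixes use.

```python
"""Audit and simulate the SecurityProviders / Authentication Packages fixes.

Constructed example: the "infected" state below is built for this demo,
not taken from the thread's logs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Defaults as restored by the thread's fix.reg files (XP-era values).
DEFAULT_SECURITY_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")
DEFAULT_AUTH_PACKAGES = ("msv1_0",)

SECURITY_PROVIDERS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# The second fix.reg from the thread, verbatim.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"""

RegEntry = Tuple[str, str, Optional[str]]   # (key, value name, data); data None = delete
Registry = Dict[str, Dict[str, str]]         # {key.lower(): {name.lower(): data}}

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(-))$')


def parse_reg_file(text: str) -> List[RegEntry]:
    """Parse REGEDIT4 quoted string values and '=-' deletions, in file order.
    Other data types (hex:, dword:) are ignored; the thread's fixes do not use them."""
    entries: List[RegEntry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4" or line.startswith(";"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key is not None:
            name, data, delete = value_match.groups()
            entries.append((current_key, name, None if delete else data))
    return entries


def apply_entries(registry: Registry, entries: List[RegEntry]) -> Registry:
    """Simulate merging the parsed entries; keys and value names are case-insensitive."""
    for key, name, data in entries:
        values = registry.setdefault(key.lower(), {})
        if data is None:
            values.pop(name.lower(), None)      # "name"=-  removes the value
        else:
            values[name.lower()] = data
    return registry


def unexpected_modules(data: str, baseline: Tuple[str, ...]) -> List[str]:
    """Return every comma-separated module in `data` that is not in `baseline`."""
    allowed = {item.lower() for item in baseline}
    return [item.strip() for item in data.split(",")
            if item.strip() and item.strip().lower() not in allowed]


def audit(registry: Registry) -> Dict[str, List[str]]:
    """Report non-default modules in the two values the thread's fixes rewrite."""
    providers = registry.get(SECURITY_PROVIDERS_KEY.lower(), {}).get("securityproviders", "")
    packages = registry.get(LSA_KEY.lower(), {}).get("authentication packages", "")
    return {
        "SecurityProviders": unexpected_modules(providers, DEFAULT_SECURITY_PROVIDERS),
        "Authentication Packages": unexpected_modules(packages, DEFAULT_AUTH_PACKAGES),
    }


def sample_infected_registry() -> Registry:
    """Constructed state: the malware DLL from the CFScript appended to SecurityProviders."""
    return {
        SECURITY_PROVIDERS_KEY.lower(): {
            "securityproviders": "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"
        },
        LSA_KEY.lower(): {"authentication packages": "msv1_0"},
    }


def run_fix(registry: Registry) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Audit, merge FIX_REG, audit again; returns (before, after)."""
    before = audit(registry)
    after = audit(apply_entries(registry, parse_reg_file(FIX_REG)))
    return before, after


if __name__ == "__main__":
    before, after = run_fix(sample_infected_registry())
    print("before:", before)   # flags xlibgfl254.dll
    print("after: ", after)    # nothing flagged
```

The delete-then-set pair in the .reg file is deliberate: `"SecurityProviders"=-` removes the value outright, and the following line recreates it from scratch with only the default modules, so nothing the malware appended survives. On a live system, read the data type as well as the string: Authentication Packages is a REG_MULTI_SZ value, so a .reg file that writes it as a quoted string changes its type, and the default lists hard-coded here are the XP-era ones from this thread, so compare against the defaults for the Windows version you are actually auditing.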
 
round 3

Hi, Howard,

... a bit sleepy. Got up in the middle of the night (it's 3 am across the pond here) for some water and found your post.

My Combofix log is attached. Can it be we are almost done???

jcmussel
 
Yes, we're done mate.

Click start/run and type combofix /u into the run box and hit the enter key. That should delete Combofix and all its folders etc.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of jcmussel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
round 4

Thanks so much, Howard,

Quickly, before you leave me to fend for myself (SCARY), I downloaded quite a few programs in the course of trying to fix this problem plus I had some already. Can you tell me which I should remove outright, which to keep permanently, and which I should reinstall only if I have problems some time in the future? The reason I ask is that (1) some may be competing, (2) some may only be necessary to reinstall only if I have problems in the future, (3) some may not have a "check for updates" feature and become quickly out of date. I assume I should reactivate Teatimer in Spybot, turn Ad-Watch back on, and reactivate the Resident Shield in AVG Anti-Spyware?

Programs:
PAVARK
Ad-Aware 2007
Spybot Search and Destroy
AVG Anti-Spyware
CCleaner
Hijackthis
Look2Me-Destroyer
SDFix
VundoFix
ATF-Cleaner

Also, on shutdown, I get a hasty error message: regsvr32 [This is located in my windows/system32 folder on the C drive] The application failed to initialize because the windows station is shutting down.

Thanks once again for all your assistance. Does TechSpot provide a means to offer positive feedback on your assistance? If so, just let me know and the glowing recommendations will rain down....

jcmussel
 
I suggest you uninstall all the tools/programmes we used during clean up, except for SS&D, Ad-Aware and Ccleaner.

Can you give me the exact error message you're receiving?

Regards Howard :)

This thread is for the use of jcmussel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
round 5

Thanks,

The error message at shutdown reads: [note: top line is the header for the error box, bottom line is the actual error message]


RegSVR32.exe - DLL initialization failed
The application failed to initialize because the windows station is shutting down.

I noted in other tech help forums that it may have to do with my Orb installation (http://forums.whatthetech.com/RegSVR32_exe_DLL_initialization_failed_t85121.html) Have you heard of this?

Also, I assume I should reactivate Teatimer in Spybot, turn Ad-Watch back on, and reactivate the Resident Shield in AVG Anti-Spyware?

jcmussel
 
I actually suggest you uninstall AVG Antispyware to prevent resource drain.

By all means re-activate SS&D Teatimer and ADwatch.

I suggest uninstalling and reinstalling the Orb software and see if that helps and let me know.

Regards Howard :)

This thread is for the use of jcmussel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
round 6

Yeah,

That did the trick. Uninstalled then reinstalled Orb.

So, I'll uninstall ComboFix, Hijackthis, and AVG Anti-Spyware (you sure about this last one? It's always popping up messages to tell me how many "potential" spyware it is constantly blocking for me).

I also have SDFix and VundoFix. VundoFix has been helpful in the past. SDFix was a desperation install before I contacted you. I also have Look2Me-Destroyer. I assume this is just one of Spybot's competitors. I used it once without much luck.

How about my old results log files from these programs. I am inclined to trash these, too.

jcmussel
 
It's up to you mate. If you want to keep AVG Antispyware, then by all means do so. Vundofix can be kept if you feel the need.

Yes, you can get rid of the old log files, we don't need them.

Regards Howard :)

This thread is for the use of jcmussel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 