Trouoble with hijacker - have followed 8 steps

[haveahijacker]

Hi,

I have a hijacker that is redirecting links from google search results.

Firefox is also crashing unexpectedly, and the system tray clock disappeared.

I have followed the eight steps and the three log files are attached. I renamed hijackthis I have also run ClamWin AV and Spy-bot search and destroy.

Any help would be appreciated.

Regards,

Steve

 

[mflynn]

Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end.

Next...

First boot to Safe Mode networking!

Open SAS and UPDATE then click Preferences then Repairs then do the following fixes.

Enable Windows Explorer options
Internet Zone Security Reset
Local page Reset
Remove Explorer Policy Restrictions
Remove Internet Explorer Policy Restrictions
Remove WinOldApp policy restrictions
Repair broken Network Connection (WinSock LSP Chain)
Reset Desktop Componets
Reset Desktop Policies
Reset URL PreFixes
Reset Web Settings
Reset Windows Clock Time Display (one or other 12 or 24 Hr)
Reset Winlogon Shell
Reset ZoneMap Settings
User Agent Post Platform Reset
User Agent reset

Then the below

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.
=========================================

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike

 

[haveahijacker]

next round of reports (was: Trouble with hijacker - have followed 8 steps)

Hi,

Have carried out the steps in the above email and the reports are attached.

I can now use google without being redirected.

How do the reports look now?

Many thanks for your help.

Steve

 

[Bobbye]

A comment: your original logs were so clean, I was going to thank you! Don't think I would have done much more- EXCEPT:

Real Time Monitoring is suppose to be temporarily disabled before running the scans.
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Mike has been somewhat overrun lately, so this might help out:

Update Java:

Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 13 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 13

Open IE> Tools> Manage Add-ons> find and lick on Java Plug-in 1.6.0_03> Disable

Update Adobe: Most current version: Adobe Reader 9.1

Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version : https://www.techspot.com/downloads/345-adobe-reader.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

Your logs are all clean. (thank you, thank you, thank you!) Since the original problem has been resolved, you can remove the cleaning tools and old restore points:

Download OTCleanIt HERE & save it to your desktop.

Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go thorough the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

Clear your existing System Restore points and establish a new clean restore point:

Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

Please let us know if you need further help.

 

[haveahijacker]

Thank you so much for your help (both Mike and Bobbye), and so quickly as well. It it gratifying to know that there is still genourosity on the internet!

I think all is well now, the problem is resolved, I've learnt a few new tricks and scrapped over 2 gig of rubbish from my computer that I hadn't previously even known about.

Many thanks once again,

Steve

 

[mflynn]

Great!

Thread Closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.

If prompted to Reboot click, Yes.
OTCleanit will delete itself when finished, If not delete it by yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can and are likely found is in System Restore so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundent Reg backup, get and install ERUNT let it add itself to startup and do a backup on install check all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner. ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

As it queries you about the prompt to help you determine to approve or not you can google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot ocassionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html

Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike