Various Trojan Problems - Logon, Logoff loop / Google Redirect

Status
Not open for further replies.

leaht

Posts: 8   +0
Hi, I'm new here. This looks like a pretty busy place, you guys seem to help a lot of people, and since I didn't get a reply in the other forum I found a few days ago I thought I'd try this place. Thanks in advance to anyone who takes the time to read. :)

The following is a detailed description of the issues I've encountered the past week. I apologize that it's so long, I just don't want to leave out any important details. I have also included the logs from the 8-step process. It actually looks like I've cleaned everything out, but I'd like an expert's opinion to make sure.

About a week ago, I managed to infect my system. I believe it happened when I accidentally clicked a third-party ad on a website, and silly me had my avast turned off at the time. D: My desktop picture suddenly changed itself to a .gif file that said "Your system has been compromised! Run a virus check now! Vulnerable to third-party.... etc etc" and there was a red X icon on my system tray that I had never seen before.

I ran avast and it found some corrupted files which I removed, but I still could not change my desktop picture back to normal. When I tried (by right clicking into the display properties as I normally would) it would not allow me to browse for a new picture. I could not alter the desktop in any way, so I knew something was still wrong.

Also, when I did a google search, and clicked on a search result link, it took me to unwanted websites. For example, even though the file path of the link pointed to techspot, when I clicked it, it took me to some random site.

I found the link problem to be changes in my registry and also the internet settings of my browser. Firefox was set up to access the internet through a proxy server called 7171. I disabled the proxy and deleted the 2 registry files that pointed to the proxy:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyServer = http=localhost:7171
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyOverride = *.local;<local>

That fixed the Google problem. I also found registry files that said "disabletaskmanager", "noactivedesktopchanges" and "noactivedesktop", so I deleted those. I also found a file called m3SrchMn.exe. Then I ran malwarebytes, and it found a few things that I removed.

Malwarebytes seemed to have fixed everything, though. I restarted and all was well. This was 1 week ago.

Today, I turned my computer on, and found that I was stuck in the Log-on, Log-off loop. I managed to fix that by booting from my Windows XP CD and using the recovery mode.

I then downloaded Adaware, and it turned up malware files called Win32.TrojanD\.\ader.NewMedia along with a few other things. But after that, I was suddenly unable to connect to the internet. I tried using a restore point but that didn't work. So I ran a check with internet explorer and it told me the problem was (LSP): Web Guardian. I got onto my husband's computer and learned that malware uses LSPs to mess with the firewall. (or something) So anyway, I deleted it as IE suggested, then rebooted and now I'm online again.

I have since removed Avast and installed Avira. Before starting the 8-steps recommended by this board, I ran a full Avira scan, and it found quite a few things, so I enclosed the Avira log along with my Malwarebytes, SuperAntiSpyware and HTJ logs. I ran the CCleaner twice as suggested, and it removed quite a bit. Malwarebytes found absolutely nothing, but SuperAntiSpyware found a lot.

My system's clean, everything is working normally. I believe I'm ok, but I would appreciate anyone who can verify that for me. This has been quite the nightmare, I've never infected myself like this before. D:
 

Attachments

  • AVSCAN-20090315-221629-E398500D.LOG
    27.4 KB · Views: 5
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll (file missing)
O2 - BHO: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMini.dll (file missing)
O3 - Toolbar: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMini.dll (file missing)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O20 - AppInit_DLLs: c:\program,files\permissionresearch\prai.dll nydorj.dll

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Do you know the highlighted red folder? If not delete the following folder

c:\program files\permissionresearch\

Download and Run ComboFix

  • Download this file to your desktop and save it as leaht.exe from either of the two below listed places:

    HERE or HERE

  • Then double click leaht.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply

WARNING: Do not mouse-click combofix's window whilst it's running. That may cause it to stall
 
That was a quick reply, thanks!

When ComboFix finished, my whole desktop was blank except for the background picture. My desktop icons and my tray was gone, so I rebooted. Everything is where it should be now. Is this normal after running ComboFix?
 
It can happen yes.

What about that folder?

EDIT:

You also have a couple of open ports, did you open them on purpose? If not that's another sign of this particular virus. You also have file sharing software, I would get rid of them.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    c:\windows\t55ft3518f44.dat
    
    
    Folder::
    c:\windows\SxsCaPendDel
    c:\windows\9gdfgjf23
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "80:TCP"=-
    "7171:TCP"=-

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot: CFScript.gif)

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

  • Open a folder window (for example, double-click My Computer).
  • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
  • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
  • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
  • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

Run HijackThis again and post a log back along with the combofix log.
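As an added example (not code from the thread or from any of the tools it uses), a read-only PowerShell audit of the locations this thread keeps coming back to: the WinINet proxy values leaht found pointing at localhost:7171, the DisableTaskMgr / NoActiveDesktop policies, AppInit_DLLs from the HijackThis O20 line, and the GloballyOpenPorts firewall exceptions the CFScript above removes. It assumes Windows PowerShell 2.0 or later run as the affected user; it only reports, and removal stays with the tools the thread prescribes.

```powershell
# Added, read-only audit (not from the thread or any tool in it). Assumptions:
# Windows PowerShell 2.0 or later, run as the affected user; the registry paths
# are the documented Windows locations for each setting. Reports only, never deletes.

$findings = @()

# 1. WinINet proxy: leaht found ProxyServer = http=localhost:7171 and
#    ProxyOverride = *.local;<local>, which routed browser traffic through a
#    local port the malware was listening on (the Google redirect).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyServer -match '(localhost|127\.0\.0\.1):\d+') {
    $findings += "Proxy points at this machine: ProxyServer=$($p.ProxyServer); ProxyOverride=$($p.ProxyOverride)"
}

# 2. Policy values the infection used to lock Task Manager and the desktop wallpaper.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoActiveDesktop', 'NoActiveDesktopChanges')
}
foreach ($key in $policies.Keys) {
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $policies[$key]) {
        if ($v -and $v.$name -eq 1) { $findings += "Restriction policy set: $key\$name = 1" }
    }
}

# 3. AppInit_DLLs (the O20 line in the HijackThis log): every DLL listed here is
#    loaded into each process that loads user32.dll, so it should normally be empty.
$win = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appinit = (Get-ItemProperty -Path $win -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appinit -and $appinit.Trim().Length -gt 0) { $findings += "AppInit_DLLs is populated: $appinit" }

# 4. XP firewall exceptions; each value's data is "port:protocol:scope:state:name".
#    The CFScript in the thread removed the "80:TCP" and "7171:TCP" entries here.
$ports = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
$list = Get-ItemProperty -Path $ports -ErrorAction SilentlyContinue
if ($list) {
    foreach ($prop in $list.PSObject.Properties) {
        if ($prop.Name -match '^\d+:(TCP|UDP)$') {   # skip the PS* metadata properties
            $parts = "$($prop.Value)" -split ':'
            if ($parts[3] -eq 'Enabled') {
                $findings += "Firewall exception enabled: $($prop.Name) -> $($prop.Value)"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found in the audited locations.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Every enabled firewall exception is listed rather than only 80 and 7171, so legitimate entries (Windows' own carry an @resource-dll name) need to be reviewed by eye before anything is removed.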
 
I don't know what that folder was, so I checked it along with everything else. When I went looking for it to delete it like you suggested, it wasn't listed in c:\program files anymore so I assumed HJT deleted it for me.

I'm not sure what it means to leave a port open, so I don't think it's anything I would have done on purpose, unless it has to do with the fact that I'm connecting to the internet through an ethernet cable, which is plugged into the router, which is plugged into our modem. :-/

My IE folder was located here:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\
instead of here:
C:\Windows\Temporary Internet Files
Not sure if that's important or not.

I deleted the folders, and there were two other things in the content.ie5 folder - one was "index DAT File" and the other one was "desktop configuration settings". You didn't say to delete those so I left them alone, but I thought I should mention them.

Here are the logs. How am I looking so far?
 
OTMoveIt

Please download the OTMoveIt3 by OldTimer

  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes
explorer.exe

:Services

:Reg
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"=
"7171:TCP"=

:Files
c:\windows\t55ft3518f44.dat

:Folders
c:\windows\SxsCaPendDel
c:\windows\9gdfgjf23

:commands

[purity]
[emptytemp]
[start explorer]
[Reboot]

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Download random's system information tool (RSIT) by random/random from HERE and save it to your Desktop.

  • Double click on RSIT.exe to run.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • log.txt (will be maximized) and info.txt (will be minimized)
  • Please post the contents of both logs in the next reply.
 
The best software I have come across to stop this problem is Spybot. If you download that latest version, it will block any nasties affecting your System files where all the damage is done.
 
Ok, that looks better.

P2P Warning!

  • IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    LimeWire

    Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
    Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
    http://www.techweb.com/wire/160500554
    http://www.internetworldstats.com/articles/art053.htm
    See Clean/Infected P2P Programs here

    I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    If you wish to keep it, please do not use it until your computer is cleaned.

I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
      ◦ Scan using the following Anti-Virus database: Extended (If available, otherwise use standard)
      ◦ Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    (screenshot: Kas-SaveReport-1.gif)

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    (screenshot: Kas-Savetxt.gif)

  • Include the report in your next post.
 
Sorry it took me so long to reply, I was battling a migraine today.

I went to the Kaspersky site, but it didn't prompt me to run any activex program. It did say "You need to install Java version 1.5 or later to run Kaspersky Online Scanner 7.0." which doesn't make any sense because my java is up to date. I went to java.com to confirm, and it said "You have the recommended Java installed (Version 6 Update 12)."

What should I do?

(edit) About Limewire, I haven't used it in about 6 months, but I used to use it all the time for years and never had a problem with getting infected, so I always assumed it was safe enough. I mainly needed it for certain favorite bands so I could listen to their new songs before they were available for purchase, I'm a big music junkie and can't always wait for CD release dates. ;) But after this whole scare, it isn't worth putting myself at risk. I'm going to take a look at the links you provided, and will probably end up deleting it. :( Thank you for pointing that out to me.
 
OK, let's do this then.

PANDA ONLINE SCAN
Please go >here< to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad, attach it.
 
Wonderfully. I can't thank you enough for taking the time to walk me through all of this!

As for all the different programs that I've downloaded, should I keep them and run them occasionally, to check my system? I never dreamed that malware could get this complicated - I've had Malwarebytes for a long time, and I always ran it about once a month to make sure nothing unusual was hiding in my computer. If it didn't come up with anything, I thought that was enough. Apparently not.

Do you think I should change all my passwords to websites and email now? I just remembered, I actually have them saved to a notepad file on my computer, because there's so many. Is it possible for someone to have accessed them?
 
It really couldn't hurt.

As for the programs, keep malwarebytes and SAS and we'll take care of the rest now.

Please download the OTMoveIt2 by OldTimer.

  • Double-click OTMoveIt3.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    or

    Windows Vista System Restore Guide

    Re-enable system restore with instructions from the tutorial above.



  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with anti-virus software. A tutorial on installing & using this product can be found here:

    Instructions for Spybot S & D

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.


Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:

    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place
 
I've done everything you suggested. I feel so much more secure and I learned a lot. Thank you again for all your help! You're a lifesaver!
 