Various Trojan Problems - Logon, Logoff loop / Google Redirect

By leaht ยท 18 replies
Mar 16, 2009
  1. Hi, I'm new here. This looks like a pretty busy place, you guys seem to help a lot of people, and since I didn't get a reply in the other forum I found a few days ago I thought I'd try this place. Thanks in advance to anyone who takes the time to read. :)

    The following is a detailed description of the issues I've encountered the past week. I apologize that it's so long, I just don't want to leave out any important details. I have also included the logs from the 8-step process. It actually looks like I've cleaned everything out, but I'd like an experts opinion to make sure.

    About a week ago, I managed to infect my system. I believe it happened when I accidentally clicked a third-party ad on a website, and silly me had my avast turned off at the time. D: My desktop picture suddenly changed itself to a .gif file that said "Your system has been comprimised! Run a virus check now! Vulnerable to third-party.... etc etc" and there was red X icon on my system tray that I had never seen before.

    I ran avast and it found some corrupted files which I removed, but I still could not change my desktop picture back to normal. When I tried (by right clicking into the display properties as i normally would) it would not allow me to browse for a new picture. I could not alter the desktop in any way, so I knew something was still wrong.

    Also, when i did a google search, and clicked on a search result link, it took me to unwanted websites. For example, even though the file path of the link pointed to techspot, when I clicked it, it took me to some random site.

    I found the link problem to be changes in my registry and also the internet settings of my browser. Firefox was setup to access internet through a proxy server called 7171. I disabled the proxy and deleted the 2 registry files that pointed to the proxy:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings, ProxyServer =http=localhost:7171
    HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings, ProxyOverride = *.local;<local>

    that fixed the google problem. I also found registry files that said "disabletaskmanager" "noactivedesktopchanges" and "noactivedesktop" so I deleted those. I also found a file called m3SrchMn.exe. Then I ran malwarebytes, and it found a few things that I removed.

    Malwarebytes seemed to have fixed everything, though. I restarted and all was well. This was 1 week ago.

    Today, I turned my computer on, and found that I was stuck in the Log-on, Log-off loop. I managed to fix that by booting from my Windows XP CD and using the recovery mode.

    I then downloaded Adaware, and it turned up malware files called Win32.TrojanD\.\ader.NewMedia along with a few other things. But after that, I was suddenly unable to connect to the internet. I tried using a restore point but that didn't work. So I ran a check with internet explorer and it told me the problem was (LSP): Web Guardian. I got onto my husbands computer and learned that malware uses LSP's to mess with the firewall. (or something) So anyway, I deleted it as IE suggested, then rebooted and now I'm online again.

    I have since removed Avast and installed Avira. Before starting the 8-steps recommended by this board, I ran a full Avira scan, and it found quite a few things, so I enclosed the Avira log along with my Malwarebytes, SuperAntiSpyware and HTJ logs. I ran the CCleaner twice as suggested, and it removed quite a bit. Malwarebytes found absolutely nothing, but SuperAntiSpyware found a lot.

    My systems clean, everything is working normally. I believe i'm ok, but I would appreciate anyone who can verify that for me. This has been quite the nightmare, I've never infected myself like this before. D:

    Attached Files:

  2. kritius

    kritius TS Guru Posts: 2,084

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll (file missing)
    O2 - BHO: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMini.dll (file missing)
    O3 - Toolbar: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMini.dll (file missing)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
    O20 - AppInit_DLLs: c:\program,files\permissionresearch\prai.dll nydorj.dll

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Do you know the highlighted red folder? If not delete the following folder

    c:\program files\permissionresearch\

    [​IMG]Download and Run ComboFix

    • Download this file to your desktop and save it as, leaht.exe from either of the two below listed places :

      HERE or HERE

    • Then double click leaht.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply

    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  3. leaht

    leaht TS Rookie Topic Starter

    That was a quick reply, thanks!

    When ComboFix finished, my whole desktop was blank except for the background picture. My desktop icons and my tray was gone, so I rebooted. Everything is where it should be now. Is this normal after running ComboFix?
  4. kritius

    kritius TS Guru Posts: 2,084

    It can happen yes.

    What about that folder?


    You also have a couple of open ports, did you open them on purpose? If not that's another sign of this particular virus. You also have file sharing software, I would get rid of them.


    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.

      Under Main choose: Select All

      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    • Open a folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

    Run HijackThis again and post a log back along with the combofix log.
  5. leaht

    leaht TS Rookie Topic Starter

    I don't know what that folder was, so I checked it along with everything else. When I went looking for it to delete it like you suggested, it wasn't listed in c:\program files anymore so I assumed HJT deleted it for me.

    I'm not sure what it means to leave a port open, so I don't think it's anything I would have done on purpose, unless it has to do with the fact that I'm connecting to the internet through an ethernet cable, which is plugged into the router, which is plugged into our modem. :-/

    My IE folder was located here:
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\
    instead of here:
    C:\Windows\Temporary Internet Files
    Not sure if that's important or not.

    I deleted the folders, and there were two other things in the content.ie5 folder - one was "index DAT File" and the other one was "desktop configuration settings". You didn't say to delete those so I left them alone, but I thought I should mention them.

    Here are the logs. How am I looking so far?
  6. kritius

    kritius TS Guru Posts: 2,084

    Looking over now.
  7. kritius

    kritius TS Guru Posts: 2,084


    Please download the OTMoveIt3 by OldTimer

    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [start explorer]

    • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3

    Download random's system information tool (RSIT) by random/random from HERE and save it to your Desktop.

    • Double click on RSIT.exe to run.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt <will be maximized and info.txt <will be minimized
    • Please post the contents of both logs in the next reply.
  8. leaht

    leaht TS Rookie Topic Starter

    Here they are. I had to reboot after OTMoveIt3 but not after the RSIT.
  9. derekroysmith

    derekroysmith TS Rookie

    The best software I have come across to stop this problem is Spybot. If you download that latest version, it will block any nasties affecting your System files where all the damage is done.
  10. kritius

    kritius TS Guru Posts: 2,084

    Ok, that looks better.

    P2P Warning!

    • IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.


      Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
      Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

      I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

      References for the risk of these programs can be found in these links:
      See Clean/Infected P2P Programs here

      I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

      If you wish to keep it, please do not use it until your computer is cleaned.

    I would like you to do an online scan so that we can what else may be in your system,
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

    • Include the report in your next post.
  11. derekroysmith

    derekroysmith TS Rookie

    I only use Limewire in Ubuntu, so Viruses are not really a problem, plus in Windows, Spybot and AVG keeps the computer clean
  12. leaht

    leaht TS Rookie Topic Starter

    Sorry it took me so long to reply, I was battling a migraine today.

    I went to the kapersky site, but it didn't prompt me to run any activex program. It did say "You need to install Java version 1.5 or later to run Kaspersky Online Scanner 7.0." which doesn't make any sense because my java is up to date. I went to to confirm, and it said "You have the recommended Java installed (Version 6 Update 12)."

    What should I do?

    (edit) About Limewire, I haven't used it about 6 months, but I used to use it all the time for years and never had a problem with getting infected, so I always assumed it was safe enough. I mainly needed it for certain favorite bands so I could listen to their new songs before they were available for purchase, I'm a big music junkie and can't always wait for CD release dates. ;) But after this whole scare, it isn't worth putting myself at risk. I'm going to take a look at the links you provided, and will probably end up deleting it. :( Thank you for pointing that out to me.
  13. kritius

    kritius TS Guru Posts: 2,084


    lets do this then.

    Please go >here< to run Panda's ActiveScan
    • Once you are on the Panda site, click the Scan your PC now button
    • A new window will the Scan Now button
    • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
    • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
    • When the scan has finished, click on Export To
    • Save the file as Activescan.txt to your Desktop
    • Close the Activescan window then go to your Desktop
    • Double-click on Activescan.txt and it will open in Notepad, attach it.
  14. leaht

    leaht TS Rookie Topic Starter

    Here it is!
  15. kritius

    kritius TS Guru Posts: 2,084

    How is the computer running right now?
  16. leaht

    leaht TS Rookie Topic Starter

    Wonderfully. I can't thank you enough for taking the time to walk me through all of this!

    As for all the different programs that I've downloaded, should I keep them and run them occasionally, to check my system? I never dreamed that malware could get this complicated - I've had Malwarebytes for a long time, and I always ran it about once a month to make sure nothing unusual was hiding in my computer. If it didn't come up with anything, I thought that was enough. Apparently not.

    Do you think I should change all my passwords to websites and email now? I just remembered, I actually have them saved to a notepad file on my computer, because there's so many. Is it possible for someone to have accessed them?
  17. kritius

    kritius TS Guru Posts: 2,084

    It really couldn't hurt.

    As for the programs, keep malwarebytes and SAS and we'll take care of the rest now.

    Please download the OTMoveIt2 by OldTimer.

    • Double-click OTMoveIt3.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

    • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide


      Windows Vista System Restore Guide

    Re-enable system restore with instructions from tutorial above

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

      This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

      Instructions for Spybot S & D

    • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety

    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to which is your local computer
    • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:

      Using Winpatrol to protect your computer from malicious software

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
  18. leaht

    leaht TS Rookie Topic Starter

    I've done everything you suggested. I feel so much more secure and I learned a lot. Thank you again for all your help! You're a lifesaver!
  19. kritius

    kritius TS Guru Posts: 2,084

    Any time.

    Safe surfing!!
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...