I also got hit with click.gethotresults.com and getamazingresults - requesting Georgi's help

[Todorov]

I too got hit with this nasty trojan and am pretty nervous. To begin with I followed these steps:

I followed the instructions from the Microsoft forum:

• I booted into safe mode with networking
  
• Ran rkill. Rkill didn't find any running malware processes. (I don't think it's supposed to)
  
• Then I installed Malwarebytes; Malwarebytes found and removed 2 items
  
• Everything seemed okay after that. The following day I turned on the computer - did a quick google search and found the browser again hijacked to sites like Scour and Getamazingresults etc.
  

I changed some passwords and quickly checked my credit card activity for anything suspicious. I am scared to turn the machine back (it's only four months old!) But I know you need the txt files. I'm composing this on an old Macbook.

Can you help Georgi?! And thank you!!

[B-boy/StyLe/]

Hi,

STEP 1

• Please download RogueKiller and save to the desktop.
  
• Close all windows and browsers
  
• Right-click the program and select 'Run as Administrator'
  
• Press the scan button.
  
• A report opens on the desktop named - RKreport.txt
  
• Please post it in your next reply.

Talk to you tomorrow. Here it is 02.37 am and I need my sleep.

Regards,

Georgi

[Todorov]

Hi Georgi,

Thanks so much for your help. I chose my profile name in your honor after my favorite Bulgarian philosopher Tzvetan Todorov

I've done as requested and here's the report - attached:

-Nick

RKreport1.txt

[Todorov]

PS - I transferred the RKreport from my PC to my Mac via a USB flash stick. I hope that's not a problem.

[Todorov]

Also, when I was quitting RogueKiller, it had asked if I wanted to quite before deleting two items it had found. I did quit without deleting because I didn't want to do anything that you did not authorize.

[B-boy/StyLe/]

Hi Nick,

I don't use MAC, but please immunize your USB before inserting it into other computers.

Please download Panda USB Vaccine and save it to your desktop.

Unzip the file to your desktop. A folder will appear with the name, USBVaccine.

Double click on USBVaccine.exe to start the program. Install and run it.

Click the button to vaccinate your computer.

Insert a USB drive. When the name of the drive appears in the dialog box, click the button to vaccinate your USB drive(s).

Click the red arrow to exit the program.

Keep in mind that USB drives that have been vaccinated cannot be reversed except with a format.

You did a good job waiting for instructions.

Please follow the instructions below:

1. Please download OTL from the link below:
   • OTL
     

[*]Save it to your desktop/

[*]Double click on the icon on your desktop.

[*]OTL should now start. Change the following settings:

- Click on Scan All Users checkbox given at the top.

- Under File Scans, change File age to 90

- Change Standard Registry to All

- Check the boxes beside LOP Check and Purity Check

[*]Copy and Paste the following code into the textbox.

[*]Don't copy the word "quoted"

netsvcs

msconfig

safebootminimal

safebootnetwork

activex

drivers32

%SYSTEMDRIVE%\*.*

%USERPROFILE%\*.*

%USERPROFILE%\temp\*.exe

%USERPROFILE%\AppData\Local\*.*

%USERPROFILE%\AppData\Local\*.

%USERPROFILE%\AppData\Local\temp\*.exe

%USERPROFILE%\AppData\Roaming\*.*

%USERPROFILE%\AppData\Roaming\*.

%Public%\Documents\Softwrap\YOYOGAMESGM70FINAL\*.exe

%Public%\Documents\Fonts\*.exe

%Public%\Documents\Config\*.exe

%Public%\Documents\*.*

%ProgramData%\*.*

%ProgramData%\*.

%CommonProgramFiles%\*.*

%CommonProgramFiles%\ComObjects*.exe

%PROGRAMFILES%\*.*

%PROGRAMFILES%\*.

%ProgramFiles(x86)%\*.*

%ProgramFiles(x86)%\*.

%systemroot%\system32\config\systemprofile\AppData\Local\*.*

%systemroot%\system32\config\systemprofile\AppData\Roaming\*.*

%windir%\SysWOW64\config\systemprofile\AppData\Local\*.*

%windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*

%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb

%windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb

%windir%\temp\*.exe

%windir%\*.

%windir%\installer\*.

%windir%\system32\*.

%windir%\sysnative\*.

%Temp%\smtmp\1\*.*

%Temp%\smtmp\2\*.*

%Temp%\smtmp\3\*.*

%Temp%\smtmp\4\*.*

%systemroot%\system32\*.dll /lockedfiles

%systemroot%\syswow64\*.dll /lockedfiles

%systemroot%\Tasks\*.job /lockedfiles

%systemroot%\system32\drivers\*.sys /90

%systemroot%\system32\drivers\*.sys /lockedfiles

%systemroot%\syswow64\drivers\*.sys /90

%systemroot%\syswow64\drivers\*.sys /lockedfiles

%systemroot%\system32\Spool\prtprocs\w32x86\*.dll

%systemroot%\*. /rp /s

%systemroot%\assembly\tmp\*.* /S /MD5

%systemroot%\assembly\temp\*.* /S /MD5

%systemroot%\assembly\GAC\*.ini

%systemroot%\assembly\GAC_32\*.ini

%systemroot%\assembly\GAC_64\*.ini

%SystemRoot%\assembly\GAC_MSIL\*.ini

HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s

HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s

HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s

HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s

HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s

HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s

HKEY_CURRENT_USER\Software\MSOLoad /s

>C:\commands.txt echo list vol /raw /hide /c

/wait

>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c

/wait

type c:\diskreport.txt /c

/wait

erase c:\commands.txt /hide /c

/wait

erase c:\diskreport.txt /hide /c

/md5start

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

sceclt.dll

ntelogon.dll

logevent.dll

consrv.dll

services.exe

explorer.exe

lsass.exe

svchost.exe

wininit.exe

winlogon.exe

userinit.exe

atapi.sys

iaStor.sys

serial.sys

volsnap.sys

disk.sys

redbook.sys

i8042prt.sys

afd.sys

netbt.sys

csc.sys

tcpip.sys

dfsc.sys

hlp.dat

str.sys

crexv.ocx

/md5stop

[*]Push the button.

[*]Two reports will open, copy and paste them in a reply here:

• OTL.txt <-- Will be opened
  
• Extra.txt <-- Will be minimized
  

Now I am going to bed.

Regards,

Georgi

[Todorov]

Hi Georgi,

Thanks and I hope you are getting some sleep! Here are the reports:

Regards

Nick

Extras.Txt

OTL.Txt

[B-boy/StyLe/]

Hi Nick,

Sorry for the delay. I had a busy day at the office.

Please go ahead and uninstall Vuze Remote Toolbar.

Also I have a question for you.

Do you recognize this extension:

C:\Users\Nicholas\AppData\Roaming\Mozilla\Firefox\Profiles\ue0btsdc.default\extensions\ytpgfowwqv@ytpgfowwqv.org.xpi

Next,

STEP 1

Download the adwCleaner

• Run the Tool
  Windows Vista and Windows 7 users:
  Right click in the adwCleaner.exe and select the option
  
• Select the Delete button.
  
• When the scan completes, it will open a notepad windows.
  
• Please, copy the content of this file in your next reply.
  

STEP 2

• Please download a fresh copy of Combofix from here.
  
• Save it to your Desktop.
  
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  
• Double click it & follow the prompts.
  
• If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  
• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a log for you.
  
• Please include the C:\ComboFix.txt in your next reply.
  
• Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.
  

Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.

Regards,

Georgi

[Todorov]

Hi Georgi,

Well, serious problems to report. I ran adwCleaner and had zero problems (report attached). I ran Combofix and this is when all hell broke loose. (report also attached). I turned off my Norton antivirus - all of it - disabled it all. But, Combofix said I didn't. Weird. It ran and this is what happened at the end:

When Windows rebooted there was an exclamation mark where my internet connection was supposed to be. Windows could not find the network or detect proxy settings. On top of this, Constant Guard repeatedly (like every 60 seconds) would give an error code.

I called both Comcast and Constant Guard but neither could help me and suggested I call Microsoft since the computer was bought around 6 months ago. Comcast said that everything was fine on their end (modem etc) and they are right. I am typing this on my laptop which is working fine.

BUT, the Desktop (the infected computer) is in trouble!

Thanks Georgi

PS - I did remove the vuze toolbar and no, I don't recognize this at all: C:\Users\Nicholas\AppData\Roaming\Mozilla\Firefox\Profiles\ue0btsdc.default\extensions\ytpgfowwqv@ytpgfowwqv.org.xpi

AdwCleanerS1.txt

Combofix log.txt

[B-boy/StyLe/]

Hi,

Click Start - type CMD - right click CMD.exe on top => select Run as administrator => type the command below

IPCONFIG /ALL > C:\Report.txt

Attach C:\Report.txt in your next reply.

Then could you please use System Restore and tell me if that bring your internet connection back.

Regards,

Georgi

[Todorov]

Hi Georgi,

Thanks again for your continued help! I had trouble executing it all in one command - so I ran the ipconfig and then copy and pasted the results in the attached .txt. It should hopefully contain what you want to see. Sadly, since the machine won't recognize the internet, I was not able to access the System Restore website.

All the best

Nick

C.txt

[B-boy/StyLe/]

Hi Nick,

You can paste the command directly to the command prompt window.

Note the space between parameters.

About System Restore:

Open the Start Menu, type rstrui.exe in the search box, and press Enter.

Click on the Next button.

Select the last restore point before combofix was run.

Click on the Next button.

Click on the Finish button

Click on Yes to confirm.

After the computer has restarted, click on the Close button.

Check you internet status and let me know.

Regards,

Georgi

[Todorov]

Hi Georgi,

Gotcha. Since there's no internet on the other computer, I didn't paste the command because I couldn't access this webpage - however, I will simply copy and paste what you wrote above to a txt file on a flash stick and bring it over to the dead computer. I'll execute the command and include it in the next reply.

Then, right after that - I'll get on system restore immediately. THANK YOU!

Nick

[Todorov]

Hi Georgi,

System Restore got me back online (thank you!). A great relief.

However, after I copy and paste the command - it says access denied: IPCONFIG /ALL > C:\Report.txt

See screen grab attached: I will await instructions.

Nick

[Todorov]

Woops - I didn't mean to say it says access denied (that was because I forgot to "run as admin") - I meant to say that after I hit return it does nothing - just asks for another prompt. Sorry, LONG DAY.

[B-boy/StyLe/]

Hi Nick,

I'm sorry for the delay. I had a busy week.

I'm glad to hear that your internet connection is back again.

Please check if there is a log file in C:\ called report.txt

If so, please delete it.

I need you to run this command again to compare the results (when your internet connection was messed up and now when it is working again).

Click Start - type CMD - right click CMD.exe on top => select Run as administrator => type the command below

IPCONFIG /ALL > C:\Report.txt

Please check if there is a log file in C:\ called Report.txt.

If so please attach it in your next reply.

Finnaly please run adwCleaner again and post the results.

Also please run OTL scan with the settings as before and attach the OTL.txt log.

Regards,

Georgi

[Todorov]

Hi Georgi,

Please, no apologies about when you can get back to me, I truly appreciate all of your help and will be as patient as needed.

1) Adware Cleaner report attached

2) OTL scan reports attached.

But, there was no "Report.txt" on my hard drive. And, again, when I type IPCONFIG /ALL > C:\Report.txt , the command doesn't prompt or do anything. No report is run. When I type Ipconfig/all, a small report is run, but when I copy and paste the command as: IPCONFIG /ALL > C:\Report.txt , nothing happens. See screen grab. I am copying and pasting, so I know that spacing is correct.

Not sure how to proceed with this problem.

Thanks so much

Nick

AdwCleanerS2.txt

Extras1.Txt

OTL1.Txt

[Todorov]

This is what it looks like after I type in IPCONFIG /ALL > C:\Report.txt

[B-boy/StyLe/]

Hi Nick,

Ok, try this instead:

Please download MiniToolBox.exe by Farbar save it to your desktop and run it.

Run the tool.

Checkmark the following checkboxes:

• Report IE Proxy Settings
  
• Report FF Proxy Settings
  
• List content of hosts
  
• List IP configuration
  
• List Winsock Entries
  
• List last 10 Event Viewer log
  
• List Installed Programs
  
• List Devices
  
• List minidump files
  
• List Restore Points
  

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

We need to run an OTL Fix

1. Please reopen on your desktop.
   
2. Copy and Paste the following code into the textbox. Do not include the word "Quoted"

   
   :OTL
   IE - HKU\S-1-5-21-818373064-1766621983-2307336601-1001\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found
   FF - prefs.js..extensions.enabledAddons: {c50ca3c4-5656-43c2-a061-13e717f73fc8}:4.2.2
   FF - prefs.js..extensions.enabledAddons: ytpgfowwqv@ytpgfowwqv.org:2.5
   [1832/11/29 00:51:36 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\Nicholas\AppData\Roaming\Mozilla\Firefox\Profiles\ue0btsdc.default\extensions\ytpgfowwqv@ytpgfowwqv.org.xpi
   [2012/08/05 16:31:47 | 000,314,397 | ---- | M] () (No name found) -- C:\Users\Nicholas\AppData\Roaming\Mozilla\Firefox\Profiles\ue0btsdc.default\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}.xpi
   O4 - HKLM..\Run: [] File not found
   :files
   c:\users\Nicholas\AppData\Roaming\inst.exe
   :commands
   [emptytemp]
   

3. Push
   
4. OTL may ask to reboot the machine. Please do so if asked.
   
5. Click .
   
6. A report will open. Copy and Paste that report in your next reply.
   
7. If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
   
8. Copy/paste the content of the log back here in your next post.
   

Also please uninstall McAfee Security Scan Plus

Download the MCPR tool and run it to clean the remnants from McAfee.

Please follow these steps to remove older version of Java components:

Uninstall all older versions of JAVA from your system if present:

Java 7 Update 5 (64-bit)

JavaFX 2.1.1

Java 6 Update 32

Leave only Java 7 update 7 installed.

I want you to run this for me

:Run JavaRa

• Please download JavaRa and unzip it to your desktop.
  
• Double-click on JavaRa.exe to start the program.
  
• Click on Settings and Place a checkmark beside Create a log file. Click on Back.
  
• Click on Update JavaRa Definitions. Click on download. When this is done click on Back.
  
• Choose Remove JRE, since you already uninstalled Java, please click on Next.
  
• Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  
• When that's succesfully done, please click OK to close the message.
  
• Click on Next. Since you already downloaded the latest version of Java, please click on Next.
  
• Now click on Close this wizard and click Finish.
  
• From the main menu please choose Additional tasks
  
• Place a checkmark beside Remove Outdated JRE Firefox Extentions and click Run. Mozilla Firefox should be closed before running this task.
  
• When that's succesfully done you will see a message at the top saying: "Selected tasks completed successfully".
  
• A log file should be created in the same directory as JavaRa.
  
• Please post the log in your next Reply.
  
• Close JavaRa by clicking the red cross button.
  

I suggest you to uninstall Vuze/azureus as well !

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Vuze/azureus). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software

Also please tell me if you still getting redirected.

Regards,

Georgi

[Todorov]

Hi Georgi,

I'll get back to you asap. I did uninstall vuze - several days ago.

[Todorov]

Georgi,

Thanks so much for everything. Here are my logs - I've deleted and am continuing to delete questionable software! As of right now - Firefox is not going to these websites after conducting a search. I will report back in a bit later too (24 hours). But, perhaps I am safe now - with your approval of course.

THANK YOU!!!!!!!!!!!!!!!!!!!!!!!!!!!!

As soon as my malwarebytes trial period is over I will buy the full version. I think it will be a good protection tool.

09162012_112648.log

Result1.txt

JavaRa-9-16-2012.log

[B-boy/StyLe/]

Hi Nick,

I believe that your browser was redirected because of this malicious extention which I removed with OTL:

C:\Users\Nicholas\AppData\Roaming\Mozilla\Firefox\Profiles\ue0btsdc.default\extensions\ytpgfowwqv@ytpgfowwqv.org.xpi

VirusTotal

SystemLookup

Description by Microsoft

To aid in its search-redirection payload, Trojan:Win32/Tracur.AV installs a Firefox browser extension by dropping a JAR archive file, with an .xpi extension...

Let's check for leftovers.

The most of them should take no more than 5 minutes each.

Eset could take up to an hour or two depending on the size of your hard drive and the speed of your computer.

STEP 1

• Please download the newest version of Malwarebytes' Anti-Malware and install it.
  
• Please start the application by double-click on it's icon.
  
• Once the program has loaded go to the UPDATE tab and check for updates.
  
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad.
  
• Please save it to a convenient location and post the results in your next reply.
  
• Also I want to see the log when you ran MBAM after coming for help here.
  

Then I installed Malwarebytes; Malwarebytes found and removed 2 items

STEP 2

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
• Put a checkmark beside loaded modules.
  
  
• A reboot will be needed to apply the changes. Do it.
  
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  
• Then click on Change parameters in TDSSKiller.
  
• Check all boxes then click OK.
  
  
• Click the Start Scan button.
  
  
• The scan should take no longer than 2 minutes.
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

[B-boy/StyLe/]

STEP 3

I'd like us to scan your machine with ESET OnlineScan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
   
2. Click the Run ESET Online Scanner button.
   
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   
   1. 
      
   2. Click on to download the ESET Smart Installer. Save it to your desktop.
      
   3. Double click on the icon on your desktop.
      
   4. Check
      
   5. Click the button.
      
   6. Accept any security warnings from your browser.
      
   7. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
      
   8. Now click on Advanced Settings and select the following:
      
      
      
      • 
        
        • Scan for potentially unwanted applications
          
        • Scan for potentially unsafe applications
          
        • Enable Anti-Stealth Technology
          

      [*]Push the Start button.

      [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

      [*]When the scan completes, push

      [*]Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

      [*]Push the button.

      [*]Push

STEP 4

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure that all options are checked.
  
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.
  

STEP 5

Download Security Check by screen317 from here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Regards,

Georgi

[Todorov]

Hi Georgi,

I'm working on it! I'm at step 3 right (ESET) now. I will post everything in the next post late tonight or tomorrow. THANK YOU!

[B-boy/StyLe/]

Hi Nick,

Don't worry. Take your time!

Regards,

Georgi