
My computer is plagued with a Google hijack virus. Please help. I've followed your instructions. Ran Defogger, got 'finished' message, but was not asked to reboot. Below are the contents of DDS.txt, and other logs are attached.

Thanking you in anticipation of your help.

Neil

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_24

Run by Sally at 16:12:53 on 2011-05-26

Microsoft

ark.zip

Attach.zip


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has finished, two logs will be produced; please post only DDS.txt directly into your reply.


Hi Chris,

Many thanks for your help. Here are the MBAM and DDS logs as requested:

Regards

Neil

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6717

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19048

29/05/2011 19:58:21

mbam-log-2011-05-29 (19-58-21).txt

Scan type: Quick scan

Objects scanned: 200518

Time elapsed: 29 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------------------------------

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_24

Run by Sally at 20:12:13 on 2011-05-29

Microsoft


  • Staff

Hi,

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

This goes for uTorrent and anything else you may have installed.


Hi Chris,

My apologies. I've removed the outlawed program and re-run MBAM and DDS; see logs below.

Neil

---------------

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6754

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19048

02/06/2011 21:12:23

mbam-log-2011-06-02 (21-12-23).txt

Scan type: Quick scan

Objects scanned: 201473

Time elapsed: 29 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------------

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_24

Run by Sally at 22:01:11 on 2011-06-02

Microsoft


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi Chris,

I ran ESET as instructed and it found 1 threat, but when I opened the log file there was very little text in it. I've copied it below and added in (below the dotted line) what it said on the summary screen when it had finished scanning. Checkup.txt is below that.

I ran Firefox after that and Google seems to be working fine now with no evidence of redirecting. The only other issues I've noticed are that (i) many of my files and folders were changed to hidden (including most everything on the desktop, which I subsequently changed to unhidden status manually); is there a quicker way of 'unhiding' the other files? (ii) the ATI Catalyst Control Center appears to have been corrupted. I get a message on startup saying 'Host application has stopped working - close program'. I haven't tried to remove and reinstall this yet, I thought I should await your advice first. Finally, I'm getting a message on startup that 'Java auto updater is requesting permission to continue "C:\Program Files\Common Files\Java\Java Update\jucheck.exe" - auto - scheduled'. This looks benign but I think I picked up the infection in the first place when I clicked on a box that popped up saying that a video file I was attempting to view required an earlier version of Java, so I thought it best not to grant permission until you advised.

Thanks very much for your help so far. I really appreciate it.

Regards

Neil

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

--------------------------------------

Step 4 out of 4

Scanned files: 188061

Infected files: 1

Cleaned files: 1

Total scan time: 03:38:26

Scan status: Finished

List of found threats:

C:\Users\Emily\Downloads\MsgPlusLive-481.exe a variant of Win32/Adware.CiDHelp application cleaned by deleting - quarantined

- - - - - - -

Results of screen317's Security Check version 0.99.13

Windows Vista Service Pack 2 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 24

Java SE Runtime Environment 6

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.2.159.1

Adobe Reader 8.2.6

Japanese Fonts Support For Adobe Reader 8

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

TOSHIBA Toshiba Online Product Information TOPI.exe

``````````End of Log````````````


  • Staff

Hi,

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

ESET Online Scanner v3

Java
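The "files and folders changed to hidden" symptom the poster describes, and the Unhide.exe step the staff member prescribes for it, can also be handled by hand. The script below is an added example written for this page; it is not part of the thread and is not the Unhide tool's code. It assumes Windows PowerShell is installed (Vista did not ship with it by default), that it is run from an elevated prompt, and that the profile directory to repair is passed as $Root. It clears the Hidden attribute only from items that are Hidden but not System, skips reparse points (the per-user compatibility junctions) and leaves the AppData tree alone, because those are hidden legitimately and Unhide-style tools re-hide them for the same reason.

```powershell
# Added example, not from the forum thread or from Unhide.exe:
# remove the Hidden attribute that a rogue set on ordinary user files.
# Assumptions: PowerShell installed, elevated prompt, $Root is the profile to fix.
param(
    [string]$Root = $env:USERPROFILE,
    [switch]$WhatIf
)

# Items that are legitimately hidden on Vista carry the System attribute as well
# (desktop.ini, NTUSER.DAT) or are junctions (ReparsePoint). AppData is Hidden
# only, so it is excluded by path. Everything else that is merely Hidden is a
# candidate for repair.
$appData = Join-Path $Root 'AppData'

$candidates = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::System) -and
        -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -and
        -not ($_.FullName -like "$appData*")
    }

$fixed = 0
foreach ($item in $candidates) {
    if ($WhatIf) {
        # Dry run: show what would change without touching anything.
        Write-Output "Would unhide: $($item.FullName)"
        continue
    }
    # Clear only the Hidden bit; keep ReadOnly, Archive and the rest intact.
    $newAttrs = [int]$item.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden)
    $item.Attributes = [IO.FileAttributes]$newAttrs
    $fixed++
}

Write-Output "Cleared Hidden on $fixed item(s) under $Root"
```

Run it first with -WhatIf to review the list; a long tail of hidden files outside AppData is itself a useful indicator of how far the rogue got. The filter is deliberately conservative: a file that is Hidden and System is left as found even if the malware set both bits, since unhiding real system files does more harm than a few stragglers.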


Hi Chris,

All seems good now; all files are unhidden and Catalyst Control Center is loading again. I tried several times to uninstall ComboFix like you said but got the message 'Windows cannot find Combofix. Make sure you typed the name correctly, and then try again'. It's still in my program list and on the desktop. Also on the desktop are DeFogger, DDS, GMER rootkit scanner (all of which I ran during my first attempt to fix things) and Unhide. Do I need to do anything with these?

Thanks

Neil


  • Staff

Just delete the individual files and logs for DDS, GMER, UnHide, and Defogger.

If there are no other issues, I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.