This blighter slipped past me --CLOSED--
Frenchman96
07-01-2008, 10:14 AM
Hi Guys
I, who always use spybot/SAS/CC/rehseeker/spyblaster, have a visitor. It seems that when I open IE, I get adverts for gambling, or naughty naughty.
Is it spyware or malware? I have just run all the above except SAS/Spyblaster,
as I have uninstalled them ready to reinstall them again.
What is the quickest prog to remove the offender?
allheart55
07-01-2008, 10:21 AM
George, I have moved your post over to Malware for Scotty to give you a hand. ~Cindy~
Scotty
07-01-2008, 10:24 AM
Hi
Install HijackThis
Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Doubleclick HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.
Frenchman96
07-01-2008, 11:25 AM
Hi Scotty
Before I do that, I have re-installed SAS and done a complete scan. See attachments; I await your comments please.
George
Scotty
07-01-2008, 11:28 AM
You may have Vundo. Please post the logs.
Frenchman96
07-01-2008, 11:52 AM
Scotty
Will attach the Notepad file, but have not done 1-5 in the second part yet as it sounds like a repeat of the saved file?
Scotty
07-01-2008, 11:57 AM
No, the Uninstall List is different. You can skip that bit. And please copy paste any logs in reply.
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Use this link to download and save Combofix to your Desktop.
http://download.bleepingcomputer.com/sUBs/+/ComboFix.exe
Please visit this webpage for installing the Recovery Console, but use the link above for downloading Combofix, not the one on the page below:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once Recovery Console is installed, you should see a blue screen prompt like the one below:
http://img.photobucket.com/albums/v706/ried7/RC_whatnext.gif
Click Yes to allow Combofix to continue scanning for malware.
When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
Frenchman96
07-01-2008, 12:32 PM
Scotty
It all sounds a bit complicated so I won't rush. 2 questions:
1. Now that I have scanned with SAS, found errors and deleted them, how do you know I still have a problem?
2. The first log I pasted, did it tell you anything?
Scotty
07-01-2008, 01:55 PM
Hi George
1-Contrary to popular belief, SAS cannot fully remove Vundo. It can do enough to make you think you are clean, but as we have seen many a time the victims appear on forums like this telling us it came back, when it never actually went away.
2-The regkeys are still in HijackThis but HijackThis never tells the full story. Combofix will.
Frenchman96
07-01-2008, 02:11 PM
Scotty
I have d/l the first link for Combofix but have not run it yet.
But the second link for how-to-use Combofix will not d/l; it's like watching paint dry :( so I await your advice.
Scotty
07-01-2008, 02:17 PM
What do you mean? The Recovery Console? It's a very small download, 4.4 MB.
Frenchman96
07-01-2008, 02:51 PM
Scotty
I hear you, but I have just been waiting 17 mins and have given up again.
Will try again tomorrow. I also did a scan with Stinger earlier.
Scotty
07-01-2008, 02:55 PM
Just run it without the RC for the moment. And please don't do anything else.
Frenchman96
07-01-2008, 02:59 PM
You mean run the combofix?
Scotty
07-01-2008, 03:07 PM
Change of plan. Delete the combofix icon. Just realised you have Avast on board. Do this instead.
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
For Vista users, right-click DSS and select Run As Administrator
If asked to install HijackThis click on Yes
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
Frenchman96
07-01-2008, 05:19 PM
Scotty
See attached what you asked for. BTW, for 2 years I have used Nod32 as advised by Mylanta, but 1 week ago, acting quite mean, I decided to try free Avast instead of paying for Nod32 for another year. Coincidence??
Also, those viruses I had, would they have come from e-mail or surfing, as I am very particular??
Scotty
07-01-2008, 05:36 PM
George, you need to copy/paste the logs in the reply box. I can't read screenshots.
Frenchman96
07-02-2008, 02:21 AM
Scott
Can't seem to do a copy/paste to reply; can't even use my Snippy prog.
Can I do a PM on this forum, e.g. "send to"?
Scotty
07-02-2008, 03:23 AM
How can you not do copy/paste? Open one of the logs, click on Edit then Select All, then the text will turn blue.
Click on edit again and select copy.
Select Post reply here, right click in the Reply box and select Paste.
If it is easier for you, just attach the logs again, like you did the first time.
Frenchman96
07-02-2008, 03:43 AM
Scotty
I assure you that I do know how to copy/paste, but as the logs were saved to Notepad, I do not get the "select all" option. As I said, it was saved as a jpeg, so in case it was for that reason, I copied to Works.
Why attach them again if you can't read them? Plus they are still in the previous reply.
Scotty
07-02-2008, 04:02 AM
Who said I can't read the attached logs? I just prefer to see them posted in the reply.
Why were the logs saved as jpegs? You've lost me.
Frenchman96
07-02-2008, 05:31 AM
Scotty
"Who said I can't read the attached logs?" You said in the previous reply "I can't read the screenshots."
Scotty, if my inexperience is creating frustration, don't worry about it, I will sort it somehow. On this site when dealing with Mylanta/BM/Doug, I have always taken a screenshot, opened Irfanview, edit/paste, and always saved as JPEG.
BTW, I now have a site trying to tell me I have viruses etc. etc. and do I want to scan; naturally I say no. It is called Spywinware but it won't allow me to save a screenshot.
Frenchman96
07-02-2008, 05:36 AM
Scotty
Rightly or wrongly, I have just run dss.exe and the result is attached.
Scotty
07-02-2008, 06:31 AM
Hi
That was perfect. OK, let's proceed. Delete the Combofix icon from your Desktop.
Disable Windows Defender until the computer is clean
Windows Defender normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.
- Open Windows Defender
- Select Tools and then General Settings
- Under Real Time Protection Options uncheck Turn on real-time protection
- Select Save
Don't forget to re-enable it, when your computer is clean.
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\Documents and Settings\All Users\Application Data\Adsl Software Ltd
C:\WINDOWS\system32\qqwgogky.dll
C:\WINDOWS\system32\nitpbrkb.dll
C:\WINDOWS\system32\msvrgfxc.dll
C:\WINDOWS\system32\VxGOoUvw.ini2
C:\WINDOWS\system32\ymvdpxgx.dll
C:\WINDOWS\system32\ksqiaxsk.dll
C:\WINDOWS\system32\KkTsttwa.ini2
C:\WINDOWS\system32\cdtrnt.dll
C:\WINDOWS\system32\bwdfgkfy.dll
C:\WINDOWS\system32\ltyqutqs.dll
C:\WINDOWS\system32\msqodkkn.dll
C:\WINDOWS\system32\dgjQBcdd.ini2
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3879AC70-3812-4EEE-A837-B90AAA7BA64C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57b8d02a-4795-40e1-96d8-743168d6c3df}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D479A472-5641-4E67-8DB5-DAA7ABFF5220}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E32528BF-E13C-46AE-97EC-8B23D1BCE4B0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM67a56ab7
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinSpywareProtect
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6496592b
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM67a56ab7
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply with a new HijackThis log.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
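A helper-side check for the step above, added here as an example and not part of the thread's own tooling: it parses the OTMoveIt2 list and the new HijackThis log that Scotty asks for, and reports which BHO CLSIDs, Run entries or DLL paths from the list are still present. The sample list and log below are constructed, trimmed copies that assume the standard HijackThis O2/O4 line format.

```python
import re

# Constructed sample: a few entries copied from the OTMoveIt2 list in the post above.
MOVE_LIST = r"""
C:\WINDOWS\system32\qqwgogky.dll
C:\WINDOWS\system32\msqodkkn.dll
C:\WINDOWS\system32\dgjQBcdd.ini2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3879AC70-3812-4EEE-A837-B90AAA7BA64C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM67a56ab7
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinSpywareProtect
"""

# Constructed "after" HijackThis log: one BHO and one Run entry from the list survived the move.
# The second O2 line is a benign placeholder entry with a made-up CLSID.
NEW_HJT_LOG = r"""
O2 - BHO: (no name) - {3879AC70-3812-4EEE-A837-B90AAA7BA64C} - C:\WINDOWS\system32\qqwgogky.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [BM67a56ab7] Rundll32.exe "C:\WINDOWS\system32\msqodkkn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
HJT_BHO_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
HJT_RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

def parse_move_list(text):
    """Split the OTMoveIt2 list into file paths, BHO CLSIDs and Run value names."""
    files, clsids, run_names = set(), set(), set()
    for line in (l.strip() for l in text.strip().splitlines()):
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            m = CLSID_RE.search(line)
            if m:
                clsids.add(m.group(0).upper())
            elif "\\Run\\\\" in line:  # OTMoveIt2 writes a double backslash before a value name
                run_names.add(line.rsplit("\\", 1)[1].lower())
        else:
            files.add(line.lower())
    return files, clsids, run_names

def find_leftovers(move_list, hjt_log):
    """Return (kind, name) for every list item that still appears in the new HijackThis log."""
    files, clsids, run_names = parse_move_list(move_list)
    left = []
    for line in hjt_log.strip().splitlines():
        m = HJT_BHO_RE.match(line)
        if m:
            clsid, path = m.group(1).upper(), m.group(2).strip().lower()
            if clsid in clsids or path in files:
                left.append(("BHO", clsid))
            continue
        m = HJT_RUN_RE.match(line)
        if m and (m.group(1).lower() in run_names or any(f in m.group(2).lower() for f in files)):
            left.append(("Run", m.group(1)))
    return left
```

An empty result means nothing from the list is visible in the new log; a non-empty one is the cue for the helper to ask for a reboot and another pass rather than declaring the machine clean.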
Frenchman96
07-02-2008, 06:54 AM
Scotty
First obstacle: if I click on Tools, I don't have General Settings. I am trying to do what I've done hundreds of times, that is: Print Screen, open Irfanview, Edit, Paste (I get an error message saying PDF Save error with an Irfanview window).
If I save the Print Screen to Works, it saves at size 100% (which may be small for you), and when I increase to 200% and save, it still saves at 100%.
So I wait.
Scotty
07-02-2008, 07:02 AM
Just do what you did last time. Attach the logs. I can save them to my own pc. You're doing fine George.
Are you having a problem going the other way? That is, copying the OT script?
Does highlighting with the mouse pointer then right-clicking not work?
Frenchman96
07-02-2008, 07:27 AM
Scotty
But how about the first question re Defender.tools ??
Scotty
07-02-2008, 07:33 AM
You can't find Tools in Windows Defender? And where does Irfanview fit into all this?
Frenchman96
07-02-2008, 07:39 AM
Scotty
I d/l MoveIt (had to skip the Defender query) and ran it. The only button that seemed applicable was CLEAN UP, so although you did not mention that one, I ran it, but the log seems so different from yours.
Scotty
07-02-2008, 07:41 AM
Are you not reading my instructions? You click on the MoveIt button after entering the list of what needs to go. CleanUp is for uninstalling OTMoveIt.
Frenchman96
07-02-2008, 07:48 AM
Scotty
You have been very patient and I thank you for it but I cannot follow this way with this particular problem.
I find exchanging views/help on PCs with others sometimes confusing, as I teach some basic users, would you believe, and it's always hard knowing what the recipient of help knows.
I am guessing you live in UK and I would willingly ring you to receive help but I do understand most senior members like it all to be displayed so as to help others.
So once again, lets close this subject please and THANK YOU.
Scotty
07-02-2008, 07:50 AM
George, I'm a patient man. We can take this a step at a time if you wish.
Scotty
07-02-2008, 03:26 PM
***CLOSED***
The topic in this thread has been closed at the request of the topic starter.
Please refrain from any additional posting on this topic unless there is an UPDATE or new information relevant to the original topic.
Additional postings may be removed without notice.
Thank you!
KH Mod Squad