Need Help: Logs from recent READ & RUN

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tegary, Jun 29, 2009.

  1. tegary

    tegary Private E-2

    I use Firefox. I've been having a problem with Yoog loading as my default home page for about a month now. I go in and change it back to Google, but each time I start up Firefox, it reverts back to Yoog. I was living with that just because I didn't see any other issues. Until yesterday, I started having IE windows popping open, some with porn. Then, today when I would open Firefox, a Christian website that I had visited last night would open instead and a Windows Media Player would start up playing a video that was on the Christian website.

    So, I ran the READ & RUN and I'm still having the same problems listed above. I don't think anything was solved.

    I'm no expert like y'all, but can do anything PC related if given instructions.

    Greatly appreciate any help you can give me.
     

    Attached Files:

  2. tegary

    tegary Private E-2

    Final log.
     

    Attached Files:

  3. tegary

    tegary Private E-2

    OS is XP.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome :)

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Thanks for your patience during this time.

    However I would like to point out that your version of SAS is outdated:

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Why are you using this machine without any anti-virus protecting you? You are leaving yourself wide open to attack!


    1. For yoog: Please follow the information in the below link...

    Yoog Removal

    2. Please disable all anti-virus (and anti-spyware programs) while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix exit HJT.


    3. Now we need to use ComboFix to remove a bunch of malware files.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    File::
    C:\WINDOWS\System32\ImagXpr532.dll
    c:\documents and settings\Owner\Application Data\Save\SaveUninst.exe
    c:\documents and settings\Owner\Application Data\Save\Save.exe
    c:\program files\mozilla firefox\components\SaveComponent.dll
    
    Folder::
    c:\program files\BetterBrowsingExperienceTool
    c:\documents and settings\Owner\Application Data\Save
    c:\program files\BetterShoppingExperienceTool
    
    DirLook::
    c:\windows\FONT
    
    Extra::
    FF::
    FF - user.js: browser.startup.homepage - hxxp://www27.yoog.com/
    FF - user.js: browser.search.defaultenginename - Yoog Search
    FF - user.js: browser.search.defaulturl - hxxp://www27.yoog.com/search.php?q=
    FF - user.js: browser.search.selectedEngine - Yoog Search
    FF - user.js: keyword.URL - hxxp://www27.yoog.com/search.php?q=
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Save"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\c8c0e7c7517]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix

    5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  6. tegary

    tegary Private E-2

    Here's the SUPERAntiSpyware file. I downloaded it before, but I may have run the old version when reloading it.

    As far as antivirus software, I had PCTools and Spybot Search and Destroy on my pc before running the READ & RUN, but uninstalled them because the instructions said to delete multiple ones before starting. So, I didn't want anything interfering with the scans, so I uninstalled them.

    However, since having them on my pc, they have not popped up with any viruses that they have found. And, I've kept the definitions updated.

    Thanks for your help.

    P.S. Working on the rest of your instructions. Will post soon as finished.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    But Spybot Search and Destroy is not an anti-virus. Neither is PCTools.

    PCTools is a Firewall and S&D is Anti-Spyware. :)
     
  8. tegary

    tegary Private E-2

    Great! I guess that's why it hadn't found anything. :-o Dummy me! Could you suggest a free one I can download? Thanks.



    Here's what I did with the rest of your instructions.

    Not sure if I’m running 64 bit. How can I tell?


    Step 1 Yoog (YOOG STILL SHOWING UP AFTER DOING THE FOLLOWING)

    FireFox results

    · Navigate to the C:\Program Files\Mozilla Firefox\searchplugins folder. Locate the one for Yoog or any others you don't want and right click on it and select Delete. (Yoog not found, but saw creativecommons.xml and answers.xml)
    · Also navigate to the below folder and make sure nothing for Yoog appears. Replace UserName (didn’t see UserName, did see Owner, didn’t change anything) with your actual user account name. If you see another searchplugins folder, look in it for anything from Yoog and delete it. Note that the default.zdt folder may have different name that looks like random characters (for example like 1op3lem4.default )
    · C:\Documents and Settings\UserName(Owner folder)\Application Data\Mozilla\Firefox\Profiles\default.zdt (deleted Yoog, also saw mywebsearch.xml but didn’t delete, have seen this before when scanning for malware)
    · NOTE: If using Vista, the folder will be more like the below:
    o c:\users\UserName\AppData\Roaming\Mozilla\Firefox\Profiles\default.zdt\
    · Empty your Recycle Bin
    · Reboot in normal mode and see if you still have problems with Yoog or not. Also check in the Filters/Value column like above to see if Yoog is now gone. (Went back to Filters and one of the Yoogs was gone, but there were about 2 others still there. I went back into Manage Search Engines and there was nothing in it at all.)

    ALSO, decided to do IE7 because it has been opening up when I click on FireFox links.

    IE7 results
    · If you see Yoog in the list, select it and then click the Remove button. (found)
    · Scroll thru the Enabled list looking for globaladsolution and globaladsolution browser enhancer (neither found) and select them (one at a time) and then click the Disable radio button to move them into the Disabled list. Under the File column, write down any file name listed. (8 files listed) Normally a DLL file. Then click OK to the prompt about disabling this addon. Then click OK to close the Manage Add-ons window.
    · Reboot in normal mode
    · Search for the DLL file (looked for these globaladsolution and globaladsolution browser enhancer, was that correct?) you saw above (possibly it is in your C:\Windows\system32 folder). Delete the file if found.


    Step 2: went ok

    Step 3: Stalled when logging off to reboot. Had to physically reboot. Then it stalled at “boot from CD”. After starting Windows, it went ok.

    Step 4: went ok

    Thanks.
     

    Attached Files:

  9. tegary

    tegary Private E-2

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Kes will be away from the computer for a few days, so let me continue with you. First, go ahead and reinstall PCTools AV program or any other of your choosing from our Top Freeware Picks.

    You did not attach a new MGLogs.zip, but instead a second Combo log. We will do that in a moment.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Extra:: 
    FF::
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\654d8pdp.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www27.yoog.com/search.php?q=
    FF - prefs.js: browser.search.selectedEngine - Yoog Search
    FF - prefs.js: browser.startup.homepage - hxxp://www27.yoog.com/
    FF - prefs.js: keyword.URL - hxxp://www27.yoog.com/search.php?q=
    FF - user.js: browser.startup.homepage - hxxp://www27.yoog.com/
    FF - user.js: browser.search.defaultenginename - Yoog Search
    FF - user.js: browser.search.defaulturl - hxxp://www27.yoog.com/search.php?q=
    FF - user.js: browser.search.selectedEngine - Yoog Search
    FF - user.js: keyword.URL - hxxp://www27.yoog.com/search.php?q=
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Jul 3, 2009
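The FF:: sections of both CFScripts above list Firefox preferences that the hijacker rewrote in user.js and prefs.js; because Firefox re-applies user.js on every start, a homepage changed in the UI reverts each time, which is exactly the symptom tegary describes. The following is an added example (not part of this thread, not a MajorGeeks or ComboFix tool) that parses those preference lines and reports which watched preferences point at a given hijack domain; the sample user.js content is constructed from the values shown in the thread.

```python
import re
from urllib.parse import urlparse

# Preferences the thread's CFScript lists under FF:: as rewritten by the hijacker.
WATCHED_PREFS = {
    "browser.startup.homepage",
    "browser.search.defaulturl",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
}

# Matches one line of the form  user_pref("name", value);  (user.js and prefs.js)
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Constructed sample of a hijacked user.js, using the values quoted in the thread.
SAMPLE_USER_JS = """\
// constructed sample, not a real profile file
user_pref("browser.startup.homepage", "http://www27.yoog.com/");
user_pref("browser.search.defaultenginename", "Yoog Search");
user_pref("browser.search.defaulturl", "http://www27.yoog.com/search.php?q=");
user_pref("keyword.URL", "http://www27.yoog.com/search.php?q=");
user_pref("browser.download.useDownloadDir", true);
"""


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line; string quotes stripped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            prefs[name] = value
    return prefs


def hijacked_prefs(prefs, bad_domains):
    """Return the watched prefs whose URL host is one of bad_domains or a subdomain."""
    hits = {}
    for name in WATCHED_PREFS & prefs.keys():
        value = prefs[name]
        host = urlparse(value).hostname if "://" in value else None
        if host and any(host == d or host.endswith("." + d) for d in bad_domains):
            hits[name] = value
    return hits


if __name__ == "__main__":
    for name, value in sorted(hijacked_prefs(parse_prefs(SAMPLE_USER_JS), {"yoog.com"}).items()):
        print(f"{name} -> {value}")
```

Run it against a real profile by reading user.js (and prefs.js) from the profile folder named in the CFScript; non-URL values such as "Yoog Search" are left for the engine-name check described in the Yoog removal steps.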
