Yoog + Vista 64-bit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mch, Jan 6, 2009.

  1. mch

    mch Private E-2

    So, I stupidly ran a malicious executable yesterday that installed some nasty software, including what SUPERAntiSpyware detected as some variant of Vundo adware. I'm pretty sure I managed to remove most of the malware (I'm no longer getting ad popups), but there are a few remaining problems:

    • FF and IE are infected with Yoog search. Deleting it either within Firefox/IE or on the hard drive (in my profile directory) doesn't get rid of it -- it just reappears on next launch.
    • A WinLogon startup entry called UpdateNf.dll appeared that reappears every time I delete it. It looks suspicious to me.
    • There's an uninstall entry for "Contextual Tool Milehighads" that I'm unable to run. I think that the executables associated with it may have been removed by a spyware scanner. I'm not sure about that, but in any case, they don't seem to exist on the hard drive.

    Now, here's the catch: I've got a 64-bit version of Vista, so I may have trouble running a few tools. In particular, MGtools gives me compatibility errors at various points, though it still runs and produces a log zipfile (attached), and ComboFix just doesn't run.

    The good news is, what's left appears to be fairly benign, as these things go. The bad news is, I'm not sure how to locate and fix this problem.

    Help? Any and all help very much appreciated. Thank you in advance.

    [Some logs are attached. I've attached a SUPERAntiSpyware log that I ran this morning and detected nothing. I'm also happy to provide what details I can about the stuff I removed up to this point -- I didn't take notes, unfortunately, but I do have the SUPERAntiSpyware log that removed Adware.Vundo/Variant.]

    [Edit: Forgot to attach the files.]
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please try working thru the below procedure and let us know the results:

    Yoog Removal
     
  3. mch

    mch Private E-2

    I followed the instructions, but when I started Firefox up again Yoog search reappeared. Also, the about:config entries with Yoog in them did not disappear.
     
  4. mch

    mch Private E-2

    A few other notes about what's going on:

    * On occasion I get advertising popups that say they are "by milehighads".
    * Once or twice C:\Windows\System32 has opened in Windows Explorer without my doing it -- I'm guessing from the malware trying to find a DLL that's not there anymore thanks to spyware scanners.
    * My boot record got corrupted a few days ago and I had to use a Windows recovery CD to do a fixmbr. Could this be related? Or is it just a coincidence?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the steps in safe boot mode?

    Also I suggest shutting down all protection software that you can while in safe boot mode and running the steps again. Also unplug your cable to the internet while doing these steps.

    If this does not work, we will have to uninstall FireFox and then delete all folders related to it and then do some manual searching of the registry.

    Also perform the IE steps to make sure IE is not infected. In the steps where I mention disabling globaladsolution, also look for milehighads and disable it if found.

    Now delete the below file if it exists.
    C:\Windows\system32\cont_milehighads-remove.exe

    Also copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Also uninstall the below outdated Sun Java versions.
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7



    Problems with your MBR are not related to Yoog.
     
    Last edited: Jan 16, 2009
  6. mch

    mch Private E-2

    Yup. Check and check.

    Check.

    It did not exist.

    Check. I got a success message when I double-clicked it.

    I tried to uninstall the Java updates, but in both cases I got the following error: "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

    Thanks again for your help.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you still having Yoog problems? If so, uninstall Firefox. Reboot and delete your Mozilla Firefox folders. Then run the below. Do not reinstall Firefox yet. Just use Internet Explorer for the moment.



    Now download Registry Search (see the link titled RegSearch Download Link).
    • Extract the files from Regsearch.zip into a folder.
    • Double-click regsearch.exe to start the program.
    • See the top 3 boxes under the "Enter search strings (case independent) and click Ok..." option, and enter the below string (use copy and paste):
      • Yoog
    • Then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
    • Attach this RegSearch.txt file.
    You will need to get help on this in the Software Forum but try the below. Click Start, Run, and enter services.msc and click OK. This will bring up the Services window. Scroll down to Windows Installer and double click on it. Make sure Startup type is set to Manual. Also make sure that Service status says Stopped and not Disabled.


    Now go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one. This new version fully supports x64.


    Run MGtools.exe then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
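The registry sweep that RegSearch performs above (every key name, value name and value data containing a search string) can also be done from PowerShell. The script below is an added example written for this thread, not the RegSearch tool or anything chaslang posted; the hive list and the output file name are assumptions, and the search term defaults to the one requested in the post. Run it from an elevated PowerShell so HKLM is readable; on a 64-bit Windows a 64-bit PowerShell walks the native view, and the Wow6432Node subtree is included by the recursive walk of HKLM:\SOFTWARE.

```powershell
# Added example (not from the thread): report every registry key, value name or
# value data that contains $Pattern, case-insensitively, the way RegSearch does.
# Roots and OutFile are assumptions; adjust them for the machine being checked.
function Find-RegistryString {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software'),
        [string]$OutFile = "$env:USERPROFILE\Desktop\RegSearch-ps.txt"
    )
    $needle = [regex]::Escape($Pattern)   # -match is case-insensitive by default
    $hits = New-Object System.Collections.Generic.List[string]

    foreach ($root in $Roots) {
        # Include the root key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue)
        $keys += Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue
        foreach ($key in $keys) {
            if ($null -eq $key) { continue }
            $keyPath = $key.Name                       # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
            if ($keyPath -match $needle) { $hits.Add("[KEY]   $keyPath") }

            foreach ($name in $key.GetValueNames()) {
                # Read raw data; do not expand %VAR% in REG_EXPAND_SZ values.
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $text = if ($data -is [byte[]]) { [BitConverter]::ToString($data) } else { "$data" }
                $label = if ($name -eq '') { '(Default)' } else { $name }
                if ($label -match $needle -or $text -match $needle) {
                    $hits.Add("[VALUE] $keyPath`n        $label = $text")
                }
            }
        }
    }

    $hits | Set-Content -LiteralPath $OutFile -Encoding UTF8
    Write-Host ("{0} hit(s) written to {1}" -f $hits.Count, $OutFile)
    return $hits
}

# Usage: the search term requested in the post above.
Find-RegistryString -Pattern 'Yoog'
```

Keys that cannot be opened are skipped by the `-ErrorAction SilentlyContinue` walk, so a clean result only covers what the current account can read; run elevated for a full sweep. REG_BINARY data is reported hex-encoded, which is why a string hidden in binary data will not match unless it is searched for in that form.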
     
  8. mch

    mch Private E-2

    Yes, I am still having Yoog problems. Here are the logs.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Back in message # 6 you said that C:\Windows\system32\cont_milehighads-remove.exe does not exist. It clearly still does, as I can see it in your logs, and the file is also located here: C:\Windows\SysWOW64\cont_milehighads-remove.exe

    You need to go to Add/Remove Programs and uninstall Contextual Tool Milehighads. Let me know if you cannot uninstall this due to Windows Installer issues. Apparently the registry patch I gave you earlier was not successful.

    Then you need to reboot and make sure the above two mentioned files are gone. DO NOT USE Windows Search. Look for them yourself using Windows Explorer.


    If you have addressed your Windows Installer issues in the Software Forum then also use Add/Remove Programs to uninstall the below old Sun Java versions:
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O20 - Winlogon Notify: UpdateNf - updatenf.dll (file missing)

    After clicking Fix, exit HJT.


    Now delete the below folder:
    C:\Program Files (x86)\Mozilla Firefox

    Also delete the below files left over from trying to run ComboFix.
    C:\Windows\system32\CF21774.exe
    C:\Windows\system32\CF25213.exe
    C:\Windows\system32\CF9470.exe
    C:\Windows\SysWOW64\CF21774.exe
    C:\Windows\SysWOW64\CF25213.exe
    C:\Windows\SysWOW64\CF9470.exe
    C:\Windows\SysWOW64\cmd.execf

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\TEMP
    C:\Users\mch\AppData\Local\Temp


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now reboot your PC.



    Now run the RegSearch tool again using the below procedure.
    • Double-click regsearch.exe to start the program.
    • See the top 3 boxes under the "Enter search strings (case independent) and click Ok..." option, and enter the below string (use copy and paste):
      • yoog.com
    • Then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
    • Attach this RegSearch.txt file.
    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • the new RegSearch.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
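The mistake in message 6 is a common one on 64-bit Windows: a 32-bit process has its view of System32 silently redirected to SysWOW64 (WOW64 file system redirection), and HijackThis and most cleanup tools of that era are 32-bit, so a file can look absent from one directory while still sitting in the other. The script below is an added example for this thread, not part of MGtools, HijackThis or anything chaslang posted. It checks both the native and the 32-bit system directories for the leftover files named above (those file names are the ones quoted in the post; everything else is an assumption), and lists the Winlogon Notify entries behind the O20 line so you can confirm the UpdateNf entry is gone after the HijackThis fix.

```powershell
# Added example (not from the thread): verify the leftover files listed above are
# gone from BOTH system directories, and list Winlogon Notify entries (HJT O20).
# File names are the ones quoted in the post; paths and logic are assumptions.
$LeftoverNames = @(
    'cont_milehighads-remove.exe',
    'CF21774.exe', 'CF25213.exe', 'CF9470.exe',
    'cmd.execf'
)

function Get-SystemDirectories {
    # From a 32-bit process on x64, "System32" is redirected to SysWOW64; the
    # Sysnative alias reaches the real 64-bit System32. From a 64-bit process
    # both directories are reachable directly.
    $win = $env:SystemRoot
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        return @("$win\Sysnative", "$win\SysWOW64")
    }
    return @("$win\System32", "$win\SysWOW64")
}

function Test-LeftoverFiles {
    param([string[]]$Names = $LeftoverNames)
    $found = @()
    foreach ($dir in Get-SystemDirectories) {
        foreach ($name in $Names) {
            $path = Join-Path $dir $name
            # -Force so hidden/system attributes do not hide the file from us.
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $item = Get-Item -LiteralPath $path -Force
                $found += [pscustomobject]@{
                    Path      = $path
                    SizeBytes = $item.Length
                    LastWrite = $item.LastWriteTime
                }
            }
        }
    }
    return $found   # empty means none of the listed files remain in either directory
}

function Test-WinlogonNotify {
    param([string]$EntryName = 'UpdateNf')
    # Check the native key and the Wow6432Node copy explicitly, so the result does
    # not depend on whether this PowerShell is 32- or 64-bit.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    )
    $results = @()
    foreach ($notify in $paths) {
        if (-not (Test-Path -LiteralPath $notify)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $notify) {
            $props = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
            $dll = $props.DLLName
            $results += [pscustomobject]@{
                Key     = $sub.Name
                DLLName = $dll
                Flagged = ($sub.PSChildName -ieq $EntryName)
            }
        }
    }
    return $results
}

# Usage: run from an elevated PowerShell after the reboot the post asks for.
Test-LeftoverFiles  | Format-Table -AutoSize
Test-WinlogonNotify | Format-Table -AutoSize
```

An empty table from `Test-LeftoverFiles` is the confirmation the post asks for; any row means the file is still present in the directory shown, even if Explorer or a 32-bit tool did not show it under System32. A Notify entry whose DLLName points at a file that does not exist (the "file missing" in the O20 line) is exactly what HijackThis flags, and on Vista Winlogon no longer loads notification packages at all, so the entry is a dead pointer rather than running code; it is still worth removing so it cannot be reused.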
     
  10. mch

    mch Private E-2

    My apologies. I didn't realize I needed to check SysWOW64 too. In my defense, the file didn't exist in System32.

    All steps completed, logs attached. I did get a success message on merging with the registry.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not uninstall the below as requested:
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7

    Your logs are clean. You did not say how things are working so I will assume it is fine.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from ComboFix (if it exists).
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
