browsers Hijacked & other nasties

Discussion in 'Malware Help (A Specialist Will Reply)' started by Geopeera, Feb 8, 2009.

  1. Geopeera

    Geopeera Private E-2

    Post 1 of 2
Xxxx Xxxxxx forum is not Major Geeks.

Message to Xxxx Xxxxxxx forum.

    Early January I started noticing problems.
I downloaded a trial program. Then, like a fool, I went looking for a cracked version of it. I also downloaded WinRAR, but not from their site (it came with extra baggage of some kind). After downloading the crack I received more than one threat warning from AVG Free Edition. AVG took care of them as they popped up, or so I thought. After all, the crack file was gone. I later searched and went to view a tutorial for this trial program and was told I needed a codec to view it. Downloaded it. Watched the tutorial. Then it happened. Misdirection on searches, pop-ups and the internet connection very active when it shouldn't be.
At that point I ran AVG till it came up clean. Ran Lavasoft Ad-Aware 2008 Free; it found 76 problems.
Still having problems, I ran Spybot Search & Destroy or SpywareBlaster, can't remember its findings. Then ran Windows Clean Up (thorough clean-up); it removed 2.4 GB of stuff, including older versions of IE.
    Still problems.
Searched for online scans, chose Panda Security; they told me I was infected with (EMedia Codec). Tried to get their free removal tool; item does not exist or is being blocked. Searched for that tool and found SmitfraudFix. Ran it in safe mode as instructed. Went back to Panda for another scan, STILL THERE. I then went to (Trend Micro HouseCall) to get a second opinion. They removed another Trojan; scanned again, came up clean. Went back to Panda; their scan said I still had (EMedia Codec). OK, I'm doing something wrong here. Scanned with AVG again; it came up clean, same with Ad-Aware.
    The online problems seem to be still there but the computer seems more responsive.
Then I found this forum (Xxxx Xxxxxxx forum) when searching "how to change clock from 24 to 12 hr".

PROBLEMS THAT STILL EXIST, like they ever went away.
Lavasoft Ad-Aware 2008 cannot update; error message (no connection, check your internet connection). I've uninstalled, rebooted and reinstalled this software and no change.
Windows Defrag and ScanDisk both come up with the same error message, "can't start", even in safe mode.
Windows Update never happened on the 13th. That is to say, I saw the little gold shield for a second, then gone, then there again and finally gone, never to return. I can't go to their site; Google is there instead, and the Google icon in the address and tab window looks different. It's a lower-case "g" but with four colours around it.
I have tried to get the updates for Windows and Ad-Aware manually. In every attempt (different web sites) I could get as far as the download page. I click on the download icon and get the message "Page could not be viewed, blah blah blah", you know the one I speak of.
    Pop-ups and that annoying redirection of web sites.

AVG findings as follows:

    2009-10-12 11:30am
    C:\autorun.inf (Virus found Worm/AutoRun) INFECTED
C:\Documents and Settings\User\Local Settings\Temp\temp2B7.tmp MOVED TO VAULT
    C:\Documents and Settings\User\Local Settings\Temp\temp2B8.tmp DELETED

    2009-10-12 1:30pm
    C:\autorun.inf (Virus found Worm/AutoRun) INFECTED
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BR3WFAU8\freescan[2].htm (Virus found FakeAlert) INFECTED
    F:\DVD Temp\ Software&crack I downloaded.rar\ Software&crack I downloaded \crack\ Software-crack.exe (Trojan horse Generic12.MIR) INFECTED, EMBEDDED OBJECT, DELETED
    F:\DVD Temp\ Software&crack I downloaded.rar (Trojan horse Generic12.MIR) INFECTED ARCHIVE
    C:\abARYkT.exe DELETED
    C:\gvFB.exe DELETED
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\TGU2NCYT\oldmoves_com[1].htm DELETED
    F:\autorun.inf HEALED

    2009-10-12 2:33pm
    C:\autorun.inf (Virus found Worm/AutoRun) INFECTED

    2009-10-12 2:35pm
    C:\autorun.inf (Moved to Vault)

    2009-10-12 10:00pm
    Clean

I have left the above Xxxx Xxxxxx forum because they broke three of their steadfast rules. Site now suspect to me.
     

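Added example, not from the thread and not AVG's own output: the findings above are worth reading as a time series rather than one scan at a time. A path that AVG reports as INFECTED in session after session, with no removal action until the very end, is either not being handled or is being recreated by a dropper that is still running, which is what the later ComboFix run turned out to fix. The script below parses a log in the shape of the one posted (the sample text is constructed from those lines, with the long F:\ archive path shortened), flags every path that recurs across scan sessions, and lists every drive root carrying an autorun.inf, the spread pattern of an AutoRun worm.

```python
"""Spot AV findings that keep coming back across successive scan sessions.

Added example; the SAMPLE_LOG below is constructed to mirror the AVG
findings posted above, not read from a real AVG log file.
"""
import re

SAMPLE_LOG = """\
2009-10-12 11:30am
C:\\autorun.inf (Virus found Worm/AutoRun) INFECTED
C:\\Documents and Settings\\User\\Local Settings\\Temp\\temp2B7.tmp MOVED TO VAULT
C:\\Documents and Settings\\User\\Local Settings\\Temp\\temp2B8.tmp DELETED

2009-10-12 1:30pm
C:\\autorun.inf (Virus found Worm/AutoRun) INFECTED
C:\\Documents and Settings\\NetworkService\\Local Settings\\Temporary Internet Files\\Content.IE5\\BR3WFAU8\\freescan[2].htm (Virus found FakeAlert) INFECTED
F:\\DVD Temp\\crack\\Software-crack.exe (Trojan horse Generic12.MIR) INFECTED, EMBEDDED OBJECT, DELETED
C:\\abARYkT.exe DELETED
C:\\gvFB.exe DELETED
F:\\autorun.inf HEALED

2009-10-12 2:33pm
C:\\autorun.inf (Virus found Worm/AutoRun) INFECTED

2009-10-12 2:35pm
C:\\autorun.inf (Moved to Vault)

2009-10-12 10:00pm
Clean
"""

# A session header is a date plus a 12-hour time, e.g. "2009-10-12 1:30pm".
SESSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}\s*(?:am|pm)$", re.IGNORECASE)
# A finding is: drive-letter path, optional "(detection name)", optional action words.
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)"
    r"(?:\s*\((?P<detection>[^)]*)\))?"
    r"\s*(?P<action>(?:INFECTED|DELETED|HEALED|MOVED TO VAULT)[A-Z ,]*)?$"
)
REMOVAL_WORDS = ("DELETED", "HEALED", "MOVED TO VAULT")


def parse_log(text):
    """Return one dict per finding, tagged with the index and label of its scan session.
    A bare status line such as "Clean" yields no finding but the session still counts."""
    records, session_idx, session_label = [], -1, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SESSION_RE.match(line):
            session_idx, session_label = session_idx + 1, line
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        path, detection, action = m.group("path").rstrip(), m.group("detection"), m.group("action")
        # AVG sometimes writes the action in parentheses, e.g. "(Moved to Vault)".
        if detection and not action and re.search(r"vault|quarantin", detection, re.IGNORECASE):
            action, detection = detection.upper(), None
        records.append({"session": session_idx, "label": session_label, "path": path,
                        "detection": detection, "action": (action or "").strip()})
    return records


def recurring_findings(records):
    """Paths reported in more than one session, with how often AVG only said INFECTED
    (no removal) and whether the path came back after a removal action."""
    by_path = {}
    for r in records:
        by_path.setdefault(r["path"].lower(), []).append(r)
    report = {}
    for hits in by_path.values():
        sessions = sorted({h["session"] for h in hits})
        if len(sessions) < 2:
            continue
        removed_in = [h["session"] for h in hits if any(w in h["action"] for w in REMOVAL_WORDS)]
        report[hits[0]["path"]] = {
            "sessions": len(sessions),
            "unhandled_reports": sum(1 for h in hits if h["action"] == "INFECTED"),
            "back_after_removal": bool(removed_in) and max(sessions) > min(removed_in),
        }
    return report


def autorun_roots(records):
    """Drives whose root holds an autorun.inf finding: how AutoRun worms hop between drives."""
    return sorted({r["path"][:2].upper() for r in records
                   if r["path"].lower().endswith(":\\autorun.inf")})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for path, info in recurring_findings(recs).items():
        print(f"{path}: seen in {info['sessions']} sessions, "
              f"{info['unhandled_reports']} reports with no removal action, "
              f"back after removal: {info['back_after_removal']}")
    print("autorun.inf at drive roots:", autorun_roots(recs))
```

Run against the sample it reports C:\autorun.inf in four sessions, three of them with no removal action, and autorun.inf at the roots of both C: and F:. A path that shows up as back_after_removal is the stronger signal: something still running is re-creating it, and scanning again will not fix that.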

  2. Geopeera

    Geopeera Private E-2

    Post 2 of 2

    Major Geek

    Thank you, for empowering me to fix as much as I could myself.
The only issue I had was with the ComboFix log. When I ran ComboFix I was unplugged, so the Recovery Console was not installed. So I ran ComboFix again after the MGtools scan, to install the Recovery Console and do the toggle procedure. Well, now I understand why you tell us to do scans only once. The second run of ComboFix rewrote the log file, I think, because this log has no reference to the files in quarantine.
Example: in the first log I remember seeing the file name AutoRun.inf found on C:\ & F:\. This log does not show that or the other files it found. I'm so sorry for messing up like that.
As for the issues I was having with my computer, they seem to be ALL gone. As a matter of fact, one of the first things I remember seeing after the reboot for the Recovery Console toggle was the Windows "gold shield icon" letting me know that my Windows updates were ready to install. I checked Windows Defrag and ScanDisk; they work now, not that I'll ever use them again since the download of Smart Defrag. Ad-Aware also was able to update.
And one more thing: months ago I noticed that one of my games would not log on to the net for internet play. I didn't think much of it, since I was not fond of getting beaten by 10-year-olds over and over again.
Point? It's working again, which means I've been having problems since before January, maybe as far back as Sept.
    Here's the rest of the logs and thanks again for your instruction and tool source.

Give a man a fish, feed him for a day. Teach him to fish, feed him for a lifetime.
Can't say it enough: THANK YOU MAJOR GEEKS.
    This place is unbelievable!
    George

    I await your reply.
     

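Added example, not part of George's posts or of any tool mentioned in the thread: the Worm/AutoRun detections on C:\autorun.inf and F:\autorun.inf in both posts above exist because Windows XP reads the [autorun] section of an autorun.inf at a drive root and will act on it at insertion or double-click. The parser below reads such a file and reports every directive that would execute something (open=, shellexecute=, shell\<verb>\command=, shell=) and the cosmetic keys worms use to pass as a normal drive. Both sample files are constructed for the example; the thread never shows the contents of the real file, and the RECYCLER\update.exe target is invented.

```python
"""Parse an autorun.inf and report what it would execute or disguise.

Added example. WORM_SAMPLE and BENIGN_SAMPLE are constructed; neither is
the autorun.inf found on the drives in the thread.
"""

WORM_SAMPLE = """\
[autorun]
; constructed sample in the style of an AutoRun worm (not the file from the thread)
open=RECYCLER\\update.exe
shellexecute=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
xq7KlpZ
"""

BENIGN_SAMPLE = """\
[autorun]
label=Photos 2008
icon=photos.ico
"""


def parse_autorun(text):
    """Parse autorun.inf into {section: {key: value}} with lower-cased names.
    Lines that are not key=value (worms pad the file with junk to dodge
    signatures) are skipped instead of aborting the parse."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _target_note(value):
    """Flag targets placed where Explorer hides them by default."""
    v = value.lower()
    if "recycler" in v or "system volume information" in v:
        return " (target hidden in a folder Explorer normally hides)"
    return ""


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing would run."""
    cfg = parse_autorun(text)
    section = dict(cfg.get("autorun", {}))
    for name, keys in cfg.items():            # [autorun.<arch>] overrides [autorun]
        if name.startswith("autorun."):
            section.update(keys)
    findings = []
    for key, value in section.items():
        if key in ("open", "shellexecute"):
            findings.append(f"{key}= runs {value!r} on AutoPlay/double-click{_target_note(value)}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            findings.append(f"context-menu verb {verb!r} runs {value!r}{_target_note(value)}")
        elif key == "shell":
            findings.append(f"shell= makes {value!r} the default double-click action")
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append("icon= borrows a Windows icon so the drive looks like a plain folder")
        elif key == "action":
            findings.append(f"action= supplies the AutoPlay prompt text {value!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("worm-style", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"--- {label} ---")
        for finding in assess_autorun(sample) or ["nothing auto-executes"]:
            print(" ", finding)
```

The point of the verb check is that even with AutoPlay off, shell\open\command and shell\explore\command hijack the Explorer context menu, so opening the drive by hand still runs the payload; that is why AV healing F:\autorun.inf while the dropper on C:\ kept running was never going to hold. Microsoft later stopped honouring autorun.inf on non-optical removable media, which took most of the wind out of this class of worm.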

  3. Geopeera

    Geopeera Private E-2

When viewing the ComboFix log I attached, I noticed a reference to a ComboFix2.txt log. I found it; the date and time stamp look like the one that I thought got rewritten. If this is the one that I should have submitted in the first place, then COOL. If not, then sorry for wasting your time.

    George

    Needed to zip it, too big to attach.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

Your logs are clean; however, I do question what the below files are. If you did not create these, then delete them.
    Code:
    "C:\"
    aiid.bat      Jan 12 2009        8098  "aiId.bat"
    bt.bat        Jan  6 2009        8098  "bt.bat"
    oxkk.bat      Jan 12 2009         207  "OxkK.bat"
    testfile.bat  Jan  6 2009         208  "testfile.bat"
    
    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
• Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work through the below link:
     
  5. Geopeera

    Geopeera Private E-2

    Chaslang
    MajorGeeks

    Thank you for the response
    Thank for questioning those .bat files. Gone now.
When I first came to MajorGeeks I remember seeing a page that scared the C**P out of me: the fake malware/adware remover comparison page. I think I have one to add to your list. SPYWARE DETECTOR by Max Secure, or its fake version. It was a sponsored site from the last tech forum I was at. I downloaded the .exe and did a scan, but you needed to buy it before it would do anything about the scan. So I ran Spybot Search & Destroy to see if it could find these problems as well. Now I have heard of these anti-spyware programs having conflicts with each other, but get this: Spybot found a conflict with Max Secure "Spyware Detector", so it removed it. The program, I mean, all 168 files including the desktop shortcut. That I have never seen before. The download came from a SpywareRemoversReviews site, not Max Secure itself. I have the link at your request. The download .exe from Max Secure is named a little differently.
    George

    And thanks again for your help with my malware problems.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Yes we know all about MaxSecure and many other similar poorly designed malware removal tools that are just a waste of money.

We and many other sites have somewhat given up on trying to keep up with the list of rogue removal tools. In the last 2 months alone there have been more than several dozen variations of even just one tool like (AntiVirus 2008 or 2009, XPAntivirus 2008 or 2009, WinAntiVirus 2008 or 2009, WinXPAntiVirus 2008 or 2009, ... etc.; the list can go on for ever). They often create several of these per day. Basically our cleaning procedures automatically remove them, or at least point them out to us so that we can remove them manually.
     
    Last edited: Feb 15, 2009
  7. Geopeera

    Geopeera Private E-2

