domcom trojan, systr.dll, and hotoffers

Discussion in 'Malware Help (A Specialist Will Reply)' started by fd21, Mar 28, 2005.

  1. fd21

    fd21 Private E-2

    Hello, I am new to this forum and actually just used some threads from other users to get rid of the systr.dll and hotoffer webpage that I believe were a result of the domcom trojan; which I somehow got today but luckily removed. Thanks to PhilliePhan if he reads this because it was his replies to someone else that also worked for me. I also downloaded hijack this and ran it, and just wanted to be sure my computer is running clean now and was hoping someone more knowledgeable than myself could look at my log file (as I don't want to delete anything I actually need). I noticed the announcement about not posting a log until asked though, so I will wait until I am asked. Thanks!
     
  2. fd21

    fd21 Private E-2

    Oh I spoke too soon! Before when I tried to go to yahoo or google or ebay I would be redirected to a webpage called search assistant. After I ran spybot it found something called a redirector and it fixed the problem for yahoo and google, but now I realized it's still there for ebay. Does that mean that my computer is still infected, and if so what can I do to fix it?
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, you're still infected!

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

     
  4. fd21

    fd21 Private E-2

    Hey thanks for the quick reply, I just downloaded the newer version of hijack this that you posted and ran it again according to your instructions. I'll attach the log file. Thanks again!
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.

    Second:
    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    Third:
    After doing the above steps, attach a fresh HJT log.
     
  6. fd21

    fd21 Private E-2

    Here is the new hijackthis log after completing the steps you suggested. The only thing is the Hoster program wouldn't allow me to click "restore original hosts" button, it remained grayed out and the "ok" button never appeared after I clicked on it. Will that be a problem?
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You MUST do this before we proceed, if you do not then you will not get backups!
    I will go ahead and post you a fix, but DO NOT do anything else with HJT until you do this!

    Now EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The first thing that jumps out at me is that your operating system is WAY outdated. After we get your system cleaned up I would recommend your going to Windows Updates and getting updated. Browsing the web without proper protection will lead to more and more infections.

    Now Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O1 - Hosts: 69.50.173.4 lycos.com
    O1 - Hosts: 69.50.173.4 amazon.com
    O1 - Hosts: 69.50.173.4 www.amazon.com
    O1 - Hosts: 69.50.173.4 aol.com
    O1 - Hosts: 69.50.173.4 www.aol.com
    O1 - Hosts: 69.50.173.4 earthlink.net
    O1 - Hosts: 69.50.173.4 www.earthlink.net
    O1 - Hosts: 69.50.173.4 ebay.com
    O1 - Hosts: 69.50.173.4 www.ebay.com
    O1 - Hosts: 69.50.173.4 go.com
    O1 - Hosts: 69.50.173.4 www.go.com
    O1 - Hosts: 69.50.173.4 icq.com
    O1 - Hosts: 69.50.173.4 www.icq.com
    O1 - Hosts: 69.50.173.4 lycos.com

    O9 - Extra button: Microsoft AntiSpyware helper - {29A11C4D-406B-4AC5-8EA4-CF5BE8E88062} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {29A11C4D-406B-4AC5-8EA4-CF5BE8E88062} - (no file) (HKCU)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After doing ALL of the above REBOOT!

    Scan with HijackThis and attach the new log.
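
Added example, not part of the thread or of HijackThis itself: a Python sketch of the check behind the O1 and O9 picks in post 8 above. It flags any non-local address that the hosts entries map to several unrelated sites, and any entry marked (no file) or (file missing). The sample log is constructed from lines quoted in that post; the function names and the two-label base-domain heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format, built from entry types quoted
# in post 8 (not the poster's full log, which was an attachment).
SAMPLE_LOG = r"""
O1 - Hosts: 69.50.173.4 ebay.com
O1 - Hosts: 69.50.173.4 www.ebay.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.aol.com
O1 - Hosts: 127.0.0.1 localhost
O9 - Extra button: Microsoft AntiSpyware helper - {29A11C4D-406B-4AC5-8EA4-CF5BE8E88062} - (no file) (HKCU)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
"""

# "<section code> - <rest of entry>", e.g. "O1 - Hosts: 1.2.3.4 example.com"
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# Addresses that are normal (localhost) or a common blocklist sink.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_log(text):
    """Return (section_code, body) for every line that looks like a log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def base_domain(host):
    """Collapse www.ebay.com and ebay.com to one site.

    Assumption: the last two labels identify the site. That is wrong for
    suffixes such as co.uk, but enough for the names in this thread.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hijacked_hosts(entries, min_sites=2):
    """Map each non-local IP to the unrelated sites that hosts entries point at it.

    One address answering for several different companies' sites is the
    redirect pattern listed in post 8; a single site is not flagged.
    """
    by_ip = defaultdict(set)
    for code, body in entries:
        m = HOSTS_RE.match(body) if code == "O1" else None
        if m and m.group(1) not in LOCAL_ADDRS:
            by_ip[m.group(1)].add(base_domain(m.group(2)))
    return {ip: sorted(s) for ip, s in by_ip.items() if len(s) >= min_sites}


def orphaned_entries(entries):
    """Entries whose target file is gone: leftovers that are safe to review."""
    return [(c, b) for c, b in entries if any(mk in b for mk in ORPHAN_MARKERS)]


def triage(text):
    entries = parse_log(text)
    return {"hosts_hijack": hijacked_hosts(entries),
            "orphaned": orphaned_entries(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, sites in report["hosts_hijack"].items():
        print(f"hosts redirect: {ip} <- {', '.join(sites)}")
    for code, body in report["orphaned"]:
        print(f"orphaned {code}: {body}")
```
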
     
  9. fd21

    fd21 Private E-2

    All done (hopefully)! Here is the log file. Thanks so much for all of the help.

    Another question do I want to download all of the windows updates offered, such as service pack 2 (because I've heard very mixed reviews of it), or just specific items?
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You must download and install Service Pack 2 as it brings more security patches and some nice little features such as the Security Center and Popup Blocker plus much more!

    You want to get ALL critical updates!

    Allow me a moment to check your latest log.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you use EmpirePoker?

    The last log looks clean to me!:)

    Are you currently experiencing any further problems?
     
  12. fd21

    fd21 Private E-2

    Great, I'm ecstatic that everything looks fine and everything seems to be working perfectly too. I will download the windows updates right away. Thanks again. Oh, and I do use Empire Poker.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Good Deal:)

    You should see this article on How to Protect yourself from malware!
     
  14. fd21

    fd21 Private E-2

    I can't believe it. Up until yesterday, I hadn't had a virus in months. And now, I've gotten two in two days. I was just alerted that my computer has the "Trojan.Alwayup" How should I go about removing this and ensuring that my computer is clean? Should I take the same steps to remove it as the domcom trojan? Also, when I was notified the antivirus software said that "clean failed, quarantine failed, delete succeeded" and I received so many notifications that I had to disconnect from the internet. Any suggestions? I am running a virus scan now.
     
  15. fd21

    fd21 Private E-2

    Virus scan detected no viruses...does that mean my computer is clean? Or should I do anything else, HijackThis log, change the registry, etc. Thanks.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have you downloaded and installed Service Pack 2 yet?

    To remove this start by doing these scans.

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After you do ALL of these scans reboot and post a fresh HJT log.
     
  17. fd21

    fd21 Private E-2

    Here is the new HijackThis log, and also the Bitdefender virus scan said it found viruses (and I have also attached the log for that); the other three virus scanners did not find anything. I downloaded zone alarm and spyware blaster like it suggests in the link you referred me to called "how to protect yourself from malware." When I went to download.com to download service pack 2 I read a lot of reviews that said zone alarm, anti-virus software, and ad-aware/spybot were sufficient protection, and that service pack 2 might slow down my computer. I thought I would ask your opinion about that before I proceeded with the installation. Thanks!
     


  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You need Service Pack 2 before you need anything else. Go download and install Service Pack 2 right now if you can. Without this you will continue to have problems. It's a MUST!

    Allow me a moment to check your logs.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run Hijack This and have it fix the below entries, Be sure ALL browsers are closed before you click FIX.

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After you fix the above entries, Reboot Into Safe Mode!

    Navigate to and delete the following files/folders:

    C:\Program Files\AWS

    C:\temporary <-- Delete everything in this folder!

    NEXT:
    Run CCleaner!

    Reboot and tell me how things are working now!
     
  20. fd21

    fd21 Private E-2

    Everything seems to be running great, except my computer's much slower when I am surfing the net and I can't access a lot of web pages (I think due to zone alarm). After I get service pack 2 should I keep zone alarm, or is it unnecessary to keep both of them? As usual, thanks for the quick help.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Service Pack 2 is a MUST due to security purposes. A firewall & antivirus program in my opinion are required as well, to stay clean anyway.

    What problems are you having accessing websites? What happens?
     
  22. fd21

    fd21 Private E-2

    The web pages almost always load up much slower than they used to, or the green progress bar along the bottom of the webpage will take a long time, and then go to the "the page cannot be displayed" page. This doesn't always happen though, but when it does I can fix it by shutting down zone alarm. It hasn't been doing it this session though, is it possible that this was a problem unrelated to zone alarm, and perhaps due to the virus I had?
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's possible, anything can cause this. If you keep having problems with ZA there are other free ones available. There is the Sygate Personal Firewall and the Kerio Personal Firewall, both free!

    You can give one of these a try if you like. However your OS will run better if you go ahead and update to Service Pack 2.
     
  24. fd21

    fd21 Private E-2

    Hello, just wanted to say thanks first of all because my computer is still running great. However, I came home from college today and our computer at home is a mess and loaded with spyware (59 criticals from an ad-aware scan). I updated and performed a virus scan, ran spybot, ad-aware, and ccleaner. I was wondering if you could take a look at this HijackThis log, because I'm pretty sure the computer isn't clean yet. For example, the web browser always goes to "http://searchweb2.com/" even after I reset the homepage, and there are still a lot of pop-ups. Thanks for your help, I really appreciate it!
     


  25. jowolf359

    jowolf359 Private E-2

    Edit by chaslang: Please do not come into the Spyware Forum and post incorrect and incomplete fixes. None of the items you suggested are true problems. You missed all of the bad stuff that really needed fixing.

    Also you should read our sticky threads so you are familiar with our cleanup procedures. You are suggesting that the user run Ad-Aware when it has already been installed and run during the execution of the cleanup procedure.


    Please do not ask for HijackThis logs to be posted. You are not yet qualified to be reading them or to suggest fixes.
     
    Last edited by a moderator: Apr 9, 2005
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    jowolf359,

    I think I have this under control. Thanks for the help though. Don't remove anything until I request it. Allow me a moment to check your log.
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Messenger Plus! 3

    MyWebSearch

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    MsgPlus.exe

    iexplore.exe <-- End all instances of this process!

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pamrfhgpcblhbi.net/TA22Rg99P5b1r5B9Tgv/37gheDuuqGCn0iZi9qMbDI9TX7TlTj JVZv7getpA80Pw.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whdbgbykwffovss.org/TA22Rg99P5aR5RY74BZgDx66Ehs2RAEEnJQXD451Cag.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll (file missing)
    O2 - BHO: (no name) - {FFF975F3-1F32-FB7E-1F16-889C16AEBD6B} - C:\DOCUME~1\Admin\APPLIC~1\mfcdhide\For name.exe

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll (file missing)

    O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [Atom Proxy Dupe Lite] C:\Documents and Settings\All Users\Application Data\Save real atom proxy\Five Atom.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [DefaultBind] C:\DOCUME~1\Admin\APPLIC~1\GPLMET~1\nurb fast bin.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup 1.0.0.8.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup142f1.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    D:\Program Files\Messenger Plus! 3 ←–– Delete this whole folder if it exists!

    C:\Documents and Settings\Admin\Application Data\mfcdhide ←–– Delete this whole folder if it exists!

    C:\Documents and Settings\All Users\Application Data\Save real atom proxy ←–– Delete this whole folder if it exists!

    C:\Documents and Settings\Admin\Application Data\GPLMET~1 ←–– Delete this whole folder if it exists!

    C:\Program Files\MyWebSearch ←–– Delete this whole folder if it exists!

    C:\WINDOWS\about.htm

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  28. fd21

    fd21 Private E-2

    bjgarrick, I already have deleted all of the items that jowolf359 suggested...I have been running the microsoft antispyware scan and just noticed your post. Did I delete anything I shouldn't have? Should I just follow the steps you posted, or should I do something different? Thanks.
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I didn't spend 10 minutes creating that fix for it not to be followed, please follow EVERY step in that fix from start to finish. I don't know how you got all of this mess back but something ain't right.

    Also, from now on be careful who you take advice from because that user didn't know what he was talking about and could have really messed you up. So be careful who you take advice from.

    After doing all the steps I listed in that fix, post a fresh HJT log.

    Just a little advice, I would recommend your updating Symantec AV or installing one from our article on HOW TO PROTECT because you're not protected. You also need a firewall.

    See this thread:
    How to Protect yourself from malware!
     
  30. sibeer

    sibeer MajorGeek

    Bj, I don't know if you noticed, but I think fd is talking about a different computer.
     
  31. fd21

    fd21 Private E-2

    I performed all of the steps, but a lot of that stuff was already gone. The following items weren't in the HijackThis log so I couldn't remove them:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pamrfhgpcblhbi.net/TA22R...i9qMbDI9TX7TlTj JVZv7getpA80Pw.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whdbgbykwffovss.org/TA22...JQXD451Cag.html


    O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll (file missing)
    O2 - BHO: (no name) - {FFF975F3-1F32-FB7E-1F16-889C16AEBD6B} - C:\DOCUME~1\Admin\APPLIC~1\mfcdhide\For name.exe

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll (file missing)


    O4 - HKLM\..\Run: [Atom Proxy Dupe Lite] C:\Documents and Settings\All Users\Application Data\Save real atom proxy\Five Atom.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [DefaultBind] C:\DOCUME~1\Admin\APPLIC~1\GPLMET~1\nurb fast bin.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...ralInitialSetup 1.0.0.8.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...asetup142f1.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab


    I also realized that jowolf had me delete a lot of the O16's (but I don't know what effect this had), and they are no longer there. The computer seems to be running fine, but is it possible that he had me delete anything that I actually shouldn't have?? In any case, here is the new HijackThis log. Please let me know if it looks clean, and whether or not I deleted anything I shouldn't have. Thanks for the help.

    p.s. This is my home computer, my computer at college is still working great!
     


  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The O16 entries are only ActiveX controls, nothing to worry about. I apologize about the remark about the stuff coming back, I wasn't paying attention because I was trying to get a post in about ignoring that user's post.

    Let me check your log, one second!
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You MUST close ALL browsers!

    C:\Program Files\Internet Explorer\iexplore.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aecoabphtzhfkol.us/TA22Rg99P5b1r5B9Tgv/37gheDuuqGCn0iZi9qMbDI8NUw9hi0 FoWv7getpA80Pw.cgi
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yah oo.com

    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - (no file)


    Again, make sure All Browser Windows are Closed when you Click FIX.


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.
     
  34. fd21

    fd21 Private E-2

    I have just completed the final steps you posted. Attached is the HijackThis Log. I also got a firewall (zone alarm). I was wondering what you meant by updating my symantec antivirus because I'm currently not protected. Do you mean running live update? Because I did that earlier and it should be up to date. Or did you mean that the version I have is too old perhaps?
     


  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I thought all of those baddies were on the machine we just cleaned up, that's why I said that because if it would have been the case Symantec wasn't doing its job. But that was another machine.

    Your log is clean!

    Are you having any further problems on this machine?
     
  36. fd21

    fd21 Private E-2

    Nope, no more problems at all, everything is working fine. Thanks again for the great help!
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome! :)

    You should see this article on How to Protect yourself from malware!
     
  38. fd21

    fd21 Private E-2

    I was using my computer earlier, and received a Symantec alert that I had the "Trojan.Alwayup." It said "Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied." Does this mean that the trojan is gone from my computer because it was deleted? I decided to run ccleaner, spybot, and ad-aware; then I performed symantec virus scan, trendmicro online scan, bitdefender, ravantivirus, and trojanscan as well. The symantec scan found nothing, but the others found a few viruses, which I then deleted. I just rebooted and ran HijackThis. My computer has been running great, and the Trojan.Alwayup didn't seem to do anything, but I just want to make sure that my computer is clean. Here is the HijackThis log. Thanks
     


  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You MUST update your computer, without Service Pack 2 you will continue to have problems like this.

    Why didn't you follow the sticky on how to protect? If you had you wouldn't be in this spot again.

    Now, surf in to windows updates right now and get updated!

    After you get updated come back here and post a fresh HJT log and we will start cleanup procedures once again.
     
