Malware problems! I followed the procedure. Anybody got a minute?

You don't really have too many problems!

Bitdefender only showed items in System Restore which can be removed by flushing your restore point as indicated in step 9 of the READ ME. But we will do that after we remove the below malware.

Panda found nothing but a few cookies and one benign/stray left over registry key. It gives no details on this key so there is nothing we can do to fix it but it is not causing you any problems anyway.

Are the below 2 settings something you configured?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qu123.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qu123.com

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 6

Make sure viewing of hidden files is enabled (per the tutorial).
Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.yisou.com/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.yisou.com/srchcust.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\yasrde.exe
C:\WINDOWS\system32\yasrdd.dll
C:\WINDOWS\system32\yas.dat
C:\Program Files\YiSou <--- the whole folder
Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode
Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Jim\Local Settings\Temp

Now attach a the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!
Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Re: Hahaha, great! Cheers for the fix!

The use HJT to fix them but they may not fix now because you have run something or configured something that I did not ask for. You now have the below in your log:

What did you run or install or change the configuration on? Spybot perhaps or SpywareBlaster??

Also have HJT fix the below leftover from Spy Sweeper:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

What are the below new files on your Desktop?

Code:

"C:\Documents and Settings\Jim\Desktop\
bhr.exe       Oct 10 2006     2449088  "bhr.exe"
hjbghj~1.doc  Oct 11 2006       30720  "hjbghjbhj.doc"

Jibberish names like the .doc file are always suspected to be malware!

The below files that I asked you to delete are still there:

C:\WINDOWS\system32\yasrde.exe
C:\WINDOWS\system32\yasrdd.dll
C:\WINDOWS\system32\yas.dat

You need to delete it. DO NOT USE WINDOWS SEARCH. Use Windows Explorer!!! That was why we had step 2 of the READ ME enable viewing of hidden files. That only enables viewing of hidden & system files in Windows Explorer not Windows Search.

 

Re: Like rabbits out of a hat, but cant find the hat!

Then perhaps those 3 files are related to Yahoo! Assistant! Is this the application that you mean you cannot uninstall? Do you use this?

How is your PC running right now?

 

Re: Like rabbits out of a hat, but cant find the hat!

Then goto Add/Remove programs and uninstall Yahoo! Assistant. Then reboot your PC.

After reboot, are those three files gone now. If not, please put all three of them into a ZIP file and upload them here as an attachment.


I also get a load stuff transfered to tribal fusion on every browse but the spybot and Ad-Aware-SE dont pick up the cookie for this. Any way to manually remove it or block this site (already done the spybot immunise but it hasnt made any difference to this particular data tracker)?[/quote]Cookies are not problems to be concerned with and in most cases cookies are helpful and useful to you. See step 11 in this How to Protect yourself from malware!

No P2P applications are actually safe and you cannot trust that the people you are downloading from are running clean PCs nor can you trust them to be honest. In any malware removal type forum, no one would every recommend the use of P2P applications but we obviously realize that many people use them. Some help forums will even refuse to provide you any help until ALL P2P type applications have been physically uninstalled and folders where their downloads have been saved have been deleted. I will however tell you that more than 50% of the people coming here with infections have typically picked them up by using P2P applications (some of which are bundled with malware) or by download infected files from the P2P servers. You are on your own in this area!

 

Re: the 3 culprits

Those files are definitely part of a Chinese version of Yahoo (probably something to do with a search assistant). See this:

http://en.wikipedia.org/wiki/Yahoo!_Assistant


Now that you remove the Yahoo folder, can these 3 files be deleted and do they stay deleted.