ox.jisearch.me

Discussion in 'Malware Help (A Specialist Will Reply)' started by DNMD, Feb 14, 2014.

  1. DNMD

    DNMD Private E-2

    Problems: About a week ago started having problems with pop-ups and additional links added to the original links on web pages.

    Problems occur in Explorer and Firefox. Example added link: ox.jisearch.me.www/delivery/aft.php?

    2/10/14: Uninstalled VLC Media Player that had been recently installed.
    2/10/2014 Error message: APSDaemon.exe: "This application has failed to start because MSVCR80.dll was not found. Re-installing the application may fix this problem."

    Also, getting these error messages:
    putil.exe "This application has failed to start because MSVCR80.dll was not found. Re-installing the application may fix this problem."

    Microsoft Windows: "defaults has stopped working" "A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

    Completed steps:
    Step 1: Getting Started
    I tried a few of these items, but they didn't seem related to my issues.
    Step 2: Uninstalling Multiple Protection Applications
    I believe we are only running McAfee.
    Step 3: Configuration & Setup
    32 bit
    Step 4: Disable Any Disk Emulation Software (like Daemon Tools..etc)
    Ran Defogger.
    Step 5: Temp File/Folder Cleaning
    Run CCleaner Cleaner only (ran for all 4 user accounts).
    Step 6: Windows OS Specific Cleaning Instructions
    (Vista & Windows 7 Malware Removal/Cleaning Procedure)
    (http://forums.majorgeeks.com/showthread.php?t=139681)
    Step 1: Downloaded Tools
    Step 2: Disabled UAC
    Step 3: Installed Tools and Ran Scans
    I think TDSS Killer found something, but I didn't attempt to correct it.
    Step 4: Yes, Still Having Problems

    Log Notes:
    Ran Malware Bytes twice
     

    Attached Files:

    Last edited by a moderator: Feb 15, 2014
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

    Uninstall the below programs:

    • Ask Toolbar
    • Updater
    • Web Protect for Windows




    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : Updater (C:\ProgramData\Updater\updater.exe [7]) -> FOUND
    • [RUN][SUSP PATH] HKLM\[...]\Run : Updater (C:\ProgramData\Updater\Updater.exe [7]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-1432576016-3336662556-2931470029-1000\[...]\Run : Updater (C:\ProgramData\Updater\updater.exe [7]) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for items on the Drivers tab (Or file/folder)

    • [Inline] IAT @iexplore.exe (RegQueryValueExW) : ADVAPI32.dll -> HOOKED (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32.dll @ 0x5A6DCD90)
    • [Inline] IAT @iexplore.exe (RegOpenKeyExW) : ADVAPI32.dll -> HOOKED (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32.dll @ 0x5A6DCCD0)
    • [Inline] EAT @iexplore.exe (RegOpenKeyExW) : ADVAPI32.dll -> HOOKED (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32.dll @ 0x5A6DCCD0)
    • [Inline] EAT @iexplore.exe (RegQueryValueExW) : ADVAPI32.dll -> HOOKED (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32.dll @ 0x5A6DCD90)
    • [Inline] EAT @iexplore.exe (RegSetValueExW) : ADVAPI32.dll -> HOOKED (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32.dll @ 0x5A6EAAC0)
    • [Inline] EAT @iexplore.exe (RegisterClassExW) : USER32.dll -> HOOKED (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32.dll @ 0x5A6DF4F0)
    • [Inline] EAT @iexplore.exe (RegisterClassW) : USER32.dll -> HOOKED (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32.dll @ 0x5A6DF5A0)
    • [Inline] EAT @iexplore.exe (IELaunchManageAddOnsUI) : IEFRAME.dll -> HOOKED (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32.dll @ 0x5A6E9BC0)


    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Re run Hitman Pro and have it delete Potential Unwanted Programs.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    • O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    • O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    • O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
    • O23 - Service: PCProtect - Objectify Media Inc - C:\Program Files\Web Protect\PCProtect.exe
    • O23 - Service: Protect Monitor (ProtectMonitor) - Unknown owner - C:\monitorsvc.exe
    After clicking Fix exit HJT.




    Now download LSP-Fix.

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the pcprotect.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move pcprotect.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    If it is already in the Remove section, just click Finish.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Users\Nanette\AppData\Roaming\Microsoft\Windows\Templates\3fab6f59
    C:\Program Files\Web Protect
    C:\Program Files\Ask.com
    C:\monitorsvc.exe
    C:\PROGRA~1\SearchProtect
    C:\ProgramData\SPL19F2.tmp
    C:\ProgramData\SPL933.tmp
    C:\ProgramData\SPLC7E1.tmp
    C:\ProgramData\Updater
    C:\ProgramData\Websteroids
    C:\Windows\System32\PCProtect.dll
    C:\Windows\System32\PCProtect.ini
    C:\Windows\System32\PCProtectOff.ini
    C:\Windows\System32\SearchProtect
    C:\Windows\System32\drivers\pcwatch.sys
    
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{12CF3911-08B1-434B-81A9-1117B0D9E342}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Give Ccleaner a run. Not the reg scanner, just the cleaner itself to be rid of a chunk of temp files.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
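
The steps in this post all inspect or remove the same handful of persistence points: Run values under HKCU, HKLM and a per-user hive, IE URLSearchHook / BHO / Toolbar CLSIDs, two services, a Winsock LSP, IE SearchScopes, the files OTM moves, and a DLL hooking the Registry APIs inside iexplore.exe. The script below is an added example, not code from this thread or from any of the tools it names: a read-only PowerShell triage pass that reports whether any of those indicators are still present, so the cleanup can be confirmed without re-running four GUI tools. The CLSIDs, paths, service names and DLL name are copied from the post; the function name Find-ThreadIndicators, the output layout and the use of Get-CimInstance (PowerShell 3.0 or later) are this example's own assumptions. It deletes nothing.

```powershell
# Added example, not part of the original thread or of any tool it names.
# Read-only triage: checks the persistence points the RogueKiller, HijackThis,
# LSP-Fix and OTM steps above target and reports what is still present.
# Run from an elevated PowerShell (3.0+) prompt on the affected 32-bit machine.
# Indicator values are copied from the thread; names and layout are assumptions.

function Find-ThreadIndicators {
    $hits = New-Object System.Collections.Generic.List[string]
    function Add-Hit([string]$Category, [string]$Detail) {
        $hits.Add(("[{0}] {1}" -f $Category, $Detail))
    }

    # 1. Run keys: RogueKiller's [RUN][SUSP PATH] entries and HJT's O4 line. HKCU, HKLM
    #    and every loaded S-1-5-21-* hive are checked, since RK flagged all three.
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $runKeys += @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" })
    foreach ($key in $runKeys) {
        if (-not $key -or -not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            if ("$($p.Value)" -match 'ProgramData\\Updater|Ask\.com\\Updater') {
                Add-Hit 'Run' ("{0} : {1} = {2}" -f $key, $p.Name, $p.Value)
            }
        }
    }

    # 2. IE extension points: HJT's R3 (URLSearchHook), O2 (BHO) and O3 (Toolbar).
    #    CLSIDs appear as subkey names (BHOs) or as value names (Toolbar, URLSearchHooks).
    $badClsids = @{
        '{00000000-6E41-4FD3-8538-502F5495E5FC}' = 'Ask URLSearchHook'
        '{5C255C8A-E604-49b4-9D64-90988571CECB}' = 'orphaned BHO (no file)'
        '{D4027C7F-154A-4066-A1AD-4243D8127440}' = 'Ask Toolbar BHO / toolbar'
    }
    $iePaths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks')
    foreach ($path in $iePaths) {
        if (-not (Test-Path $path)) { continue }
        $names  = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
        $names += @((Get-ItemProperty -Path $path).PSObject.Properties | ForEach-Object { $_.Name })
        foreach ($n in $names) {
            if ($badClsids.ContainsKey($n)) { Add-Hit 'IE' ("{0} : {1} ({2})" -f $path, $n, $badClsids[$n]) }
        }
    }

    # 3. Services: HJT's O23 lines (PCProtect and the unknown-owner ProtectMonitor).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ("$($svc.PathName)" -match 'PCProtect\.exe|monitorsvc\.exe') {
            Add-Hit 'Service' ("{0} [{1}] -> {2}" -f $svc.Name, $svc.State, $svc.PathName)
        }
    }

    # 4. Winsock LSP: the pcprotect.dll entry LSP-Fix removes. Deleting the DLL while
    #    the catalog entry remains breaks networking, hence the separate LSP-Fix step.
    foreach ($line in @(& netsh.exe winsock show catalog 2>$null)) {
        if ($line -match 'pcprotect') { Add-Hit 'LSP' $line.Trim() }
    }

    # 5. IE SearchScopes: the keys in OTM's :Reg section (the hijacked search provider).
    $scopes = @('{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}',
                '{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}',
                '{12CF3911-08B1-434B-81A9-1117B0D9E342}')
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($s in $scopes) {
            $p = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\$s"
            if (Test-Path $p) {
                $url = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).URL
                Add-Hit 'SearchScope' ("{0} -> {1}" -f $p, $url)
            }
        }
    }

    # 6. On-disk remnants from OTM's :Files section (short name C:\PROGRA~1 expanded).
    $files = @('C:\Program Files\Web Protect', 'C:\Program Files\Ask.com',
               'C:\Program Files\SearchProtect', 'C:\monitorsvc.exe',
               'C:\ProgramData\Updater', 'C:\ProgramData\Websteroids',
               "$env:SystemRoot\System32\PCProtect.dll",
               "$env:SystemRoot\System32\SearchProtect",
               "$env:SystemRoot\System32\drivers\pcwatch.sys")
    foreach ($f in $files) { if (Test-Path -LiteralPath $f) { Add-Hit 'File' $f } }

    # 7. In-memory sign of the IAT/EAT hooks RogueKiller listed: SPVC32.dll loaded in
    #    iexplore.exe. Module presence is a cheap proxy; it does not verify the hooks.
    foreach ($proc in @(Get-Process -Name iexplore -ErrorAction SilentlyContinue)) {
        try { $mods = @($proc.Modules) } catch { continue }   # access denied or bitness mismatch
        foreach ($m in $mods) {
            if ($m.ModuleName -ieq 'SPVC32.dll') {
                Add-Hit 'Hook' ("iexplore.exe PID {0} loaded {1}" -f $proc.Id, $m.FileName)
            }
        }
    }

    return $hits
}

$result = @(Find-ThreadIndicators)
if ($result.Count -eq 0) { 'No indicators from this thread are present.' } else { $result }
```

Run it once before the fix to see the same findings the logs show, and again after the reboot to confirm every category is empty. On a 64-bit machine the same Run, BHO and Toolbar keys under Wow6432Node would need checking as well; the thread's machine is 32-bit, so they are omitted here. The module check in step 7 only tells you the hooking DLL is mapped into the browser; RogueKiller's inline IAT/EAT scan is still the tool that confirms the hooks themselves are gone.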
     
  3. DNMD

    DNMD Private E-2

    I may have goofed up your instructions. This is what I have done so far (in this order):

    From Control Panel, I uninstalled the following programs:
    Ask Toolbar
    Updater
    Web Protect for Windows
    And a few other unneeded programs:
    Install Updater
    Duplicate older version of Verizon In Home Agent

    Then, I changed MSConfig settings to normal start mode.

    I also tried to uninstall BING bar but it wouldn't uninstall.
    I rebooted several times while attempting to uninstall BING bar through Control Panel, but then gave up and moved on. I know BING is probably legit anyway.

    Then I ran a RogueKiller scan, but it found a different list of Registry items and Driver items. I didn't delete any of them or reboot yet.

    I stopped there, and have attached a fresh RKiller report.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Everything in the last RK log you attached looks just fine, so continue on with the other instructions please. :)
     
  5. DNMD

    DNMD Private E-2

    Thank you. Things are much better.

    Resolved: Pop up windows stopped and the additional links that were added to web pages are gone.

    Unresolved:
    Error Message at Startup:
    "APSDaemon.exe: This application has failed to start because MSVCR80.dll was not found. Re-installing the application may fix this problem."

    Firefox crashed three times as I was trying to send this message. Should I try uninstalling and reinstalling Firefox?

    I sent this message from Explorer.

    Can't Change Startup Programs:
    From "Control Panel," I chose "Programs," and "Change startup programs."
    Message 1: "Windows Defender is Turned off" "Turn on and open Windows Defender"
    Message 2: "Windows Defender: Windows Defender encountered an error:: 0x800106ba. A problem caused this program's service to stop. To start this service restart your computer or search Help and Support for how to start a service manually."

    I want to remove Garmin and Windows Live Messenger from startup.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Topic for the software forum. Non-malware related. Something to do with iTunes I believe.

    Again, you can ask about this in the software forum.


    It would be the best thing to try.
    Do this:

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Delete this:
    C:\Users\Nanette\AppData\Roaming\f6080abf

    Let me know how you get on.
     
