Palladium HYJACKED my computer...

Please read ALL of this message including the notes before doing anything.

Pleases follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

• **** If something does not run, write down the info to explain to us later but keep on going. ****
• Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
​

 

You did not explain whether you have tried safe mode.

 

Before I even look at the logs you provided (which you must attach not post inline)
HOW TO: Attach Items To Your Post
I am going to request that you attach the most important log of them all which you have not done yet. I would like to see the C:\Mglogs.zip from running C:\MGTools.exe

 

One of the Malware Bytes log reflects that you did not select items for removal. Did you indeed fix what it found?

J2SE Runtime Environment 5.0 Update 6 <--- Uninstall this very outdated version of Java.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O15 - Trusted Zone: http://*.trymedia.com (HKLM)

After clicking Fix exit HJT.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

DirLook::
c:\documents and settings\All Users\Application Data\WSTB
c:\documents and settings\HP_Administrator.CRAIG\Local Settings\Application Data\{F98E9651-799B-4D4F-AB76-4D532BF78FBC}
Driver::
ostw
FF::
FF - ProfilePath - c:\documents and settings\HP_Administrator.CRAIG\Application Data\Mozilla\Firefox\Profiles\fzwsf5dk.default\
FF - prefs.js: keyword.URL - hxxp://search.momentlook.com/?sid=10101074100&s=
FF - user.js: keyword.URL - hxxp://search.momentlook.com/?sid=10101074100&s=
File::
c:\windows\system32\drivers\ygrk.sys
c:\windows\Kzodoquq.bin
Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{77905D69-14B9-47B8-883A-8D2C1DF05CCE}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{70260D28-FB24-4F37-A1FF-957303A4E08E}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}]
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,5d,0b,18,20,2f,58,4a,82,3b,03,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,5d,0b,18,20,2f,58,4a,82,3b,03,\

[HKEY_LOCAL_MACHINE\software\Classes\.mfp]
@DACL=(02 0000)
@SACL=
@="MacromediaFlashPaper.MacromediaFlashPaper"
"Content Type"="application/x-shockwave-flash"

[HKEY_LOCAL_MACHINE\software\Classes\.sol]
@DACL=(02 0000)
@SACL=
"Content Type"="text/plain"

[HKEY_LOCAL_MACHINE\software\Classes\.sor]
@DACL=(02 0000)
@SACL=
"Content Type"="text/plain"

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrartor.
• Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
• Click Start scan
• It will run rather quickly and will notify you of whether anything is found or not.
• Follow the instructions to delete/quarantine if asks you what to do when if finds something.

Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some data on it
• Right click on the screen and select > Select All
• Press Control+C
• Open a notepad and press Control+V
• now please ATTACH that report to this thread

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


After running the fixmbr command and boot back to normal mode, continue with the below.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Run MBRCheck again for me and attach the log? (My apologies, I meant to ask for this before)

 

c:\documents and settings\All Users\Application Data\WSTB <--- Delete this empty directory.

Click Start, Run, and copy and paste the below into the Run box and click OK.

This should bring up your preferences file for FireFox in a notepad window. Look for lines containing the below information and delete the whole line where it appears.

After deleting those lines, click File, and select Save. If you cannot save the file, close all browsers first before saving.

Computer still running well?

 

I am sorry but it has been so long since we last were working on this that I have to ask you to run Combofix again by double clicking it and to re-run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

 

We are going to be uninstalling and re-installing Firefox. So do the below to save bookmarks:

• Run FireFox and click Bookmarks.
• Then select Organize Bootmarks.
• Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

Start by uninstalling FireFox and then reboot. Do not skip the reboot.
After reboot, delete the below folders:

C:\Documents and Settings\*UserAccount\Local Settings\Application Data\Mozilla
C:\Program Files\Mozilla Firefox

*where UserAccount is the actual user account name being used.

Now reinstall FireFox from the file previously downloaded.
Import your bookmarks file. (similar process to exporting).

Re-run Combofix by double clicking it. Attach the log into your next reply.

 

Give me a little while to ask colleagues about something I am unsure of before we wrap up.

 

Okay I am sorry about the delay. I have had a busy weekend. You seem to be having alot of problems that are not due to malware and I may have to send you off to the software forum to further discuss those after we are finished here, but until then there is one last thing I want to tackle before I declare you malware free.

So having said that, can you let me know first how are things running? Can you boot up normally or are you having to resort to safe mode?

 

If you are not able to boot up then you would be better off asking about this in the software forum. Then you can return here.

 

I was seeing this in the Combofix log:

I didn not like the look of that website so I want to remove those entries.

 

I want you to re-run the steps in post # 19 except this time instead of using the regular uninstaller for firefox I want you to use Revo Uninstaller

 

Well, MBAM did not remove anything that it should not have done. Neither did Combofix. In fact Combofix scoped out an infection that would not have been apparent to me and my eye. It reported to have dealt with the problem. The malware itself is probably what has caused system instability.

The fix I gave you by using Revo seems to have ensured a much more thorough uninstall of Firefox which ultimately took away the Momentlook crap I was dubious about.

Are you still not able to get into normal mode? :confused

 

No, I did not say you still had malware on your machine. I just felt that when the malware was present it could have upset your system somewhat. You will have to ask in the software forum about getting back up and running in normal mode again, and then you can return here for one final check.