Spyware Knight/Spysoldier browser redirect

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by katpsi, Jan 14, 2007.

  1. katpsi

    katpsi Private E-2

    Hi, I seem to be having the same malware problem as another user, in that every few pages my browser is redirected to a warning page for Trojan.DLoader/LX trying to sell me Spyware Knight or Spy Soldier. This is the other user's thread:

    http://forums.majorgeeks.com/showthread.php?t=113445

    I've run the instruction steps in the 'Read and run me first' thread and wondered whether I should follow the same instructions in the thread I linked to? I don't really have any knowledge in this area at all, so I'll just list what I did.

    I've run CCleaner; Spybot Search and Destroy fixed everything it found; Counterspy found zero problems, so there was nothing to quarantine; I have done BitDefender and Panda active scans and got logs (attached). Then I also ran GetRunKey and ShowNew, followed by getting a HijackThis log as I was still having the same problem (attached in next post), but thought if I posted these someone could point me in the right direction or let me know whether or not the instructions given in the above thread will be the same for me?

    Thank you!
     


  2. katpsi

    katpsi Private E-2

    These are the other logs for GetRunKey, ShowNew and HijackThis.
     


  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Install the current version of Adobe Acrobat Reader from: Adobe Acrobat Reader Download

    Install Java Runtime Environment (JRE) 6 available from Sun Microsystems.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process. Click on the "Back" Button

    Click the 'Scan' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Post the following logs:
    1. ShowNew
    2. GetRunKey
    3. HijackThis
     
  4. katpsi

    katpsi Private E-2

    Hi, thank you very much for your advice, it all went smoothly, apart from this one bit:

    the file path C:\WINDOWS\system32\adirss.exe didn't come up in HijackThis, though it did come up in Killbox. Now that I have rebooted, my browser seems okay, no redirections so far, but here are my logs to make sure. Could you let me know if they're okay? Thanks.
     


  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - ExplorerXP

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

    Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And click OK.

    REBOOT to Normal Mode.

    These folders showed up the same day you got infected. What is in the folders?
    C:\Program Files\Orange
    C:\Program Files\orange4
    C:\Program Files\Thomson

    Post the following logs:
    1. ShowNew
    2. GetRunKey
    3. HijackThis
     
  6. katpsi

    katpsi Private E-2

    Thanks again for getting back to me.

    The Orange folders are my broadband supplier; the day I got infected was the day I reconnected my broadband with this new provider, so I think that's why it looks suspicious. The Thomson folder is the installation of my modem that came with my broadband pack.

    Did all of the above; the files to delete in ExplorerXP didn't show up in there, and I didn't know how to delete the contents of C:\WINDOWS\Prefetch in CCleaner, couldn't see that anywhere. Attached are my new logs, please let me know if they're okay.

    Thanks.
     


  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete the following folder:
    C:\Documents and Settings\katherine\Local Settings\Application Data\SpySoldier

    The rest of your logs look fine.

    How is your computer running?
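    As an added example (not from this thread or from any MajorGeeks tool), the two checks from this post and the previous one can be done in PowerShell from an administrator prompt: list Program Files folders created on the infection day so you can judge them as was done with the Orange/Thomson folders, and remove the leftover SpySoldier data folder only if it is actually present. The date and profile path are assumptions to be adjusted by the reader.

    ```powershell
    # Added example, not part of the thread. Assumptions: an XP-style profile path
    # and an infection date supplied by the reader; adjust both before running.
    param(
        [string]$InfectionDate = '2007-01-12',   # assumed date: the day the redirects began
        [string]$UserProfile   = 'C:\Documents and Settings\katherine'
    )

    $day = [datetime]::ParseExact($InfectionDate, 'yyyy-MM-dd', $null)

    # 1. Triage: which folders under Program Files appeared on the infection day?
    #    (In the thread the Orange/orange4/Thomson folders turned out to be the
    #    ISP's own software, so creation date alone is a lead, not a verdict.)
    $suspects = Get-ChildItem 'C:\Program Files' |
        Where-Object { $_.PSIsContainer -and $_.CreationTime.Date -eq $day.Date }

    foreach ($f in $suspects) {
        $count = (Get-ChildItem $f.FullName -Recurse -ErrorAction SilentlyContinue |
                  Measure-Object).Count
        Write-Host ("{0}  created {1}  files={2}" -f $f.FullName, $f.CreationTime, $count)
    }

    # 2. Leftover data folder named in the thread; show its contents, then remove it.
    $leftover = Join-Path $UserProfile 'Local Settings\Application Data\SpySoldier'
    if (Test-Path $leftover) {
        Get-ChildItem $leftover -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host ("leftover: " + $_.FullName) }
        Remove-Item $leftover -Recurse -Force
        Write-Host "Removed $leftover"
    } else {
        Write-Host "No $leftover found (already removed or never present)"
    }

    # 3. Prefetch entries record what has run; note any that match names from the
    #    thread (adirss.exe was the file Killbox found) before CCleaner/cleanmgr
    #    clears C:\WINDOWS\Prefetch, as that evidence is gone afterwards.
    Get-ChildItem 'C:\WINDOWS\Prefetch' -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'ADIRSS|SPYSOLDIER' } |
        ForEach-Object { Write-Host ("prefetch: {0}  last run {1}" -f $_.Name, $_.LastWriteTime) }
    ```

    Run the triage step before the Prefetch cleanup in the earlier post, since the .pf files are the record of what executed.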
     
  8. katpsi

    katpsi Private E-2

    Done. It seems fine, I don't get the browser redirect anymore and it seems to be back to its old self. Thank you very much for your help, it was the first time I've had a problem so I had no idea what to do, thanks again.
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work through the below link:
     
