Trojans, Dialer, Adware - Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lorette, Jan 7, 2007.

  1. Lorette

    Lorette Private E-2

    For a while (four weeks?) I have had a problem in Google - sometimes when I click on a link from a search result, I get a random redirection to another site, most typically Ebay or other (inferior) search engine. This is driving me nuts because I never know whether to use the link - out of precaution I copy the link and paste it into the address bar, but it takes the fun out of surfing.

    I have previously been using AVG free, Adaware, Spybot S&D, Spyware blaster, but without them picking anything up.

    I have worked through the 'read and run me first', which has located several bits of malware, but hasn't got rid of them all. I enclose the log-files in hope of help - I've been really impressed reading through some of the threads.

    Remaining logs to follow. Thank you very much for your time.
     


  2. Lorette

    Lorette Private E-2

    Here are the remaining log files.
     


  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the procedure for WareOut Removal

    Post fresh HijackThis, ShowNew, and GetRunKey logs; as well as the log for FixWareout.
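    As an added illustration (not a tool from this thread or from MajorGeeks), here is the kind of first-pass triage a reader could run over a HijackThis-style log before posting it. It assumes the common "Onn - ..." line layout (O1 hosts entries, O2 browser helper objects, O4 Run keys, O17 NameServer settings); the sample lines, addresses, CLSID, interface GUID and user name are constructed placeholders, not content from the attached logs. The search-result redirections described in the first post are the kind of thing a hosts-file or DNS-server hijack produces, so the O1 and O17 checks are the ones to read first.

```python
import ipaddress
import re

# Constructed sample in HijackThis-style notation (assumed format; not the
# thread's attached logs). Addresses are documentation ranges; the CLSID,
# interface GUID and user name are placeholders.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 198.51.100.20 www.google.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-0000DEADBEEF} - C:\\WINDOWS\\system32\\example.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [updater] C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\upd.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{IFACE-GUID}: NameServer = 203.0.113.5,203.0.113.6
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1
"""

# RFC 1918 ranges: a home router's DNS forwarder normally lives here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Autostart commands launched from temporary locations are a classic dropper sign.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\temporary internet files\\")

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def is_rfc1918(addr):
    """True if addr parses as an IP inside one of the RFC 1918 private ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def check_hosts(rest):
    """O1 - Hosts: <ip> <name>: flag any name mapped somewhere other than loopback."""
    fields = rest.split(":", 1)[1].split()
    if len(fields) < 2:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return "hosts entry with unparseable address"
    if ip.is_loopback:
        return None
    return f"hosts file redirects {fields[1]} to {ip}"


def check_bho(rest):
    """O2 - BHO: <name> - {CLSID} - <dll>: an unnamed BHO deserves a look."""
    return "browser helper object with no name" if rest.startswith("BHO: (no name)") else None


def check_run(rest):
    """O4 - <hive>\\..\\Run: [<value>] <command>: flag commands living in temp dirs."""
    m = re.search(r"\[(.*?)\]\s*(.*)", rest)
    if not m:
        return None
    value, command = m.group(1), m.group(2).lower()
    if any(marker in command for marker in TEMP_MARKERS):
        return f"autostart '{value}' runs from a temporary directory"
    return None


def check_nameserver(rest):
    """O17 - ...: NameServer = a,b: flag resolvers outside RFC 1918 space."""
    m = re.search(r"NameServer\s*=\s*(.*)", rest)
    if not m:
        return None
    servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
    odd = [s for s in servers if not is_rfc1918(s)]
    return f"DNS servers outside private ranges: {', '.join(odd)}" if odd else None


CHECKS = {"O1": check_hosts, "O2": check_bho, "O4": check_run, "O17": check_nameserver}


def triage(log_text):
    """Return (section, reason, line) for every line a check flags, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        check = CHECKS.get(section)
        if check is None:
            continue
        reason = check(rest)
        if reason:
            findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

    A public resolver on an O17 line is not automatically malicious (some people set one deliberately), which is why the check reports it for review rather than deciding for you; a hosts-file entry pointing a search engine at a foreign address, on the other hand, is almost never legitimate on a home machine.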
     
  4. Lorette

    Lorette Private E-2

    I've made a start...

    I followed the steps accurately up to the HijackThis part. I checked the boxes as directed but encountered a problem once I had pressed fix selected. There was an error message almost straight away (which I have unfortunately lost) asking me to let the HJT people (merjin? - I can't remember exactly) know what I was doing when the error message came up, and to click to continue. So I continued, and the other things got fixed I think, and then as it was finishing CounterSpy warnings came up about stuff that was trying to change my URLs which I inadvertently let through.

    So instead of getting straight back to you people (which is what I guess I should have done) I have re-run CounterSpy in safe mode, and got a new HJT log, and runkey log.

    I attach these here with apologies if warranted :eek: and request for further advice. Should I continue from where I got up to in the last instructions?

    Thank you in advance
     


  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post the ShowNew and FixWareout logs, as well. Thank You
     
  6. Lorette

    Lorette Private E-2

    I took your reply as an indication to continue, so I have worked through the rest of the steps you gave. Here are the logs (one further to follow).

    I am running XP with SP2, so when I was in safe mode I deleted the prefetch data as in CCleaner. However, I didn't delete the remaining files in C:\WINDOWS\Prefetch which were the layout.ini and a single .pf file. I don't know about either of the extensions, so I thought better to leave alone for now.

    When I ran Wareout fixit, on reboot I got a whole load of warnings from CounterSpy about URL changes. I blocked these after the bad experience last time.

    I am not at an internet connection now until Wednesday 18:00 GMTish, but I will work on it again then. Thank you for all your help.

    lorette
     


  7. Lorette

    Lorette Private E-2

    I should say I have re-done HJT and GetRunKey as indicated at the end of the instructions.
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work through the below link:
     
  9. Lorette

    Lorette Private E-2

    Hooray! Thank you so much for your help, I am back surfing as normal. I can't quite believe my computer is working again. Thank you thank you thank you. You lot are so :cool

    Can I ask a question that I don't think is malware? My account starts up much slower than my partner's. We both have administrator privileges, but I am the one who does the geeky stuff (within my very limited capabilities - removing temp files, running scans, installing a firewall - just now). Any ideas?
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    System performance can be affected by several different factors. One is how much stuff is running in the background, especially resident protection tools such as Anti-Virus and Anti-Spyware tools. Some Anti-Spyware tools don't play well with others, and some place huge demands on system resources. I saw both CounterSpy and AVG Anti-Spyware running with Resident Protection enabled. You only need one of those applications running. I would keep AVG Anti-Spyware over CounterSpy.
     
  11. Lorette

    Lorette Private E-2

    Thanks Shadow. I already uninstalled CounterSpy since it was a trial version. I'm inspired to go over to Software and read up on some of the things there. Thank you again for all your help.

    Lorette
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     
