chrish16
2010-02-25, 06:14
Hello. Yesterday I was browsing the internet when Adobe Reader (which I haven't updated in months because I hate it) popped up. The next thing I knew, my firewall was turned off, my restore points were deleted (running System Restore gives a message: 'disabled by group policy'), and the "Folder Options" control panel completely disappeared. Regedit stopped working. The Windows Security Center that would come up was a fake, and every time I tried to open something, "Vista Antivirus 2010" came up and was "scanning" my computer. I opened Process Explorer and noticed many imitation processes, which I found file locations for and closed.

I booted my computer in Ubuntu/Linux and deleted the files. Upon restarting, System Restore was still disabled, regedit wasn't working, and exes would fail and give a message: "rundll32 not found". I got that fixed by searching the internet, and regedit works. I opened regedit and tried to clear out my \Run things, but every time I press delete and refresh, the entry is instantly reapplied. The same thing happens for "DisableSR", so System Restore still fails. And there are still some weird processes / RAM being used that shouldn't be.

Upon trying to download antispyware things, I noticed that this thing blocks websites like Safer Networking, Malwarebytes, etc. Also, when in Google search results, clicking on a link will always redirect to some random page; it takes about 7 clicks of the same link before it goes to the right page. I tried to run Malwarebytes, but that failed. After renaming the exe, it ran. It found things; I did both the fast and full scans, multiple times. And each time I go through the process of doing it and restarting my computer, upon restarting I experience the same problems. I tried to install Spybot, but it wouldn't let the installer run. Renaming made it run; however, Spybot attempts to connect to safernetworking.org, which caused the installer to not work because of the virus's censorship.

Please help me :S. Here's a HJT log... And iexplore.exe keeps being opened, multiple instances at once, while I know I'm not using it.
---------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:12 PM, on 2/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\sessmgr.exe
c:\program files\aim6\aim6 .exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
H:\Other Stuff\GoogleChromePortable\GoogleChromePortable.exe
H:\Other Stuff\GoogleChromePortable\App\Chrome-bin\chrome.exe
C:\WINDOWS\system32\ctfmon.exe
H:\Other Stuff\GoogleChromePortable\App\Chrome-bin\chrome.exe
H:\Other Stuff\procexp2.exe
H:\Other Stuff\GoogleChromePortable\App\Chrome-bin\chrome.exe
H:\Other Stuff\GoogleChromePortable\App\Chrome-bin\chrome.exe
c:\program files\internet explorer\wmpscfgs.exe
H:\Other Stuff\GoogleChromePortable\App\Chrome-bin\chrome.exe
H:\Other Stuff\GoogleChromePortable\App\Chrome-bin\chrome.exe
H:\Other Stuff\GoogleChromePortable\App\Chrome-bin\chrome.exe
C:\Program Files\Trend Micro\HijackThis\fghnHijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\g8waera.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\g8waera.dll
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\g8waera.dll, HUI_proc
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Chrish16\LOCALS~1\Temp\cmd.exe
O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\g8waera.dll, HUI_proc (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\g8waera.dll, HUI_proc (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208312814296
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC85187F-77D1-4187-B0EE-AFDA818055FA}: NameServer = 93.188.162.13,93.188.166.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.13,93.188.166.82
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.13,93.188.166.82
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.13,93.188.166.82
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\g8waera.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service (FLEXnet Licensing Service-BackupByDreamweaverPortable) - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-Jaadu\WinVNC.exe (file missing)
--
End of file - 7368 bytes
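A defender's triage pass over the O2/O4/O17/O22 sections of a log in the format above, added here as an example and not part of the original post or of HijackThis itself. It flags autoruns launched from a Temp directory, core Windows binary names outside System32, public DNS resolvers set in O17, and one CLSID registered as both a BHO and a SharedTaskScheduler entry. SAMPLE_LOG is constructed from entries in the post; the rules are review heuristics, not verdicts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 log format; the entries are copied from the
# log in the post above, trimmed to the sections this triage inspects.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\g8waera.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\g8waera.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Chrish16\LOCALS~1\Temp\cmd.exe
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.13,93.188.166.82
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\g8waera.dll
"""

# Core Windows binaries whose names are only legitimate under System32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_RE = re.compile(r"^O4 - \S+: \[[^\]]*\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s,]+)')  # quoted or bare drive-letter path

def triage(log_text):
    """Return (section, reason, line) findings for one HijackThis log."""
    findings = []
    clsid_sections = defaultdict(set)  # CLSID -> sections it is registered in
    for line in log_text.strip().splitlines():
        section = line.split(" ", 1)[0]
        if section in ("O2", "O22") and (m := CLSID_RE.search(line)):
            clsid_sections[m.group(0).upper()].add(section)
        if m := O4_RE.match(line):
            for quoted, bare in PATH_RE.findall(m.group("cmd")):
                low = (quoted or bare).lower()
                if "\\temp\\" in low:
                    findings.append(("O4", "autorun launched from a Temp directory", line))
                base = low.rsplit("\\", 1)[-1]
                if base in CORE_BINARIES and "\\system32\\" not in low:
                    findings.append(("O4", f"core binary name {base} outside System32", line))
        if m := O17_RE.match(line):
            for server in m.group("servers").split(","):
                addr = ipaddress.ip_address(server.strip())
                if addr.is_global:  # public resolver: confirm it is really the ISP's
                    findings.append(("O17", f"DNS resolver {addr} is a public address", line))
    for clsid, sections in clsid_sections.items():
        if {"O2", "O22"} <= sections:
            findings.append(("O2/O22", "same CLSID registered as BHO and SharedTaskScheduler", clsid))
    return findings
```

Running `triage(SAMPLE_LOG)` yields six findings: both Temp autoruns, the winlogon.exe copy outside System32, the two public resolvers, and the shared CLSID; the legitimate ctfmon.exe entry is not flagged.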