
Thread: Help! Multiple Infections

  1. #11
    Visiting Fellow
    Join Date
    Nov 2009
    Location
    Land Of The Leprechauns
    Posts
    461


    Hi jtfish,
    Running much faster. No Google redirections. Starts up faster, seems more stable.
    That's good news
    Do the following, then if you have no further problems I can give you final instructions.

    Download OTM.exe by Old Timer and save it to your Desktop.
    • Double-click OTM.exe to run it.
    • Right-click then copy the following code. Do not include the word Code.
      Code:
      :Reg
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
      
      :Files
      C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\ihmejilfknnkfdefibpfelpljeabanmc
      ipconfig /flushdns /c
      
      :Commands
      [EmptyFlash]
      [emptytemp]
      [ClearAllRestorePoints]
      [start explorer]
      [Reboot]
      • Return to OTM, right-click then paste the code into the blank box below
      • Next click on the large button.
      • OTM may ask to reboot the machine. Please do so if asked.
      • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    Logs/Information to Post in your Next Reply

    • OTM log.
    • Please give me an update on your computer's performance.

  2. #12
    Junior Member
    Join Date
    Oct 2010
    Posts
    29


    Seems to be running fine - faster startup (even faster than before these viruses), no redirect. I noticed that the ESET scan found 6 problem files. Do these need to be removed?

    Here is the OTM log:

    All processes killed
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
    ========== FILES ==========
    C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\ihmejilfknnkfdefibpfelpljeabanmc folder moved successfully.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Could not flush the DNS Resolver Cache: Function failed during execution.
    C:\Documents and Settings\Jason\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Jason\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Jason
    ->Temp folder emptied: 8476 bytes
    ->Temporary Internet Files folder emptied: 24425258 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 6405411 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 790 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Michelle
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 91372 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 979580 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 31.00 mb


    Restore points cleared and new OTM Restore Point set!

    OTM by OldTimer - Version 3.1.18.0 log created on 09102011_140028

    Files moved on Reboot...

    Registry entries deleted on Reboot...
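An added example, not part of the original posts and not OldTimer's code: a small Python triage script for a log in the layout shown above, grouping each line by section and outcome so that a failed step (like the DNS flush in this log) stands out from the successful removals. The sample log is constructed with placeholder paths and GUIDs, and the outcome patterns are assumptions based only on the wording visible in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log above (placeholder paths and GUIDs).
SAMPLE_LOG = r"""All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Example\{00000000-0000-0000-0000-000000000001}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Example\{00000000-0000-0000-0000-000000000002}\ not found.
========== FILES ==========
C:\Users\example\AppData\Local\ExampleExt folder moved successfully.
< ipconfig /flushdns /c >
Could not flush the DNS Resolver Cache: Function failed during execution.
========== COMMANDS ==========
User: example
->Temp folder emptied: 8476 bytes
->Flash cache emptied: 790 bytes
"""

SECTION = re.compile(r"^=+\s*(\w+)\s*=+$")
OUTCOMES = [  # (status, pattern); first match wins. Wording assumed from this thread.
    ("ok", re.compile(r"(deleted|moved) successfully\.$")),
    ("absent", re.compile(r"not found\.$")),
    ("failed", re.compile(r"^Could not |failed", re.I)),
]
EMPTIED = re.compile(r"^->(.+?) emptied: (\d+) bytes$")

def summarize(log_text):
    """Group log lines by section and outcome; total the bytes emptied."""
    result = defaultdict(lambda: defaultdict(list))
    bytes_emptied = 0
    section = "PREAMBLE"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:  # "========== FILES ==========" style header
            section = m.group(1).upper()
            continue
        m = EMPTIED.match(line)
        if m:  # per-user cache/temp cleanup line
            bytes_emptied += int(m.group(2))
            continue
        for status, pattern in OUTCOMES:
            if pattern.search(line):
                result[section][status].append(line)
                break
    return {s: dict(v) for s, v in result.items()}, bytes_emptied

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Lines that land under "absent" are usually harmless (the key was already gone), while anything under "failed" is worth mentioning to the helper.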

  3. #13
    Visiting Fellow
    Join Date
    Nov 2009
    Location
    Land Of The Leprechauns
    Posts
    461


    Hi jtfish,
    Seems to be running fine - faster startup (even faster than before these viruses), no redirect.
    Excellent, that's what I like to hear.
    I noticed that the ESET scan found 6 problem files. Do these need to be removed?
    We dealt with one of the problems with that last fix, the rest of what the ESET scan detected will be taken care of when you run through the instructions below.
    The good news is your latest set of logs appear to be clean!
    This is my general post for when your logs show no more signs of malware.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    Time for some housekeeping
    • Click on Start >> Run...
    • Now type in ComboFix /Uninstall into the box and click OK.
    • Note the space between the X and the /Uninstall, it needs to be there.

    The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

    Next

    Clean up with OTM

    • Double-click OTM.exe to start the program. This tool will remove all the tools we used to clean your PC.
    • Close all other programs apart from OTMoveIt3, as this step will require a reboot.
    • On the OTM main screen, press the CleanUp! button
    • Say Yes to the prompt and then allow the program to reboot your computer.


    You can now delete any tools we used if they remain on your Desktop.

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    Here are some free programs I recommend that could help you improve your computer's security.

    Install SpywareBlaster
    Download and install Javacools SpywareBlaster from Here
    SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

    Install SiteAdvisor
    SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
    You can find more information and download it from Here

    MVPS Hosts

    Install MVPS Hosts File From Here
    The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    You can Find the Tutorial HERE

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

    Visit Microsoft often to get the latest updates for your computer
    You can do that HERE

    Read some information HERE On how to prevent Malware

    I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

    Safe surfing!

  4. #14
    Junior Member
    Join Date
    Oct 2010
    Posts
    29


    Got it! Thanks so much for your help.

  5. #15
    Visiting Fellow
    Join Date
    Nov 2009
    Location
    Land Of The Leprechauns
    Posts
    461


    Hi jtfish,
    Thanks so much for your help.
    You're most welcome, good luck and stay safe.
    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

    Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

    If it has been less than three days since your last response and you need the thread re-opened, please send me a private message (pm). A valid, working link to the closed topic is required.

    If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
    Your donation helps improving Spybot-S&D!
