Numerous Issues Found, Can't Run Spybot or Install Latest HijackThis

Run this quick scan, it won't take long

1. Go HERE and download FileLister.
  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.

  • Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
  • When the program is finished it will produce a log for you at C:\Files.txt
Copy and paste the contents of that log in your reply.
 
I ran the tool as described, and while the file was created, there wasn't anything in it. I ran it in safe mode, should I boot up in normal for it to work properly?
 
No, that's fine. I was just looking for bad drivers that may have been installed in the last month or so and none have, so that's good news malware-wise.

How are things running now ?
 
Hold on a second. I may have been looking at the wrong Files.txt. I just noticed that another Files.txt, Hidden.txt and UNI.txt were created in the same directory as the tool. The Files.txt I was looking at was at C:\Files.txt. Does that matter?

In terms of how things are running now, things seem to be running a little faster now in general; however, McAfee seems to be having some issues. Let me check running Spybot and doing Google searches and see how those are behaving now.

Also, I read somewhere about old versions of Java runtimes sometimes making infections like this possible. Any advice on that?
 
Uh oh, my browser (Firefox is the one I generally use) is still redirecting on Google searches. It redirected to some website that tried to download a file immediately. I closed the browser and disconnected from the internet again.

Also, Google Chrome is still not loading, or working at all apparently. (I tried this while connected, of course.)

I did not test Spybot yet, as it looks like I still have a problem. Man this is so frustrating....
 
This may fix the Firefox redirects

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
 
FYI, I tested Spybot by running a scan. As before, it crashes once the scan has completed. Because it crashed, I couldn't see much more than reports of tracking cookies. Also, WildTangent, which I understand is bundled with some games, but has a bad reputation. (I have a legal copy of "World Of Goo" installed, so that could be the reason for it.)

Here are the results of that GooredFix scan:
----

GooredFix by jpshortstuff (08.01.10.1)
Log created at 14:52 on 16/04/2010 (Brian)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:39 21/06/2006]
{B13721C7-F507-4982-B2E5-502A71474FED} [02:41 06/06/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [19:01 29/07/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [13:29 19/10/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [15:30 18/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [16:03 18/07/2008]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [18:22 20/03/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [17:42 16/04/2010]

C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\p6dqke3h.default\extensions\
enquiries@retailmenot.com [17:49 05/06/2009]
firebug@software.joehewitt.com [16:00 13/03/2010]
{32537848-7D38-4ee2-B5A2-47562E69C59E} [17:55 26/11/2006]
{a02c0c70-605c-11da-8cd6-0800200c9a66} [05:36 30/01/2010]
{a7c6cf7f-112c-4500-a7ea-39801a327e5f} [16:53 17/12/2009]
{AE93811A-5C9A-4d34-8462-F7B864FC4696} [17:43 16/04/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [06:46 08/01/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [15:52 06/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [17:41 16/04/2010]

-=E.O.F=-
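The GooredFix listing above is a plain directory-and-registry inventory of Firefox extensions with last-modified stamps, and the helper's approach (as with FileLister earlier) is to look for anything changed in roughly the last month. The following parser is an added example, not part of this thread and not code from GooredFix or its author. It assumes the log layout shown in the post (a "Log created at" header, directory headers ending in a backslash, a registry-key header in square brackets, and one entry per line ending in "[HH:MM DD/MM/YYYY]"); the log text it embeds is copied from the post, and the small table of well-known extension IDs is a hand-maintained assumption.

```python
"""Parse a GooredFix-style extension listing and flag recently changed entries."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

STAMP_FMT = "%H:%M %d/%m/%Y"
CREATED_RE = re.compile(r"^Log created at (\d\d:\d\d) on (\d\d/\d\d/\d{4})")
STAMP_RE = re.compile(r"\[(\d\d:\d\d \d\d/\d\d/\d{4})\]\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>.*)"\s+\[')

# Well-known IDs (assumption: a small hand-maintained table, not from GooredFix).
# {CAFEEFAC-0016-0000-00NN-ABCDEFFEDCBA} is the Java Console add-on for JRE 6 Update NN.
JAVA_CONSOLE_RE = re.compile(r"^\{CAFEEFAC-0016-0000-00(\d\d)-ABCDEFFEDCBA\}$", re.I)
KNOWN = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}": "Firefox default theme"}

# Log text copied from the post above (GooredScan section was empty).
GOORED_LOG = r"""GooredFix by jpshortstuff (08.01.10.1)
Log created at 14:52 on 16/04/2010 (Brian)
Firefox version 3.6.3 (en-US)

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:39 21/06/2006]
{B13721C7-F507-4982-B2E5-502A71474FED} [02:41 06/06/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [19:01 29/07/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [13:29 19/10/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [15:30 18/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [16:03 18/07/2008]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [18:22 20/03/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [17:42 16/04/2010]

C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\p6dqke3h.default\extensions\
enquiries@retailmenot.com [17:49 05/06/2009]
firebug@software.joehewitt.com [16:00 13/03/2010]
{32537848-7D38-4ee2-B5A2-47562E69C59E} [17:55 26/11/2006]
{a02c0c70-605c-11da-8cd6-0800200c9a66} [05:36 30/01/2010]
{a7c6cf7f-112c-4500-a7ea-39801a327e5f} [16:53 17/12/2009]
{AE93811A-5C9A-4d34-8462-F7B864FC4696} [17:43 16/04/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [06:46 08/01/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [15:52 06/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [17:41 16/04/2010]

-=E.O.F=-
"""


@dataclass
class Extension:
    location: str   # directory or registry key the entry was listed under
    name: str       # folder name, extension ID, or registry value name
    modified: datetime
    path: str = ""  # install path, only present for registry-registered extensions


def describe(name: str) -> str:
    """Best-effort label for an extension ID; unknown IDs deserve a manual look."""
    m = JAVA_CONSOLE_RE.match(name)
    if m:
        return f"Java Console (JRE 6 Update {int(m.group(1))})"
    return KNOWN.get(name.lower(), "unrecognised")


def parse_goored_log(text: str) -> Tuple[Optional[datetime], List[Extension]]:
    created = None
    location = "?"
    entries: List[Extension] = []
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            continue
        m = CREATED_RE.match(line)
        if m:
            created = datetime.strptime(f"{m.group(1)} {m.group(2)}", STAMP_FMT)
            continue
        stamp = STAMP_RE.search(line)
        if stamp is None:
            # No timestamp: a directory header (ends in '\'), a registry-key
            # header ([HKEY...]) or banner text that carries no entry.
            if line.endswith("\\") or (line.startswith("[") and line.endswith("]")):
                location = line
            continue
        modified = datetime.strptime(stamp.group(1), STAMP_FMT)
        reg = REG_VALUE_RE.match(line)
        if reg:
            entries.append(Extension(location, reg["name"], modified, reg["path"]))
        else:
            entries.append(Extension(location, line[: stamp.start()].strip(), modified))
    return created, entries


def recently_changed(entries: List[Extension], created: datetime,
                     window: timedelta = timedelta(days=30)) -> List[Extension]:
    """Entries stamped on or after (created - window). The comparison is by
    calendar date: the three same-day stamps in this log are later than the
    14:52 creation time, so the header clock and the stamp clock cannot be
    assumed identical and a time-of-day comparison would be misleading."""
    cutoff = (created - window).date()
    return [e for e in entries if e.modified.date() >= cutoff]


if __name__ == "__main__":
    created, entries = parse_goored_log(GOORED_LOG)
    print(f"{len(entries)} extensions listed; log created {created:%d/%m/%Y %H:%M}")
    for e in recently_changed(entries, created):
        print(f"  {e.modified:%d/%m/%Y %H:%M}  {e.name}  [{describe(e.name)}]  under {e.location}")
```

Run against this log it reports three entries stamped on the day of the scan: the Java Console for JRE 6 Update 19, the Java Quick Starter registry entry (jqs@sun.com), and one unrecognised profile extension ({AE93811A-...}), which is exactly the short list a helper would want to look at first. Two of the three line up with the Java update the poster mentioned, and the unrecognised one is the kind of entry to identify before deciding anything.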
 
Windows crashed on the first boot, and it was very, very slow this time... But YES! It looks like the redirect is fixed! :bigthumb:

However, Google Chrome is still broken. (Just in case that was supposed to fix this as well.)
 
OK, ran FileLister in normal windows. C:\Files.txt has nothing in it. Also, the Files.txt that FileLister opens up while running had nothing in it.
 
Hi again,

I was poking around, and noticed that both Malwarebytes and SUPERAntiSpyware were out of date, and allowed both to update. (Not sure how badly out of date their malware detection information was, I did install Malwarebytes last weekend.)

I ran a quick scan with Malwarebytes, and it found nothing. However, SUPERAntiSpyware's scan found the following:

-Adware.TrackingCookie [ 14 items ]
-Adware.Vundo/Variant-EC [ 1 items ]
-Adware.Vundo/Variant-Senorita [ 1 items ]
-Adware.Vundo/Variant-Variant-Yx [ 3 items ]

The scan is still open, I haven't told it to remove anything, because I didn't want to do anything that might interfere with your next recommendation.

Also, one last thing. I tested Internet Explorer, and it is still redirecting. (Firefox is still working fine.) I should have tested it before, but like I mentioned, I rarely use it, and don't really trust it even when I'm not infected.

Thanks!
 
We need to try and run GMER again; I can't give you a clean bill of health until I see the report. This time we are going to disable the CD drivers and you also have to disable your antivirus.

Disable Antivirus Software Info
Link

Drag GMER to the trash and we are going to start over.

GMER with Defogger

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.
Next:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.
To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.
 
Quick question. I'm trying to disable Spybot's TeaTimer per the linked instructions, but I can't find the TeaTimer entry in the System Startup section... Can I disable it via msconfig or something (provided I can find it)?
 
No problem, disable the TeaTimer this way:


Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking

  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer. <-- You need to do this for it to take effect
 
Unfortunately, I don't see any log! :confused:

The only thing I see is the defogger_disable log, and that was only requested if an error occurred running defogger. I did notice that defogger did NOT reboot as described when it finished running... Perhaps a lengthy delay in doing so? Man, and GMER was running just fine too. (I need a banging-head-against-wall emoticon.)

Should I try running GMER again, or do I need to go through the defogger process? Or?
 