Hit by malware/trojan horse/virus, now Firefox is hijacked

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by nvguy » February 28th, 2011, 5:20 pm

Gary,

I wasn't able to run OTM.exe, even though I downloaded it from the main and alternate sites. I'm not sure whether to skip OTM and continue with the other instructions, so I'll wait for your reply.

I also tried a fresh reboot on the computer in case OTM can't run in safe mode, but that's where the reboot took me. When I clicked on "Restore my Active Desktop" I got a script error message.

The OTM error shows:

OTM has encountered a problem and needs to close. When I click on more information it shows:

AppName otm.exe
AppVer 3.1.17.2
ModName kernal32.dll
ModVer 5.1.2600.2945
Offset 00112a5b

Thanks, and waiting to hear from you.

nvguy

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by Gary R » February 28th, 2011, 6:04 pm

OK, try this .....

Please download Rkill and save it to your Desktop.

Alternative links
Vista/Win7 users right-click on the Rkill executable and select Run as Administrator.
  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Next

Now try running OTM again.

If it runs OK, post me the log, if you still have problems with it let me know.
Gary R

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by nvguy » February 28th, 2011, 7:56 pm

I ran rkill and it took a minute or two, but nothing showed up as being deleted. Then I ran OTM and got the same error as before.

I realize that not every computer can be fixed. Do you think we have a good chance or shall I just reinstall XP?
nvguy

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by Gary R » March 1st, 2011, 2:24 am

No, I don't think there's a need to re-install at this point. I'm not sure quite why you're having a problem with OTM, so let's use a different tool for removing those folders.

Download Avenger by Swandog and unzip it to your Desktop.

Note: This programme must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Folders to delete:
c:\docume~1\alluse~1\applic~1\AVG10
c:\docume~1\alluse~1\applic~1\AVAST Software
c:\docume~1\alluse~1\applic~1\oCiJlBg08200
c:\docume~1\alluse~1\applic~1\Norton
c:\program files\AVAST Software


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Post the log back here please. (it can also be found at C:\avenger.txt)

Next

Download ATF Cleaner by Atribune and save it to your Desktop.
  • First, ensure your Internet browser is closed.
  • Double click ATF-Cleaner.exe to run the program.
  • Check the following boxes:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch
    • Recycle Bin
    • Java Cache
  • The rest are optional - if you want to remove the lot, check Select All.
  • Now click Empty Selected.
  • When you get the Done Cleaning message, click OK.
  • If you use the Firefox browser:
    • Click Firefox at the top and choose: Select All
    • If you would like to keep your saved passwords, please click No at the prompt.
    • Click the Empty Selected button.
  • If you use the Opera browser:
    • Click Opera at the top and choose: Select All
    • If you would like to keep your saved passwords, please click No at the prompt.
    • Click the Empty Selected button.

Now follow the instructions in my earlier post ..... viewtopic.php?p=569555#p569555 ...... missing out the section to use OTM, and post me the Avenger log and the E-set log please.
Gary R

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by nvguy » March 1st, 2011, 3:23 pm

Gary,

Avenger worked in removing the stray files. Logs below. The reason there are two logs is that I can't copy/paste: the XP laptop in question still can't connect to the internet, but my old and semi-broken Windows 2000 laptop can, so I can download the files and read the instructions easily enough and hand-type them into the XP laptop. I'm transferring files using my oldest USB flash drive, yet every time I plug it into the old laptop I get the blue screen and have to reboot.

Since I can't log onto the internet from the XP laptop I wasn't able to install Java 6 or run Eset. Java 5 is uninstalled however.

The latest message I got when trying to connect was:
"Local area Connection Status"
"Limited or no connectivity"
I clicked to repair, got the message "Renewing your IP Address" then:
"Windows could not finish repairing the problem..."

Avenger logs:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\docume~1\alluse~1\applic~1\AVG10" deleted successfully.
Folder "c:\docume~1\alluse~1\applic~1\AVAST Software" deleted successfully.

Error: folder "c:\docume~1\alluse~1\applic~1\oCiJ1Bg08200" not found!
Deletion of folder "c:\docume~1\alluse~1\applic~1\oCiJ1Bg08200" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\docume~1\alluse~1\applic~1\Norton" deleted successfully.
Folder "c:\program files\AVAST Software" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\docume~1\alluse~1\applic~1\oCiJlBg08200" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
nvguy
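The two Avenger runs above show why a removal log should be reconciled against the script that produced it: the first run reported "oCiJ1Bg08200" (digit 1) not found, while the script asked for "oCiJlBg08200" (letter l), a slip that is easy to make when a script is typed by hand. The following reconciliation check is an added example, not part of this thread or of Avenger; the script and log text are constructed samples modelled on the ones posted above.

```python
import re

# Constructed sample modelled on the Avenger script and logs in this thread;
# the hand-typed script's "oCiJlBg08200" (letter l) became "oCiJ1Bg08200" (digit 1).
SCRIPT = """Folders to delete:
c:\\docume~1\\alluse~1\\applic~1\\AVG10
c:\\docume~1\\alluse~1\\applic~1\\oCiJlBg08200
c:\\program files\\AVAST Software
"""
LOG = """Rootkit scan active.
No rootkits found!
Folder "c:\\docume~1\\alluse~1\\applic~1\\AVG10" deleted successfully.
Error: folder "c:\\docume~1\\alluse~1\\applic~1\\oCiJ1Bg08200" not found!
Deletion of folder "c:\\docume~1\\alluse~1\\applic~1\\oCiJ1Bg08200" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Folder "c:\\program files\\AVAST Software" deleted successfully.
Completed script processing.
"""

DELETED_RE = re.compile(r'^Folder "(.+)" deleted successfully\.$', re.M)
FAILED_RE = re.compile(r'^Deletion of folder "(.+)" failed!$', re.M)

def requested_folders(script):
    """Paths listed under 'Folders to delete:'; other sections are skipped."""
    folders, active = [], False
    for line in script.splitlines():
        line = line.strip()
        if line.lower() == "folders to delete:":
            active = True
        elif not line or line.endswith(":"):
            active = False
        elif active:
            folders.append(line)
    return folders

def reconcile(script, log):
    """Map each scripted folder to 'deleted', 'failed' or 'not in log'.
    Paths compare case-insensitively (NTFS). Log entries that match no
    scripted path are returned separately so a typing slip stands out."""
    deleted = {p.lower() for p in DELETED_RE.findall(log)}
    failed = {p.lower() for p in FAILED_RE.findall(log)}
    status = {}
    for path in requested_folders(script):
        key = path.lower()
        status[path] = ("deleted" if key in deleted
                        else "failed" if key in failed else "not in log")
    unexpected = sorted((deleted | failed) - {p.lower() for p in status})
    return status, unexpected
```

Run against the real script and log, the "not in log" entry paired with one "unexpected" failure is the signature of a mistyped path rather than of a folder that was never there.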

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by Gary R » March 1st, 2011, 4:50 pm

OK, I'd like to run further scans on your computer to see if we can collect a little more information that might reveal why you can't connect.

First

I'd like to see if we can get a scan with another of OldTimer's tools.

Download OTL by OldTimer to your Desktop.

Alternative Download

If you already have a copy of OTL delete it and use this version.

  • Double click OTL.exe to launch the programme.
  • Check the following.
    • Scan all users.
    • Lop check.
    • Purity check.
  • Under Extra Registry section, select Use SafeList
  • Under Custom Scans/Fixes copy/paste the contents of the code box below.
Code:
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT
%PROGRAMFILES%\*.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents

  • Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  • When finished it will produce two logs.
    • OTL.txt (open on your desktop).
    • Extras.txt (minimised in your taskbar)
  • Please post me both logs.

Next

Please download MiniToolBox and run it.

Check the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
Click Go and post the result (Result.txt).

Summary of the logs I need from you in your next post:
  • OTL.txt
  • Extras.txt
  • Result.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by nvguy » March 2nd, 2011, 2:11 am

Gary,

The OldTimer software would not run. This is the "more information" I got:

AppName: otl.exe
AppVer 3.2.22.2

This is the result I got from the mini toolbox:

MiniToolBox by Farbar
Ran by User at 2011-03-01 19:39:38
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************


================= Flush DNS: ==============================================
Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
================= End of Flush DNS ========================================

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

        Host Name . . . . . . . . . . . . : computer
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
        Physical Address. . . . . . . . . : 00-06-5B-E2-E9-10

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 06 5b e2 e9 10 ...... 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    255.255.255.255  255.255.255.255  255.255.255.255               2       1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

Gary,

I truly appreciate your time, efforts, and expertise, but I think it's time to start from scratch and simply do a reinstall.

I plan to buy a new (refurbished) laptop and move overseas in the very medium-term future, so I need to move forward.

I've learned a lot from our working together, especially the need to keep anti-virus and anti-malware software current and running.

Again, thank you very much for your time,

John
nvguy
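The MiniToolBox result above contains the two checks a helper reads first in a "Firefox is hijacked, no connectivity" case: whether the hosts file carries anything beyond the stock localhost entry, and whether the adapter has a link at all (here "Media disconnected", which is why name lookups fall back to 127.0.0.1 and fail). The triage parser below is an added example, not part of this thread or of MiniToolBox; the Result.txt excerpt is constructed from the posted output, with one extra hosts entry added that is not in the user's log, to show what a hijacked hosts file would trigger.

```python
import re

# Constructed excerpt modelled on the MiniToolBox Result.txt in this thread, with one
# extra hosts entry added (not in the user's log) to show what a hijack would trigger.
RESULT = """=============== Hosts content: ============================================
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
127.0.0.1 www.example-av-vendor.test
=============== End of Hosts ==============================================

================= IP Configuration: =======================================
Ethernet adapter Local Area Connection:
        Media State . . . . . . . . . . . : Media disconnected
Ping request could not find host google.com. Please check the name and try again.
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
================= End of IP Configuration =================================
"""

# Entries a stock Windows hosts file is expected to contain.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def section(text, name):
    """Body of the MiniToolBox section whose header reads '=== <name>: ==='."""
    m = re.search(r"=+ %s: =+\n(.*?)\n=+ End of " % re.escape(name), text, re.S)
    return m.group(1) if m else ""

def hosts_findings(text):
    """(ip, hostname) pairs in the hosts file that are not stock entries.
    Any such entry can silently redirect a browser or block AV update servers."""
    found = []
    for line in section(text, "Hosts content").splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        found += [(ip, n) for n in names if (ip, n.lower()) not in DEFAULT_HOSTS]
    return found

def connectivity_findings(text):
    """Explain 'Limited or no connectivity' from the IP Configuration section."""
    body = section(text, "IP Configuration")
    findings = []
    if re.search(r"Media State.*: Media disconnected", body):
        findings.append("link down: adapter reports 'Media disconnected'")
    for host in re.findall(r"Ping request could not find host (\S+)\.", body):
        findings.append("dns: could not resolve " + host)
    return findings
```

On the user's actual log, hosts_findings returns nothing (the file is stock) while connectivity_findings reports the dead link and the two failed lookups, which points at the cable, driver or NIC rather than at DNS tampering.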

Re: Hit by malware/trojan horse/virus, now Firefox is hijack

Post by Gary R » March 2nd, 2011, 4:12 am

OK, no problem John, sorry we didn't get to the root of your problem, but if it's software based then a reformat should resolve it.

Thanks for letting me know.

If you want a few suggestions for securing your computer, please read this topic ..... viewtopic.php?f=4&t=54766

Since you're going to perform a reformat ..... This topic is now closed.
Gary R
