Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Jump hijack malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Jump hijack malware

Unread postby Dakeyras » May 18th, 2012, 3:20 pm

Hi. :)

Sorry i didnt note down the name of the webpage.
Fair play.

its not allowing me to attach the file it says its too large
That's a shame, OK we will merely take a different approach...

Scan with GooredFix:

Please download GooredFix from one of the locations below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • Right-click on GooredFix.exe and select Run as Administrator.
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Scan with SystemLook:

Please download SystemLook from one of the locations below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Right-click on SystemLook.exe and select Run as Administrator.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :filefind
    *Fun4IM*
    *Bandoo*
    *Searchqu*
    *iLivid*
    *whitesmoke*
    *datamngr*
    *trolltech*
    *sweetim*
    
    :folderfind
    *Fun4IM*
    *Bandoo*
    *Searchqu*
    *iLivid*
    *whitesmoke*
    *datamngr*
    *trolltech*
    *sweetim*
    
    :Regfind
    Fun4IM
    Bandoo
    Searchqu
    iLivid
    whitesmoke
    datamngr
    kelkoopartners
    trolltech
    SweetIM
  • Click the Look button to start the scan.
  • Because of the Registry searches, the scan may take 15 minutes or a bit more to run. Please be patient.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove

Re: Jump hijack malware

Unread postby elerrina » May 18th, 2012, 3:42 pm

Looks like it found something?

GooredFix by jpshortstuff (03.07.10.1)
Log created at 20:34 on 18/05/2012 (Ash)
Firefox version 12.0 (en-GB)

========== GooredScan ==========

Removing Orphan:
"{FFB96CC1-7EB3-449D-B827-DB661701C6BB}"="C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker" -> Success!

========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [20:35 14/12/2011]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:18 25/03/2011]
{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} [17:17 05/05/2012]

C:\Users\Ash\Application Data\Mozilla\Firefox\Profiles\l6k2sjcs.default\extensions\
support@ancestry.com [20:30 25/09/2010]
{3112ca9c-de6d-4884-a869-9855de68056c} [07:17 13/06/2011]
{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [20:58 10/05/2012]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"smartwebprinting@hp.com"="C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [22:14 02/09/2010]
"{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"="C:\Program Files (x86)\AVG\AVG2012\Firefox4\" [18:56 04/05/2012]
"avg@toolbar"="C:\ProgramData\AVG Secure Search\11.0.0.9\" [18:58 04/05/2012]
"{F53C93F1-07D5-430c-86D4-C9531B27DFAF}"="C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack\" [18:56 04/05/2012]

-=E.O.F=-


SystemLook 30.07.11 by jpshortstuff
Log created at 20:36 on 18/05/2012 by Ash
Administrator - Elevation successful

========== filefind ==========

Searching for "*Fun4IM*"
No files found.

Searching for "*Bandoo*"
No files found.

Searching for "*Searchqu*"
No files found.

Searching for "*iLivid*"
No files found.

Searching for "*whitesmoke*"
No files found.

Searching for "*datamngr*"
No files found.

Searching for "*trolltech*"
No files found.

Searching for "*sweetim*"
No files found.

========== folderfind ==========

Searching for "*Fun4IM*"
No folders found.

Searching for "*Bandoo*"
No folders found.

Searching for "*Searchqu*"
No folders found.

Searching for "*iLivid*"
No folders found.

Searching for "*whitesmoke*"
No folders found.

Searching for "*datamngr*"
No folders found.

Searching for "*trolltech*"
No folders found.

Searching for "*sweetim*"
No folders found.

========== Regfind ==========

Searching for "Fun4IM"
No data found.

Searching for "Bandoo"
No data found.

Searching for "Searchqu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"

Searching for "iLivid"
No data found.

Searching for "whitesmoke"
No data found.

Searching for "datamngr"
No data found.

Searching for "kelkoopartners"
No data found.

Searching for "trolltech"
[HKEY_CURRENT_USER\Software\Trolltech]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QSqlDriverFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QTextCodecFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.6\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.6\com.trolltech.Qt.QTextCodecFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QIconEngineFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QIconEngineFactoryInterfaceV2:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QSqlDriverFactoryInterface:]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.5\com.trolltech.Qt.QTextCodecFactoryInterface:]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.6\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.6\com.trolltech.Qt.QTextCodecFactoryInterface:]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QIconEngineFactoryInterface:]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QIconEngineFactoryInterfaceV2:]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:]

Searching for "SweetIM"
No data found.

-= EOF =-
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Unread postby Dakeyras » May 18th, 2012, 5:34 pm

Hi. :)

Looks like it found something?
Aye indeed, though not all is malicious.

Custom OTL Script:

  • Right-click OTL.exe and select Run as Administrator to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code: Select all
:Files
ipconfig /flushdns /c

:Reg
[-HKEY_CURRENT_USER\Software\Trolltech]
[-HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech]

:Commands
[EmptyTemp]
[CreateRestorePoint]
[Reboot]
  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Next:

As a precaution please reset your Router again ...

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • OTL Log from the Custom Script.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Jump hijack malware

Unread postby elerrina » May 18th, 2012, 6:50 pm

Is some of it malicious?
Ok ill try and get that done tomorrow morning before i go to work as i wont be back till later after that.
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Unread postby Dakeyras » May 18th, 2012, 7:56 pm

Is some of it malicious?
Yes, hence the advised Custom OTL Script to run.

Ok ill try and get that done tomorrow morning before i go to work as i wont be back till later after that.
OK, not a problem. :)
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Jump hijack malware

Unread postby elerrina » May 19th, 2012, 6:38 am

computer seems to be performing ok, i havent experienced any redirects again for a while and the internet is back to normal speeds.

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Ash\Desktop\cmd.bat deleted successfully.
C:\Users\Ash\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Trolltech\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-689666306-1716364123-2076767426-1000\Software\Trolltech\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Ash
->Temp folder emptied: 289565 bytes
->Temporary Internet Files folder emptied: 4415212 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 371193866 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 11316 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17889537 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50132 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 376.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.42.3 log created on 05192012_112911

Files\Folders moved on Reboot...
C:\Users\Ash\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.
File move failed. C:\Windows\temp\logishrd\LVPrcInj02.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Unread postby Dakeyras » May 19th, 2012, 10:35 am

Hi. :)

computer seems to be performing ok, i havent experienced any redirects again for a while and the internet is back to normal speeds.
Good.

Run Windows 7 SRD:

Boot your machine up with the Windows 7 64 bit Installation DVD.

  • If not sure how to, a very good tutorial can be read here.
  • You will have to answer a few basic questions then select the option Repair your computer
  • At the the System Recovery Options screen click Windows 7 to highlight then Next>
  • Now click on/select Startup Repair
  • If prompted to use System Restore, select Cancel.
  • The same if prompted to Send information about this problem (recommended), select Don't send.
  • Click Finish when Startup Repair has completed, remove the Windows 7 64 bit Installation DVD and then click on Restart

Windows 7 - System File Checker:

You may require your Windows 7 64 bit Installation DVD for the below. If prompted insert the Windows 7 DVD into the Optical Drive.

  • Click on Start(Windows 7 Orb).
  • Click on All Programs >> Accessories
  • Right click on Command Prompt and select Run as Administrator.
  • Click on Continue in the UAC prompt.
  • At the Command Prompt C:\Windows\System32> type in the following exactly:
  • CD C:\
  • Then depress the Enter/Return key, then type in the following exactly:
  • sfc /scannow
  • Then depress the Enter/Return key.

Note: This may take awhile to finish. When completed close the Administrator Command Prompt window, via typing Exit then depress the Enter/Return key.

New Adobe Reader Installation:

Go here to download the latest version of Adobe Reader.

Deselect Yes, install Google Toolbar - optional, unless you want the toolbar that is. Myself think no need since you have IE8 at present and I will be advising upgrading this later on.

  • Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • After the new Reader is installed, Open Adobe Reader X. (Right click and Run as administrator with Windows 7)
  • OK the license.
  • Click on Edit and select Preferences.
  • On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
  • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
  • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
  • Click the OK button

Next:

Let myself know when completed the above and if any further issues remaining. If not we will clean up all tools used during the Malware Removal process and I will provide some advice about online safety etc.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Jump hijack malware

Unread postby elerrina » May 19th, 2012, 6:07 pm

Im having issues with your first step i click repair and it does a quick scan and then i get this message

If you have recently attached a device to to this computer, such as a camera or portable music player, remove it and restart your computer. If you continue to see this message, contact your system administrator or computer manufacturer for assisstance.
The guide on bleeping computer wasnt very clear as to what to do in that situation either. Any ideas? =(
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Unread postby Dakeyras » May 19th, 2012, 7:07 pm

Hi. :)

If you have recently attached a device to to this computer, such as a camera or portable music player, remove it and restart your computer. If you continue to see this message, contact your system administrator or computer manufacturer for assisstance.
This can be caused by a myriad of specific issues. A few possibility's could be when you ran ComboFix on your own absolutely anything may have occurred unbeknownst to your good self and or it is merely a consequence of malware to name a few examples.

Anyway carry out the following please exactly as the first part regarding a boot into Safe Mode is critical at times with this particular error...

Reboot your computer and during the POST(Power On Self Test) sequence continually depress Function Key 8(F8) to bring up the Advanced Boot Options screen.

Use the arrow keys to scroll down and select Safe Mode and hit the Enter/Return key.

Once your computer is running in Safe Mode...

  • Click on Start(Windows 7 Orb).
  • Click on All Programs >> Accessories
  • Right click on Command Prompt and select Run as Administrator.
  • At the Command Prompt C:\Windows\System32> type in the following exactly:
  • cd c:\
  • Then depress the Enter/Return key, then type in the following exactly:
  • chkdsk /r
  • Then depress the Enter/Return key.
CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system
restarts (Y/N)
  • Hit the Y key then at the Command Prompt C:\ >
  • Type in exit and and hit the Enter/Return key.
  • Now Reboot(Restart) your computer.

Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.

Do not touch either the keyboard or Mouse, otherwise the Check-Disk will be cancelled and you computer will continue to boot-up as normal.

Next:

When completed the above, try my prior advice regarding...Run Windows 7 SRD again. If it works successfully, follow the rest of the advice in the post. If not merely inform myself and we will go from there, thank you.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Jump hijack malware

Unread postby elerrina » May 19th, 2012, 8:28 pm

Ok ill do that tomorrow as i am off to bed now but just thought id post quickly as i experienced another redirect. I think im getting redirected when im visiting a webpage i havent visited before or for a while. The page i was just going to was game.co.uk but i havent been on it for a while.
Here are the three websites i got redirected through
http://www.illbands.biz/?scat=true&dc=games&src=3377&qry=game
http://www.midbanduk.com/
and the last page was called gamingguy but it didnt load anything
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Unread postby Dakeyras » May 19th, 2012, 8:50 pm

Hi. :)

Ok ill do that tomorrow as i am off to bed now but just thought id post quickly as i experienced another redirect.
OK.

I think im getting redirected when im visiting a webpage i havent visited before or for a while. The page i was just going to was game.co.uk but i havent been on it for a while.
I checked out the site you mentioned and it is safe/clean etc.

Did the redirect occur from a actual browser search for the site and or from a bookmark clicked upon you have saved?

Anyway do follow my prior advice for now and we can go from there.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Jump hijack malware

Unread postby elerrina » May 20th, 2012, 9:47 am

The websites it redirected me to are safe?
Game is safe i know that and it happened when i searched for game and then clicked the link from google.
And today when i searched for hmv which again i know is safe it redirected me to easyaz search website


Also i cant start my pc in safe mode, it hangs on atipcie.sys
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Unread postby Dakeyras » May 20th, 2012, 10:44 am

Hi. :)

The websites it redirected me to are safe?
No they are not, you misunderstood myself. I was actually referring to the game site you mentioned.

it happened when i searched for game and then clicked the link from google.
And today when i searched for hmv which again i know is safe it redirected me to easyaz search website
OK and thanks for the confirmation.

Also i cant start my pc in safe mode, it hangs on atipcie.sys
This is not good at all and it may just be the actual Operating System on your machine is damaged and or some vital configuration settings are incorrect.

Which makes anything I can advice problematic since we cannot boot your machine up into the Start-Up Repair feature and Safe Mode now appears to be not working also. So we may need to perform what is known as a Repair Install on your machine before readdressing the current malware issues. Though ultimately I may just need to advise a reformat and reinstallation of the Windows Operating System, so be prepared for that eventuality and ensure you did/have created backups like I advised in my first reply to this topic.

OK for now please inform myself the exact make/modal of your machine and we will go from there, thank you.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Jump hijack malware

Unread postby elerrina » May 20th, 2012, 11:33 am

We built the computer ourselves.
elerrina
Regular Member
 
Posts: 27
Joined: May 9th, 2012, 1:42 pm

Re: Jump hijack malware

Unread postby Dakeyras » May 20th, 2012, 3:38 pm

Hi. :)

We built the computer ourselves.
OK.

Please check for me in the Advanced Boot Options, if there is a option named either Repair Computer or Repair your computer.

Next:

Run SystemLook then copy the below into the main textfield and click on Look, post the new log in your next reply.

Code: Select all
:filefind
atipcie.sys
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 347 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware