
Malwarebytes

System check


19 replies to this topic

#1
Firerider

    New Member

  • Members
  • 12 posts
I've run Malwarebytes 2 times to try and get rid of it, no luck. I downloaded Trojan Killer to try and get rid of it, it found it... but requires me to pay for the full version, so here I am.

attach and dds have been attached




#2
Maniac

    Forum Deity

  • Experts
  • 17,098 posts
  • Gender:Male
  • Location:Bulgaria, EU
Hello Firerider and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
Step 1

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


Step 2

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please tick the Scan All users. Next, click the Quick Scan button. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.
In your next reply, please include:
  • TDSSKiller log
  • OTL.Txt and Extras.Txt

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

#3
Firerider

ok, downloaded both, tdsskiller refuses to run, running a scan with otl atm.
any suggestions on getting tdss to run?

#4
Firerider

here is otl stuff




#5
Maniac

Your system is seriously infected.

Please uninstall the following applications:
  • BrotherSoft Extreme Toolbar
  • Conduit Engine

Next,

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - [2012/01/22 10:30:11 | 000,360,328 | -H-- | M] (Microsoft Corporation) -- C:\ProgramData\FJ9xpFEPCujHfn.exe
    PRC - [2012/01/21 23:20:11 | 000,451,464 | -H-- | M] (Microsoft Corporation) -- C:\ProgramData\PIFoHdCpFL.exe
    IE - HKLM\..\URLSearchHook: {51a86bb3-6602-4c85-92a5-130ee4864f13} - SOFTWARE\Classes\CLSID\{51a86bb3-6602-4c85-92a5-130ee4864f13}\InprocServer32 File not found
    IE - HKU\S-1-5-21-952954040-3287241857-1714412192-1000\..\URLSearchHook: {51a86bb3-6602-4c85-92a5-130ee4864f13} - SOFTWARE\Classes\CLSID\{51a86bb3-6602-4c85-92a5-130ee4864f13}\InprocServer32 File not found
    O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
    O2 - BHO: (BrotherSoft Extreme Toolbar) - {51a86bb3-6602-4c85-92a5-130ee4864f13} - C:\Program Files (x86)\BrotherSoft_Extreme\prxtbBrot.dll File not found
    O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (BrotherSoft Extreme Toolbar) - {51a86bb3-6602-4c85-92a5-130ee4864f13} - C:\Program Files (x86)\BrotherSoft_Extreme\prxtbBrot.dll File not found 
    O4 - HKLM..\Run: [PIFoHdCpFL.exe] C:\ProgramData\PIFoHdCpFL.exe (Microsoft Corporation)
    O4 - HKU\.DEFAULT..\Run: [4Y3Y0C3AUF7W0A0DJFHTG] C:\Recycle.Bin\B6232F3AD9B.exe /q File not found
    O4 - HKU\.DEFAULT..\Run: [UJ7J2I3X9GVE4BVVII] C:\sooi832.bin\CA0A4982D9B.exe /q File not found
    O4 - HKU\S-1-5-18..\Run: [4Y3Y0C3AUF7W0A0DJFHTG] C:\Recycle.Bin\B6232F3AD9B.exe /q File not found
    O4 - HKU\S-1-5-18..\Run: [UJ7J2I3X9GVE4BVVII] C:\sooi832.bin\CA0A4982D9B.exe /q File not found
    O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyeve.exe (SysDrive)
    O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyeve.exe (SysDrive)
    O4 - Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\dauc.exe (SysDrive)
    O4 - HKU\S-1-5-21-952954040-3287241857-1714412192-1000..\Run: [{8776880D-3068-494C-A02F-912C816861B3}] C:\Users\FireRider\AppData\Roaming\Dauc\laboasm.exe (SysDrive)
    PRC - [2011/07/25 03:14:56 | 000,118,784 | -H-- | M] (SysDrive) -- C:\Users\FireRider\AppData\Roaming\Dauc\laboasm.exe
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    [2012/01/22 10:30:11 | 000,360,328 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\FJ9xpFEPCujHfn.exe
    [2012/01/22 10:05:02 | 000,000,000 | -H-D | C] -- C:\Users\FireRider\AppData\Roaming\Unepgyi
    [2012/01/22 10:05:02 | 000,000,000 | -H-D | C] -- C:\Users\FireRider\AppData\Roaming\Dauc
    [2012/01/21 23:23:17 | 000,451,464 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\PIFoHdCpFL.exe
    [2012/01/22 11:57:06 | 000,000,655 | -H-- | M] () -- C:\Users\FireRider\Desktop\System Check.lnk
    [2012/01/22 10:32:25 | 000,000,464 | -H-- | M] () -- C:\ProgramData\FJ9xpFEPCujHfn
    [2012/01/22 10:30:27 | 000,000,272 | -H-- | M] () -- C:\ProgramData\~FJ9xpFEPCujHfn
    [2012/01/22 10:30:27 | 000,000,168 | -H-- | M] () -- C:\ProgramData\~FJ9xpFEPCujHfnr
    [2012/01/20 13:51:47 | 000,119,280 | -HS- | M] () -- C:\Users\FireRider\AppData\Local\dplayx.dll
    [2012/01/21 23:28:43 | 000,000,168 | -H-- | C] () -- C:\ProgramData\~dMHGVkeGtDP5VCr
    [2012/01/21 23:28:42 | 000,000,272 | -H-- | C] () -- C:\ProgramData\~dMHGVkeGtDP5VC
    [2012/01/21 23:28:40 | 000,000,679 | -H-- | C] () -- C:\Users\FireRider\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/01/22 10:24:21 | 000,000,000 | -H-D | M] -- C:\Users\FireRider\AppData\Roaming\Unepgyi
    
    :files
    C:\Program Files (x86)\ConduitEngine
    
    :Commands
    [emptytemp]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log file.

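A triage sketch for the file and process lines listed in the fix above, added here as an example; it is not part of the original posts and not OTL's own code. The line layout is inferred from the lines quoted in this thread, and the names `parse` and `triage` and the three heuristics are assumptions for illustration.

```python
import ntpath  # Windows path rules on any host OS
import re

# Layout inferred from the lines quoted in this thread:
# [PRC - ][date time | size | attrs | M or C] (Vendor) -- path
LINE_RE = re.compile(
    r"^(?:PRC - )?\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\]"
    r"(?: \((?P<vendor>[^)]*)\))? -- (?P<path>.+)$"
)
# Assumed heuristics, not OTL's own logic.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BINARY_EXT = (".exe", ".dll")

def parse(line):
    """Return the fields of one file/process line, or None for other line types."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))
    rec["vendor"] = (rec["vendor"] or "").strip()
    return rec

def triage(line):
    """Return a list of reasons the entry deserves a closer look (None if unparsed)."""
    rec = parse(line)
    if rec is None:
        return None
    path, reasons = rec["path"].strip().lower(), []
    if path.endswith(BINARY_EXT):
        if "H" in rec["attrs"]:
            reasons.append("hidden binary")
        if ntpath.dirname(path) == "c:\\programdata":
            reasons.append("binary directly in ProgramData")
        if rec["vendor"] == "Microsoft Corporation" and not path.startswith(SYSTEM_ROOTS):
            reasons.append("Microsoft vendor string outside system folders")
    return reasons

SAMPLE = [  # first three copied from the fix in post #5; the last is constructed
    r"PRC - [2012/01/22 10:30:11 | 000,360,328 | -H-- | M] (Microsoft Corporation) -- C:\ProgramData\FJ9xpFEPCujHfn.exe",
    r"[2012/01/20 13:51:47 | 000,119,280 | -HS- | M] () -- C:\Users\FireRider\AppData\Local\dplayx.dll",
    r"[2012/01/22 10:05:02 | 000,000,000 | -H-D | C] -- C:\Users\FireRider\AppData\Roaming\Dauc",
    r"[2012/01/10 09:00:00 | 000,193,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry), "<-", entry)
```

Registry lines such as the `O4 - ...\Run` entries do not match this layout and return `None`, so they need their own handling.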

#6
Firerider

ok, ran it, so far no pop-ups or annoying messages, gotta solve the all hidden icons issue atm, but I think I have some things to do that I'll attach so you can check to see if they're safe (they came with Trojan Killer)

log report will also be added




#7
Firerider

to add onto that, I'm still getting a redirect from that virus on some links... mainly Google. I'm running a full scan with Malwarebytes to see if that finds anything.

#8
Firerider

after Malwarebytes had finished it had found 2 files, deleted and restarted, no more redirects... for now. Any test I should do to check if I'm fully safe again?

#9
Maniac

Do you want me to help you? If you want, follow my instructions only, if not let me know.

#10
Firerider

yes, I would still like help.
also, I keep getting a message which says "are you sure you want to leave this page? message from webpage: Are you shure?" and gives 2 options, leave page or stay on page. The box says it's IE. I would give a screenshot but I can't locate Paint, it's gone from the start menu

#11
Maniac

I would like to do only what you instructed, so I can monitor the entire process. Let's try again with TDSSKiller.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


Step 2

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please tick the Scan All users. Next, click the Quick Scan button. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.


#12
Firerider

TDSSKiller still won't run, tried running as admin, still nothing

Attached Files

  • Attached File  OTL.Txt   66.29K   4 downloads


#13
Maniac

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2012/01/22 20:01:18 | 000,000,000 | ---D | C] -- C:\Users\FireRider\AppData\Roaming\Efibqee
    [2012/01/21 23:28:40 | 000,000,000 | ---D | C] -- C:\Users\FireRider\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
    [2012/01/21 23:20:27 | 000,000,000 | ---D | C] -- C:\Users\FireRider\AppData\Roaming\Muitnes
    [2012/01/21 23:20:27 | 000,000,000 | ---D | C] -- C:\Users\FireRider\AppData\Roaming\Hua
    
    :Commands
    [emptytemp]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log file.


#14
Firerider

sorry for the long wait for a reply.
here's the log




#15
Maniac

Don't worry about that. ;)

Please try again with TDSSKiller and if not working, please generate a new fresh OTL log file.

#16
Firerider

I gave up, did a clean install mainly cause, was still being redirected, computer was slowing down as things kept taking more RAM, sleep mode wouldn't run, USB sticks/iPod weren't showing

seemed like the easiest solution was just to pop in the CD and start from scratch rather than do a lot of work to get to the same place. I don't mind redownloading what I had and all college work is backed up on the college PCs so that isn't an issue.

thanks for helping and sorry for bothering

#17
Firerider

btw I tried to run the TDSSKiller before I did the reinstall... still didn't run... maybe it's cause I run a 64bit system (I read that for those you have to run as admin but that never worked for me)

#18
Maniac

Okay, please try to run ComboFix:
http://www.bleepingc...se-combofix#use

#19
Firerider

I've already done a clean reinstall from the CD which came with the PC... everything seems to be fine now, still want me to run it? xD

#20
Maniac

In case you have reinstalled the system, that's all. Here are some prevention tips:
http://forums.malwar...howtopic=104379

Sorry about that!




