
Solved Spyware (HJT log included) Re-directing to spam sites

Discussion in 'Malware and Virus Removal Archive' started by steelydan99, 2008/09/11.

  1. 2008/09/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please upload winlogon.old too.

    Thanks! I'm gonna catch some zzzzz's now. I'll get back with you tomorrow evening (hopefully not so late). ;)

    Oh ....... I've become pretty fond of Kaspersky. They do have a free trial period on the Internet Security Suite. Some of the universities require you use Symantec. Make sure before switching. :cool:
     
  2. 2008/09/17
    steelydan99

    steelydan99 Inactive Thread Starter

    Joined:
    2008/09/11
    Messages:
    17
    Likes Received:
    0
    Noah,

    Done and done. "winlogon.old" is uploaded along with winlogon.exe and xrt_itcq.

    I appreciate you taking time out tonight to address these issues. I look forward to hearing from you tomorrow. I'll check with ITS regarding Kaspersky and Symantec. Have a nice night.

    Sincerely,
    SteelyDan99
     


  4. 2008/09/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    xrt_itcq.exe is indeed infected, and I can't put my finger on what, but something just isn't right with winlogon.exe.
    Let's do a simple command line fix.

    Highlight and copy the contents of the code box below.
    Code:
    @echo off
    rem Remove the dropped files named in the thread.
    del /q %userprofile%\Chris\xrt_itcq.exe
    del /q %userprofile%\Chris\xrt_log.dat
    rem Refresh the dllcache copy from the service pack files, then rename the live
    rem winlogon.exe so Windows File Protection restores it from dllcache.
    copy %systemroot%\ServicePackFiles\i386\winlogon.exe %systemroot%\system32\dllcache
    if exist %systemroot%\system32\dllcache\winlogon.exe ren %systemroot%\system32\winlogon.exe winlogon.exe.old& echo winlogon renamed>log.txt
    rem Record which of the dropped files are actually gone.
    if not exist %userprofile%\Chris\xrt_itcq.exe echo xrt_itcq.exe deleted>>log.txt
    if not exist %userprofile%\Chris\xrt_log.dat echo xrt_log.dat deleted>>log.txt
    start notepad log.txt
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    The command window will close on its own and log.txt will open.
    Please post log.txt here.
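    The fix above relies on the three copies of winlogon.exe (system32, dllcache, ServicePackFiles) agreeing once Windows File Protection has done its job. As an added example that is not part of the thread or the helper's script, this small Python tool hashes each copy, reports which ones differ from the ServicePackFiles copy, and checks whether the dropped files are still present. It assumes Python is installed on the machine; the paths are the ones quoted in the thread.

```python
"""Added example (not the helper's script): compare the Windows File
Protection copies of a system file and report which ones disagree, and
check whether the dropped files named in the thread are still on disk."""
import hashlib
import os

# Locations quoted in the thread; compare_copies() works for any such dict.
WINLOGON_LOCATIONS = {
    "system32": r"%systemroot%\system32\winlogon.exe",
    "dllcache": r"%systemroot%\system32\dllcache\winlogon.exe",
    "servicepack": r"%systemroot%\ServicePackFiles\i386\winlogon.exe",
}
DROPPED_FILES = [r"%userprofile%\Chris\xrt_itcq.exe", r"%userprofile%\Chris\xrt_log.dat"]


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, or None if it is missing."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(locations, trusted="servicepack"):
    """Hash every copy and compare it with the trusted one.

    Returns name -> "reference" | "match" | "MISMATCH" | "missing" |
    "unverifiable" (the last when the trusted copy itself is absent)."""
    digests = {n: sha256_of(os.path.expandvars(p)) for n, p in locations.items()}
    ref = digests.get(trusted)
    report = {}
    for name, digest in digests.items():
        if name == trusted:
            report[name] = "reference" if digest else "missing"
        elif digest is None:
            report[name] = "missing"
        elif ref is None:
            report[name] = "unverifiable"
        else:
            report[name] = "match" if digest == ref else "MISMATCH"
    return report


def leftover_files(paths):
    """Return the dropped-file paths that still exist on disk."""
    return [p for p in paths if os.path.exists(os.path.expandvars(p))]


if __name__ == "__main__":
    for name, status in compare_copies(WINLOGON_LOCATIONS).items():
        print(f"{name:12s} {status}")
    for p in leftover_files(DROPPED_FILES):
        print("still present:", p)
```

A "MISMATCH" on system32 after the rename and reboot means WFP did not restore the file and the copy needs a closer look; "still present" lines mean the del commands did not reach the files.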
     
  5. 2008/09/18
    steelydan99

    steelydan99 Inactive Thread Starter

    Joined:
    2008/09/11
    Messages:
    17
    Likes Received:
    0
    Noah,

    I have input your CMD code and the following log has been produced:
    I hope this helps us move forward in our attempts to clean my computer. Thank you for the help and I hope to hear from you soon. I apologize for the late response.

    Sincerely,
    SteelyDan99
     
  6. 2008/09/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I have to assume then, that xrt_itcq.exe and xrt_log.dat are still present? Can you delete them manually?
     
  7. 2008/09/18
    steelydan99

    steelydan99 Inactive Thread Starter

    Joined:
    2008/09/11
    Messages:
    17
    Likes Received:
    0
    Noah,

    Nice to hear from you. They were indeed still existent on my computer. I have manually deleted both without any issue. Hopefully that is the end of them. Any idea what we should do next?

    Sincerely,
    SteelyDan99
     
  8. 2008/09/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes! Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything, check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Now, let's get an online scan. Do an online scan with Kaspersky Online Scanner.

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log and one more fresh HijackThis log.
     
  9. 2008/09/19
    steelydan99

    steelydan99 Inactive Thread Starter

    Joined:
    2008/09/11
    Messages:
    17
    Likes Received:
    0
    Noah,

    I used the ATF cleaner and selected ALL, for good measure. In addition, I ran the Kaspersky Scanner and again, the only infected files were those in quarantine. Here's the virus scan:


    In addition, here is the HijackThis log:

     
  10. 2008/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! How's the computer running now?

    I don't see any antivirus running now. Make sure you get something on there ASAP! Let's clean up after ComboFix. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    Click Start>Run and type or paste the following command then hit enter to uninstall gmer.

    %systemroot%\gmer_uninstall.cmd


    You can also remove the folder created by RSIT located at C:\rsit, as well as RSIT.exe, gmer.exe, clock_fix.exe and the fix.reg we created and any other logs saved. Empty the recycle bin when done.

    Looks as though your Java might need updating too. There's a handy tool available for that now. Please download JavaRa and save the file to your desktop.
    • Right click and Extract All
    • Once extracted, open and run JavaRa.exe
    • Click Search For Updates
    • Select Update Using jucheck.exe
    • Click Search
    • If a newer version is found, allow it to be installed
    • When complete, click Remove Older Versions in the JavaRa interface and allow it to proceed
    • When that is complete, click Additional Tasks, then select Remove Useless JRE Files and click Go
    • Exit the tool when complete.

    Note - should any of the older version files or folders fail the removal process, reboot the machine and run the Remove Older Versions option again.

    Restart the machine when done for all changes to take effect.
     
  11. 2008/09/20
    steelydan99

    steelydan99 Inactive Thread Starter

    Joined:
    2008/09/11
    Messages:
    17
    Likes Received:
    0
    Noah,

    Thanks for all the helpful tips. I am almost sure that I have erased all tools and logs that we have come across in this cleaning process over the past couple of days. I have also updated Java; thanks for the reminder!

    However, to my dismay, I came across perhaps more issues. I had uninstalled Symantec and installed avast!, which was a good move in my opinion. However, after running it, I came across 3 issues:

    I had deleted the first one, because I was a bit timid and didn't know what to do. However, I noticed that it suggests I place them in the "chest" section of avast!, which is what I did with the remaining 2 infections. Any idea what these have done/are doing/may do to my computer? Also, should I take further action? Perhaps I should delete the other 2 sitting in the "chest"? Any help from this point would be icing on the cake, Noah.

    Much appreciative,
    SteelyDan99
     
  12. 2008/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Those are actually legitimate files and safe to add to avast's exclusion list. ;)
     
  13. 2008/09/20
    steelydan99

    steelydan99 Inactive Thread Starter

    Joined:
    2008/09/11
    Messages:
    17
    Likes Received:
    0
    Noah,

    LOL, whoops. Oh well. At least they aren't real viruses. I guess I'll do my homework next time I freak out over a detection in avast!. I guess I'd have to say that everything appears to be solved. My latest HijackThis log didn't show any concerns. Nor did my latest virus scan. Clock seems to be on time :) .

    I think it's safe to say that unless there is some cleanup that needs to be done, we appear to be finished? If that is the case, I can't stress enough how much I appreciate the work that you and everyone else do around here. I'm sure you hear it thousands of times a day, but the dedication that you people show (for free!) is beyond me. I can't explain it, but I am certainly thankful for it. I hope I don't have to come back here again, and if I do, it's because I am the helper and not the one that needs to be helped. Again Noah, thank you very much.

    Sincerely,
    SteelyDan99
     
  14. 2008/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Cleanup is done. I'm happy I was able to help, and you're most welcome. :)
     
