Kenny94

Experts
  • Posts

    2,662
Everything posted by Kenny94

  1. Running a System Recovery is a band aid fix most of the time. Yes please post the logs...
  2. The other entities are in System Restore and Qoobox is part of ComboFix. We'll remove them in the next post. Let's remove these two files and do some house cleaning as well. Please download the OTM by OldTimer. Save it to your desktop. Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator") Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
         :Processes
         :Services
         :Reg
         :Files
         C:\JasonsDownloads\BandooV3.exe
         C:\JasonsDownloads\SmitfraudFix.zip
         :Commands
         [purity]
         [resethosts]
         [emptytemp]
         [CREATERESTOREPOINT]
         [EMPTYFLASH]
         [Reboot]
     Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste. Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTM. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  3. Hi Ken Download FixPolicies.exe by Bill Castner and save it to your desktop. Double click on FixPolicies.exe to run it. Click on Install. It will create a folder named FixPolicies on your desktop. Open the FixPolicies folder. Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal. Reboot your computer after it runs. It will repair any policies that have been affected by malware. Next We need to look at some information about what is going on in your computer: Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif
     • Double click on the DDS icon, allow it to run.
     • A small box will open, with an explanation about the tool.
     • When done, DDS will open two (2) logs: 1. DDS.txt 2. Attach.txt
     • Save both reports to your desktop.
     • The instructions here ask you to attach the Attach.txt.
     • Instead of attaching, please copy/paste both logs into your Thread
     • Close the program window, and delete the program from your desktop.
     Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE. Then post your DDS (DDS.txt and Attach.txt)
  4. Those errors are related to ThinkPad. Do you use the ThinkPad 11a/b/g/n Wireless LAN Mini-PCI Express Adapter? Or any of the ThinkPad products? Please run this online scan to help look for remnants. ESET Online Scanner Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may however need to disable your current installed Anti-Virus, how to do so can be read here. Please go here then click on: Select the option YES, I accept the Terms of Use then click on: When prompted allow the Add-On/Active X to install. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked. Now click on Advanced Settings and select the following: Scan for potentially unwanted applications Scan for potentially unsafe applications Enable Anti-Stealth Technology
     • Now click on:
     • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
     • When completed the Online Scan will begin automatically.
     • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
     • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
     • Now click on:
     • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
     • Copy and paste that log as a reply to this topic.
     Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
  5. The search redirections should have stopped now. Have they? Also, your PC is missing some files. We'll use Dial-A-Fix to replace them. Please download Dial-A-Fix from one of the following mirrors: Primary Mirror Secondary Mirror
     • Extract the zip file to your desktop.
     • Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot of errors, just ignore them and Click to continue.
     • Press the green double checkmark box (Looks like this:
     • UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:
     • Click on Go
     • Wait for Dial-A-Fix to finish (All the check marks will be all gone)
     • Close Dial-A-Fix
     Next Run CFScript Close any open browsers. Open Notepad by clicking Start. Click Run. Type notepad into the box and click enter. Notepad will open. Copy and Paste everything from the Code box into Notepad:
         KILLALL::
         Registry::
         [HKEY_LOCAL_MACHINE\software\microsoft\security center]
         "AntiVirusOverride"=dword:00000000
         "FirewallOverride"=dword:00000000
     Save the file to your desktop and name it CFScript.txt Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below. This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply. Also, let me know how your PC is doing?
  6. Hi, Combofix log resides in your C: Drive. C:\ look for the most current log. ComboFix.txt If you can't find it. Then run Combofix again and post the log please.
  7. Hi ts1971 Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. --------------------------------------------------------------------------------------------- Download ComboFix from below: Combofix download * IMPORTANT !!! Place combofix.exe on your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here Double click on combofix.exe & follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement. ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper. 
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed. Click on Yes, to continue scanning for malware. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. --------------------------------------------------------------------------------------------- Ensure your AntiVirus and AntiSpyware applications are re-enabled. ---------------------------------------------------------------------------------------------
  8. Purge old temporary files. Now that we are done.... Please download TFC by OldTimer to your desktop Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). It will close all programs when run, so make sure you have saved all your work before you begin. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean. You should keep TFC and run it once a week. Your Computer is Clean Some final items: Follow these steps to uninstall Combofix and tools used in the removal of malware To remove all of the tools we used and the files and folders they created, please do the following: Please download OTC.exe by OldTimer: Save it to your Desktop. Double click OTC.exe. Click the CleanUp! button. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes. Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually. It's a good idea to Flush your System Restore after removing malware and create a new restore point. To SET A NEW RESTORE POINT: 1. Go to Start > Programs > Accessories > System Tools and click "System Restore". 2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. 3. Then go to Start > Run and type: Cleanmgr 4. Click "OK". 5. Click the "More Options" Tab. 6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one. 
Graphics for doing this are in the following links if you need them. How to Create a Restore Point. How to use Cleanmgr. Here are some additional links for you to check out to help you with your computer security. Browsers Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE. If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust) NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website. Make your Internet Explorer more secure - This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options. Click once on the Security tab Click once on the Internet icon so it becomes highlighted. Click once on the Custom Level button. Change the Download signed ActiveX controls to Prompt Change the Download unsigned ActiveX controls to Disable Change the Initialize and script ActiveX controls not marked as safe to Disable Change the Installation of desktop items to Prompt Change the Launching programs and files in an IFRAME to Prompt Change the Navigate sub-frames across different domains to Prompt When all these settings have been made, click on the OK button If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page. Additional Security Measures Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI). 
This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application not Operating System flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash. Tips for Speeding Up Your PC Visit My Blog for Malware and Spyware Tips
  9. Hi, Is Java installed? To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml When all is well, you should see Java Version: 1.6.0_26 from Sun Microsystems Inc.
  10. Please copy and paste this post to a new text document or print it for reference later. Drag combofix icon into the recycle bin. Download an updated copy. Download ComboFix from below: Combofix download * IMPORTANT !!! Place combofix.exe on your Desktop Please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, the Advanced Options Menu should appear; Select Safe Mode with Networking and press Enter. Login as the same user you were previously logged in at. Then run combofix.exe in Safe Mode with Networking. Post that log (C:\ComboFix.txt) in your next reply.
  11. Sorry, the link I gave you was broken. As for Java. Go to the site below: http://forums.whatthetech.com/index.php?showtopic=104537 Scroll Down to: Here's how to fix Java: Follow the instructions there. Post back and let me know how your computer is doing.
  12. Go ahead and shut it down, then do the following: You may have corrupted files on your disk. Please try running the following. First close ALL Applications as this routine will automatically restart your computer. Click on START - RUN and copy / paste the following entry into the box and click OK CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30 As for Java. Go to the site below: http://forums.whatthetech.com/index....owtopic=104537 Scroll Down to: Here's how to fix Java: Follow the instructions there. Then post the OTM\MovedFiles report.
  13. I'm a big time believer of back ups. Blog about it at: http://kdiamondkenny.blogspot.com/2010/03/meat-and-potatoes.html
  14. volsnap.sys is still infected and we need to replace it with a clean copy. If we remove it, your PC will not boot into windows anymore. So let's see if this works. By the way, do you have the windows 7 CD? Run CFScript Close any open browsers. Open Notepad by clicking Start. Click Run. Type notepad into the box and click enter. Notepad will open. Copy and Paste everything from the Code box into Notepad:
         KILLALL::
         FCopy::
         C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys | C:\WINDOWS\system32\drivers\volsnap.sys
     Note make sure you copy the complete script. Save the file to your desktop and name it CFScript.txt Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below. This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply. Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system. Note that the script has a scroll bar; make sure you copy the complete script.
  15. We'll remove one program folder and do some house cleaning at the same time. Please download the OTM by OldTimer. Save it to your desktop. Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator") Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
         :Services
         :Reg
         :Files
         C:\Program Files\TopSearch\TopSearch.dll
         ipconfig /flushdns /c
         :Commands
         [purity]
         [resethosts]
         [emptytemp]
         [CREATERESTOREPOINT]
         [EMPTYFLASH]
         [Reboot]
     Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste. Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTM. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  16. Run CFScript Close any open browsers. Open Notepad by clicking Start. Click Run. Type notepad into the box and click enter. Notepad will open. Copy and Paste everything from the Code box into Notepad:
         KILLALL::
         TDL::
         c:\windows\system32\drivers\volsnap.sys
     Save the file to your desktop and name it CFScript.txt Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below. This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply. Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
  17. Yes move on to the ESET Online Scanner...
  18. I'll post some tips on how to keep your PC cleaned. Purge old temporary files. Now that we are done.... Please download TFC by OldTimer to your desktop Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). It will close all programs when run, so make sure you have saved all your work before you begin. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean. You should keep TFC and run it once a week. Your Computer is Clean Some final items: Follow these steps to uninstall Combofix and tools used in the removal of malware To remove all of the tools we used and the files and folders they created, please do the following: Please download OTC.exe by OldTimer: Save it to your Desktop. Double click OTC.exe. Click the CleanUp! button. If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes. Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually. It's a good idea to Flush your System Restore after removing malware and create a new restore point. To SET A NEW RESTORE POINT: 1. Go to Start > Programs > Accessories > System Tools and click "System Restore". 2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. 3. Then go to Start > Run and type: Cleanmgr 4. Click "OK". 5. Click the "More Options" Tab. 6. 
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one. Graphics for doing this are in the following links if you need them. How to Create a Restore Point. How to use Cleanmgr. Here are some additional links for you to check out to help you with your computer security. Browsers Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE. If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust) NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website. Make your Internet Explorer more secure - This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options. Click once on the Security tab Click once on the Internet icon so it becomes highlighted. Click once on the Custom Level button. Change the Download signed ActiveX controls to Prompt Change the Download unsigned ActiveX controls to Disable Change the Initialize and script ActiveX controls not marked as safe to Disable Change the Installation of desktop items to Prompt Change the Launching programs and files in an IFRAME to Prompt Change the Navigate sub-frames across different domains to Prompt When all these settings have been made, click on the OK button If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page. 
Additional Security Measures Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application not Operating System flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash. Tips for Speeding Up Your PC Visit My Blog for Malware and Spyware Tips
  19. Please download SystemLook from one of the links below and save it to your Desktop. Download Mirror #1 Download Mirror #2 Double-click SystemLook.exe to run it. Copy the content of the following codebox into the main textfield: :filefind Volsnap* Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt Please download aswMBR from here Save aswMBR.exe to your Desktop Double click aswMBR.exe to run it Click the Scan button to start the scan as illustrated below Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Once the scan finishes click Save log to save the log to your Desktop Copy and paste the contents of aswMBR.txt back here for review
  20. There are some older versions of Adobe Acrobat Reader on your computer. These can be a source of the infection/infections. Go to Start > Control Panel > Add/Remove Programs. Please remove these entries from Add/Remove Programs in the Control Panel Adobe Reader 7.0.9 Reboot your computer once Adobe Reader components are removed. Please go to the link below to update. Adobe Reader Uncheck Include in your download (optional Free McAfee Security Scan Plus ) Let me know of any remaining issues with your computer poppy2?
  21. Please download and run UnHide.exe by Grinler. Double-click unhide.exe to run the program. After running it, your files should reappear. Please let us know the result.
  22. Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK. "%userprofile%\desktop\combofix.exe" /killall When finished, it shall produce a log for you. Post that log in your next reply.
  23. Download ComboFix from below: Combofix download * IMPORTANT !!! Place combofix.exe on your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here Double click on combofix.exe & follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement. ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed. Click on Yes, to continue scanning for malware. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. 
--------------------------------------------------------------------------------------------- Ensure your AntiVirus and AntiSpyware applications are re-enabled. ---------------------------------------------------------------------------------------------
  24. Let's kill two birds with one stone, as the old saying goes. We need a good free virus program for your PC and do a full scan. Download and run: Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support. Perform a full scan with Avira and let it delete everything it is finding. Then reboot. After reboot, open your Avira and select "reports". There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply
  25. You may have corrupted files on your disk. Please try running the following. First close ALL Applications as this routine will automatically restart your computer. Click on START - RUN and copy / paste the following entry into the box and click OK CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30 Next Please run the BitDefender QuickScan Beta You can use either Internet Explorer or Mozilla FireFox and Google Chrome for this scan. Accept the plug-in installation by clicking the bar above. From the contextual menu please choose 'Install ActiveX" control and you will be prompted to install the application. Once done, press the View Report link. Post that log in your next reply. Next Click here to download HJTInstall.exe Save HJTInstall.exe to your desktop. Doubleclick on the HJTInstall.exe icon on your desktop. By default it will install to C:\Program Files\Trend Micro\HijackThis . Click on Install. It will create a HijackThis icon on the desktop. Once installed, it will launch Hijackthis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. Come back here to this thread and Paste the log in your next reply. DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required. Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this: To get an Uninstall List from HijackThis: Open HijackThis, click Config, click Misc Tools Click "Open Uninstall Manager" Click "Save List" (generates uninstall_list.txt) Click Save, copy and paste the results in your next post. In your next reply, please include these log(s): * HijackThis Uninstall List * HijackThis log and BitDefender report