[Trojan: Win32/Alureon.CO - and others - Mbam etc not updating]

Hello, sorry for my late reply..Please delete your version of ComboFix and download a fresh version of it.. then rerun ComboFix again and post the log here..

[help me get rid of Shi5Aiku and file.exe]

Hello.. Sorry for my late reply.. Somehow I missed the topic..

1. How's the computer now?

[av.exe removal -- HELP!!!]

Please run as per my instruction above and post all logs here

[help needed removing trojan.BHO.H]

combofix appears to have removed my trojan. Programs and Features have an entry for 'Coupon Bar' which could not and cannot be uinstalled. Is that a problem?

Can you recommend an antispyware product?

Thanks so much for your help. I am really impressed. I will become a paying member.

can you post me the screenshot of it?

[help needed removing trojan.BHO.H]

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:

• Tools->Options->Main tab
  
• Set to "Always ask me where to Save the files".
  

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

[help me get rid of Shi5Aiku and file.exe]

Try reinstall Firefox.. Will you got the similar warning?

[help me get rid of Shi5Aiku and file.exe]

Can you run ComboFix once again? If the similar things happen, pls tell me

[trojan.bho.h removal help]

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:

• Tools->Options->Main tab
  
• Set to "Always ask me where to Save the files".
  

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

[File can not be opened for scanning]

NO THANK U VERY MUCH. SHOULD I NEED TO DELETE THE LOG I POSTED FOR YOU IN ORDER FOR YOU TO HELP ME??

THANKS AGAIN

You can use the button to edit your log

[av.exe removal -- HELP!!!]

Please download The Comedian.exe by Rorschach112 to your desktop

• Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  
• Double click the program to run it. It will only take around several minutes to run.
  
• It will do a series of tasks and tell you when each one is finished.
  
• You will be prompted to press any key after each step
  
• When it is done it will close and exit itself automatically.
  
• You can delete The_Comedian.exe once it is finished
  

STOP! if you can't complete this step.. Tell me more about it..

NEXT

Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  
• At the top, tick on Scan All Users section
  
• At File Age set it to 90 Days
  
• In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  
• In the Files Created Within and Files Modified Within section, set it to File Age
  
• At the bottom, tick on all Safe List and Use Company Name WhiteList option
  
• Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
  
  • Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - Ext
    Reg - IE Explorer Bar
    Reg - NetSvcs
    Reg - Safeboot Minimal
    Reg - Safeboot Network
    File - Lop Check
    File - Purity Scan
    
    
  • Please copy/paste below script into Custom Scans box
    

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

    
    

  [*]Do NOT change any other settings.

  [*]Now click the Run Scan button on the toolbar.

  [*]Let it run unhindered until it finishes.

  [*]When the scan is complete Notepad will open with the report file loaded in it.

  [*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..

NEXT

Please download GMER and unzip it to your Desktop. <<mirror>>

Please rename the random filename or GMER into GAMERS

[*]Open the renamed program and click on the Rootkit tab.

[*]Make sure all the boxes on the right of the screen are checked, EXCEPT for

[Trojan: Win32/Alureon.CO - and others - Mbam etc not updating]

I saw you run ComboFix..

Please uninstall these programs first.. While they are excellent programs, I prefer not to let them interfere with our diagnosis and fixes..

1. AVG Anti-Virus

2. McAfee VirusScan

3. McAfee Personal Firewall

4. Spybot S&D

Since you already run ComboFix, please delete your version of ComboFix >> download a fresh copy >> run it again >> post the log here

Link 2
Link 3

[File can not be opened for scanning]

Begin scan in 'C:\' <PRESARIO>

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

Begin scan in 'D:\' <PRESARIO_RP>

Both files are ok and actually needed.. The warning appear simply because it can't access the files and they really should access it.. Please read below..

http://www.cknow.com/cms/articles/what-are...gefile-sys.html

Do you have any other computer problem?

[MSASCui Virus]

Please download The Comedian.exe by Rorschach112 to your desktop

• Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  
• Double click the program to run it. It will only take around several minutes to run.
  
• It will do a series of tasks and tell you when each one is finished.
  
• You will be prompted to press any key after each step
  
• When it is done it will close and exit itself automatically.
  
• You can delete The_Comedian.exe once it is finished
  

STOP! if you can't complete this step.. Tell me more about it..

NEXT

Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  
• At the top, tick on Scan All Users section
  
• At File Age set it to 90 Days
  
• In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  
• In the Files Created Within and Files Modified Within section, set it to File Age
  
• At the bottom, tick on all Safe List and Use Company Name WhiteList option
  
• Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
  
  • Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - Ext
    Reg - IE Explorer Bar
    Reg - NetSvcs
    Reg - Safeboot Minimal
    Reg - Safeboot Network
    File - Lop Check
    File - Purity Scan
    
    
  • Please copy/paste below script into Custom Scans box
    

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

    
    

  [*]Do NOT change any other settings.

  [*]Now click the Run Scan button on the toolbar.

  [*]Let it run unhindered until it finishes.

  [*]When the scan is complete Notepad will open with the report file loaded in it.

  [*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..

NEXT

Please download GMER and unzip it to your Desktop. <<mirror>>

Please rename the random filename or GMER into GAMERS

[*]Open the renamed program and click on the Rootkit tab.

[*]Make sure all the boxes on the right of the screen are checked, EXCEPT for

[help me get rid of Shi5Aiku and file.exe]

Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:

• Tools->Options->Main tab
  
• Set to "Always ask me where to Save the files".
  

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

[help needed removing trojan.BHO.H]

Hello.. Lets do this first...

Please download CleanUp! by stevengould.org and save it to your Desktop.

• Double-click CleanUp452.exe and install CleanUp! to your computer
  
• Open CleanUp! and click on Options.. button.
  
• Under General tab, choose Standard CleanUp! and then click Ok
  
• Click on the CleanUp! button. When it asked you to logoff Windows, click on Yes
  
• Let your Windows rebooted (or do it manually) and then scan again with Malwarebytes'.. Is it still there?
  

[trojan.bho.h removal help]

Hello.. Lets do this first...

Please download CleanUp! by stevengould.org and save it to your Desktop.

• Double-click CleanUp452.exe and install CleanUp! to your computer
  
• Open CleanUp! and click on Options.. button.
  
• Under General tab, choose Standard CleanUp! and then click Ok
  
• Click on the CleanUp! button. When it asked you to logoff Windows, click on Yes
  
• Let your Windows rebooted (or do it manually) and then scan again with Malwarebytes'.. Is it still there?
  

[Search Page Hijack - Redirects]

Ok, I've run OTC. Cleaned up and restarted. Defogger is now gone, I thought I needed to do a re-enable??

Everything seems good. I'm not seeing any redirects right now.

Tim

Just download Defogger and reenable them back

[Happy Birthday Net_Surfer]

[Search Page Hijack - Redirects]

Looks good to me.. Lets do some cleanup...

Please download OTC and save it to Desktop.

• Make sure you have internet connection..
  
• Double-click OTC
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes
  

Please read these excellent articles write by my friends:

Preventing Malware and Safe Computing by Rorschach112

What makes your machine slow? by Artellos

Also, please read these excellent articles by miekiemoes :

Help! My computer is slow!

How to prevent Malware

Read these great info's about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp

http://bluefive.pair.com/practice_safe_surfing.htm

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread B)

Have a safe and happy computing day!

Regards

fenzodahl512

[Search Page Hijack - Redirects]

Update your Malwarebytes' and run a quick scan.. Remove everything that it found and post the log here B)

[Search Page Hijack - Redirects]

Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:

• Tools->Options->Main tab
  
• Set to "Always ask me where to Save the files".
  

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

[Rootkit virus? GMER Log]

Hello,

C:\ProgramData\mswintmp.dat (Malware.Trace) -> No action taken.

Not sure why "No action taken".. Can you re-run Malwarebytes' and then remove all that it found? I'm glad your computer is okay now

[Rootkit virus? GMER Log]

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry

1. Go HERE and download ERUNT
   (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
   
2. Install ERUNT by following the prompts
   (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
   
3. Start ERUNT
   (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
   
4. Choose a location for the backup
   (the default location is C:\WINDOWS\ERDNT which is acceptable).
   
5. Make sure that at least the first two check boxes are ticked
   
6. Press OK
   
7. Press YES to create the folder.
   

For detailed instruction on how to back-up registry via ERUNT, please visit HERE

NEXT

Please download The Avenger by Swandog46 and unzip it to your Desktop

Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

Begin copying here:
Drivers to disable:
_VOIDd.sys
qrzrtx

Drivers to delete:
_VOIDd.sys
qrzrtx

Files to delete:
C:\ProgramData\_VOIDkrl32mainweq.dll
C:\ProgramData\_VOIDmainqt.dll 
C:\Users\Tahveli\AppData\Local\Temp\_VOID64ae.tmp
C:\Users\Tahveli\AppData\Local\Temp\_VOID99c2.tmp
C:\Users\Tahveli\AppData\Local\Temp\_VOIDe501.tmp
C:\Users\Tahveli\AppData\Local\Temp\_VOIDefab.tmp
C:\WINDOWS\System32\drivers\_VOIDssinettpco.sys
C:\WINDOWS\System32\_VOIDarijntaiwr.dll
C:\WINDOWS\System32\_VOIDqpgxwpdwkn.dll
C:\WINDOWS\System32\_VOIDqrkpiivfvm.dll
C:\WINDOWS\System32\_VOIDryxcvbtbwh.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

• Now, click on Execute. Just say Yes at every prompted
  

The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

Please copy/paste the content of c:\avenger.txt into your reply.

NEXT

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

[Cant update mbam and others, getting redirected, etc]

Hello.. Sorry I'm late.. Was outstation for three days..

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O17 - HKLM\System\CCS\Services\Tcpip\..\{10D5D574-4818-4953-9E0E-218BFEAA6B97}: NameServer = 93.188.162.96,93.188.166.34

Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.

Then, please reset the router back to its factory setting.. Refer below if you do not know how..

http://www.ehow.com/how_2110924_router-bac...t-settings.html

Then, please reconfigure it back to your preferred setting.. Below is the list of default username and password, should you don't know it

http://www.routerpasswords.com/

http://www.phenoelit-us.org/dpl/dpl.html

Then reboot the computer and tell me if you still got the redirect issues

[Disabled.SecurityCenter, Hijack.Regedit, Hijack.TaskManager]

I've Google the "80070490" error and got various answers.. Since I don't know the right answer for your current issue, and determine that your computer is now malware-free, I suggest you to post the Windows Update problem at our PC Help forum.. Link below.. Tell them I send you there

http://forums.malwarebytes.org/index.php?showforum=6