Jump to content

malware bytes not updating


zanepro

Recommended Posts

I'm also having an annoying issue with pages redirecting me. The update problem is on all computers, desktops and laptops. Please let me know if I need to do anything else on my end.

Sorry for the bump, my post made page 2 pretty quick and I understand there are a lot of problems being addressed and experts are doing their best to help everyone.

thank you

Link to post
Share on other sites

Hi,

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done with your internet connection disabled, so you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

It sounds like a case of Zlob/DNSchanger that change the router's DNS settings.

1. Very important: First disconnect your computer from the internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

3. Reset the IP/DNS settings of your interent connection:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".

    [*]Click OK twice to save the settings.

    [*]Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    ipconfig /flushdns


  • Then hit enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Link to post
Share on other sites

Hi,

1. Reset the IP/DNS settings of your interent connection:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".

    [*]Click OK twice to save the settings.

    [*]Reboot if you had to change any setting.

2. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    ipconfig /flushdns


  • Then hit enter.
  • Exit the command window.

3. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

After that, reboot (very important!).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If that didn't resolve the internet issue, then please tell me your router specifications.

Link to post
Share on other sites

Thanks! I'm back online.

here is the combofix.exe log

ComboFix 10-09-12.04 - Thomases 09/13/2010 16:28:16.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1584 [GMT -6:00]

Running from: c:\documents and settings\Thomases\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Thomases\Application Data\Def\CnsMin.dsc

c:\program files\pdfforge Toolbar\IE\1.1.2\pdFForgetoolbarie.dll

c:\program files\pdfforge Toolbar\SeARchsettings.dll

c:\windows\BackUp

c:\windows\patch.exe

c:\windows\regsvr32.exe

c:\windows\system32\zlibwapi.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((( Files Created from 2010-08-13 to 2010-09-13 )))))))))))))))))))))))))))))))

.

2010-09-10 23:32 . 2010-09-10 23:32 -------- d-----w- c:\program files\Trend Micro

2010-09-05 19:39 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-05 19:39 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-05 19:39 . 2010-09-05 19:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-05 14:35 . 2010-09-05 14:35 -------- d-----w- c:\documents and settings\Thomases\Application Data\SUPERAntiSpyware.com

2010-09-05 14:35 . 2010-09-05 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-09-05 14:34 . 2010-09-05 14:35 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-09-02 23:10 . 2010-09-02 23:10 -------- d-----w- c:\program files\NZCSM

2010-09-02 23:07 . 2010-09-02 23:07 -------- d-----w- c:\program files\Common Files\Cadsoft

2010-09-02 23:06 . 2010-09-02 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\IMSIDesign

2010-09-02 23:06 . 2010-09-02 23:06 -------- d-----w- c:\program files\IMSIDesign

2010-08-31 22:57 . 2010-08-31 22:57 -------- d-----w- c:\program files\Common Files\Skype

2010-08-30 16:39 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr

2010-08-30 16:38 . 2010-08-30 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-13 22:45 . 2008-11-18 00:05 -------- d-----w- c:\documents and settings\Thomases\Application Data\Skype

2010-09-13 22:37 . 2009-09-24 18:36 -------- d-----w- c:\program files\pdfforge Toolbar

2010-09-13 22:37 . 2005-04-24 13:35 -------- d-----w- c:\documents and settings\Thomases\Application Data\Def

2010-09-13 22:01 . 2008-11-18 00:09 -------- d-----w- c:\documents and settings\Thomases\Application Data\skypePM

2010-09-12 13:09 . 2007-12-20 00:09 -------- d-----w- c:\program files\Tournament Indicator

2010-09-12 06:00 . 2006-12-09 01:22 -------- d-----w- c:\program files\PokerStars

2010-09-07 15:11 . 2008-06-12 14:52 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-09-07 14:52 . 2008-06-12 14:53 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-09-07 14:52 . 2008-06-12 14:53 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-09-07 14:47 . 2008-06-12 14:53 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-09-07 14:47 . 2008-06-12 14:53 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-09-07 14:47 . 2008-06-12 14:53 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-09-07 14:47 . 2008-06-12 14:53 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-09-07 14:46 . 2008-06-12 14:53 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-09-05 19:39 . 2008-07-05 03:44 -------- d-----w- c:\documents and settings\Thomases\Application Data\Malwarebytes

2010-09-05 19:39 . 2008-07-05 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-02 23:09 . 2002-07-29 22:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-09-02 23:05 . 2010-09-02 23:05 0 ----a-w- c:\windows\system32\_r_a_p_.tmp

2010-09-01 16:46 . 2001-08-17 18:58 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys

2010-08-31 22:57 . 2008-11-18 00:04 -------- d-----r- c:\program files\Skype

2010-08-31 22:56 . 2008-11-18 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-08-30 20:33 . 2008-07-10 19:29 -------- d-----w- c:\program files\mIRC

2010-08-30 19:03 . 2007-09-10 05:33 -------- d-----w- c:\documents and settings\Thomases\Application Data\mIRC

2010-08-30 16:41 . 2008-04-13 20:55 -------- d-----w- c:\program files\Alwil Software

2010-07-25 17:24 . 2008-06-12 21:16 -------- d-----w- c:\program files\Cinemaware Marquee

2010-07-25 17:22 . 2009-07-19 05:08 -------- d-----w- c:\program files\Microsoft Games

2010-07-25 17:22 . 2010-05-11 23:40 -------- d-----w- c:\documents and settings\Thomases\Application Data\Microsoft Games

2010-07-23 02:52 . 2008-11-12 20:09 -------- d-----w- c:\program files\IntelliTipster

2010-06-30 12:31 . 2001-08-18 11:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:15 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:15 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-06-24 12:15 . 2001-08-18 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-06-23 13:44 . 2002-02-20 23:46 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2001-08-18 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2001-08-18 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2006-09-09 00:09 . 2006-09-09 00:09 7704343 -c--a-w- c:\program files\FullTiltPokerNetSetup.exe

2006-08-24 02:49 . 2006-08-24 02:49 15807701 -c--a-w- c:\program files\pt2su.exe

2006-06-22 15:14 . 2006-06-22 15:14 5763072 -c--a-w- c:\program files\WindowsDefender.msi

2006-06-04 00:11 . 2006-06-04 00:11 6851106 -c--a-w- c:\program files\drbclientinstall_cd.exe

2006-05-21 20:06 . 2006-05-21 20:05 357405 -c--a-w- c:\program files\SetupPoker.exe

2006-04-29 22:26 . 2006-04-29 22:26 501 -c--a-w- c:\program files\symantec_kb_05.html

2006-04-29 21:02 . 2006-04-29 21:02 42873781 -c--a-w- c:\program files\NSWBE06901.exe

2006-04-29 20:48 . 2006-04-29 20:48 45511639 -c--a-w- c:\program files\NIS06910_2YR.exe

2006-01-30 22:40 . 2006-01-30 22:40 24630127 -c--a-w- c:\program files\NAV11_Microsoft.exe

2006-01-25 04:12 . 2006-01-25 04:12 3983840 -c--a-w- c:\program files\PartyPokerSetup.exe

2005-12-21 04:28 . 2005-12-21 04:28 4027561 -c--a-w- c:\program files\bettinggenius30full.exe

2002-06-18 15:04 . 2002-06-18 15:04 1783 -c--a-w- c:\program files\Enhancements_Import_1_0.dtd

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2007-10-25 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

2007-10-25 23:35 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-06-02 5451536]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-03 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]

"FLMK08KB"="c:\program files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [2007-04-02 207360]

"LWBMOUSE"="c:\program files\Belkin Mouse 1.0\MOUSE32A.EXE" [2001-11-20 356352]

"Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 3014656]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]

"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2010-01-08 974848]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 258118]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-2-20 67128]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]

backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WinDefend"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=

"c:\\Program Files\\VCOM\\Web Easy Professional 6\\WebEasy6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Tournament Indicator\\Indicator.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [6/12/2008 8:53 AM 165584]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]

R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]

R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [6/12/2008 8:53 AM 17744]

R2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/20/2009 7:36 PM 24652]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\windows\SYSTEM32\DRIVERS\pc22nd5.sys [1/24/2003 1:54 PM 17648]

S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\windows\SYSTEM32\DRIVERS\pc22unic.sys [1/24/2003 1:53 PM 69744]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

.

Contents of the 'Scheduled Tasks' folder

2010-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyServer = http=127.0.0.1:6092

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Thomases\Start Menu\Programs\UltimateBet\UltimateBet.lnk

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}

Trusted Zone: turbotax.com

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} - hxxp://racing.youbet.com/wr_6_2/controls/YBUICtrl.cab

FF - ProfilePath - c:\documents and settings\Thomases\Application Data\Mozilla\Firefox\Profiles\m12vpfzn.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=788008&p=

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-wtvbcgea - c:\documents and settings\Thomases\Local Settings\Application Data\aifwlgjrl\kgyeptnshdw.exe

HKCU-Run-qwvyjskv - c:\documents and settings\Thomases\Local Settings\Application Data\jkvtmklwy\ketjgwgshdw.exe

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe

HKLM-Run-POEngine - (no file)

SafeBoot-klmdb.sys

AddRemove-SymSetup.{830D8CBD-C668-49e2-A969-C2C2106332E0} - c:\program files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_2_0_29\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe

AddRemove-Yahoo! Internet Mail - c:\windows\regsvr32.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-13 16:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]

"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]

"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3689853989-1376643981-488748980-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]

@DACL=(02 0000)

@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2964)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\program files\Belkin Mouse 1.0\MOUDL32A.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe

c:\progra~1\COMMON~1\AOL\ACS\acsd.exe

c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\PostgreSQL\8.4\bin\pg_ctl.exe

c:\program files\PostgreSQL\8.4\bin\postgres.exe

c:\windows\system32\wwSecure.exe

c:\program files\PostgreSQL\8.4\bin\postgres.exe

c:\program files\PostgreSQL\8.4\bin\postgres.exe

c:\program files\PostgreSQL\8.4\bin\postgres.exe

c:\program files\PostgreSQL\8.4\bin\postgres.exe

c:\program files\PostgreSQL\8.4\bin\postgres.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-09-13 16:59:06 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-13 22:59

Pre-Run: 3,988,004,864 bytes free

Post-Run: 3,985,895,424 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A08F0CF5B96D022E13BC0657CF30FBBA

Link to post
Share on other sites

Hi,

What was the solution? I'd like to know. :)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Processes

    :Services
    Application Updater

    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SearchSettings"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-

    :Files
    ipconfig /flushdns /c
    c:\documents and settings\Thomases\Application Data\Def
    c:\program files\pdfforge Toolbar
    c:\program files\Application Updater

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates were downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

Link to post
Share on other sites

I still get he error message when I click update, I hope I did everything right. Here is the log of the last step you asked me to do.

All processes killed

========== PROCESSES ==========

========== SERVICES/DRIVERS ==========

Service Application Updater stopped successfully!

Service Application Updater deleted successfully!

========== REGISTRY ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SearchSettings deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer deleted successfully.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Thomases\Desktop\cmd.bat deleted successfully.

C:\Documents and Settings\Thomases\Desktop\cmd.txt deleted successfully.

c:\documents and settings\Thomases\Application Data\Def folder moved successfully.

c:\program files\pdfforge Toolbar\SSFF\components folder moved successfully.

c:\program files\pdfforge Toolbar\SSFF\chrome\skin folder moved successfully.

c:\program files\pdfforge Toolbar\SSFF\chrome\locale\en-US folder moved successfully.

c:\program files\pdfforge Toolbar\SSFF\chrome\locale folder moved successfully.

c:\program files\pdfforge Toolbar\SSFF\chrome\content folder moved successfully.

c:\program files\pdfforge Toolbar\SSFF\chrome folder moved successfully.

c:\program files\pdfforge Toolbar\SSFF folder moved successfully.

c:\program files\pdfforge Toolbar\Res folder moved successfully.

c:\program files\pdfforge Toolbar\IE\1.1.2 folder moved successfully.

c:\program files\pdfforge Toolbar\IE folder moved successfully.

c:\program files\pdfforge Toolbar\FF\components folder moved successfully.

c:\program files\pdfforge Toolbar\FF\chrome\skin folder moved successfully.

c:\program files\pdfforge Toolbar\FF\chrome\locale\EN-US folder moved successfully.

c:\program files\pdfforge Toolbar\FF\chrome\locale folder moved successfully.

c:\program files\pdfforge Toolbar\FF\chrome\content folder moved successfully.

c:\program files\pdfforge Toolbar\FF\chrome folder moved successfully.

c:\program files\pdfforge Toolbar\FF folder moved successfully.

c:\program files\pdfforge Toolbar folder moved successfully.

c:\program files\Application Updater folder moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 32902 bytes

->Flash cache emptied: 0 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Owner

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: postgres

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Thomases

->Temp folder emptied: 1420 bytes

->Temporary Internet Files folder emptied: 143688 bytes

->Java cache emptied: 27 bytes

->FireFox cache emptied: 97363666 bytes

->Flash cache emptied: 7640 bytes

%systemdrive% .tmp files removed: 14656 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 1160192 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 109335 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 3026160 bytes

RecycleBin emptied: 2144075 bytes

Total Files Cleaned = 99.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.16.0 log created on 09142010_175037

Files moved on Reboot...

File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Link to post
Share on other sites

Here is the ESET scan log

C:\Documents and Settings\All Users\Application Data\Symantec\ErrLogs\{830D8CBD-C668-49e2-A969-C2C2106332E0}a554a886.zip probably a variant of Win32/Genetik trojan

C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application

C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL Win32/Toolbar.AskSBar application

C:\Qoobox\Quarantine\C\Program Files\pdfforge Toolbar\SearchSettings.dll.vir Win32/Adware.Toolbar.Dealio application

C:\Qoobox\Quarantine\C\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll.vir Win32/Adware.Toolbar.Dealio application

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP824\A0043074.dll Win32/Adware.Toolbar.Dealio application

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP824\A0043075.dll Win32/Adware.Toolbar.Dealio application

C:\_OTM\MovedFiles\09142010_175037\c_program files\pdfforge Toolbar\SearchSettings.exe Win32/Adware.Toolbar.Dealio application

C:\_OTM\MovedFiles\09142010_175037\c_program files\pdfforge Toolbar\SearchSettingsRes409.dll Win32/Adware.Toolbar.Dealio application

C:\_OTM\MovedFiles\09142010_175037\c_program files\pdfforge Toolbar\WidgiHelper.exe Win32/Adware.Toolbar.Dealio application

Link to post
Share on other sites

Hi,

Open notepad by going to Start > Run and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following:

@echo off

>Router_Log_Gammo.txt (

ipconfig /all

nslookup data-cdn.mbamupdates.com

ping data-cdn.mbamupdates.com

tracert data-cdn.mbamupdates.com

route print

)

start Router_Log_Gammo.txt

del %0

In Notepad click on the "File" menu > Save As...

Under "File name" type Router_Gammo.bat

Change "Save as type" to All Files

Save it to your Desktop

Double click on Router_Gammo.bat. It will open a notepad windows. Please post the contents of this file in your next reply.

Link to post
Share on other sites

Hey I think I made a mistake when I ran the ESET, I checked "scan archives" but "remove infected files" was left unchecked. Please let me know if I have to run it again.

Windows IP Configuration

Host Name . . . . . . . . . . . . : Jeremy

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : Belkin

Ethernet adapter Local Area Connection 8:

Connection-specific DNS Suffix . : Belkin

Description . . . . . . . . . . . : ASIX AX88772 USB2.0 to Fast Ethernet Adapter

Physical Address. . . . . . . . . : 00-50-B6-04-70-78

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.2.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.2.1

DHCP Server . . . . . . . . . . . : 192.168.2.1

DNS Servers . . . . . . . . . . . : 192.168.2.1

Lease Obtained. . . . . . . . . . : Tuesday, September 14, 2010 5:53:06 PM

Lease Expires . . . . . . . . . . : Monday, January 18, 2038 9:14:07 PM

Server: UnKnown

Address: 192.168.2.1

Ping request could not find host data-cdn.mbamupdates.com. Please check the name and try again.

Unable to resolve target system name data-cdn.mbamupdates.com.

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x10003 ...00 50 b6 04 70 78 ...... ASIX AX88772 USB2.0 to Fast Ethernet Adapter - Packet Scheduler Miniport

===========================================================================

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.3 20

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

192.168.2.0 255.255.255.0 192.168.2.3 192.168.2.3 20

192.168.2.3 255.255.255.255 127.0.0.1 127.0.0.1 20

192.168.2.255 255.255.255.255 192.168.2.3 192.168.2.3 20

224.0.0.0 240.0.0.0 192.168.2.3 192.168.2.3 20

255.255.255.255 255.255.255.255 192.168.2.3 192.168.2.3 1

Default Gateway: 192.168.2.1

===========================================================================

Persistent Routes:

None

Link to post
Share on other sites

Hi,

I still get he error message when I click update

On this PC only now, or still on all your PC's?

Hey I think I made a mistake when I ran the ESET, I checked "scan archives" but "remove infected files" was left unchecked. Please let me know if I have to run it again.

No, you don't have to run it again. ESET didn't find anything that should be removed.

Link to post
Share on other sites

Hey, I was able to clear out the virus on both computers. I don't know if I did it right but it worked.

I'm still having the problem with the re-direct issue and when I click links sometimes another stupid ad window opens.

Malwarebytes still won't update, even when I try to click links that go directly to the mbam-rules.exe, I get an error page "cannot connect"

Here is the process I took on both computers to remove the main threat, so you know what may have changed.

The virus was "security suite"

1) I paused the virus with Rkill, then located the file listed "security suite" I deleted the file and folder then emptied the recycling bin

2) I uninstalled malwarbytes and superantispyware (antispyware wouldn't update on my computer, but it did on the other maybe because it was a fresh 1st time install?)

3) I rebooted into safe mode with networking, disabled the proxy, downloaded malwarebytes and superantispyware. Then Malware wouldn't update but superantispyware did.

--on the computer where I couldn't update superantispyware I found an update setup file on the site that worked.

4) I ran superantispyware on both computers then restarted and it was gone.

I know that little bastard is still in there waiting to attack again, I won another battle but I'm still at war.

Link to post
Share on other sites

Hi,

Some infection is/was infecting the router. Please reset the router again. If the problem isn't resolved after that, then one of your PC's is still infected.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done with your internet connection disabled, so you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

1. Very important: First disconnect your computer from the internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

3. Reset the IP/DNS settings of your interent connection:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".

    [*]Click OK twice to save the settings.

    [*]Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    ipconfig /flushdns


  • Then hit enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

Link to post
Share on other sites

Hi,

What about the redirection problem? Is that resolved?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please run ComboFix on all 4 PC's.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you (C:\ComboFix.txt).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please rename all four log files, so that I know which one correspondents with which PC (laptop 1, laptop 2, desktop 1, desktop 2).

Please attach all 4 log files in your next post.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

Link to post
Share on other sites

Hi,

I see some bad things on Desktop 2 (a Sony VAIO??). Please run the following steps on that PC.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    TDSSKillermain.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *kernel32*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:27811

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.