Forums » Up and Running » Security » Security Cleanup » [Trojan] Trojan Removal?
JonS1983

@btcentralplus.com


[Trojan] Trojan Removal?

Hey guys,
Please see this


click to enlarge


So I have a Win32 Trojan Downloader, and would very much like to know how to get rid of it. Windows Defender finds it, but then it seems to come back each time, almost exactly every hour on the hour (whether this is when Windows Defender is searching or just when it is re-created, I don't know).
Other programs don't seem to find the Trojan; again, I'm not sure whether this is because of conflicts with Windows Defender.

I tried HijackThis, but every time I launch it, I get the error message "...has stopped responding".
Whilst using Firefox and Google, when clicking on a search entry it redirects me to a completely different page altogether.

Thanks to anyone that has read this, special thanks to anyone that can help!


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

Hi JonS1983

Please read »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance and follow the instructions for running Malwarebytes' Anti-Malware. If it won't run after installation, go to its program folder at C:\Program Files\Malwarebytes' Anti-Malware and rename mbam.exe to a random name (such as myprogram.exe), and double-click on the file to run it. If it won't install, do the same thing to the installer file, renaming it to a random name.

After that, if HijackThis still doesn't work, rename it to a random name and run it, and then post the logs for both HijackThis and MBAM.
--
Proud ASAP member since 2005


JonS1983

@btcentralplus.com


Re: [Trojan] Trojan Removal?

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 6.0.6001 Service Pack 1

11/06/2009 22:05:03
mbam-log-2009-06-11 (22-05-02).txt

Scan type: Full Scan (C:\|D:\|K:\|)
Objects scanned: 330014
Time elapsed: 59 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{334d1067-913a-46b0-b67b-37fcbb2476c0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7f4d6420-a3c8-4aee-a256-013b68992699}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{334d1067-913a-46b0-b67b-37fcbb2476c0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7f4d6420-a3c8-4aee-a256-013b68992699}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{334d1067-913a-46b0-b67b-37fcbb2476c0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7f4d6420-a3c8-4aee-a256-013b68992699}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of HijackThis v1.99.1
Scan saved at 21:05:03, on 11/06/2009
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)

Running processes:
C:\Windows\SYSTEM32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\schtasks.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\hp\kbd\kbd.exe
C:\Program Files\HijackThis\peanutbutter.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »forum.videoediting.ru/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: Nokia Nseries PC Suite.lnk = C:\Program Files\Nokia\NNPCS\RunLauncher.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - »messenger.zone.msn.com/binary/ms···6986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »gfx1.hotmail.com/mail/w3/resourc···n-gb.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···6907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »fpdownload2.macromedia.com/get/s···lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{334D1067-913A-46B0-B67B-37FCBB2476C0}: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F4D6420-A3C8-4AEE-A256-013B68992699}: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\..\{334D1067-913A-46B0-B67B-37FCBB2476C0}: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\..\{334D1067-913A-46B0-B67B-37FCBB2476C0}: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\Windows\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\Windows\system32\AvidStartup.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Do we think that's that?


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

quote:
C:\Program Files\HijackThis\peanutbutter.exe
How appropriate, after I used some on a mousetrap this morning. :) :)

Your version of HijackThis is outdated.
Please download the current version of HijackThis:
»www.trendsecure.com/portal/en-US···download
Please save it in a convenient permanent folder such as C:\HJT\,
and be sure the next log is with the newer version.
If it won't run (you may find that it will run now), rename it as last time.

Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

You need to run an antivirus program and keep it up-to-date. I don't see one in your HijackThis log, although I see an entry that shows you had AVG 8 installed at one time. I recommend you go to Control Panel's Add or Remove Programs, and uninstall AVG 8 if there is still an entry for it. Then you need to reinstall an antivirus program. You can re-install AVG 8, but I would recommend that for now you try Avira AntiVir PersonalEdition Classic available at http://www.free-av.com. It's an excellent scanner, and it will give a log to post, and there is a tutorial available on its installation here:
»www.free-av.com/en/pages/20/Inst···Vir.html.

After installing AntiVir and updating it, perform a full system scan and clean everything found.
When the system scan completes, reboot.
After rebooting, open your Avira AntiVir and select "Reports".
Double-click the report from the full scan you just completed. Click the "Report File" button and copy and paste this report in your next reply.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{334D1067-913A-46B0-B67B-37FCBB2476C0}: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F4D6420-A3C8-4AEE-A256-013B68992699}: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\..\{334D1067-913A-46B0-B67B-37FCBB2476C0}: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CS2\Services\Tcpip\..\{334D1067-913A-46B0-B67B-37FCBB2476C0}: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Please Run Malwarebytes' Anti-Malware.
- Click the Update tab.
- Click Check for Updates, your database version is outdated.
- If an update is found, it will download and install.
- Click the Scanner tab.
- Select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Download ComboFix© by sUBs from one of these locations:


* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
»www.bleepingcomputer.com/combofi···combofix

- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Please post a new HijackThis log, the log from MBAM, the log from Avira, and in a second reply as it could get too long, the log from ComboFix (combofix.txt), and note any errors encountered.

--
Proud ASAP member since 2005
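As an added example (not part of the thread, and not a tool either poster used): a small Python triage script that reads HijackThis and MBAM excerpts the way TheJoker read them above. It flags O17 NameServer entries that point at public resolvers, lists O2/O3 browser hooks whose DLL is gone, and reports any DNSChanger IOC that a later HijackThis log still shows after MBAM claimed to remove it. The sample lines are copied from the logs posted in this thread; the assumption that a home PC should only have private-range (router) resolvers, and the `allowed` list, are mine.

```python
"""Triage of HijackThis / Malwarebytes log excerpts for DNS hijacking (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{334D1067-913A-46B0-B67B-37FCBB2476C0}: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118
"""

SAMPLE_MBAM = r"""
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.24,85.255.112.118 -> Quarantined and deleted successfully.
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
NAMESERVER = re.compile(r"NameServer = (?P<ips>[\d.,\s]+)$")
MBAM_DATA = re.compile(r"\((?P<family>[\w.]+)\) -> Data: (?P<ips>[\d.,]+)")


@dataclass(frozen=True)
class Entry:
    kind: str   # HijackThis section code, e.g. "O17"
    body: str   # rest of the line


def parse_hjt(text):
    """Split a HijackThis log into (section, body) entries; header lines are ignored."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append(Entry(m.group("kind"), m.group("body")))
    return out


def _ips(csv):
    return [ipaddress.ip_address(p.strip()) for p in csv.split(",") if p.strip()]


def o17_resolvers(entries):
    """Every IP set as a static NameServer in O17 entries."""
    ips = set()
    for e in entries:
        if e.kind == "O17":
            m = NAMESERVER.search(e.body)
            if m:
                ips.update(_ips(m.group("ips")))
    return ips


def rogue_dns(entries, allowed=()):
    """Static resolvers that are neither private-range nor in `allowed` (sorted strings).

    Assumption: a home client gets DNS from its router, so a public resolver it
    did not knowingly configure is the DNSChanger tell.
    """
    allowed = {ipaddress.ip_address(a) for a in allowed}
    return sorted(str(ip) for ip in o17_resolvers(entries)
                  if ip not in allowed and not ip.is_private)


def orphaned_hooks(entries):
    """O2 (BHO) / O3 (toolbar) entries whose backing DLL is gone: dead hooks to fix."""
    return [e for e in entries if e.kind in ("O2", "O3")
            and (e.body.endswith("(no file)") or e.body.endswith("(file missing)"))]


def mbam_dns_iocs(text):
    """DNS server IPs that MBAM reported under a DNSChanger detection."""
    iocs = set()
    for line in text.splitlines():
        m = MBAM_DATA.search(line)
        if m and "DNSChanger" in m.group("family"):
            iocs.update(str(ip) for ip in _ips(m.group("ips")))
    return iocs


def still_present(mbam_text, later_hjt_text):
    """IOCs MBAM said it removed that a *later* HijackThis log still lists.

    Non-empty means the fix did not hold, or something re-wrote the values.
    """
    removed = mbam_dns_iocs(mbam_text)
    seen = {str(ip) for ip in o17_resolvers(parse_hjt(later_hjt_text))}
    return sorted(removed & seen)


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    print("rogue resolvers:", rogue_dns(entries))
    for e in orphaned_hooks(entries):
        print("orphaned hook:", e.kind, e.body)
    print("still present after MBAM:", still_present(SAMPLE_MBAM, SAMPLE_HJT))
```

Run `still_present()` against the fresh HijackThis log TheJoker asked for: if it returns anything after the fixes, the NameServer values are being re-written and whatever persistence re-creates them still needs to be found before the resolver change counts as fixed.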


JonS1983

@btcentralplus.com
Thank you, in the process of doing this now, you must have taken ages doing this for me, really appreciate it.



TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
Not a problem. Remember though that even if symptoms are gone, you still need to post the logs as there will be more to do. We just don't know how much to do until the logs are reviewed.
--
Proud ASAP member since 2005
over 10 years online! © 1999-2009 dslreports.com.