
[Resolved] Google Redirects


  • This topic is locked
22 replies to this topic

#16 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 28 November 2009 - 08:01 PM

Hi,

Let's try this:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

--Next--

Please do Kaspersky Online Scanner (or from Here) again.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report
  • To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar
  • In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.



To post in your next reply:
1. Gooredfix log.
2. Kaspersky online scan log.
3. How is your computer? Still having problems with explorer?

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member


#17 Calvin.sparta

Calvin.sparta

    Authentic Member

  • Authentic Member
  • PipPip
  • 27 posts

Posted 30 November 2009 - 07:36 PM

GooredFix by jpshortstuff (27.11.09.1)
Log created at 12:57 on 30/11/2009 (Calvin)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:44 11/10/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [04:28 14/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

-=E.O.F=-

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 30, 2009
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 30, 2009 17:39:48
Records in database: 3314350
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\ L:\

Scan statistics:
Objects scanned: 295799
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:30:45

No threats found. Scanned area is clean.

Selected area has been scanned.

I don't really know about any new items in explorer. I haven't been at the computer for about a week cause of holidays. I've been doing most of the scans through remote control in teamviewer.

#18 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 02 December 2009 - 12:28 AM

Hi,

Download this file & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller.

----

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "fix.bat"
  • Click save
Double click on fix.bat & allow it to run

Post back with the Logit.txt.



#19 Calvin.sparta

Calvin.sparta

    Authentic Member

  • Authentic Member
  • PipPip
  • 27 posts

Posted 02 December 2009 - 12:53 AM

I got an error that it wasn't supported by 64 bit systems. Here is the log anyway.

Host Name: THESWAN
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Calvin
Registered Organization:
Product ID: 00371-839-8577512-85886
Original Install Date: 10/11/2009, 5:36:00 PM
System Boot Time: 11/24/2009, 11:16:17 AM
System Manufacturer: MICRO-STAR INTERANTIONAL CO.,LTD
System Model: MS-7376
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
    [01]: AMD64 Family 16 Model 4 Stepping 2 AuthenticAMD ~2800 Mhz
BIOS Version: American Megatrends Inc. V1.3, 1/24/2008
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 8,191 MB
Available Physical Memory: 5,806 MB
Virtual Memory: Max Size: 16,381 MB
Virtual Memory: Available: 14,119 MB
Virtual Memory: In Use: 2,262 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\THESWAN
Hotfix(s): 8 Hotfix(s) Installed.
    [01]: KB973525
    [02]: KB974332
    [03]: KB974431
    [04]: KB974455
    [05]: KB974571
    [06]: KB975467
    [07]: KB976098
    [08]: KB976749
Network Card(s): 4 NIC(s) Installed.
    [01]: Realtek RTL8168B/8111B Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
        Connection Name: Local Area Connection 2
        DHCP Enabled: Yes
        DHCP Server: 192.168.2.1
        IP address(es)
        [01]: 192.168.2.2
        [02]: fe80::30e7:5cc:af7c:ab32
    [02]: Comodo EasyVPN Adapter
        Connection Name: Local Area Connection 3
        Status: Hardware not present
    [03]: VMware Virtual Ethernet Adapter for VMnet1
        Connection Name: VMware Network Adapter VMnet1
        DHCP Enabled: No
        IP address(es)
        [01]: 192.168.116.1
        [02]: fe80::d994:4ae0:9c10:dbc9
    [04]: VMware Virtual Ethernet Adapter for VMnet8
        Connection Name: VMware Network Adapter VMnet8
        DHCP Enabled: No
        IP address(es)
        [01]: 192.168.142.1
        [02]: fe80::38ed:d8da:eb3a:4812

1:52:35:178 5060 Utility doesn't support x64 system

#20 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 03 December 2009 - 08:35 PM

Hi,

Sorry about the delay. Let's check some files as this may be the cause of the redirects.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys
    iaStor.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



#21 Calvin.sparta

Calvin.sparta

    Authentic Member

  • Authentic Member
  • PipPip
  • 27 posts

Posted 04 December 2009 - 12:05 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:04 on 04/12/2009 by Calvin (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys --a--- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys --a--- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C

Searching for "iaStor.sys"
No files found.

-=End Of File=-

there you go!
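
Added example, not part of the thread and not code from SystemLook or the forum staff: a small parser for the filefind section of a SystemLook log that groups every copy of a searched driver by size and MD5, so copies that disagree stand out. The one-entry-per-line layout and the rule "all copies on one machine should share a size and hash, a mismatch deserves a closer look" are assumptions made for this illustration.

```python
import re

# Sample input: the filefind section of the log posted in this thread,
# laid out one file entry per line (layout assumed for this example).
SAMPLE_LOG = r'''========== filefind ==========
Searching for "atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys --a--- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys --a--- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
Searching for "iaStor.sys"
No files found.
-=End Of File=-
'''

SEARCH = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
ENTRY = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes'
    r'\s+\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32})$')

def parse_filefind(log_text):
    """Return {searched name: [(path, size, md5), ...]} for a filefind section."""
    results, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = SEARCH.match(line)
        if m:
            current = m.group("name")
            results[current] = []
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            results[current].append((m["path"], int(m["size"]), m["md5"].upper()))
    return results

def summarize(results):
    """Classify each searched file as not_found, consistent or mismatch."""
    summary = {}
    for name, copies in results.items():
        variants = {(size, md5) for _, size, md5 in copies}
        if not copies:
            summary[name] = "not_found"
        else:
            summary[name] = "consistent" if len(variants) == 1 else "mismatch"
    return summary

if __name__ == "__main__":
    for name, status in summarize(parse_filefind(SAMPLE_LOG)).items():
        print(f"{name}: {status}")
```
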

#22 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 04 December 2009 - 11:17 PM

Hi,

Please delete the following:
Gooredfix, DDS, GMER, Rooter, TDSSKiller and all the logs we've created.

--Next--

Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
--Next--

Your computer now looks clean!

You can keep Malwarebytes, it is an excellent malware removal tool. Update at least once a week then run a complete scan.

--Next--

You need to create a new Clean restore point.
Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Remove all previous Restore Points
Click Start Menu > Run > copy and paste

cleanmgr

At top, click on More Options tab. Click Clean up... button in the System Restore box. Click on Yes button. When finished, click on Cancel button to exit.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

--Next--

To keep your operating system up to date visit

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I can not overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. SpywareBlaster - Download and install SpywareBlaster. This program prevents the installation of ActiveX-based spyware and other potentially unwanted programs.

7. Protect your computer from internet threats with SandboxIE. This program isolates Internet Explorer from the rest of your operating system, 'sandboxing' it away - so malicious websites can't do damage to the rest of your system. There is a Getting Started guide on their website.

8. Some excellent free firewalls. Note: Use only one firewall at a time.
Agnitum Outpost Firewall
Comodo Firewall - If you are installing this and already have an anti spyware then please do not install Comodo's anti spyware program.
Online Armor Personal Firewall

9. And finally, please read these excellent articles:
Malware: Help prevent the Infection by Sandi Hardmeier,
Preventing Malware - Tools and Practices for Safe Computing

For more safe computing tips please read the guide by Rorschach112 on how to prevent malware and about safe computing here.

With regards to Explorer.exe having a problem, you can open a new topic at the Microsoft Windows sub forum but please have a read here first.
Provide also a link back here so that the Tech Team can see your logs.


Good luck, happy computing and stay clean! ^_^



#23 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 08 December 2009 - 06:08 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 
