paddykool
asked on
Antimalware - now gone but can't search the internet!!!
Hi all,
I'm having serious difficulties with my PC. I had Antimalware Doctor on it but got it removed by a long process of, well, trial and error. Ended up getting Avenger and running a script a guy gave me.
Anywho, I have Norton on it and scanned it and it's now clean BUT, every time I go onto Google and perform a search, whatever link I click takes me to a shopping website. Plus, my laptop is really, really slow.
Can someone please help me!??!? I've spent 3 evenings just trying to get Antimalware Doctor removed and now this! Aaaghhhhhh
All help with this is greatly appreciated. If you need logs of any kind, just ask.
Thanks in advance
you may need to run
start->cmd
>cd \windows\system32\drivers\etc
>attrib -r hosts
>attrib -s hosts
>attrib -h hosts
>notepad hosts
(> just signifies the shell prompt, don't actually type it)
ASKER
No joy,
I think something is downloading cookies that are redirecting me.
This is actually depressing :(
Ok. I'll bet it changed your DNS settings.
On XP: Start->Control Panel (Classic view)->Network Connections->{Your Active Connection}
Look at the TCP/IP settings (IPv4) and change the DNS setting to your router/gateway address.
If that doesn't work, change your DNS address to 4.2.2.2, an ATT DNS server.
Hi.
Download Combofix to your desktop > disable AV scanners/shields before running Combofix in Normal Mode.
Let Combofix install the recovery console.
Leave the machine alone while Combofix is running, otherwise the scan will freeze....
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Post the logfile here afterwards.
Your problem is you're trusting a Norton product to tell you your system is clean. I can almost guarantee you that it's not. The first thing you should do is download Malwarebytes Anti-Malware, probably from a different machine that has internet access, and if it says you're clean then start thinking about your IP settings.
Download and run HiJackThis and look for suspicious entries. You may still be infected and something may be actively redirecting your queries and traffic. Look specifically for DNS IP addresses in the results and check them off to be fixed.
Also use BartPE to delete the malware off of your PC as some of the nastier ones will infect running processes in memory and put their files back after you've deleted them.
You can also try Malwarebytes AntiMalware which is pretty good at catching these bugs.
Good luck.
-J
Did you try TDSSKiller or ComboFix as suggested and attach the log here?
1. Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Or TDSSKiller and OTL (OTL will not remove any bad file without a script).
2. Download OTL to your Desktop
http://oldtimer.geekstogo.com/OTL.exe
•Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
•Under the Custom Scan box paste this in:
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
•Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
•When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
ASKER
Cheers for all the input folks!!
What I have done since is go with HiJackThis and delete all the suspicious entries, and my PC seems to be running again!! (Loads of entries with IP addresses on them.) But I'm not convinced that everything is gone.
I'll put up another HiJackThis log, ComboFix, TDSSKiller, and OTL (as suggested by rpggamer girl) to see what ye all think. Much appreciate the input people.
ASKER
Ok,
Apologies for the delay.
Firstly, below is what I deleted using HiJackThis on the 4th June. . .
O4 - HKCU\..\Run: [{B7CB6238-2328-7F00-AC5C-3505C28B52C5}] "C:\Documents and Settings\Claire\Application Data\Ygsu\yqawy.exe"
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\Claire\LOCALS~1\Temp\Yrd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0809E9CC-9056-45F0-9204-B05DA71ED6F7}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{21F1654F-4FFA-4A99-B04F-6B95D6876964}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{50E1F326-DDEE-4734-973E-A35C9059EEA5}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CS1\Services\Tcpip\..\{0809E9CC-9056-45F0-9204-B05DA71ED6F7}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CS2\Services\Tcpip\..\{0809E9CC-9056-45F0-9204-B05DA71ED6F7}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.135,93.188.166.179
After, my machine seemed fine in that I could click the links presented by a Google search and they would bring me to the correct website. BUT, when browsing for a while I'd get loads of ads popping up and get directed to credit card sites :(
So, I ran HiJackThis again and I also ran ComboFix, which reported ws2_32.dll was infected.
Attached are the HiJackThis & ComboFix logs run today.
As always, much appreciation to anyone who wants to take a look.
ComboFix-20100606.txt
hijackthis-20100606
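The two checks this thread keeps returning to, the hosts file (first reply) and the O17 NameServer entries in the HiJackThis output posted above, can be automated so that a helper does not have to eyeball every line. The Python script below is an added example, not code from this thread, from HiJackThis or from ComboFix: it parses HiJackThis-style O17 lines and a hosts file, flags any DNS server that is neither a private LAN address nor on an owner-supplied trusted list, and flags any hosts entry that maps a name to something other than loopback. The O4/O17 sample lines are built from the entries posted above; the hosts lines, the trusted router address 192.168.1.1 and the GUID on the last sample O17 line are constructed for the example.

```python
import ipaddress
import re

# Sample HiJackThis-style lines built from the O4/O17 entries posted in this
# thread, plus one constructed O17 line pointing at an assumed router address.
SAMPLE_HJT_LOG = r"""
O4 - HKCU\..\Run: [{B7CB6238-2328-7F00-AC5C-3505C28B52C5}] "C:\Documents and Settings\Claire\Application Data\Ygsu\yqawy.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0809E9CC-9056-45F0-9204-B05DA71ED6F7}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAA0000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Constructed hosts file: the loopback lines are the normal default, the
# other two are the kind of entry the thread's last reply says to erase.
SAMPLE_HOSTS = r"""
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
93.188.164.135  www.google.com
0.0.0.0         liveupdate.example.com
"""

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)")


def parse_o17(log_text):
    """Return a list of (registry key, [server, ...]) for every O17 NameServer line."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in m.group("servers").split(",") if s]
            found.append((m.group("key"), servers))
    return found


def suspicious_nameservers(log_text, trusted):
    """Flag every configured DNS server that is neither a private (LAN/router)
    address nor on the owner's trusted list; a hijacker's resolver is normally
    a public address the owner never chose."""
    trusted_set = {ipaddress.ip_address(t) for t in trusted}
    flagged = []
    for key, servers in parse_o17(log_text):
        for s in servers:
            addr = ipaddress.ip_address(s)
            if addr.is_private or addr in trusted_set:
                continue
            flagged.append((key, s))
    return flagged


def suspicious_hosts_entries(hosts_text):
    """Return hosts-file lines that map a name to anything other than loopback,
    i.e. everything beyond the 127.0.0.1 / ::1 defaults."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line.split()[0])
        except ValueError:
            continue                          # not an address-first line
        if not addr.is_loopback:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    # Assumed: 192.168.1.1 is the router the owner actually wants as resolver.
    for key, server in suspicious_nameservers(SAMPLE_HJT_LOG, ["192.168.1.1"]):
        print("suspicious DNS server", server, "under", key)
    for entry in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("non-loopback hosts entry:", entry)
```

On a real machine you would feed the script the saved HiJackThis log and C:\Windows\System32\drivers\etc\hosts instead of the embedded samples; the trusted list is whatever resolver the owner deliberately configured (the router, or a public resolver such as the 4.2.2.2 suggested earlier in the thread). Every O17 entry this flags is one of the lines the asker deleted, and the two flagged hosts lines are the ones the "erase all but the 127.0.0.1 entries" advice covers.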
SOLUTION
Street-Ads
Sky-Banners
Did you install the above programs on purpose?
ComboFix shows one file is infected (possibly 2).
You have 2 AVs showing there; you only need one. Having two only creates conflict and makes the system vulnerable.
Download the attachment to replace the infected file (it's the same version, SP3) and extract it to C:\
Close any open browsers.
Disable anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the bolded text (between the lines) into it:
-------------------------------------------------------------------
Fcopy::
C:\ws2_32.dll | c:\windows\system32\ws2_32.dll
C:\ws2_32.dll | c:\windows\ServicePackFiles\i386\ws2_32.dll
DirLook::
c:\program files\$NtUninstallWTF1012$
-------------------------------------------------------------------
Save this as CFScript.txt, in the same location as ComboFix.exe.
Then drag the CFScript.txt onto ComboFix.exe. This will start ComboFix again and replace the infected file.
ws2-32.zip
Btw, where's the OTL log?
OTL log will help us identify if "user32.dll" is also infected and if there's any clean copy somewhere in the system.
optoma, I didn't refresh and didn't see your post there.
I asked if he installed those programs because those files you're deleting belong to them.
One is a folder, not a file... so your "File::" script won't work on that anyway.....
If you can, please check with another Expert before you make a script, just to make sure, as CF is a very powerful tool and we can't just play a guessing game with it, :)
optoma,
You could also just point them to my old post next time when patching the same file, you downloaded it too, :)
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_26205697.html
Hi Rpg,
Point taken ;)
(Forgot about that thread!)
ASKER
Ok
Firstly, I used Add/Remove Programs to remove both Street-Ads & Sky-Banners. I'm pretty sure I didn't install them. Possibly shouldn't have used Add/Remove Programs to remove them?!? Ah well, it's done now.
Then:
Combofix ran again with:
Fcopy::
C:\ws2_32.dll | c:\windows\system32\ws2_32.dll
C:\ws2_32.dll | c:\windows\ServicePackFiles\i386\ws2_32.dll
DirLook::
c:\program files\$NtUninstallWTF1012$
. . dragged in as the CFScript.txt. New dll also copied to the root of C:
I also ran OTL with . . .
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
. . . copied into the custom scan panel.
Attached are the ComboFix log and the 2 OTL logs.
How are things looking now?!?!?!
ComboFix2-20100606.txt
OTL-20100606.Txt
Extras-20100606.Txt
ASKER CERTIFIED SOLUTION
BTW, is Avira still installed? You only need one antivirus installed in the system.
ASKER
Hi
Ok, ran ComboFix again and attached is the log.
I've removed Avira but I would like your advice on this one. I'm now running Norton but my laptop is tiny. Would Norton be too heavy for it and slow everything?
Anywho, thanks a mill for all your help and I hope my computer is now cool.
Many thanks
ComboFix-20100607.txt
Just one more run.... those leftover folders are still there and also one Avira remnant.
Run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
----------------------------------------------------------------------
Folder::
c:\documents and settings\Claire\Application Data\Street-Ads
c:\documents and settings\Claire\Application Data\Ywze
c:\documents and settings\Claire\Application Data\Sky-Banners
SecCenter::
{AD166499-45F9-482A-A743-FDD3350758C7}
----------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as ComboFix.exe.
4. Then drag the CFScript.txt onto ComboFix.exe. This will start ComboFix again.
"I'm now running Norton but my laptop is tiny. Would Norton be too heavy for it and slow everything?"
I'm not keen on any security suite... I prefer standalone security programs because I think they're more efficient and light, whereas a suite is more of a resource hog.
Personally I would dump NIS and go for a standalone AV and a standalone anti-malware.
I'm using the free Avast as my antivirus for 2 years now and it's been okay so far.
ASKER
Absolutely Excellent. If you search through the rest of the posts from rpggamergirl & optoma too it's all quality. Many thanks again folks and keep up the good work!!
You're welcome, and thanks for the excellent feedback.
Glad to know the problem is resolved.
To uninstall ComboFix:
Go to Start > Run and copy and paste the next command into the field:
ComboFix /Uninstall
Or simply rename ComboFix.exe to uninstall.exe and double-click it.
Thank you for using Experts-Exchange!
Start->run->notepad c:\windows\system32\driver
Erase all but the 127.0.0.1 entries.