paddykool
Antimalware - now gone but can't search the internet!!!

Hi all,
I'm having serious difficulties with my PC. I had Antimalware Doctor on it but got it removed by a long process of, well trial and error. Ended up getting Avenger and running a script a guy gave me.
Anywho, I have Norton on it and scanned it and it's now clean BUT, every time I go onto Google and perform a search, whatever link I click takes me to a shopping website. Plus, my laptop is really really slow.
Can someone please help me!??!? I've spent 3 evenings just trying to get Antimalware Doctor removed and now this! Aaaghhhhhh
All help with this greatly appreciated. If you need logs of any kind just ask
Thanks in advance
themrrobert

Have you opened
c:\windows\system32\drivers\etc\hosts ?

Start->run->notepad c:\windows\system32\drivers\etc\hosts

Erase all but the 127.0.0.1 entries.
you may need to run

start->cmd
>cd \windows\system32\drivers\etc
>attrib -r hosts
>attrib -s hosts
>attrib -h hosts
>notepad hosts

(> just signifies the shell, don't actually type it)
paddykool

ASKER

No joy,
I think something is downloading cookies that are redirecting me
This is actually depressing :(
Ok. I'll bet it changed your DNS settings.
On XP: Start->Control Panel (Classic view)->Network Connections->{Your Active Connection}

Look at the TCP/IP settings (IPv4) and change the DNS settings to your router/gateway address.

If that doesn't work, change your DNS address to 4.2.2.2, an ATT DNS server
Hi.
Download Combofix to desktop>disable AV scanners/shields before running Combofix in Normal Mode.
Let Combofix install recovery console.
Leave machine alone as Combofix is running otherwise scan will freeze....
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post logfile here after
Your problem is you're trusting a Norton product to tell you your system is clean. I can almost guarantee you that it's not. First thing you should do is download Malwarebytes Anti-Malware, probably from a different machine that has internet access, and if it says you're clean then start thinking about your IP settings.
Download and run HiJackThis and look for suspicious entries. You may still be infected and something may be actively redirecting your queries and traffic. Look specifically for DNS IP addresses in the results and check them off to be fixed.

Also use BartPE to delete the malware off of your PC as some of the nastier ones will infect running processes in memory and put their files back after you've deleted them.

You can also try Malwarebytes AntiMalware which is pretty good at catching these bugs.

Good luck.

-J


rpggamergirl
Did you try TDSSKiller or ComboFix as suggested and attach the log here?

1. Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip 


Or TDSSKiller, and OTL (OTL will not remove any bad file without a script).

2. Download OTL to your Desktop
http://oldtimer.geekstogo.com/OTL.exe 
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
 
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Cheers for all the input folks!!

What I have done since is go with HiJackThis and deleted all the suspicious entries and my PC seems to be running again!! (Loads of entries with IP addresses on them.) But, I'm not convinced that everything is gone.

I'll put up another HiJackThis log, ComboFix, TDSSKiller, and OTL (as suggested by rpggamergirl) to see what ye all think. I much appreciate the input, people.
Ok,

Apologies for the delay.

Firstly, below is what I deleted using HiJackThis on the 4th June. . .

O4 - HKCU\..\Run: [{B7CB6238-2328-7F00-AC5C-3505C28B52C5}] "C:\Documents and Settings\Claire\Application Data\Ygsu\yqawy.exe"
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\Claire\LOCALS~1\Temp\Yrd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0809E9CC-9056-45F0-9204-B05DA71ED6F7}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{21F1654F-4FFA-4A99-B04F-6B95D6876964}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{50E1F326-DDEE-4734-973E-A35C9059EEA5}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CS1\Services\Tcpip\..\{0809E9CC-9056-45F0-9204-B05DA71ED6F7}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CS2\Services\Tcpip\..\{0809E9CC-9056-45F0-9204-B05DA71ED6F7}: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.135,93.188.166.179

After, my machine seemed fine in that I could click the links presented by a Google search and they would bring me to the correct website. BUT, when browsing for an amount of time I'd get loads of ads popping up and get directed to credit card sites :(

So, I ran HiJackThis again and I also ran ComboFix which reported ws2_32.dll was infected.
Attached are the HiJackThis & ComboFix logs run today.

As always, much appreciation to anyone who wants to take a look.
ComboFix-20100606.txt
hijackthis-20100606
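As an added example (not code from this thread or from any of the tools it mentions), a small Python script that applies the checks the experts describe to HijackThis-style log lines: it flags O17 NameServer addresses that are neither private (a router/gateway address, as themrrobert suggests) nor explicitly trusted, and O4 autostart entries launched from user-writable temp/data folders. The sample log is constructed from the entries paddykool posted plus one made-up benign entry as a control.

```python
import ipaddress
import re

# Constructed sample input modelled on the O4/O17 lines the asker pasted from
# HijackThis, plus one made-up benign O4 entry as a control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example Vendor\tray.exe"
O4 - HKCU\..\Run: [{B7CB6238-2328-7F00-AC5C-3505C28B52C5}] "C:\Documents and Settings\Claire\Application Data\Ygsu\yqawy.exe"
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\Claire\LOCALS~1\Temp\Yrd.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.135,93.188.166.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{21F1654F-4FFA-4A99-B04F-6B95D6876964}: NameServer = 192.168.1.1
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# Per-user writable locations that a legitimate autostart program rarely runs from.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\docume~1\\", "\\local settings\\")


def rogue_nameservers(log, trusted=()):
    """O17 NameServer values that are neither private (router/LAN) nor explicitly
    trusted, sorted and de-duplicated. Unparsable values are reported as well."""
    found = set()
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for ip in (s.strip() for s in m.group("servers").split(",")):
            try:
                if ipaddress.ip_address(ip).is_private or ip in trusted:
                    continue
            except ValueError:
                pass  # not an IP literal at all: definitely worth a look
            found.add(ip)
    return sorted(found)


def suspicious_run_entries(log):
    """(name, command) for O4 autostart entries whose executable lives under a
    user-profile temp/data directory."""
    hits = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m and any(x in m.group("cmd").lower() for x in USER_WRITABLE):
            hits.append((m.group("name"), m.group("cmd")))
    return hits
```

Running `rogue_nameservers(SAMPLE_LOG)` reports the two 93.188.x.x servers and ignores the 192.168.1.1 router entry; the same idea works on a full HijackThis log pasted in as the input string.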
SOLUTION
optoma
Street-Ads
Sky-Banners

Did you install the above programs on purpose?


ComboFix shows one file is infected(possibly 2).
You have 2 AVs showing there; you only need one. Having two only creates conflict and makes the system vulnerable.


Download the attachment to replace the infected file (it's the same version, SP3) and extract it to C:\
Close any open browsers.
Disable anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the bolded text (between the lines) into it:
---------------------------------------------------------------------
Fcopy::
C:\ws2_32.dll | c:\windows\system32\ws2_32.dll
C:\ws2_32.dll | c:\windows\ServicePackFiles\i386\ws2_32.dll

DirLook::
c:\program files\$NtUninstallWTF1012$

---------------------------------------------------------------------

Save this as CFScript.txt, in the same location as ComboFix.exe
Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again and replace the infected file.

ws2-32.zip
Btw, where's the OTL log?
OTL log will help us identify if "user32.dll" is also infected and if there's any clean copy somewhere in the system.
optoma, I didn't refresh and didn't see your post there.
I asked if he did install those programs because those files you're deleting belong to them.
One is a folder, not a file... so your "File::" script won't work on that anyway.....

If you can please refer with another Expert before you make a script just to make sure as CF is a very powerful tool and we can't just do a guessing game with it, :)
optoma,

You could also just point them to my old post next time when patching the same file, you downloaded it too,  :)
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_26205697.html
Hi Rpg,
Point taken ;)

(Forgot about that thread!)
Ok

Firstly, I used Add/Remove Programs to remove both Street-Ads & Sky-Banners. I'm pretty sure I didn't install them. Possibly shouldn't have used Add/Remove Programs to remove?!? Ah well, it's done now.

Then:

Combofix ran again with:

Fcopy::
C:\ws2_32.dll | c:\windows\system32\ws2_32.dll
C:\ws2_32.dll | c:\windows\ServicePackFiles\i386\ws2_32.dll

DirLook::
c:\program files\$NtUninstallWTF1012$

 . . dragged in as the CFScript.txt. New dll also copied to root of C:

I also ran OTL with . . .

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5

 . . . copied into the custom scan panel.

Attached is the ComboFix log and the 2 OTL logs.

How's things looking now?!?!?!

ComboFix2-20100606.txt
OTL-20100606.Txt
Extras-20100606.Txt
BTW, is Avira still installed? You only need one antivirus installed in the system.
Hi

Ok, ran ComboFix again and attached is the log.
I've removed Avira but I would like your advice on this one. I'm now running Norton but my laptop is tiny. Would Norton be too heavy for it and slow everything?

Anywho, thanks a mill for all your help and I hope my computer is now cool.
Many thanks

ComboFix-20100607.txt
Just one more run.... those leftover folders are still there and also one Avira remnant.

Run combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Folder::
c:\documents and settings\Claire\Application Data\Street-Ads
c:\documents and settings\Claire\Application Data\Ywze
c:\documents and settings\Claire\Application Data\Sky-Banners

SecCenter::
{AD166499-45F9-482A-A743-FDD3350758C7}
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 
 

"I'm now running Norton but my laptop is tiny. Would Norton be too heavy for it and slow everything?"

I'm not keen on any security suite... I prefer standalone security programs because I think they're more efficient and light, whereas a suite is more of a resource hog.
Personally I would dump NIS and go for a standalone AV and standalone anti-malware.
I've been using the free Avast as my antivirus for 2 years now and it's been okay so far.
Absolutely Excellent. If you search through the rest of the posts from rpggamergirl & optoma too it's all quality. Many thanks again folks and keep up the good work!!
You're welcome, and thanks for the excellent feedback.
Glad to know the problem is resolved.
To uninstall Combofix:
Go to Start > Run and copy and paste the next command into the field:

ComboFix /Uninstall

Or simply rename ComboFix.exe to uninstall.exe and double click it.

Thank you for using Experts-Exchange!