Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Redirecting Virus...ugh

Re: Redirecting Virus...ugh

Post by xixo_12 » December 9th, 2009, 8:41 am

Hi,

First,
ERUNT by Lars Hederer - Backup
  • Double click on ERUNT.
  • When prompted, click OK.
  • At the configuration screen, make sure all 3 checkboxes are checked.
  • Click OK to run the backup process.
  • When prompted, click Yes > OK.

Note:
The backups can be restored from here:
C:\windows\ERDNT\<todays date>\ERDNT.exe

Next,
OTM by Old Timer.
  • Double-click OTM.exe.
  • Copy the lines in the codebox below.
    :processes
    explorer.exe
    :reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Security Suite]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\Program Files\LimeWire\LimeWire.exe"=-
    "C:\Documents and Settings\All Users\Application Data\1d0b3d6\WI1d0b.exe"=-
    :files
    C:\Program Files\Avira
    C:\Documents and Settings\All Users\Application Data\1d0b3d6
    C:\Program Files\LimeWire
    :commands
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.

Note:
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
  • If you are asked to reboot the machine choose Yes.
  • In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next,
CKScanner by askey 127.
Please download from HERE and save to the desktop.
Note: If you are using Vista, right click and choose Run as Administrator.
  • Double click on CKScanner.exe to run it and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Next,
Discussion.
Do you still face any problems?

Next,
Checklist.
Please post.
  • Content of OTM log
  • Content of CKFiles.txt
  • Answer for the discussion

Re: Redirecting Virus...ugh

Post by makrinosplumbing » December 9th, 2009, 6:17 pm

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Security Suite\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\LimeWire\LimeWire.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Documents and Settings\All Users\Application Data\1d0b3d6\WI1d0b.exe deleted successfully.
========== FILES ==========
File/Folder C:\Program Files\Avira not found.
File/Folder C:\Documents and Settings\All Users\Application Data\1d0b3d6 not found.
File/Folder C:\Program Files\LimeWire not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: John Makrinos
->Temp folder emptied: 1439357 bytes
->Temporary Internet Files folder emptied: 36988040 bytes
->Java cache emptied: 330502 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 16889 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 103202 bytes

Total Files Cleaned = 37.14 mb


OTM by OldTimer - Version 3.1.2.0 log created on 12092009_170943

Files moved on Reboot...

Registry entries deleted on Reboot...


CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----


Yay it's fixed! No more redirecting from all the known websites. No hijacking of my homepage. No slow internet! Thank you so much. Is there anywhere I can donate money to for all the help you have provided, such as a donation PayPal account? Thanks for everything.

Re: Redirecting Virus...ugh

Post by xixo_12 » December 10th, 2009, 5:03 pm

Hi,

Yay it's fixed! No more redirecting from all the known websites. No hijacking of my homepage. No slow internet! Thank you so much.
Is there anywhere I can donate money to for all the help you have provided, such as a donation PayPal account? Thanks for everything.

Hold on. I still have a few instructions before I can release you. :)
Yes, we accept the donation and I will redirect you to that page later.
Let's proceed.

First,
Remove programs.
Please Click on Start > Control Panel > Add/Remove Programs
Remove the listed program(s) by clicking Remove
Adobe Reader 9.1
Java(TM) 6 Update 15

If some programs listed above are not present, please do not panic and proceed to the next step.

Next,
Java SE Runtime Environment (JRE).
Please download from HERE.
  • Find Java SE Runtime Environment (JRE) 6 Update XX.
    XX denotes the latest version.
  • Click on Download.
  • Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click the Continue button.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Close all active windows.
  • Install the program.

Next,
Update Adobe Reader.
  • Recently there have been vulnerabilities detected in older versions of Adobe Reader.
  • It is strongly suggested that you update to the current version.
  • You can download it from HERE

Note: Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3 instead from Foxit Software.
Reminder: Do not install anything dealing with AskBar presented as an installation option.

Next,
Kaspersky Online AV Scan
Note: Internet Explorer should be used.
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

Next,
Checklist.
Please post.
  • Content of Kaspersky log

Re: Redirecting Virus...ugh

Post by makrinosplumbing » December 11th, 2009, 12:16 am

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, December 10, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, December 10, 2009 21:43:22
Records in database: 3354383
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Objects scanned: 73845
Threats found: 4
Infected objects found: 9
Suspicious objects found: 0
Scan duration: 02:54:52


File name / Threat / Threats count
C:\Documents and Settings\John Makrinos\My Documents\LimeWire\Incomplete\T-4506748-here we go steelers 2009-HQ.mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\John Makrinos\My Documents\LimeWire\Incomplete\T-4529671-semi charmed life.snd Infected: Trojan-Downloader.WMA.GetCodec.af 1
C:\Documents and Settings\John Makrinos\My Documents\LimeWire\Incomplete\T-4656091-Taken - Semi-charmed life (from Third Eye Blind).wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Documents and Settings\John Makrinos\My Documents\LimeWire\Incomplete\T-5299854-numb encore remix (unreleased live record).mp3 Infected: Trojan-Downloader.WMA.GetCodec.af 1
C:\Documents and Settings\John Makrinos\My Documents\LimeWire\Incomplete\T-5970745-fingertips katy perry new single.mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\John Makrinos\My Documents\LimeWire\Saved\brightest green anarbor.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Documents and Settings\John Makrinos\My Documents\LimeWire\Saved\numb and encore remix.au Infected: Trojan-Downloader.WMA.GetCodec.af 1
C:\Documents and Settings\John Makrinos\My Documents\LimeWire\Saved\numb encore remix new single.mp3 Infected: Trojan-Downloader.WMA.GetCodec.af 1
C:\Documents and Settings\John Makrinos\My Documents\LimeWire\Saved\semi charmed life.au Infected: Trojan-Downloader.WMA.GetCodec.af 1

Selected area has been scanned.
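Added example, not part of the thread or of any tool used in it: one way to triage a pasted report in the layout above, tallying detections, finding the folder common to every hit, and checking the rows against the report's own totals. The sample paths are constructed, and the reading of the two totals is an assumption inferred from the report above.

```python
import ntpath
import re
from collections import Counter

# Constructed sample in the report's layout: paths are invented, detection
# names are ones the report above lists.
SAMPLE = r"""
Scan statistics:
Threats found: 2
Infected objects found: 3

File name / Threat / Threats count
C:\Users\example\Shared\Incomplete\T-1-track one.mp3 Infected: Trojan-Downloader.WMA.GetCodec.af 1
C:\Users\example\Shared\Saved\track two.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Users\example\Shared\Saved\track three.au Infected: Trojan-Downloader.WMA.GetCodec.af 1
"""

# Paths contain spaces, so anchor on the " Infected: " marker, not on whitespace.
ROW = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
STAT = re.compile(r"^(Threats found|Infected objects found): (\d+)$")


def parse_report(text):
    """Return (stats, rows) parsed from a pasted text report."""
    stats, rows = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := STAT.match(line):
            stats[m.group(1)] = int(m.group(2))
        elif m := ROW.match(line):
            rows.append((m["path"], m["threat"], int(m["count"])))
    return stats, rows


def triage(text):
    """Summarise detections and check them against the report's own totals."""
    stats, rows = parse_report(text)
    by_threat = Counter(threat for _, threat, _ in rows)
    paths = [path for path, _, _ in rows]
    return {
        "by_threat": dict(by_threat),
        # Deepest folder that holds every hit: where cleanup should focus.
        "common_folder": ntpath.commonpath(paths) if paths else None,
        # Assumption: "Threats found" counts distinct detection names and
        # "Infected objects found" counts rows; a mismatch suggests a truncated paste.
        "consistent": stats.get("Threats found") == len(by_threat)
        and stats.get("Infected objects found") == len(rows),
    }
```

Calling `triage(SAMPLE)` returns the per-detection tally, the shared folder and the consistency flag as a dictionary.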

Re: Redirecting Virus...ugh

Post by xixo_12 » December 13th, 2009, 4:45 pm

Hi,
Let's proceed.
There is a little bit.

First,
OTM by Old Timer.
  • Double-click OTM.exe.
  • Copy the lines in the codebox below.
    :processes
    explorer.exe
    :files
    C:\Documents and Settings\John Makrinos\My Documents\LimeWire
    :commands
    [emptytemp]
    [start explorer]
    [reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.

Note:
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
  • If you are asked to reboot the machine choose Yes.
  • In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next,
ATF by Atribune
Please download HERE and save to the desktop. Double-click ATF Cleaner.exe to open it.
Under Main:
    Choose: Select All
    Click the Empty Selected button.
If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Next,
ESET Online Scanner
Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Next,
Checklist.
Please post.
  • Content of OTM log
  • Content of log.txt (Find it in C:\Program Files\Eset\Eset Online Scanner)

Re: Redirecting Virus...ugh

Post by NonSuch » December 17th, 2009, 1:27 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.