Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

HELP with malware removal

Re: HELP with malware removal

Post by walt5137 » February 12th, 2011, 6:21 pm

Hello askey127,
Did a flushdns.
Reset home pages to google and did a search. At first, google went to googleadservice and back and forth to google and finally a search page of outcomes. First few times I clicked on a particular item I got redirected as before.
Then, after another flushdns, google began working properly....only thing was after I would click on a search page to open, I would have to "allow pop ups temp," then reclick on the page to open it. Did this numerous times in google and had normal results.

Then set up Bing as home page. Did another flushdns (don't really know what this does......) and did some searches in Bing. Same outcome as with google ...click on search list item, temp allow popups, reclick on item, go to proper page.

Did this numerous times.

So, of course, am wondering what all this means......can I uninstall/reinstall yahoo? What about all my yahoo mail?????
Also wondering about backup files stored on portable HD.....can they be infected?

I must say, it is very nice to have searches work.

Continued thanks....looks like you are getting closer to solving this problem....

Regards,

Walt

Re: HELP with malware removal

Post by askey127 » February 12th, 2011, 9:23 pm

Walt,
The FlushDNS routine works as follows:
There is a repository in your machine, called the DNS cache, that saves a list of what you asked for and where you ended up being sent.
It does that so it can pick off requests and answer them quickly.
The trouble is it also stores redirects and places you were sent that you did not want.
The machine uses the cache entries instead of precisely what you requested, if there is a matching request in its list.
So even after you fixed a redirect problem, it might take a few days before the searches would work, unless you clear the Cache using that flushDNS routine.

Do you have it set up so you get those little green checkmarks on sites that McAfee says are OK when you pass the mouse over search results ?
Do you search inside the McAfee toolbar or in the main search engine?

I am beginning to think this whole thing is related to McAfee SiteAdvisor and its Yahoo toolbar.
The Site advisor is not very good anyway, as far as protecting you from spyware and adware.
For example, it considers ask.com, funwebproducts.com and doubleclick.com as green checked sites.
Yet, they all appear in numerous blocklists and HOSTS files as purveyors of adware, tracking cookies and/or spyware.

Let's do this. It can't do any harm.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine

With the reboot, that should shut off the McAfee Site Advisor, its browser helper and toolbar.

Now, I would be very interested to see what results you get. Be sure to use the flushDNS routine for each test you make.
askey127

Re: HELP with malware removal

Post by walt5137 » February 13th, 2011, 1:34 pm

Hello askey127,

RE the HijackThis....the "O23....." entry did not remove even after three attempts.
The other two entries did remove OK.

Bing and Google seem to work OK on searches. Have been using Bing home page and using computer normally. THE ONLY ODD THING WITH BING has been attacks from fake antivirus programs....one masquerading as AVG and taking over the computer for a search while in a Bing search.

AND, WHEN SWITCHING FROM BING TO YAHOO MAIL all sorts of redirects occur when looking at mail, sending email etc....this happened rarely in Yahoo mail before.
redirects also occur when reading news on the Yahoo home page.

So, that is what is happening now.

Should I flushdns frequently?
Can the contents of the flushdns cache be seen?
Can Yahoo be uninstalled and reloaded (does this even make sense??)

Continued thanks for your help,

Walt

Re: HELP with malware removal

Post by askey127 » February 13th, 2011, 2:04 pm

I think your problem does have to do with McAfee Site Advisor and the Yahoo toolbar.

Are you actually PAYING for McAfee Security?
If it's not a financial issue, we can dump it and install a free AV, then get rid of all Yahoo stuff.
McAfee is not better than Microsoft Security Essentials or Antivir, and it loads up your machine with junk.

When we get this completed, you will not have to flushDNS any more.

Re: HELP with malware removal

Post by walt5137 » February 13th, 2011, 3:19 pm

Hello askey127,

Yes, we pay for McAfee but no matter.....

How do we proceed.

Don't mind the flushes....just wanted to learn more about them.

Oh yes, want to tell you I was looking at a piece in Drudge report from my "favorites" which seemed to be available in the Bing home page just as they were in Yahoo and while reading the news piece the page redirected to a page that told me the connection was gone or lost so I went to the down arrow next to the forward/back arrows in the upper left hand corner of the page and clicked on Drudge.....the Drudge report returned OK......I have experienced these types of redirects before as well as the others. Don't understand why it happened in Bing unless it wasn't any longer in Bing since I had used "favorites" to get to Drudge.

Continued thanks for your help,

Walt

Re: HELP with malware removal

Post by askey127 » February 13th, 2011, 5:20 pm

Walt,
OK, let's go.
-----------------------------------------------
Download Antivir Free
This program is free for personal, non-business use.
Download AntiVir Free from here : http://www.softpedia.com/get/Antivirus/AntiVir-Personal-Edition.shtml
Click the Download button. Then when the "Download Locations" page comes up, choose the first External Mirror (exe)
Save the Installer to your desktop, but don't run it yet. The installer file will be named avira_antivir_personal_en.exe
Double check to be sure you know where to find it.
------------------------------------------------
Remove Programs Using the Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each of these Entries, one by one, if they exist, choose Uninstall/Change, and give permission to Continue:
Some may be missing.

McAfee Internet Security
McAfee Security Scan Plus
McAfee Virtual Technician
Yahoo! Music Jukebox
Yahoo! Software Update
Yahoo! Toolbar

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------
Install Antivir
Right Click the Avira Antivir Installer you saved on your desktop, choose "Run as administrator", and let it Install Antivir.
-----------------------------------------------
Update and Scan with Antivir
Right click the red umbrella icon and choose Start Antivir.
When the window comes up click Start Update.
When the update is complete, click on Scan System Now.
This full scan could take an hour or more.
It will ask what to do with any items it finds.
IMPORTANT >> For Now, tell it to IGNORE any items it finds. Do not choose Quarantine or Delete.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

askey127

Re: HELP with malware removal

Post by walt5137 » February 14th, 2011, 12:40 am

Hello askey127,

Removed all but McAfee Security Scan Plus, Yahoo Software Update, and Yahoo Toolbar as these were not present.

Removed Yahoo Browser Plus 2.9.8.

Loaded Avira and did the scan. Results are below.

Did have one redirect on a Bing search prior to doing the above.

As usual, many thanks for your help,

Walt

Avira AntiVir Personal
Report file date: Sunday, February 13, 2011 22:13

Scanning for 2364983 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HP-PC

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, February 13, 2011 22:13

Starting search for hidden objects.

Initiating scan of system files:
The system files were scanned ('21' files)

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '370' files ).


Starting the file scan:

Begin scan in 'C:\' <SQ004464V01>


End of the scan: Sunday, February 13, 2011 23:24
Used time: 1:11:16 Hour(s)

The scan has been done completely.

21072 Scanned directories
312667 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
312667 Files not concerned
1889 Archives were scanned
0 Warnings
0 Notes
547704 Objects were scanned with rootkit scan
0 Hidden objects were found

Re: HELP with malware removal

Post by walt5137 » February 14th, 2011, 12:51 pm

Hello askey127,

Have been doing some searches in Bing on various printers as my Epson just died.

On about the 3rd or 4th search item the redirects started occurring one after the other....the first redirect was some kind of "access denied...." warning followed by a brief return to the page I had actually selected, then followed by a series of redirects to various places.

So, this redirecting is starting to happen in Bing pretty much like it did in Yahoo.

I did a flushdns and thought it would be useful to update you.

Regards and continued thanks,

Walt

Re: HELP with malware removal

Post by askey127 » February 14th, 2011, 1:31 pm

Walt, let's check this out ourselves.
----------------------------------------------------
Check your Connection Routing:
Please highlight, copy (Ctrl+C) and paste (Ctrl+V) the text inside the quote into a new Notepad document.
ipconfig /all >> c:\ip.txt

Save it on your Desktop as file type "All Files" (NOT as "Text Documents"), and name it findip.bat
Close Notepad.
Right Click Findip.bat on your Desktop, choose "Run as administrator", and give permission.
A window may flash open and close. This is normal.
-----------------------------------
Now go to Start, Computer and double-click on C:\ drive.
Find a file on the C: drive named ip.txt
Right click the file and choose Edit
You should see Notepad popup with a few lines of information in it.
Please Copy the contents and paste back in a reply here.

askey127

Re: HELP with malware removal

Post by walt5137 » February 14th, 2011, 1:52 pm

Hello askey127,

Did as directed.

continued thanks,

Here is the file ip 01.


Windows IP Configuration

Host Name . . . . . . . . . . . . : HP-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter
Physical Address. . . . . . . . . : 00-1B-9E-28-D6-14
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::70a7:8d71:98d4:dfa2%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, February 14, 2011 6:26:22 AM
Lease Expires . . . . . . . . . . : Tuesday, February 15, 2011 6:26:20 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 218110878
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-CF-80-06-00-1B-24-52-FA-67
DNS Servers . . . . . . . . . . . : 213.109.68.247
213.109.73.249
1.1.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8101 Family PCI-E Fast Ethernet NIC (NDIS 6.0)
Physical Address. . . . . . . . . : 00-1B-24-52-FA-67
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{AE235EF4-7D2A-4A03-8E83-72EB035413B1}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{48706050-2FB4-4AEE-818C-8080727711C9}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes


Re: HELP with malware removal

Post by askey127 » February 14th, 2011, 2:43 pm

Walt,
The DNS Server listed in your Router is this :
DNS Servers . . . . . . . . . . . : 213.109.68.247
213.109.73.249

According to WhoIsView, this is the site:
213.109.68.247

% Information related to '213.109.64.0 - 213.109.79.255'

inetnum: 213.109.64.0 - 213.109.79.255
netname: PROLITE-NET
descr: ProLite Ltd.
country: RU
org: ORG-PL83-RIPE
admin-c: NF1275-RIPE
tech-c: NF1275-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-PROLITE
mnt-routes: MNT-PROLITE
mnt-domains: MNT-PROLITE
source: RIPE # Filtered

organisation: ORG-PL83-RIPE
org-name: ProLite Ltd.
org-type: OTHER
address: Russia, Nizhniy Novgorod, Pecherskiy syezd 22, off.12
e-mail: prolite@p-lite.ru
mnt-ref: MNT-PROLITE
mnt-by: MNT-PROLITE
source: RIPE # Filtered

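A checker for the condition diagnosed in this post, added here as an example and not code from the thread or from any tool the helpers used: it parses `ipconfig /all` output (a constructed sample trimmed from the values posted above), collects the DNS servers each adapter reports, and flags every resolver that is not on an assumed allow-list (the gateway 192.168.1.1 plus two placeholder ISP resolvers in documentation address space).

```python
"""Flag DNS resolvers a Windows host was not expected to be using.

Added example, not code from the thread. A public address that is neither
the gateway nor an ISP resolver is the symptom diagnosed above: a router
reconfigured to hand out someone else's DNS servers.
"""
import ipaddress
import re

# Constructed sample, trimmed from the ipconfig output posted in the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HP-PC
   Node Type . . . . . . . . . . . . : Hybrid

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.68.247
                                       213.109.73.249
                                       1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   DHCP Enabled. . . . . . . . . . . : Yes
"""

# Assumed allow-list: the home router plus two placeholder ISP resolvers
# (198.51.100.0/24 is documentation space; substitute your provider's).
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.53", "198.51.100.54"}

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}} from ``ipconfig /all`` output.

    Multi-value fields such as "DNS Servers" continue on lines that carry
    no label; those lines are appended to the last field seen. A fresh
    "Windows IP Configuration" header (a second run appended with ``>>``)
    resets the adapter context so the most recent run wins.
    """
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        if line.startswith("Windows IP Configuration"):
            current = last_field = None
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_field = None
            continue
        if current is None or not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field, value = m.group(1).strip(), m.group(2).strip()
            adapters[current].setdefault(last_field, [])
            if value:
                adapters[current][last_field].append(value)
        elif last_field is not None:
            adapters[current][last_field].append(line.strip())
    return adapters


def dns_servers(adapters):
    """Map each adapter that lists resolvers to its list of DNS server IPs."""
    return {name: fields["DNS Servers"]
            for name, fields in adapters.items() if fields.get("DNS Servers")}


def rogue_resolvers(adapters, expected=EXPECTED_RESOLVERS):
    """Return (adapter, ip, kind) for every resolver not on the allow-list."""
    findings = []
    for adapter, servers in dns_servers(adapters).items():
        for raw in servers:
            # Drop decorations such as "(Preferred)" or an IPv6 zone index "%9".
            ip = ipaddress.ip_address(raw.split("(")[0].split("%")[0])
            if str(ip) not in expected:
                kind = "private" if ip.is_private else "public"
                findings.append((adapter, str(ip), kind))
    return findings


if __name__ == "__main__":
    for adapter, ip, kind in rogue_resolvers(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: unexpected {kind} DNS server {ip}")
```

Because the batch file in the thread redirects with `>>`, ip.txt accumulates one copy of the output per run; the parser tolerates that by resetting at each "Windows IP Configuration" header.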

Re: HELP with malware removal

Post by walt5137 » February 14th, 2011, 2:55 pm

Hello askey127,

I'm not sure what you are telling me. Sounds like my router is speaking Russian.

As I mentioned in an earlier communication, I contacted Linksys when you introduced the potential problem with the router. They (after charging me $39.99) told me they had changed the admin password and updated the software and also that they found no evidence of anything unusual. I'm not clear on what they were looking at....but, that's what they said.

Sounds like you have found the router to be the problem and that we have been chasing ghosts.

Do you know what I should do to fix the router problem.....get a new router....re-contact Linksys and see if they can fix...???

Continued thanks,

Walt

Re: HELP with malware removal

Post by askey127 » February 14th, 2011, 3:51 pm

You need to use the new router password and sign in to the Router Setup procedure.

Then you need to change those Russian IP addresses (213.109.68.247 and 213.109.73.249) to addresses given to you by your Internet Provider for the DNS Server.
You may have to call your Internet Provider tech support to get their IP address(es).

The entire problem is that your Internet connections are being made through a strange server. They are giving you the redirects.
It occurred from not changing the Router password when it was first set up.

The Linksys guys may have checked the software and your password, but they may not know who your ISP is, or whether it's a Russian provider. Anyway they did a lousy job.

Call your Internet Provider first and get the correct IP address(es).
You don't need a new router. Just need to change the settings, and set another new password.

Re: HELP with malware removal

Post by walt5137 » February 14th, 2011, 4:00 pm

Hello askey127,

Sounds like a good plan which I will follow.

I much appreciate your help, as you can guess. I did call Linksys; their young ladies in the Philippines are nice over the phone but not much help.....they did not suggest doing what you suggested.....In fact, they suggested nothing at all.

My major problem, I guess, is not really understanding the terminology which makes it harder to understand what is going on.

Thanks again. I'll let you know what happened. If another process is run like the last one AFTER the changes you suggest are made would that verify that the hijacker is out of the picture?

Regards,

Walt

Re: HELP with malware removal

Post by askey127 » February 14th, 2011, 4:06 pm

Yes it would. It would show the DNS servers as the new ones you are plugging in.
The DNS servers are the ones that handle Internet address requests, as you might guess.