Malware / Browser Hijack

Re: Malware / Browser Hijack

Post by EricArsenal » April 30th, 2011, 2:13 pm

I ran the fixes, I reset my router. I changed my router password and changed my DNS to Google's DNS, which boosted my speed nicely. On my PC, when I visit cnn.com I still get redirects. I still have no Google Chrome access on my PC. I still get generic host errors which impact the functionality of my PC.

Here is the log.

All processes killed
========== FILES ==========
File\Folder c:\windows\system32\drivers\hprupbe.sys not found.
File\Folder c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKsl25400abc.sys not found.
File\Folder c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7561ED23-D702-48AE-A507-0CE9E723D71D}\MpKsl43daddbb.sys not found.
File\Folder c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5FFE1E20-1976-47A6-B20B-7E488D3E49DE}\MpKsled0fceeb.sys not found.
File\Folder c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DE0ACC7D-6BC9-4AAF-B9D5-D462F89EC676}\MpKslf96f46df.sys not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Eric Grafnitz\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Eric Grafnitz\Desktop\cmd.txt deleted successfully.
========== SERVICES/DRIVERS ==========
Error: No service named MpKsl25400abc was found to stop!
Service\Driver key MpKsl25400abc not found.
Service MpKsl43daddbb stopped successfully!
Service MpKsl43daddbb deleted successfully!
Service MpKsled0fceeb stopped successfully!
Service MpKsled0fceeb deleted successfully!
Service MpKslf96f46df stopped successfully!
Service MpKslf96f46df deleted successfully!
Service tmfag stopped successfully!
Service tmfag deleted successfully!
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"AntiVirusOverride"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"FirewallOverride"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"EnableFirewall"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: Eric Grafnitz
->Flash cache emptied: 3134 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 22192 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Eric Grafnitz
->Temp folder emptied: 549070795 bytes
->Temporary Internet Files folder emptied: 3921466 bytes
->Java cache emptied: 560 bytes
->FireFox cache emptied: 58959567 bytes
->Google Chrome cache emptied: 6099312 bytes
->Apple Safari cache emptied: 23570432 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33438 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 14712 bytes
->Temporary Internet Files folder emptied: 106771858 bytes
->Java cache emptied: 7023 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 26744683 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 739.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04302011_122551

Files\Folders moved on Reboot...
C:\Documents and Settings\Eric Grafnitz\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp moved successfully.
C:\Documents and Settings\Eric Grafnitz\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp moved successfully.

Registry entries deleted on Reboot...
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by Gary R » April 30th, 2011, 5:58 pm

Your logs are showing clean, and resetting your router should have cleared any DNS poisoning. There aren't many other reasons for a re-direct.

One of the latest TDL infections does not show on most rootkit scans and I can only presume your re-directions are as a result of you contracting this infection.

We cannot remove it whilst your computer is booted to normal Windows; we need to boot to the Recovery Console, which was installed when you ran Combofix.

This process is not without risk, so I strongly recommend you back up your personal files and folders before progressing further.

Earlier I had you create a backup of your Master Boot Record (MBR). Before we go further, please make sure that you still have the file C:\Backup_MBR_0.bin on your computer.

ONLY if you do ....

Next

  • Restart your computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select the Recovery Console option and click Enter.
  • Enter the number that corresponds to your XP installation (usually 1) and hit Enter.
  • Type in your password and hit Enter, if you don't use a password just hit Enter.
  • You should now get a prompt ... C:\Windows
  • Type in fixmbr
  • The MBR should now be re-written with a new default XP Master Boot Record.
  • Type Exit then hit Enter to boot into Normal Mode.

Next

Once you've rebooted into Normal Mode, run a new scan with aswMBR (as detailed below).

  • Double click aswMBR.exe to run it
  • Click the SCAN button to start the scan.
  • On completion of the scan click SAVE LOG and save it to your desktop.
  • Post the log contents in your next reply please.

Next

Run a scan with Malwarebytes Anti-Malware.

  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
      • Click Check for Updates and allow the programme to download the latest definitions.
    • Click the Scanner tab.
      • Check Perform Quick Scan.
      • Click Scan and wait for the scan to complete.
      • When the scan is complete, click OK, then Show Results.
      • Check all items except items in the C:\System Volume Information folder and click on Remove Selected.
        • A box will pop-up telling you that files have been quarantined.
        • A log will pop-up.
      • Post the log in your next reply please.

You can also access the log by doing the following
  • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open

Also let me know whether you are still being re-directed.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
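The step above depends on the MBR backup (C:\Backup_MBR_0.bin) still being intact before fixmbr overwrites sector 0, and on being able to tell an infected MBR from a clean one. The following Python is an added example, not code from the thread, from aswMBR, OTL or any other tool named in it: it parses a raw 512-byte MBR, checks the 55 AA boot signature, walks the four partition entries, and diffs a backup against a current read so that a changed bootcode with an unchanged partition table (what an MBR-infecting bootkit of the TDL family leaves behind, as opposed to a repartitioning) stands out. It also reports the unallocated sectors past the last partition, the region MBR scanners walk because bootkits store their components there; that check goes slightly beyond what the post describes. The function names, the sample bootcode bytes, the disk signature and the disk size are all constructed for the example.

```python
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap code; the 4-byte disk signature follows at offset 440
PART_TABLE_OFF = 446          # four 16-byte partition entries, then the 55 AA signature
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_mbr(data: bytes) -> dict:
    """Split a raw MBR sector into bootcode, disk signature and the non-empty partition entries."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(data)}")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55 AA missing: not an MBR, or a damaged backup")
    disk_signature = struct.unpack_from("<I", data, 440)[0]
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, data, PART_TABLE_OFF + 16 * i)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"bootcode": data[:BOOTCODE_LEN], "disk_signature": disk_signature, "partitions": partitions}


def is_valid_mbr(data: bytes) -> bool:
    """True when the bytes parse as an MBR; the check to run on a backup before trusting it."""
    try:
        parse_mbr(data)
        return True
    except ValueError:
        return False


def compare_mbr(backup: bytes, current: bytes) -> dict:
    """Report which regions differ between two MBR reads. Bootcode changed while the
    partition table is intact is the pattern of an MBR-infecting bootkit."""
    a, b = parse_mbr(backup), parse_mbr(current)
    return {
        "bootcode_changed": a["bootcode"] != b["bootcode"],
        "disk_signature_changed": a["disk_signature"] != b["disk_signature"],
        "partition_table_changed": backup[PART_TABLE_OFF:510] != current[PART_TABLE_OFF:510],
    }


def unallocated_tail(parsed: dict, disk_sectors: int) -> int:
    """Sectors after the end of the last partition: space no volume owns, which MBR
    scanners walk because bootkits stash their components there."""
    end = max((p["lba_start"] + p["sectors"] for p in parsed["partitions"]), default=0)
    return max(disk_sectors - end, 0)


def build_mbr(bootcode: bytes, disk_signature: int, entries) -> bytes:
    """Assemble a synthetic MBR for offline study (nothing here is read from a real disk)."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return (bootcode.ljust(BOOTCODE_LEN, b"\x00") + struct.pack("<I", disk_signature)
            + b"\x00\x00" + table + BOOT_SIGNATURE)


# Constructed samples. The "clean" bootcode starts with the usual first bytes of a
# Microsoft bootstrap (33 C0 8E D0 BC 00 7C); the "current" read has replaced bootcode
# but the same disk signature and partition table. One NTFS partition (type 0x07)
# starting at LBA 63; the disk size is an invented figure for a ~300 GB drive.
CLEAN_BOOTCODE = bytes.fromhex("33c08ed0bc007c")
TAMPERED_BOOTCODE = bytes.fromhex("eb3c90") + b"\x41" * 32
DISK_SIGNATURE = 0x1E3A5C7D
PARTITIONS = [(0x80, 0x07, 63, 625_137_282)]
DISK_SECTORS = 625_142_448

BACKUP_MBR = build_mbr(CLEAN_BOOTCODE, DISK_SIGNATURE, PARTITIONS)
CURRENT_MBR = build_mbr(TAMPERED_BOOTCODE, DISK_SIGNATURE, PARTITIONS)

if __name__ == "__main__":
    parsed = parse_mbr(BACKUP_MBR)
    print("backup valid:", is_valid_mbr(BACKUP_MBR))
    print("partitions:", parsed["partitions"])
    print("unallocated tail sectors:", unallocated_tail(parsed, DISK_SECTORS))
    print("differences:", compare_mbr(BACKUP_MBR, CURRENT_MBR))
```

On a real machine the two inputs would be the 512 bytes of the backup file and a fresh read of sector 0 (which on Windows needs administrative access to the physical drive); the example keeps both in memory so it runs anywhere. Validating the backup first matters because fixmbr is irreversible without it.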

Re: Malware / Browser Hijack

Post by EricArsenal » May 2nd, 2011, 8:52 pm

I think I am clear. I get no redirects at cnn.com through Firefox. I can use Chrome again. I think I'll delete Internet Explorer and Safari and just leave the other 2 browsers...

I do now get an error upon start up, "Error loading: CTMBHA.dll A Dynamic link library (dll) initialization routine failed."

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-05-02 18:39:10
-----------------------------
18:39:10.968 OS Version: Windows 5.1.2600 Service Pack 3
18:39:10.968 Number of processors: 2 586 0xF06
18:39:10.968 ComputerName: ERIC UserName:
18:39:31.046 Initialize success
18:39:39.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:39:39.359 Disk 0 Vendor: ST332063 3.AD Size: 305245MB BusType: 3
18:39:39.484 Disk 0 MBR read successfully
18:39:39.500 Disk 0 MBR scan
18:39:39.578 Disk 0 scanning sectors +625137345
18:39:39.765 Disk 0 scanning C:\WINDOWS\system32\drivers
18:40:10.343 Service scanning
18:40:11.562 Disk 0 trace - called modules:
18:40:11.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
18:40:11.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b023660]
18:40:11.578 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8b024030]
18:40:11.578 Scan finished successfully
Last edited by EricArsenal on May 2nd, 2011, 8:57 pm, edited 1 time in total.
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by EricArsenal » May 2nd, 2011, 8:55 pm

When I was running Malwarebytes, MS Security caught VirTool:Win32/CeeInject.gen!Q - it was the second time MS Security caught that specific bug. It also caught Java/Exdoer earlier too.

Here is the log.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6494

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/2/2011 6:49:19 PM
mbam-log-2011-05-02 (18-49-19).txt

Scan type: Quick scan
Objects scanned: 166137
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by EricArsenal » May 2nd, 2011, 8:56 pm

So I guess I'll ask, since you brought it up earlier in our long conversation: how would I get rid of the Edward Jones entries that are no longer needed or useful to me?
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by Gary R » May 3rd, 2011, 2:08 am

Glad to hear you're not being re-directed any longer, we were rapidly running out of options.

To get rid of the Edward Jones entries .....

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:OTL
O15 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\..Trusted Domains: edwardjones.com ([securera-pilot] http in Trusted sites)
O15 - HKU\S-1-5-21-542624359-4108094095-3092757597-1006\..Trusted Domains: edwardjones.com ([securera-pilot] https in Trusted sites)
O16 - DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (OPSWAT AntiViruses Class)
O16 - DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (OPSWAT FireWalls Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://securera-pilot.edwardjones.com/ ... 9,327,1558 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {49EC7987-E331-44E3-B170-748B58A268B9} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (OPSWAT ProcessesScanner Class)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} https://securera-pilot.edwardjones.com/ ... ,0327,1547 (F5 Networks Policy Agent Host Class)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} https://securera-pilot.edwardjones.com/ ... 5,2,3790,0 (Microsoft RDP Client Control (redist))
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://securera-pilot.edwardjones.com/ ... 9,327,1548 (F5 Networks Host Control)
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} https://securera-pilot.edwardjones.com/ ... ,0327,1557 (F5 Networks OS Policy Agent)
O16 - DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (F5 Networks OPSWAT Help

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Let me know if you're still having any problems. If not, then I'll be able to give you instructions for safely removing the programs we've used to clean you up, and a few recommendations about security.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware / Browser Hijack

Post by EricArsenal » May 4th, 2011, 8:48 pm

It feels good to be able to post from the computer that I was running on instead of saving the logs on a flash drive and bringing them to my laptop to post...

========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\edwardjones.com\securera-pilot\ not found.
Registry key HKEY_USERS\S-1-5-21-542624359-4108094095-3092757597-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\edwardjones.com\securera-pilot\ not found.
Starting removal of ActiveX control {195538FD-1C39-44B1-A7C3-5D7137A8A8F1}
C:\WINDOWS\Downloaded Program Files\f5opswati.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{195538FD-1C39-44B1-A7C3-5D7137A8A8F1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195538FD-1C39-44B1-A7C3-5D7137A8A8F1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{195538FD-1C39-44B1-A7C3-5D7137A8A8F1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195538FD-1C39-44B1-A7C3-5D7137A8A8F1}\ not found.
Starting removal of ActiveX control {30CF9713-6614-4556-B5F5-66F8C7F9DEF1}
C:\WINDOWS\Downloaded Program Files\f5opswati.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{30CF9713-6614-4556-B5F5-66F8C7F9DEF1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30CF9713-6614-4556-B5F5-66F8C7F9DEF1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{30CF9713-6614-4556-B5F5-66F8C7F9DEF1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30CF9713-6614-4556-B5F5-66F8C7F9DEF1}\ not found.
Starting removal of ActiveX control {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E}
C:\WINDOWS\Downloaded Program Files\f5tunsrv.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{41EF3CD2-D8CC-4438-84B1-280BB4E77C8E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41EF3CD2-D8CC-4438-84B1-280BB4E77C8E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{41EF3CD2-D8CC-4438-84B1-280BB4E77C8E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41EF3CD2-D8CC-4438-84B1-280BB4E77C8E}\ not found.
Starting removal of ActiveX control {49EC7987-E331-44E3-B170-748B58A268B9}
C:\WINDOWS\Downloaded Program Files\f5opswati.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{49EC7987-E331-44E3-B170-748B58A268B9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49EC7987-E331-44E3-B170-748B58A268B9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{49EC7987-E331-44E3-B170-748B58A268B9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49EC7987-E331-44E3-B170-748B58A268B9}\ not found.
Starting removal of ActiveX control {57C76689-F052-487B-A19F-855AFDDF28EE}
C:\WINDOWS\Downloaded Program Files\f5InspectionHost.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{57C76689-F052-487B-A19F-855AFDDF28EE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{57C76689-F052-487B-A19F-855AFDDF28EE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{57C76689-F052-487B-A19F-855AFDDF28EE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{57C76689-F052-487B-A19F-855AFDDF28EE}\ not found.
Starting removal of ActiveX control {7584c670-2274-4efb-b00b-d6aaba6d3850}
C:\WINDOWS\Downloaded Program Files\msrdp.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7584c670-2274-4efb-b00b-d6aaba6d3850}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7584c670-2274-4efb-b00b-d6aaba6d3850}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7584c670-2274-4efb-b00b-d6aaba6d3850}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7584c670-2274-4efb-b00b-d6aaba6d3850}\ not found.
Starting removal of ActiveX control {E0FF21FA-B857-45C5-8621-F120A0C17FF2}
C:\WINDOWS\Downloaded Program Files\urxhost.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E0FF21FA-B857-45C5-8621-F120A0C17FF2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E0FF21FA-B857-45C5-8621-F120A0C17FF2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E0FF21FA-B857-45C5-8621-F120A0C17FF2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E0FF21FA-B857-45C5-8621-F120A0C17FF2}\ not found.
Starting removal of ActiveX control {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D}
C:\WINDOWS\Downloaded Program Files\f5syschk.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D}\ not found.
Starting removal of ActiveX control {EBDC91CB-F23F-477D-B152-3F7243760D04}
C:\WINDOWS\Downloaded Program Files\f5opswati.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{EBDC91CB-F23F-477D-B152-3F7243760D04}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBDC91CB-F23F-477D-B152-3F7243760D04}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EBDC91CB-F23F-477D-B152-3F7243760D04}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBDC91CB-F23F-477D-B152-3F7243760D04}\ not found.

OTL by OldTimer - Version 3.2.22.3 log created on 05042011_194539
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm
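Reading a fix log like the one above by eye means checking, for each of nine controls, that the .inf was moved and the registry keys went away, and deciding whether a "not found" is a problem. The Python below is an added example, not part of the thread and not code from OTL: it groups the fix log by the ActiveX control being removed, tallies moved/missing .inf files and deleted/not-found registry keys, pairs each CLSID with the control name from the O16 lines of the fix script, and flags two things a reviewer would want: a "not found" .inf that an earlier control in the same run had already moved (several of the F5/OPSWAT controls share f5opswati.inf, so that is expected), and a CLSID from the script that never appears in the log. The sample script and log are a subset of the lines posted in the thread, embedded here as constructed test data; the "..." in the URLs is OTL's own truncation and is kept as-is. All function and regex names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the O16 lines from the fix script posted above.
FIX_SCRIPT = r"""
:OTL
O16 - DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (OPSWAT AntiViruses Class)
O16 - DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (OPSWAT FireWalls Class)
O16 - DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} https://securera-pilot.edwardjones.com/ ... ,1218,2305 (F5 Networks OPSWAT Help
"""

# Constructed sample: the first two control blocks of the fix log posted above.
FIX_LOG = r"""
========== OTL ==========
Starting removal of ActiveX control {195538FD-1C39-44B1-A7C3-5D7137A8A8F1}
C:\WINDOWS\Downloaded Program Files\f5opswati.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{195538FD-1C39-44B1-A7C3-5D7137A8A8F1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195538FD-1C39-44B1-A7C3-5D7137A8A8F1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{195538FD-1C39-44B1-A7C3-5D7137A8A8F1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195538FD-1C39-44B1-A7C3-5D7137A8A8F1}\ not found.
Starting removal of ActiveX control {30CF9713-6614-4556-B5F5-66F8C7F9DEF1}
C:\WINDOWS\Downloaded Program Files\f5opswati.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{30CF9713-6614-4556-B5F5-66F8C7F9DEF1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30CF9713-6614-4556-B5F5-66F8C7F9DEF1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{30CF9713-6614-4556-B5F5-66F8C7F9DEF1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30CF9713-6614-4556-B5F5-66F8C7F9DEF1}\ not found.
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
START_RE = re.compile(rf"^Starting removal of ActiveX control ({CLSID})$")
INF_RE = re.compile(r"^(.+\.inf) (moved successfully|not found)\.$")
REG_RE = re.compile(r"^Registry key (.+?) (deleted successfully|not found)\.$")
# Control name is the parenthesised text at the end; the closing ")" is optional so a
# line truncated by the forum (as the last O16 line above is) still yields a name.
DPF_RE = re.compile(rf"^O16 - DPF: ({CLSID}) \S+ .*?\((.*?)\)?$")


def control_names(script: str) -> dict:
    """Map each CLSID in the script's O16 lines to the control name OTL listed for it."""
    names = {}
    for line in script.splitlines():
        m = DPF_RE.match(line.strip())
        if m:
            names[m.group(1).upper()] = m.group(2).strip()
    return names


def summarize_fix_log(log: str, script: str = "") -> "OrderedDict[str, dict]":
    """Group the fix log by the control being removed and tally what happened to each."""
    names = control_names(script)
    summary, current = OrderedDict(), None
    for raw in log.splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            current = m.group(1).upper()
            summary[current] = {"name": names.get(current, "(not in fix script)"),
                                "inf_moved": [], "inf_missing": [],
                                "registry_deleted": 0, "registry_not_found": 0}
            continue
        if current is None:  # header lines before the first control
            continue
        m = INF_RE.match(line)
        if m:
            key = "inf_moved" if m.group(2) == "moved successfully" else "inf_missing"
            summary[current][key].append(m.group(1))
            continue
        m = REG_RE.match(line)
        if m:
            key = "registry_deleted" if m.group(2) == "deleted successfully" else "registry_not_found"
            summary[current][key] += 1
    return summary


def explain_missing_inf(summary) -> dict:
    """For each 'not found' .inf, say whether an earlier control already moved that same
    file (expected when controls share an .inf) or whether it was never seen at all."""
    moved_so_far, verdicts = set(), {}
    for clsid, info in summary.items():
        for inf in info["inf_missing"]:
            why = "already moved with an earlier control" if inf.lower() in moved_so_far else "never present"
            verdicts.setdefault(clsid, []).append((inf, why))
        moved_so_far.update(i.lower() for i in info["inf_moved"])
    return verdicts


def not_processed(script: str, summary) -> list:
    """CLSIDs listed in the fix script that never appear in the log; worth a second look."""
    return [c for c in control_names(script) if c not in summary]


if __name__ == "__main__":
    result = summarize_fix_log(FIX_LOG, FIX_SCRIPT)
    for clsid, info in result.items():
        print(clsid, info)
    print("missing .inf verdicts:", explain_missing_inf(result))
    print("in script but not in log:", not_processed(FIX_SCRIPT, result))
```

Run against the full log, the "in script but not in log" list should be empty and every missing .inf should resolve to "already moved with an earlier control"; anything else is the line to ask about in the next reply.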

Re: Malware / Browser Hijack

Post by Gary R » May 5th, 2011, 1:31 am

Looks like everything went without problem. Time to do a little tidying up.

First

Let's clear out Combofix and the files/folders it created
  • Click Start > Run
  • Copy/Paste ComboFix /Uninstall into the Run box.
  • Click OK
  • Combofix will now delete its files and folders and also perform the following function.
    • Clears System Restore cache and creates a new Restore point. This will remove any "malicious" System Restore files, which may have been created whilst your computer was infected.
IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Next

Let's clear out OTL and the files and folders it created. This will also remove TDSSKiller, SystemLook, and GMER (except for the random named .exe file)
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next

Please delete the following ....

MGADiagnostic Tool
aswMBR.exe
MBRFix
C:\Backup_MBR_0.bin
RootkitUnhooker
Any remaining log files from the tools we've used.


As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

If your computer is running slowly after your clean up, please read.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Malware / Browser Hijack

Post by EricArsenal » May 5th, 2011, 9:54 pm

OTL is gone. Combofix wasn't found. I cleaned up the logs that I saw. Things are clean on my end as far as I can see.

That was a superb job you did. Being a quarter of the world away certainly made things more difficult and I appreciate your patience.

Thanks. Now add me to the list of things the victims say...
EricArsenal
Regular Member
 
Posts: 33
Joined: April 16th, 2011, 11:59 pm

Re: Malware / Browser Hijack

Post by Gary R » May 6th, 2011, 1:14 am

You're welcome, glad we could help, and even more glad that we found what the cause of the problem was. ;)

EricArsenal wrote: Thanks. Now add me to the list of things the victims say...


No problem.

Keep safe.

Gary

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire