Browser re-directs occurring

[flexbert]

Hi,
I'm new here and have been having some browser problems for about a week now. I have been getting AVG anti-virus detections of a Trojan Horse "Collected.11.B". I have seen several ominous sounding detections (Backdoor.MSNMaker.ag; WinFixer; UWAS7_0001_N91M1112NetInstaller.exe; DriveCleaner) in AVG anti-spyware and Windows Defender.

I went through the process here https://www.techspot.com/community/topics/updated-4-step-viruses-spyware-malware-removal-preliminary-instructions.58138/ and I have attached the HJT, ComboFix and AVG anti-spyware logs as per the instructions. Please note that AVG Antirootkit did not find any rootkits.

Any further suggestions would be much appreciated.

--flexbertView attachment 16216

View attachment 16217

View attachment 16218

 

[howard_hopkinso]

Hello and welcome to Techspot.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log. Let me know if you`re still having problems.

Regards Howard :wave: :wave:

This thread is for the use of flexbert only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[flexbert]

Next step

Thanks for that reply. The problems are on my home computer and I'm at work now, so I will give this a try tonight.

Cheers,

--flexbert

 

[flexbert]

Avenger done

I have run the Avenger program with the script that you had attached. The Avenger log file and a new HJT log file are attached.

When I run a HJT scan there is a list of items with the option to check them and then "Fix checked" - I see that this list is also included in the HJT log. Some of these I recognize, but others I do not. Should I be scrutinizing this list more closely and selecting some to be fixed ?

I have not done a lot of checking yet, but the initial indications are that the re-directs have stopped. I'll continue to monitor.

--flexbert

View attachment 16247
View attachment 16248

 

[howard_hopkinso]

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ALCXMNTR.EXE

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?

O16 - DPF: {F55C25D3-D16A-11D3-81DF-00A0C91F5E7D} (Gtek Print Control) - http://www.kiddonet.com/kiddonet/GtekPrt.ocx

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\ALCXMNTR.EXE

Reboot your system.

Other than the above, your HJT log is now clean.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of flexbert only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[flexbert]

Done with thanks

All complete and many thanks for the guidance.

--flexbert