Browser redirect & won't let to update - virus

Inactive
By infected1999
Mar 28, 2010
Topic Status:
Not open for further replies.
  1. For the last two days I tried to get rid of this virus, ran a variety of scanners, nothing would help.
    Finally came across Combofix and out of desperation, used it.
    Worked!
    All antispyware programs will update now, google will not get redirected.
    But the problem is, when I run SOS, MBAM & AVG, the first two don't see anything, AVG still sees one infection that it has seen before running Combofix and can't remove it.
    Second thing, when I ran Combofix, the computer seemed to be cleaned up. Then I started removing Spyware Doctor, and when I did it, it reactivated the virus, the browser got redirected again and SOS would not update. After restart, everything is ok, no sign of infection (I mean except AVG seeing it, but no other symptoms).
    How to clean up the remaining infection?
    Thank you.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please follow the steps HERE.

    Paste in the 3 logs for us to review.

    There is a thread with this title at the top of this forum:
    Do Not Run Combofix without our guidance
    The reason why you continue to see the malware is because you attempted to run programs without any guidance. I take no responsibility for what action-or reaction that may have caused on your system.

    But unless you give me something I can see and review, I can't help you. You have an antivirus program showing malware off and on- how about a log when it finds it 'on'? How about letting us review what is and is not found in the scans you run?
  3. infected1999

    infected1999 Newcomer, in training Topic Starter

    I didn't realize how important it was to run it under guidance, until after I read a few threads on this forum just now. I guess it must be frustrating for you since you must be getting it quite often.
    Anyways, I have a log from ComboFix saved, do you want me to post all of it here?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Go ahead and leave the Combofix report you saved.
  5. infected1999

    infected1999 Newcomer, in training Topic Starter

    How do you attach the text here, instead of copy/paste?
  6. infected1999

    infected1999 Newcomer, in training Topic Starter

    combofix & hijackthis logs

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I recommend that you reformat and reinstall the operating system.

    When you do, put only one antivirus program on. Stay away from programs like Hitman. Don't use a registry cleaner. Be wary of sites to evaluate your 'corrupt data'. And if you have a problem, come to us first.
  8. infected1999

    infected1999 Newcomer, in training Topic Starter

    Thank you for your time spent on the issue.

    I have some programs on my pc that I would not like to lose.
    I really, really don't want that.
    But if there is no other way to be safe...

    There is no other way to clean my pc up?
    The infection is so severe that reinstalling the system is the only way to go?
    Why?

    Thanks for your patience.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The main problem is because you messed up your system running a lot of programs with no guidance. You can try going back to our beginning. Recover the Combofix deletes first:

    Copy ComboFix from quarantine back to desktop:
    Click Start > Run > copy/paste the below into the run box and then click OK.

    Code:
    cmd /c Copy /y "C:\Qoobox\Quarantine\C\Documents and Settings\Home\Desktop\ComboFix.exe.vir" "C:\Documents and Settings\Home\Desktop\ComboFix.exe"
    
    You should now have a ComboFix icon back on your desktop.

    Now we need to use ComboFix to restore files. This will only restore, it will not delete anything.
    • Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
      ◦ If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad ( Click Start > Run, type notepad then press Enter ) and copy/paste the text in the below quote box into it:
    Code:
    KILLALL::
    Dequarantine::
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile
    C:\Qoobox\Quarantine\C\Documents and Settings
    Quit::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.

    Do not mouse-click combofix's window while it is running. That may cause it to stall. Be patient. It can take a while for all files to restore. You will slowly notice things appearing on the Desktop. Wait for ComboFix to finish. It will show you a De-Quarantine log when it is finished.

    Once that has been done, please follow the steps for preliminary removal HERE.

    Add the logs from Malwarebytes, Superantispyware and HijackThis to the new Combofix report.

    Please understand that this isn't going to restore removals from all the programs you ran. I have no way of knowing whether any legitimate entries were removed.
  10. infected1999

    infected1999 Newcomer, in training Topic Starter

    Tried to follow your directions:

    When ComboFix started running, a window opened with the following text:
    "Were you trying to run CFS script?
    The name CFS Script appears to be incorrectly spelled"

    When I "ok" it, the ComboFix screen copied 1 file and the blue screen disappeared.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    Please understand that I have no idea what the malware is- whether it's a virus, Trojan, Worm, spyware, adware, etc.
  12. infected1999

    infected1999 Newcomer, in training Topic Starter

    Log 4 shows infection

    Also this is what the AVG scan says:
    C:\Windows\System32\drivers\atapi.sys;"Virus identified Win32/Patched.CG";"Object is white-listed (critical/system file that should not be removed)"

    Attached Files:

    • 1.txt (3 KB, 1 view)
    • 2.txt (3 KB, 1 view)
    • 3.txt (3 KB, 1 view)
    • 4.txt (3.3 KB, 3 views)
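The two posts above come down to one question: have the system executables that the helper listed (userinit.exe, explorer.exe, svchost.exe) and the driver AVG flagged (atapi.sys, "Win32/Patched") been altered from their shipped versions? Uploading each file to an online scanner is one way to answer that; the defender-side equivalent is to hash the files and compare them with a baseline taken from a clean install of the same Windows version and service pack. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It builds a throw-away directory with constructed stand-ins for those files (the byte strings are invented, not real file contents), records their hashes as the baseline, then appends a few bytes to the fake atapi.sys to simulate a patched driver and shows the comparison flagging only that file. The `check_files` function is the reusable part; `build_demo` and `run_demo` exist only to make the example self-contained.

```python
"""Compare Windows system files against a known-good SHA-256 baseline.

Added example. The baseline here is constructed inside the script; on a real
system it must come from a clean installation of the same Windows build,
and the check should be run from outside the suspect OS (boot media), because
a rootkit that has patched a driver can also lie to tools reading the disk
through the infected kernel.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_files(windir, baseline):
    """Return {relative_path: 'ok' | 'MODIFIED' | 'MISSING'} for every baseline entry.

    windir   -- root of the Windows directory being checked (e.g. C:\\WINDOWS)
    baseline -- {relative_path: expected_sha256_hex} from a clean install
    """
    results = {}
    for rel, expected in baseline.items():
        full = os.path.join(windir, *rel.split("/"))
        if not os.path.isfile(full):
            results[rel] = "MISSING"          # deleted, or a baseline typo
            continue
        results[rel] = "ok" if sha256_of(full) == expected else "MODIFIED"
    return results


def build_demo(root):
    """Create constructed stand-ins for the files named in the thread and
    return their clean-state baseline. Contents are invented placeholders."""
    files = {
        "system32/userinit.exe": b"MZ placeholder: clean userinit",
        "explorer.exe": b"MZ placeholder: clean explorer",
        "system32/svchost.exe": b"MZ placeholder: clean svchost",
        "system32/drivers/atapi.sys": b"MZ placeholder: clean atapi",
        "system32/drivers/example.sys": b"MZ placeholder: will be removed",
    }
    baseline = {}
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        baseline[rel] = hashlib.sha256(content).hexdigest()

    # Simulate the infection AVG reported: a few bytes appended to the driver.
    with open(os.path.join(root, "system32", "drivers", "atapi.sys"), "ab") as f:
        f.write(b"\x90\x90 injected stub")
    # Simulate a file that was quarantined or deleted by one of the cleaners.
    os.remove(os.path.join(root, "system32", "drivers", "example.sys"))
    return baseline


def run_demo():
    """Build the constructed tree, run the check, and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_demo(tmp)
        return check_files(tmp, baseline)


if __name__ == "__main__":
    for rel, status in sorted(run_demo().items()):
        print(f"{status:8} {rel}")
```

A real run replaces `build_demo` with a baseline file exported from a clean machine and points `check_files` at the mounted Windows directory of the suspect disk; "MODIFIED" on a file that Windows File Protection should keep pristine, such as atapi.sys in this thread, is the condition to act on, while "MISSING" usually means one of the cleaners already quarantined it.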
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Thank you. Please do the following:


    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    [image]
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • You should get a screen like this:
    [image]
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.
  14. infected1999

    infected1999 Newcomer, in training Topic Starter

    report submitted

    Attached Files:

  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    We're not making a lot of progress! I'd like you to run Combofix again and an online AV scan:

    Uninstall ComboFix and all Backups of the files it deleted first:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [image]

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the Combofix report and the Eset scan log in next reply.
    NOTE: Don't check for removal in the online scan- I'll handle that.