TechSpot

It started with redirecting links.

By surrogatepeople
Jun 24, 2010
  1. Hi everyone, this is my first time posting my tech problems on an online forum, because I really don't know what to do anymore...

    It started with my Firefox browser redirecting search links to adwords online secure... After some googling I figured my computer is infected with some malware. The computer is also much slower than before and freezes sometimes.

    I tried to follow the 8 Step removal instructions and installed Avira Free, but it kept freezing during the virus scan (I had McAfee installed prior to it, but the virus scan wasn't active anymore). I removed it again and re-installed McAfee, but it did not find any viruses.

    I then followed steps 2, 3 and 4, but I'm having trouble running GMER... the screen goes blue and I got a 'pfn list corrupt' message...
    May something be wrong with my RAM (as well)?

    Any help/advice much appreciated... thanks.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your system is badly infected. Please try running GMER either of the 2 following ways:
    1. Uncheck 'Devices' or
    2. Boot into Safe Mode and scan.

    We need the other program in the thread: DDS (2 logs)

    For the 'pfn list corrupt' message, please go through the sites HERE and see if you can identify your particular problem.
    =================================
    When you have completed the above:
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Include the following logs in your next reply:
    GMER
    DDS> both logs
    Combofix
    Eset Nod32

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. surrogatepeople

    surrogatepeople TS Rookie Topic Starter

    Thank you for the help, Bobbye.

    I ran GMER and DDS in Safe Mode. McAfee caused problems again, too... so I uninstalled it with the remover tool (again) :(

    Here are my logs...
     

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, the active entries in the Eset log are part of the Help Assistant malware, so instead of removing those 3 entries, I'd like you to run the following program. Hopefully it will remove this infection along with its many entries showing in Combofix:

    Please print the instructions below for this program. You will not have access to the directions once you have started.

    Please download HelpAsst mebroot fix.exe by noahdefrea and save to your desktop
    • Close out all other open programs and windows.
    • Double-click on it to run the tool and follow any prompts.
    • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    • Upon restarting, please wait about 5 minutes, go to > Run..., and in the Open dialog box, type: helpasst -mbrt
      Make sure you leave a space between helpasst and -mbrt.
    • Click OK or press Enter.
    • HelpAsst fix will create and open a log when done.
    • Copy and paste the contents of that log into your next reply.
    In the event the tool does not detect an mbr infection and completes, do this:
    • Go to > Run> in the Open dialog box type: mbr -f
    • Click OK or press Enter.
    • Now, please do the Start > Run > mbr -f command a second time.
    • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
    • After restart go to > Run> in the Open dialog box, type: helpasst -mbrt
      Make sure you leave a space between helpasst and -mbrt.
    • Click OK or press Enter.
    • HelpAsst fix will create and open a log when done.
    • Copy and paste the contents of that log into your next reply.

    -- Important note to Dell users: Fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
    Source: BleepingComputer
    ================================
    When you have finished this program, please run a new scan with Combofix and leave both logs. Be sure you disable the security as instructed, as it was running in the first Combofix scan.
    There's a lot of work to be done and it's really important that you follow what I list in the order I give it.

    You also have uTorrent scheduled to do some kind of Task. Please open the Scheduled Tasks in the Control Panel and remove this from the schedule. I would encourage you to uninstall uTorrent and any other file sharing programs you're using. It's going to take a lot of work to get your system clean (if we can get it clean) and I hate to see malware coming in the back door from file sharing!

    This is the entry > it looks like it was set up in 2006 and has been updating ever since:
    2010-06-24 c:\windows\Tasks\µTorrent.job
    - c:\dokume~1\MELISS~1\EIGENE~1\utorrent.exe [2006-01-06 12:32]
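The post above points at two persistence locations a helper wants re-verified once the fixes are done: a scheduled task whose target executable lives in a user's profile folder rather than under Program Files or Windows, and a boot sector that the mbr -f step is meant to restore. The following Python is an added example written for this thread; it is not ComboFix, GMER or the HelpAsst tool, and it assumes two things: that scheduled-task entries arrive in the two-line layout quoted above (date plus .job path, then a dash, the target path and its timestamp in brackets), and that a SHA-256 of the boot-code region was recorded from the same machine while it was known-clean, which the thread's tools do not do. The log excerpt and the 512-byte sectors are constructed for the example.

```python
"""Post-cleanup checks for the two persistence points discussed in this thread.

Example code added to the thread, not a tool from it. Sample data is constructed.
"""
import hashlib
import re
import struct
from dataclasses import dataclass

# ---- Check 1: scheduled tasks that run an executable from a user-profile folder ----

# Constructed excerpt in the two-line layout quoted in the post (one suspicious, one not).
SAMPLE_TASK_LOG = r"""
2010-06-24 c:\windows\Tasks\µTorrent.job
- c:\dokume~1\MELISS~1\EIGENE~1\utorrent.exe [2006-01-06 12:32]
2010-06-20 c:\windows\Tasks\McAfeeUpdate.job
- c:\programme\mcafee\update.exe [2009-11-02 08:15]
"""

# Top-level profile folders on XP/Vista in their long and 8.3 forms; the German
# 8.3 name matches the path in the post. Assumption: extend for other locales.
PROFILE_ROOTS = {"dokume~1", "docume~1", "documents and settings", "users"}

JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S.*?\.job)\s*$", re.IGNORECASE)
TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[([^\]]+)\]\s*$")


@dataclass
class TaskEntry:
    scanned: str       # date the scanner saw the .job file
    job: str           # path of the .job file under c:\windows\Tasks
    target: str        # executable the task launches
    target_stamp: str  # timestamp reported for that executable


def parse_tasks(text):
    """Pair each '.job' line with the target line that follows it."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for first, second in zip(lines, lines[1:]):
        m_job, m_tgt = JOB_RE.match(first), TARGET_RE.match(second)
        if m_job and m_tgt:
            entries.append(TaskEntry(m_job.group(1), m_job.group(2),
                                     m_tgt.group(1), m_tgt.group(2)))
    return entries


def runs_from_profile(path):
    """True when the first folder after the drive letter is a user-profile root."""
    parts = path.replace("/", "\\").lower().split("\\")
    return len(parts) > 2 and parts[1] in PROFILE_ROOTS


def suspicious_tasks(text):
    """Tasks whose target executable is not installed under Program Files/Windows."""
    return [e for e in parse_tasks(text) if runs_from_profile(e.target)]


# ---- Check 2: has the boot-code region of the MBR changed since a clean baseline? ----

MBR_SIZE = 512
BOOT_CODE_END = 446      # bytes 0..445 hold boot code, the region an MBR rootkit replaces
PART_TABLE_END = 510     # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"  # bytes 510..511 of any valid MBR


def build_sample_mbr(boot_code):
    """Construct a minimal, well-formed 512-byte MBR for the example (not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    # one active (0x80) partition entry of type 0x07, then three empty entries
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2097152)
    return code + entry + b"\x00" * 48 + SIGNATURE


def mbr_structure_ok(sector):
    """Sanity-check size, signature and the boot-indicator byte of each partition entry."""
    if len(sector) != MBR_SIZE or sector[PART_TABLE_END:] != SIGNATURE:
        return False
    active = 0
    for off in range(BOOT_CODE_END, PART_TABLE_END, 16):
        flag = sector[off]
        if flag not in (0x00, 0x80):  # any other value means a corrupt entry
            return False
        active += flag == 0x80
    return active <= 1


def boot_code_digest(sector):
    """SHA-256 of the boot-code region only; the partition table may legitimately change."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def mbr_changed_since_baseline(current, baseline_digest):
    """True when the boot code no longer matches the digest recorded on a clean system."""
    return boot_code_digest(current) != baseline_digest


if __name__ == "__main__":
    for e in suspicious_tasks(SAMPLE_TASK_LOG):
        print(f"review task {e.job}: runs {e.target} (file dated {e.target_stamp})")
    clean = build_sample_mbr(b"\xeb\x3c\x90CLEAN")
    baseline = boot_code_digest(clean)
    tampered = build_sample_mbr(b"\xeb\x3c\x90HOOKED")
    print("tampered MBR differs from baseline:", mbr_changed_since_baseline(tampered, baseline))
```

The task check deliberately looks only at where the target executable lives, not at the program's name: the post's concern is that something scheduled from a Documents folder in 2006 has been running unattended ever since, and that pattern is what the heuristic catches. The MBR check compares only the first 446 bytes, so a partition-table edit by a legitimate tool does not trigger it, while a structurally valid sector with replaced boot code (the case mbr -f is meant to undo) does.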
     
  5. surrogatepeople

    surrogatepeople TS Rookie Topic Starter

    Sorry, I hope I turned off all the security this time.
    I removed the schedule from the task and deleted uTorrent.
    (btw I used it for live recording sites like dimeadozen.org, are those unsafe, too?)

    there seemed to be some error with 'catchme' during combofix, but it disappeared before I could read it all?

    thank you :)
     

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Based on the number of entries I can't identify and the fact that the system is more infected now with Help Assistant even after running the removal program, I am going to suggest that you reformat and reinstall the operating system.

    The chance I take with so many unknown entries is 1. Not removing all bad entries and/or 2. Removing good entries in your language.

    I seldom recommend this, but in this case, I think it is the best thing for you to do.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
     
Topic Status:
Not open for further replies.
