The reason you may be re-infected is that there may be a DNS changer, which can infect your router.
1. Shut down your computer, and any other computer connected to your router.
2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds. Unplug the router. Wait sixty seconds. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
3. With the router unplugged, start your computer. Run MBAM again.
4. Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the router configuration page and re-enter your authentication information.
5. Attach the new offline MBAM scan results here.
Run CFScript
Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also, pay particular attention to this: make sure the word KillAll:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Code:
KillAll::
File::
c:\windows\system32\drivers\wmzolan.sys
c:\docume~1\Avin\LOCALS~1\Temp\ovfsthbdrtfqwgta.tmp
c:\docume~1\Avin\LOCALS~1\Temp\ovfsthdstraetspj.tmp
c:\docume~1\Avin\LOCALS~1\Temp\ovfsthmnrdvnnorx.tmp
Folder::
c:\docume~1\Avin\LOCALS~1\Temp\ovfsth000
c:\docume~1\Avin\LOCALS~1\Temp\ovfsthx000
Driver::
jplbozx
Rootkit::
c:\windows\system32\ovfsthbgradybewteceviqtvbqdrdkfgtuupqj.dll
c:\windows\system32\ovfsthcshqrcojcrqrgimapeonolhaohxhilgt.dat
c:\windows\system32\ovfsthibpnkhxcgtwipwkbbebcbairurlspwwq.dll
c:\windows\system32\ovfsthkkmfxfmfwmagbplbsuwkuhjmvshppwrt.dat
c:\windows\system32\ovfsthujcublovqmdhrnbypiqltnttynqfqedd.dl
c:\windows\system32\drivers\ovfsthlqvpxmobirviuamvxwbywslhyvbtuijx.sys
Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthyqvdkmpmyqlvfboscprrothxrjnvdrwu]
"imagepath"=-
Save this as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
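Steps 1 to 5 above reset the router because a DNS changer rewrites the DNS servers the router hands out over DHCP, so a cleaned workstation gets re-pointed at the attacker's resolvers as soon as it reconnects. The check a practitioner wants after the reset is whether the workstation is still using resolvers it should not be. The script below is an added example, not part of the original post and not code from MBAM, ComboFix or any other tool mentioned there; it parses `ipconfig /all` output (a constructed sample is embedded so it runs offline) and flags any DNS server that is neither the default gateway nor on an expected-resolver list. The expected list and the sample addresses are assumptions for the demo.

```python
"""Flag unexpected DNS servers in Windows `ipconfig /all` output.

Added example for the router-reset procedure; not code from the original
post or from any tool it names. Assumed values are marked below.
"""
import ipaddress
import re
import subprocess
import sys

# ASSUMPTION: resolvers you expect after the reset, i.e. the router's LAN
# address and the ISP or public resolvers you configured yourself.
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Constructed sample modelled on `ipconfig /all` (XP/7 layout). The DNS
# entries are deliberately public addresses the user never configured.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.34
                                       85.255.112.35
"""


def parse_ipconfig(text):
    """Return (default_gateway, [dns servers]) from `ipconfig /all` text.

    The first DNS server sits on the labelled line; additional servers
    follow on continuation lines that carry only an address, so we keep
    consuming lines until a blank line or another "label : value" line.
    """
    gateway = None
    dns = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r"\s*Default Gateway[ .]*:\s*(\S+)", line)
        if m:
            gateway = m.group(1)
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            dns.append(m.group(1))
            i += 1
            while i < len(lines) and lines[i].strip() and ":" not in lines[i]:
                dns.append(lines[i].strip())
                i += 1
            continue
        i += 1
    return gateway, dns


def suspicious_resolvers(gateway, dns, expected=EXPECTED_RESOLVERS):
    """Return the DNS servers that are neither the gateway nor expected.

    After a factory reset the router normally hands out itself (or the
    ISP's resolvers) as DNS. A public address you did not configure is
    the signature of a DNS changer that has rewritten the router settings.
    """
    flagged = []
    for server in dns:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # not even a valid address: flag it
            continue
        if server == gateway or server in expected:
            continue
        flagged.append(server)
    return flagged


def dns_hijack_report(text, expected=EXPECTED_RESOLVERS):
    """Parse ipconfig text and return the list of suspicious resolvers."""
    gateway, dns = parse_ipconfig(text)
    return suspicious_resolvers(gateway, dns, expected)


def check_sample():
    """Run the check against the embedded constructed sample."""
    return dns_hijack_report(SAMPLE_IPCONFIG)


if __name__ == "__main__":
    # `--live` runs the real command on a Windows host; default is the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    bad = dns_hijack_report(text)
    if bad:
        print("Unexpected DNS servers (possible DNS changer):", ", ".join(bad))
    else:
        print("DNS servers look as expected.")
```

Run it with `--live` on the workstation after step 4; if it still lists resolvers you did not configure, the router settings were not actually cleared, which is the case where the post tells you to open the router configuration page and re-enter its settings.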