- Following the Guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions creates a common beginning for an initial assessment.
- complaining of fake alerts -
- Without supporting logs, anything caught by HJT is used to suggest changes.
- However, the MBAM and/or SAS logs will improve handling of this thrreat.
- Scan with HJT. Tick & Fix. Restart the computer
Code:
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\Naveed\LOCALS~1\Temp\a.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Naveed\LOCALS~1\Temp\~tmpa.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{11D858EB-A02E-4CE6-B9F4-6FA714D996F3}: NameServer = 85.255.113.146,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{B11297A5-628C-416C-8B2C-840BA0140092}: NameServer = 85.255.113.146,85.255.112.66
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146,85.255.112.66
- Delete folders / files - if present - from the list inside code box
Code:
C:\Program Files\tintinyproxyy\tinyproxy.exe
C:\DOCUME~1\Naveed\LOCALS~1\Temp\a.exe
C:\DOCUME~1\Naveed\LOCALS~1\Temp\~tmpa.exe
C:\WINDOWS\system32\1C21MQ6Q.exe
- Post new logs if problems are still present.
This section applied to first HJT log -
HJT did not raise any flags.
- O23 - tinyproxy was missed. - As a first step, power off all computers connected to your local network. Remove and restore power to router and/or the broadband modem. Re-establish computers' connection to the internet. And yes, this is based on
folklore.
If that fails try to work around the malware, as follows.
Your are describing an exploit to frustrate reaching anti-malware sites. Here are methods that have been used recently. The alternative was offered by a new member.
- Since you are discribing a case of difficulty. attempt this method (follow link for 'How To')
- Use this method to stop any 'non-plug and play' driver that is named in this guide.
- Please report its name for changes to the method
- For infections that have more severe symptoms, Unable to run or update via TechSpot 8 Steps or manually run MBAM or SAS
- Message #3 - link to 'fixit download' has demonstrated its effectiveness in many cases. Go to message # 3 'fixit download'. Part of the method renames the executable to get the application to run. Here is another member that used renaming.
- Alternative - Web site has a link to download-dot-com - phonetic spelling used
- There appears to be a connection with 'sagipsul' popups.
- Read this post. from member.
- phonetic spelling for web site
- w.dot-simplysup.dot-com/tremover/download.html
01-07-2009
