Massive virus?? Possible google redirect?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Texasrebel, Aug 11, 2011.

  1. Texasrebel

    Texasrebel Private E-2

    Hello everyone. I'm new to this forum and you guys and gals came highly recommended from a friend.

    I'm not sure what's going on, or how it happened. I can tell you what is going on.

    When I go to a search on google, my search takes me to pages that have nothing to do with my google search.

    I went through all the Run and Read me, all the programs installed, however, they would not run. When I clicked on them to run, they would start for a brief second then shut down. On the second try, a message would pop up that read, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the items."

    For the record, I am logged in as administrator.

    Note....I was able to run MGTOOLS after a reboot.

    Windows XP 32 bit service pack 3

    Any help would be much appreciated.
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please Disable Spybot's TeaTimer --> Should have been done as per the R&R instructions!

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Now download The Avenger by Swandog46 to your Desktop.

    See the download links under the icon.
    Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    • Run avenger.exe by double-clicking on it.
    • Click OK at the warning to continue to use The Avenger
    • Do not change any of the check box options!
    • Shut down your protection software now to avoid possible conflicts.
    • Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    • Now click the Execute button
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now see if you can run the other scans.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. Texasrebel

    Texasrebel Private E-2

    Apologies, I missed TeaTimer, which is now done.

    Ran the Avenger

    Tried to run other scans still not working. Only tool working is MGTOOLS

    Combo fix says AVG is still present even though I uninstalled it and used the removal tool.

    Thanks for the quick reply and help!
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not sure why you are still having problems. Let's do this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):


    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the Execute button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now see if you can run Combo and the other scans.

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...

    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). Be sure to click yes to the pop up to run HJT, you need to agree to it twice.

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. Texasrebel

    Texasrebel Private E-2

    Okay, all anti-virus programs have been deleted. I actually uninstalled AVG before starting this process as I wanted to install Trend Micro to get rid of the virus or malware, but now my CD drive won't show up on my computer. There is still an AVG folder in Program Files that I can't get rid of, and it appears to have a DLL file that won't let me delete it.

    Ran the avenger again

    Tried the Read and Run Me scans: This time SUPERAntiSpyware ran for almost 3 hours before shutting down on its own. No logs recorded. Note: SUPERAntiSpyware could not be opened from the desktop icon, had to open from an alternate start.

    Malware Bytes does not run

    ComboFix still has the AVG warning, but is saying we can run ComboFix but it may damage the computer. Should I run it anyway?

    MGTOOLS ran

    MBR Check showed "done press enter to exit"

    Also FYI: As I try each one of these programs, I'm unable to use the Start button at times, and I have to reboot the computer. Sometimes the Start button is okay and sometimes it can't be used.

    Thanks
     

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please go to C:\MGTools\analyse.exe and run it. Do a system scan and save the log. Attach it to your next reply.


    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the Execute button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now go ahead and run ComboFix, regardless of what it tells you.

    I don't think you are having malware issues so much as you are having system issues.
     
  7. Texasrebel

    Texasrebel Private E-2

    Went to C:\MGTools\analyse.exe to run it. It would not run. Message said, "You do not have permission to access this file or folder".

    Ran avenger

    Ran ComboFix: still receiving the AVG message. Once ComboFix was updated, it starts, and then the message returned is Access Denied 7 times. Nothing happens after that.

    Thanks
     

  8. Texasrebel

    Texasrebel Private E-2

    FYI: I'm definitely having Google redirect problems.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Once you finish doing the TDSSKiller scan, please go here and run an online scan:

    eSet Online Scan.
     
  11. Texasrebel

    Texasrebel Private E-2

    Tried to run TDSSKiller.

    After downloading......started the program, however, just like all the other programs we have tried to run, it too ran for about 2 seconds and shut down. Once this happens, you can't open it again and you get that message "Windows cannot access the specified device, path, or file".

    Renamed the download and tried it again, and the same thing happened.

    Thanks
     
  12. Texasrebel

    Texasrebel Private E-2

    Ran online scan "eset"

    Here's the log

    Thanks
     
  13. Texasrebel

    Texasrebel Private E-2

    Ooops..for some reason it wouldn't let me attach the text log?

    Anyway, here's a copy and paste of the ESET log

    C:\MGtools\Process.exe Win32/PrcView application cleaned by deleting - quarantined
    C:\Program Files\Java\jre6\bin\jqs.exe Win32/Patched.HN trojan error while cleaning
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE Win32/Patched.HN trojan error while cleaning

    Thanks
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have your XP boot CD?
     
  15. Texasrebel

    Texasrebel Private E-2

    I can't seem to find the CD. I'm not sure I even got a CD when I bought the computer, which I did buy new.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Curiouser and curiouser. We have a few more items to remove, but I am not seeing what I would expect to see with a redirection problem. Are you running through a router? Are there other computers also running through the router if you are? Do they have similar issues with redirects?


    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the Execute button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  17. Texasrebel

    Texasrebel Private E-2

    Yes I am running through a netgear router. My other computer does not have any problems.

    Avenger log attached

    Registry addition was successful

    MG log attached
     

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any malware. Are you being redirected in all browsers?
     
  19. Texasrebel

    Texasrebel Private E-2

    All I have is IE

    If I don't have malware issues, then why is it when I go to Google, do a search, find the link I want, click it, and it takes me to something totally off base from my search? Also, why can't I run any of the malware tools or install Trend Micro?

    Maybe I should use this thing as a boat anchor? :) Actually this computer is only a year old.

    Thanks for your help
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We aren't going to give up. I have asked for a consultation with your issues. Hang in there. ;)
     
  22. Texasrebel

    Texasrebel Private E-2

    Yes....I have gone through the re-direct instructions. I just ran Spybot. For some reason, I can run Spybot, but the stuff Spybot is finding is probably a hoax due to the virus? Anyway...here's what Spybot has found...

    Double Click - 1 entry

    Media Plex - 3 entries

    Early on I ran spy bot and it found these..

    Win32.agent.chh
    Double Click
    Statcounter

    It seems no matter what...some of these just come right back after deletion.

    FYI - when I go to my C drive, there is no D or E drive visible? I have no idea what's up with this.

    Thanks for your help. I will be as patient as it takes :)
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  24. Texasrebel

    Texasrebel Private E-2

    Here ya go!!

    Logs attached.

    Thanks
     

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    Code:
    :processes
    :otl
    PRC - C:\WINDOWS\1151866976:2682738619.exe File not found
    MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
    SRV - (AVG Security Toolbar Service) --  File not found
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  File not found
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} -  File not found
    O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} -  File not found
    O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} -  File not found
    O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} -  File not found
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
    O3 - HKLM\..\Toolbar: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} -  File not found
    O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} -  File not found
    O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} -  File not found
    O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  File not found
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (IMVU Inc Toolbar) - {90B49673-5506-483E-B92B-CA0265BD9CA8} -  File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 -  File not found
     
    :services
    6018a844
    AVGIDSDriver
    Avgmfx86
    AVGIDSEH
    AVGIDSShim
    AVGIDSFilter
    Avgldx86
     
    :files
    @Alternate Data Stream - 816 bytes -> C:\WINDOWS\1151866976:2682738619.exe
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:DFC5A2B2
    C:\WINDOWS\1151866976
    C:\ComboFix
    C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
     
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Aug 15, 2011
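As an added illustration (my own code, not part of the thread and not OTL's), here is a small Python triage of the entry types in the fix script above: it parses O2/O3 browser add-on lines, O10 Winsock catalog entries and @Alternate Data Stream records, flags entries whose files are missing, and warns that the O10 catalog is the Winsock LSP chain that networking depends on. The sample lines are copied from the script above; the field names and the report layout are my own.

```python
"""Triage of OTL-style log lines: O2 BHOs, O3 toolbars, O10 Winsock catalog
entries and @Alternate Data Stream records (added example, not OTL code)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: lines copied from the OTL fix script posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (IMVU Inc Toolbar) - {90B49673-5506-483E-B92B-CA0265BD9CA8} -  File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 -  File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 -  File not found
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\1151866976:2682738619.exe
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:DFC5A2B2
"""

RE_O2 = re.compile(r"^O2 - BHO: \((.*?)\) - (\S+) - (.*)$")
RE_O3 = re.compile(r"^O3 - (HK\w+\\\.\.\\[^:]+): \((.*?)\) - (\S+) - (.*)$")
RE_O10 = re.compile(r"^O10 - (Protocol_Catalog9\\Catalog_Entries\\\d+) - (.*)$")
RE_ADS = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.*)$")


@dataclass
class Entry:
    kind: str     # "bho" | "toolbar" | "lsp" | "ads"
    name: str
    ident: str    # CLSID, catalog entry, or the ADS host path
    target: str   # file path, or the stream name for an ADS
    status: str   # "present" | "missing" | "orphan" | "stream"
    note: str = ""


def _target_and_status(rest: str) -> Tuple[str, str]:
    """Split the tail of an O2/O3/O10 line into (path, status)."""
    rest = rest.strip()
    if rest.startswith("File not found"):
        return "", "missing"       # registry still points at a file that is gone
    if rest.startswith("No CLSID value found"):
        return "", "orphan"        # toolbar slot with no registered class behind it
    # "C:\path\file.dll (Vendor)" -> keep the path, drop the vendor suffix
    path = rest.rsplit(" (", 1)[0] if rest.endswith(")") else rest
    return path, "present"


def parse_line(line: str) -> Optional[Entry]:
    """Classify one log line; returns None for line types this triage ignores."""
    line = line.rstrip()
    if m := RE_O2.match(line):
        name, clsid, rest = m.groups()
        return Entry("bho", name, clsid, *_target_and_status(rest))
    if m := RE_O3.match(line):
        hive, name, clsid, rest = m.groups()
        return Entry("toolbar", name, clsid, *_target_and_status(rest), note=hive)
    if m := RE_O10.match(line):
        entry, rest = m.groups()
        return Entry("lsp", "Winsock provider", entry, *_target_and_status(rest))
    if m := RE_ADS.match(line):
        size, path = m.groups()
        host, sep, stream = path.rpartition(":")
        if not sep or len(host) < 2:   # only the drive colon: not a stream after all
            return None
        note = "executable hidden in an NTFS alternate data stream" if stream.lower().endswith(".exe") else ""
        return Entry("ads", f"{size} bytes", host, stream, "stream", note)
    return None


def triage(text: str) -> dict:
    """Summarise which entries are dead registry leftovers and which need care."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    addons = [e for e in entries if e.kind in ("bho", "toolbar")]
    report = {
        "entries": len(entries),
        "dead_addons": [e.name for e in addons if e.status != "present"],
        "live_addons": [e.target for e in addons if e.status == "present"],
        "broken_lsp": [e.ident for e in entries if e.kind == "lsp" and e.status == "missing"],
        "ads": [(e.ident, e.target) for e in entries if e.kind == "ads"],
        "warnings": [],
    }
    if report["broken_lsp"]:
        report["warnings"].append(
            "O10: Winsock catalog entries reference missing provider files. The LSP chain "
            "is already damaged, and deleting catalog entries can take networking down "
            "entirely; on XP SP2+ the supported repair is 'netsh winsock reset'.")
    if any(s.lower().endswith(".exe") for _, s in report["ads"]):
        report["warnings"].append(
            "ADS: an .exe stored as an alternate data stream is invisible to Explorer "
            "and a plain dir listing; treat the host path as a persistence location.")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```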
  26. Texasrebel

    Texasrebel Private E-2

    Oky....did as you said.

    During the process, it never finished and shut down on its own.

    There is no notepad text, and it never asked me to restart computer.

    Now I have another problem. Since doing so, the computer will not log onto the internet, and runs slower than a turtle uphill. I'm actually having to go through my other computer to type this.
     
  27. Texasrebel

    Texasrebel Private E-2

    Also....when I tried to play a game on the computer, I get this message. Title: waveOutGetNumDevs()
    Message: No wave devices. Windows does not have any sound drivers installed. Please install your sound drivers to get sound
    Then there's an "OK" button

    This is a new thing. The game is not an online game, it is saved on my computer as a non-online game. Just clicked on it out of curiosity and got that message. First time that's ever happened.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    My fix was edited. Have you tried running this edited fix?
     
  29. Texasrebel

    Texasrebel Private E-2

    Not sure what you mean about "edited". I did exactly as your last response said. Your response that I used is still there today.

    Not going to be able to do anything now until we can get the "connection" fixed. I'm not able to log onto the internet.

    It sure takes a long time for my desktop to load now

    Once it finally does, it does not connect

    I didn't have these problems until running your last instructions, if that helps figure out what's wrong now.

    Thanks
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have a USB flash stick that you can copy files back and forth from?

    Does the below file exist?

    C:\Windows\system32\mswsock.dll
     
  31. Texasrebel

    Texasrebel Private E-2

    I'm pretty sure I don't have a USB flash stick as I have never used one, bought one, and wouldn't know the name of one and/or what it would do :) Don't mean to sound ignorant, but I have never had the need for a flash stick.
     
  32. Texasrebel

    Texasrebel Private E-2

    I ran a search for C:\Windows\system32\mswsock.dll on the computer and it's there
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you powered down your PC since running the last fix? If not, please power it down for a few minutes then boot it back up. Then check your internet settings to make sure that they are setup properly to Obtain an IP address automatically. This is commonly referred to being setup to use DHCP.

    See this: http://uits.iu.edu/page/aiyy
     
  34. Texasrebel

    Texasrebel Private E-2

    Okay....I have one of my webmasters calling me in half an hour. He's going to read the instructions per your post, and relay to me via phone while I'm on the computer checking for a connection.

    Thanks
     
  35. Texasrebel

    Texasrebel Private E-2

    Oops, yes, I have powered down several times.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How are you posting here?
     
  37. Texasrebel

    Texasrebel Private E-2

    I have 2 computers. This is my main computer; the one down I bought a year ago as a back up, as I own and run an internet business. I have webmasters that I pay to help with the admin. They are the ones that actually recommended you guys. I know you know what you're doing. I have learned to be very patient in life :)
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then you should be able to compare the settings on the PC that works with the one that does not.


    Also do the below on the one with the problem.

    Click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /all
    • Hit Enter

    See if above command shows the below information which was seen in a previous log of yours:
    Code:
    Windows IP Configuration
     
            Host Name . . . . . . . . . . . . : user09-020da4b8
            Primary Dns Suffix  . . . . . . . : 
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
     
    Ethernet adapter Local Area Connection:
     
            Connection-specific DNS Suffix  . : 
            Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.1.4
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.1
            DHCP Server . . . . . . . . . . . : 192.168.1.1
            DNS Servers . . . . . . . . . . . : 192.168.1.1
            Lease Obtained. . . . . . . . . . : Saturday, August 13, 2011 2:36:46 PM
            Lease Expires . . . . . . . . . . : Sunday, August 14, 2011 2:36:46 PM
    
     
  39. Texasrebel

    Texasrebel Private E-2

    Looks like some things have changed after running cmd.

    Node Type changed from Unknown to now Broadcast. Looks like I have no IP numbers any longer on the Ethernet adapter Local Area Connection. Here's what it says now....

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : user09-020da4b8
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
    Physical Address...............: xx-xx-xx-xx-xx-xx
    Dhcp enabled...................: Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . . . . : 0.0.0.0
    DHCP Server . . . . . . . . . . . : 0.0.0.0
    DNS Servers . . . . . . . . . . . : 0.0.0.0
     
    Last edited by a moderator: Aug 17, 2011
  40. Texasrebel

    Texasrebel Private E-2

    This seems to be new as well:

    Physical Address...............:

    This wasn't on our first cmd but now is.
     
    Last edited by a moderator: Aug 17, 2011
  41. Texasrebel

    Texasrebel Private E-2

    Okay...you probably won't agree with what I just did, and if so, I'm sorry.

    First off, we tried to manually enter all IP information. After doing so, it showed me to be online, but IE would not connect.

    Then, my webmaster told me to go to System Restore after spending 2 hours on it. I did so, but it would only allow me to restore to the day I received this malware or virus.

    Then we decided to re-run OTL from Tim's prior post to get new logs. The new logs matched the old logs I previously posted.

    Then we copied Tim's 2nd OTL post and pasted all the info into OTL again, as the first time we did it, the program shut down, and we thought maybe it was an error on me.

    Well.....this time when running OTL, I watched, and it hung up while deleting AVGIS for about 4 minutes, then the program shut down again, and this is where I lose all my desktop icons, internet, etc.

    We saved a restore point prior to doing this again. Now I have internet service etc, but virus or malware is still present.

    Thought this may get us a new starting point. I'm sorry if not. I just need to be able to type and read from this computer as I'm wearing out the button on my KVM switch and it's really hard to remember a bunch of stuff :)

    Thanks guys!
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is valid. We just edit it out of the logs to not show your physical address ( MAC ) online. I will edit your post too. ;)
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may not be the AVG cleanup that is the problem. It could be the removal of the malware itself. So let's try removing AVG stuff from the fix and see what happens.



    Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    Code:
    :processes
    :otl
    PRC - C:\WINDOWS\1151866976:2682738619.exe File not found
    MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} -  File not found
    O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} -  File not found
    O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} -  File not found
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
    O3 - HKLM\..\Toolbar: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} -  File not found
    O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} -  File not found
    O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} -  File not found
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (IMVU Inc Toolbar) - {90B49673-5506-483E-B92B-CA0265BD9CA8} -  File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 -  File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 -  File not found
     
    :services
    6018a844
     
    :files
    @Alternate Data Stream - 816 bytes -> C:\WINDOWS\1151866976:2682738619.exe
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:DFC5A2B2
    C:\WINDOWS\1151866976
    C:\ComboFix
     
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
     
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  44. Texasrebel

    Texasrebel Private E-2

    Okay....copied and pasted the info....OTL started running....seconds after starting I lost all desktop icons, and OTL shut down. I was left with a blue screen and no internet connection.

    Had to go back to system restore
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then it would appear that I was correct in that the problem was not occurring while the AVG items were being removed. Seems like the malware itself (and you have at least two infections) is the cause of the problem. Let's change the fix again to take things more slowly and see what we can do.



    Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    Code:
    :processes
    :otl
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} -  File not found
    O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} -  File not found
    O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} -  File not found
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
    O3 - HKLM\..\Toolbar: (IMVU Inc Toolbar) - {90b49673-5506-483e-b92b-ca0265bd9ca8} -  File not found
    O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} -  File not found
    O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} -  File not found
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (IMVU Inc Toolbar) - {90B49673-5506-483E-B92B-CA0265BD9CA8} -  File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
    
    :services
    6018a844
     
    :files
    @Alternate Data Stream - 816 bytes -> C:\WINDOWS\1151866976:2682738619.exe
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:DFC5A2B2
    C:\WINDOWS\1151866976
    C:\ComboFix
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  46. Texasrebel

    Texasrebel Private E-2

    Did as you asked. OTL began to run and shut down. I was left with a blue screen.

    I left the blue screen up for about 5 minutes to see if anything would happen...it didn't. I rebooted and for some reason, I didn't have to "restore to an earlier time".

    One other thing... I have to download OTL every time before I can use it. Once I use it, and it quits, I lose the actual yellow icon, it goes to a white looking square icon, and when I double click it, it says the same thing as all the other malware programs,

    "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the items"

    It never asked for a reboot and there was never an "ok" button.
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then please run GetLogs.bat as requested and attach the new MGlogs.zip file.
     
  48. Texasrebel

    Texasrebel Private E-2

    Did as you asked. Logs attached.

    Also....while scanning the following message popped up:

    NSLOOKUP.EXE - ORDINAL NOT FOUND.
    The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll

    I then have to click "okay" and the scan continues.
     

    Attached Files:

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below file is for?

    C:\WINDOWS\anshnmsv.dll


    I would like to get some more info on the C:\WINDOWS\anshnmsv.dll file. Right click Start and select Explore to bring up Windows Explorer. Use it to navigate to the file and right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.


    Also see if the below tool will run for you. If it does, try to attach a log from it.

    Kaspersky Virus Removal Tool
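A scripted way to collect the file details asked for in this post (version resource and company name) and to list the NTFS alternate data streams that the OTL fix above targets, added here as an example; it is not part of the thread and not one of the MajorGeeks tools. It assumes PowerShell 4.0 or later (for Get-FileHash and Get-Item -Stream) on a machine that can read the affected volume, so it would be run from a newer Windows host or against the drive after it has been mounted elsewhere, not from the XP system's own PowerShell. The paths are the ones named in the thread; the system32 location for wsock32.dll is an assumption.

```powershell
# Added example (not from the thread): report identifying details for suspect files
# and list alternate data streams. Requires PowerShell 4.0+.
# Paths are the ones mentioned in the thread; the wsock32.dll location is assumed.
param(
    [string[]]$Paths = @(
        'C:\WINDOWS\anshnmsv.dll',
        'C:\WINDOWS\system32\wsock32.dll',   # assumed location of the DLL nslookup complained about
        'C:\WINDOWS\1151866976',
        'C:\Documents and Settings\All Users\Application Data\Temp'
    )
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    # -Force so hidden/system files are not skipped.
    $item  = Get-Item -LiteralPath $Path -Force
    $isDir = $item.PSIsContainer

    # Version resource: CompanyName is the item the helper asked the poster to read from the Version tab.
    $ver = if ($isDir) { $null } else { $item.VersionInfo }

    # Authenticode status: a Microsoft system DLL such as wsock32.dll is expected to be 'Valid'
    # and signed by Microsoft; 'NotSigned' or 'HashMismatch' on a file under C:\WINDOWS deserves a closer look.
    $sig  = if ($isDir) { $null } else { Get-AuthenticodeSignature -FilePath $Path }
    $hash = if ($isDir) { $null } else { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }

    # Alternate data streams other than the default ::$DATA stream.
    # These are what the OTL entries "@Alternate Data Stream - N bytes -> path:stream" refer to.
    $ads = Get-Item -LiteralPath $Path -Force -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { '{0} ({1} bytes)' -f $_.Stream, $_.Length }

    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        IsDirectory = $isDir
        Size        = if ($isDir) { $null } else { $item.Length }
        Created     = $item.CreationTime
        Modified    = $item.LastWriteTime
        CompanyName = if ($ver) { $ver.CompanyName } else { $null }
        Description = if ($ver) { $ver.FileDescription } else { $null }
        FileVersion = if ($ver) { $ver.FileVersion } else { $null }
        Signature   = if ($sig) { $sig.Status } else { $null }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256      = $hash
        AltStreams  = ($ads -join '; ')
    }
}

$Paths | ForEach-Object { Get-SuspectFileReport -Path $_ } | Format-List
```

The SHA256 and signer fields give an analyst something to compare against a known-good copy of the same DLL (for example the one in the dllcache folder) rather than relying on the Version tab alone, since a version resource is trivially copied; an empty CompanyName together with a missing or invalid signature on a DLL sitting directly in C:\WINDOWS is the combination the helper's question is trying to surface.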
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also forgot to ask, what files do you see in the below folder?

    C:\_OTL


    Also please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    analyse <-- this will try to run TrendMicro Hijackthis. Click Twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.

    If analyse.exe does complete a scan, please attach the C:\MGtools\hijackthis.log file.
     
