Serious Malware infection

Welcome to Major Geeks!

You are extremely out of date with Malwarebytes. Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Make sure you fix the problems found before saving a log. Attach the new log.


Do the above while I look thru all of your logs and create a fix.

 

Then uninstall the version you have and just download the version given in the READ & RUN ME. You are more than a year out of date even with the program versions. At least you will h ave a more updated version. Run it and attach the new log. Then move on to the below instructions.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

NOTE: The below prorgams are way out of data and are security risks. If you are going to use them, you need to update to the current versions.
Adobe Acrobat 5.0
FileZilla Client 3.1.4.1
Mozilla Firefox (3.0.19)

What is the below? If does not belong in this folder no matter what it is. If it is an executable program that you know and use, it should be in its own folder under the C:\Program Files folder.

Code:

2009-05-10 10:07 . 2009-05-24 03:40 2085376 c:\program files\Cortex Command.exe

 

ComboFix was deleted because you last downloaded and ran it on August 15th and that version was now out of date.


Your logs showed that you have a DNS hijacker infection. Your router is quite possibly infected. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay the last fix removed the remaining signs of the DNS infection. Your logs are clean but you do need to delete the below and any other similar cracks/illegal software

Code:

"C:\"
Jun 2009              "Cortex.Command.(build.23).fixed.cracked-SND"
Aug 2010     3213147  "Cortex.Command.(build.23).fixed.cracked-SND.zip"
Jun 2009     1119844  "Microprocessor.8085.Simulator.1.6.cracked-SND.zip"                
"C:\Documents and Settings\Brian Delahunty\My Documents\
Aug 2010     3213101  "Cortex.Command.(build.23).cracked-SND.zip"

and you need to stop downloading these. See Warning about Porn, Keygens, Cracks, and other Illegal Software


If you are still having malware problems, you will have to explain the exact details since your logs are clean.

 

There was a typo in my previous fix that caused it to fail to remove something and I did not notice it until you said you still had a problem. Let's do fix with some redundancy.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O17 - HKLM\System\CCS\Services\Tcpip\..\{F24D6B95-F2FD-47A0-AA90-41D6D78187BA}: NameServer = 85.255.116.170 85.255.112.140

After clicking Fix, exit HJT.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Well you did have a DNS infection that would cause hijacks. It looks like we go the last registry entries in the last fix. Now we need to find any residual issues that the infection may have caused.

Click Start > Run and type in cmd

• Click OK.
• This will open a command prompt.
• Type or copy and paste the following line in the command window:
  ipconfig /flushdns
• Hit Enter
• Exit the command window

If you are still having hijack problems, does it occur with both FireFox and Internet Explorer. Make sure you check.

 

That's what my instructions asked you to do.

Can you access them via IP address rather than by URL? Shutdown your firewall before trying to access them and see what happens.

 

Yes that is correct.

Then as suggested in my last message, make sure you are not blocking it with your firewall.

Are you using any kind of server to connect this PC to the internet?

Do other user accounts on this PC have the same problem?


Also do the below!


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Quite normal.


Have you checked to see if the problem still occurs in both Internet Explorer and with FireFox?



Download TDSSKiller from Kaspersky to your directly onto your Desktop

• Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrartor. )
• Allow the application to run if prompted by Windows or any security programs you have installed
• It will start the scan and run rather quickly and will notify you of whether anything is found or not.
• Follow the instructions to delete/quarantine if asks you what to do when if finds something.
• Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

Also please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

 

There is nothing in any of your logs that would indicate reasons for having redirections. And you also indicated that you are on dial-up so that ruled out a hardware type infection that could have explain why all user accounts have the problem. The only other possible reason may be any special software you use to go online since it would be common for all users. Perhaps you should try uninstalling it and then rebooting. After a reinstall, see if it works better. If not, disable all addons that you have made to IE and FireFox and see if anything changes.

Also try running the below if still having a problem and attach the log from ESET:

Using ESET's Online Scanner


If all of this still comes up with no problems then you should install proper protection software ( an antivirus and also a real firewall ) to see if this helps.

 

Which page is hijacked? The link I gave to you in my last message or the actual link to the ESET Online Scanner page? If the link to the ESET Online Scan then try putting in the below into your browsers address bar and see if you can get to ESET.

http://[URL="http://cqcounter.com/traceroute/?query=72.3.254.86"]72.3.254.86[/URL]

and if the above works then look at the bottom of the page and click the Online Scanner link.

 

My last post got messed up. Please just enter the 72.3.254.86 IP address into your browsers address bar and see if that gets you to ESET.

Also please disable the Windows firewall and see if that changes any of your problems.


And also Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

 

There does not appear to be any remaining malware that is causing this and since you are on dial-up, it is not the typical case of it being in the router. Let's see if it is some how related to something else that you load at startup. We will temporarily remove all of your startup processes to check this.

Make sure you first download and save both registry patches below. One will remove startups and one will restore them after a reboot and testing to see the effects.


Copy the bold text below to notepad. Save it as Remove.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

NOW BEFORE YOU REBOOT, download and save the below registry patch too but DO NOT run it. But if you run into any problems after the reboot that is requested below, you can run this to restore to your previous state.

Copy the bold text below to notepad. Save it as Restore.reg to your desktop. Be sure the "Save as" type is set to "all files" DO NOT RUN IT.

Now if you have run the first (Remove.reg) registry patch reboot your PC and see if there is any change to your ability to connect to sites.

Also while in this state run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Did this have any affect?

If no change, then you can run the Restore.reg patch to now restore all of your startups.

 

Okay then you can use the Restore.reg patch to put everything back.

While it is not impossible that something on your PC has been changed that is causing this, it is looking like we will not be able to find it. If there is an infection, it has likely gotten into system files which is making it more difficult to impossible to find especially since you cannot run many things we want to run

Also I'm not sure if it is possible that your external modem or somehow the DNS server that your ISP uses has been impacted, but based on everything we have tried thus far, nothing points to remaining visible malware issues with your PC.

If you can try a different PC at your home using all the same modem/connection and if that PC works, then yes something remains in your PC somewhere.


There are 2 possible courses of action:

1. Give up and just format and reinstall in hopes of repairing the problem
2. Since you cannot run any online scanners, make one or more of the below special CDs that can be used to boot and scan your PC without Windows running. If lucky, they will possible find and remove any malware.

• Avira Rescue CD
• AVG Rescue CD
• F-Secure Rescue CD
• Kaspersky Rescue Disk.
• SystemRescueCD
• Trinity Rescue CD

 

Okay let me know which disk you make and the results of trying to run a scan when you boot from the CD without Windows running.