Internet Redirect

I am not seeing anymalware in your logs. I also am not seeing any AV software. What are you using for protection?

Are the redirects happening in all browsers? If you boot into safe mode w/networking, do you still get redirected?

 

I am sorry for the delay, I was out of town yesterday.
Are you going to the microsoft website to check on updates? Are you using a router? Have you tried plugging in directly to the modem and checking to see if you still get redirects?

 

It has been three weeks since your last post. We would need you to re-run all the scans again. You can also try running this online scan:

eSet Online Scan.

 

You are faced with a few choices. It could be that your registry is corrupt in which case you can try doing this:
How to recover from a corrupt registry.

Or you can try creating one of these disc's and boot to it:

Kaspersky Rescue Disk.
BitDefender Rescue Disk-with-auto-update.

 

It's easy enough to follow, though you may want to create one of the other discs first in case it is malware that is blocking you from starting up properly.

 

No. You will not be any worse off than you are now. Do you have your OS CD?

 

You need to get into the bios ( maybe F2 on startup? ) and change the boot order to cd-rom as first boot device. Then put the cd in the drive and reboot. It should ask if you want to boot to the cd.

 

You still have the boot order with the hard drive being the first choice. You need to move the optical drive to first boot device and then the hard drive down to second boot device.

 

Is this how it is now set?
internal optical drive
internal hard disk drive
floppy disk drive
network

 

Try doing this. It will create a disc of just the Recovery console in xp. You can then try booting to the RC and typing in fixboot.

 

Not if you can already access the Recovery console.

You can try the various commands ( thought you might want to post in the software forum for additional help with this ):
Fixmbr
FixBoot
chkdsk /r

 

The question is does it now boot up? I suggest you post in the software forum as we need you to be able to boot to a stable system before we can address any malware issues.

 

I will try to keep an eye on your software thread!! Good luck. Do consider trying to find, beg and borrow an xp cd of the same version as what you have installed.

 

Your combo log is showing a file replicator virus. First case of that that I have seen.

You were also infected with this file:
c:\program files\microsoft\desktoplayer.exe which also corrupted your winlogon reg. key.

And these files needed to go as well:
C:\Documents and Settings\Adam\Application Data\YTKIQ
C:\WINDOWS\explorerSrv.exe

As to the file on your desktop, you need to reset files to be hidden. Do that in the control panel, folder options, view. Set your system files to be hidden again.

 

You are saying that you already have system files set to be hidden? If so, I don't know why it is there. Right click it, choose properties and tell me what it says.

 

You mean that the files I found in your logs are still there? I thought this was from before you fixed it. Ok, then let's remove them. You will need to have ComboFix downloaded to your desktop.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
c:\program files\microsoft\desktoplayer.exe
C:\WINDOWS\explorerSrv.exe
Folder::
C:\Documents and Settings\Adam\Application Data\YTKIQ 

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\program files\adobe\photoshop elements 4.0\photoshopelementsfileagentsrv.exe"

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You are still very badly infected.

Please immediately do the below. You must do this immediately and you must complete all 3 scans one after the other with only the delay to post logs in between. DO NOT use your PC for anything else but these instructions.

Run this Using ESET's Online Scanner and immediately attach the log.

Then run the Eset scan a second time and attach the 2nd log.

Then run the Eset scan a third time and attach the 3rd log.

After attaching the 3rd log, if any Ramnet infections were found by Eset, try to repeat the above until it comes up clean. The only infections of Ramnet you can ignore, are ones that may be found in the System Volume Information folder which is System Restore and cannot be cleaned. We will remove them later by disabling System Restore.

Now run combofix again by double clicking it.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Yes, you have a Ramnit infection. Please continue running the eSet scans. Attach the logs. Keep doing it until we tell you to stop.

 

Run it just one more time. In the meantime, see if you can use windows explorer to find and delete:
C:\WINDOWS\system32\termsrv.dll

After this next scan, when it is done, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

We will use Combo to remove it once you are finished with the scans.

 

We are going to replace it (the one that could not be cleaned) from another location on your machine. ESET seems to think there is something wrong with it.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll | C:\WINDOWS\system32\termsrv.dll

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Let us know how things are running.

 

Good, let's continue to sweep up -

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

Folder::
c:\documents and settings\Adam\Application Data\Lyond
c:\program files\tmp
c:\documents and settings\Adam\Application Data\Sabu
File::
c:\windows\system32\tojedel.dll
c:\documents and settings\Adam\Application Data\Sabu\mubo.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\toiz.exe
C:\Windows\System32\toiz.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ubfis.exe
C:\Windows\System32\ubfis.exe
c:\documents and settings\My Guest\Start Menu\Programs\Startup\yzyx.exe
C:\Windows\System32\yzyx.exe
DirLook::
c:\program files\windows
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{6537A7C6-510E-82F3-550E-4D08BD773C4B}"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Run another ESET scan, attach the results.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Please tell us how things are running now. I am not seeing any malware remaining in your logs. But you need to be aware that you have very little hard drive space left which could be the cause of your slowness.

 

You should pare down what you have on your hard drive or get a backup external and transfer as much as you can. In the meantime, why don't you let this ride for a day or two and see how things are working.

 

Yes, you can reinstall AVG, but I am concerned about how little hard drive space you have left. You have too little to even do a defrag.