Log Files

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nomar34, Nov 27, 2010.

  1. nomar34

    nomar34 Private E-2

    I have run through everything listed here. I am still having trouble. I am running Vista Home Premium SP2 32 bit, I have attached the logs requested in the previous thread. Any help would be appreciated.

    Thanks!

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You did not attach the C:\MGlogs.zip
     
  3. nomar34

    nomar34 Private E-2

    My mistake, here is C:\MGlogs.zip
     

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes you have a DNS infection.

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

    You have two antivirus installed and one needs to go:

    • Microsoft Security Essentials
    • AVG 2011

    I would suggest you uninstall AVG 2011 and use their removal tool afterwards: AVG Remover (32bit) 2011
    (avg_remover_stf_x86_2011_1165.exe)
    But what you uninstall is your choice of course.

    Uninstall these:

    • Ask Toolbar
    • Viewpoint Media Player

    Uninstall outdated Java:
    • Java(TM) 6 Update 5

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,5b,3c,6e,b5,04,ad,42,8e,aa,04,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,5b,3c,6e,b5,04,ad,42,8e,aa,04,\
    
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    Registry::
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters
    "DhcpNameServer"="1.1.1.1"
    HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters
    "DhcpNameServer"="1.1.1.1"
    HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters
    "DhcpNameServer"="1.1.1.1"
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

    Run the new C:\MGTools.exe and attach the C:\MGlogs.zip.

    How about now?
     
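    A defender-side check related to the Tcpip\Parameters DNS values the fix above targets, added here as an example (it is not part of the thread or of the MajorGeeks tools): it parses a `reg export` of those keys from each ControlSet and flags any DNS server that is not on an expected list, since a value left in a stale ControlSet can bring the setting back at the next boot. The sample export, the 192.0.2.x addresses and the expected-resolver list are constructed assumptions.

```python
import re

# Constructed sample of what `reg export` of the three Tcpip\Parameters keys
# could produce. 192.0.2.x is documentation-range filler, not a real resolver;
# ControlSet002 deliberately disagrees with the other two.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"="192.0.2.53 192.0.2.54"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"DhcpNameServer"="192.0.2.53 192.0.2.54"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
"DhcpNameServer"="192.168.1.1"
"""

DNS_VALUES = ("DhcpNameServer", "NameServer")
TCPIP_SUFFIX = r"\services\tcpip\parameters"

def parse_reg_export(text):
    """Turn the [key] / "name"="value" lines of a .reg export into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def find_dns_anomalies(text, expected):
    """Return (key, value name, server) for every DNS server not in `expected`,
    checked in every ControlSet present in the export, not just the current one."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(TCPIP_SUFFIX):
            continue
        for name in DNS_VALUES:
            # values may be space- or comma-separated lists of servers
            for server in values.get(name, "").replace(",", " ").split():
                if server not in expected:
                    findings.append((key, name, server))
    return findings
```

Run it against a real export with the resolvers your router or ISP actually hands out as the expected set; an empty result across all ControlSets is what a clean machine should show.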
  5. nomar34

    nomar34 Private E-2

    Here are the logs from the last reply.

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When removing malware it is best to keep the ball rolling. Reply to this as soon as you can, do not leave it as long as you did! ;)

    Ask Toolbar <--- You still have this installed.

    AVG Remnants you can delete:

    Delete this folder too if it exists:

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :services
    Viewpoint Manager Service
    :reg
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters
    "DhcpNameServer"="1.1.1.1"
    HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters
    "DhcpNameServer"="1.1.1.1"
    HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters
    "DhcpNameServer"="1.1.1.1"
    :files
    c:\programdata\SPL39D4.tmp
    c:\programdata\SPLDA45.tmp
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let's see if that gets rid of the DNS infection which must have still been in place all the time since you first came to me for help.
     
  7. nomar34

    nomar34 Private E-2

    I deleted everything asked above including the Ask toolbar that was hidden in the Limewire B.S.

    Had some trouble with the OTM. I ran it as instructed and it said on the right-hand side:

    Viewpoint Service stopped successfully
    Viewpoint Service deleted successfully

    Then I had an hourglass so I assumed it was still going. After a restroom break I came back and it was restarting on its own. I checked the log locations and there was a folder but it was empty. I tried to run it again and it just says service cannot be found, then becomes non-responsive. I let it sit overnight hoping that it would finish but it didn't.

    I ran the MGTools anyway and it says:

    zip error:Could not create output file (C:/MGlogs.zip)
    finished zipping filelog.txt

    Scanning Complete - Your log file is C:/MGlogs.zip

    The zip file is not there, obviously. So I am not sure what to do next.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run C:\MGTools.exe and then see if you have a C:\MGlogs.zip. I need to verify the infection has gone.
     
  9. nomar34

    nomar34 Private E-2

    Here is the latest MGlogs.zip
     

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Something seems to be blocking this fix. Make sure all antivirus and antispyware applications are disabled before we do the following.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now I want you to reboot into safe mode and do the above reg fix again.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  11. nomar34

    nomar34 Private E-2

    First I wanted to say how much I appreciate the help with this. I noticed I haven't said that yet and I didn't want you to think I wasn't appreciative. THANK YOU!

    I made sure all antivirus programs were killed and ran the FixMe.reg and got a successful message in normal and again safe modes.

    I ran MGTools while in safe mode then again in normal mode because I wasn't sure which one I needed to run it in. I attached both logs just in case.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We only want you to run MGtools in normal boot mode unless otherwise specifically requested. ;)

    Let's use ComboFix again to apply a fix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. nomar34

    nomar34 Private E-2

    Here are the logs... Really the computer is running much better than when I first got it (I am looking at it for my sister). I haven't noticed any problems while testing things in the last couple days.
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's great but a piece of the infection still remains and needs to be fixed. The last fix still did not work. Did you have ALL protection software shutdown (Like Microsoft Security Essentials) ??? According to your last log you did not shut it down as requested. Make sure you do this time before doing the below modified fix.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
    Last edited: Jan 7, 2011
  15. nomar34

    nomar34 Private E-2

    Will run these again once I get home but is there a better way to Kill MS Security Essentials? Right now I just go into procexp.exe and kill all MSE processes. Apparently that is doing the trick. Any other suggestions?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Open MSE and go to Settings > Real Time Protection.
    • Then uncheck "Turn on real time protection".
    • Exit MSE when done.
     
  17. nomar34

    nomar34 Private E-2

    Ok i think i got MSE turned off this time.
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well the good news is the fix worked this time. But the bad news is that it only stayed fixed for a short time frame. One of the first logs in MGlogs.zip showed it got fixed but then a later log shows it came back.

    The infection you have is known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.

    After doing the above power down your computer and then your router and cable or DSL modem (or similar) for about 1 minute. Then turn them back on.

    Now re-run the last fix I gave you again and attach new logs.
     
