Need some help.

Discussion in 'Malware Help (A Specialist Will Reply)' started by MaKiNoMaN, Nov 21, 2010.

  1. MaKiNoMaN

    MaKiNoMaN Private E-2

A friend asked me to look at his computer; apparently he caught a virus. He called up the people at double my speed.com and they told him the virus he had was almost impossible to get rid of, but for $189 they would remove it. He tried to restore it back to factory settings using the restore disk, and did so before asking me to look at it, so I am not sure if it had any effect or not.

Long story short, I've gone through the READ & RUN ME FIRST as well as the cleaning procedures for Vista. I was able to run everything but the RootRepeal tool. It kept coming up with an error upon startup. Both SAS and MBAM came up clean, so it would appear that nothing is wrong. But I would like to make sure before I return the computer to him.

    Here are the logs.
     

    Attached Files:

  2. MaKiNoMaN

    MaKiNoMaN Private E-2

And here is a log of the error I received when trying to run RootRepeal.

    Thanks for looking at this guys.

    Jon
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I'll review your logs and see if there's a need to run a tool in its place.

    dr.m
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, MaKiNoMaN

What AV application is currently installed and working? I see these references:
    • CyberDefender
    • Norton
      LiveUpdate 3.2 (Symantec Corporation)
      LiveUpdate Notice (Symantec Corporation)
    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right-click and select Run As Administrator).

    Please attach the new C:\MGlogs.zip file to your next reply.

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
  5. MaKiNoMaN

    MaKiNoMaN Private E-2

I talked to him this morning (I work with him) and he said that at one time he had Norton, but no longer has it. Also, the CyberDefender is the registry cleaner that he purchased from doublemyspeed.com, so as of right now he has no antivirus software. He says the problems he is having happen when he goes online and tries to sign in to pages such as his bank account or other bill payment sites. He says Internet Explorer finds errors when he signs in and he has to click back to see the page. I will run the procedures you have suggested and post back the logs later today after I get off work.
     
  6. MaKiNoMaN

    MaKiNoMaN Private E-2

    Ok here are the logs as requested.
     

    Attached Files:

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please get your friend to give the exact wording of the error messages he receives, as this may not be malware related.
    Also - does it happen in Safe Mode? With other browsers?

    Step 1:
    Uninstall these:
    LiveUpdate 3.2 (Symantec Corporation)
    LiveUpdate Notice

    Then run the below, re-boot and run it again:
    Norton Removal Tool (SymNRT) 2009.0.5.26

    Step 2:
Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    * Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Please download the
    TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
• A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory (usually Local Disk C).
    • Attach this log to your next message.

    Please attach the TDSSKiller log.txt and answer my questions.

    dr.m
     
  8. MaKiNoMaN

    MaKiNoMaN Private E-2

    He said he is not 100% sure on what exactly it said, but it was something like:
"Internet Explorer encountered an error opening page, operation aborted", then it says it had a connection problem. He says it only happened when he would try to sign in to his accounts to pay bills, never while just surfing the web. Even if he closed out the browser and then reopened it to sign in, it would do the same thing. The only way it would work would be if he pressed the back button.

He never tried it in safe mode, nor does he have any other browsers installed. But I've noticed that whenever I open up Internet Explorer it says that it isn't the default browser. So I am not sure about the other browsers part. Will do the things advised tonight.
     
  9. MaKiNoMaN

    MaKiNoMaN Private E-2

    Here is the tdsskiller log.

    The fixME.reg would not merge. Here is the exact wording of the error:

    "Cannot import c:\users\todds\desktop\fixME.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."
     

    Attached Files:

  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, MaKiNoMaN

    Are you certain that he saved the file as type "all files"? Please make sure!


    To temporarily disable all IE add-ons
    Click the Start button , click All Programs, click Accessories, click System Tools, and then click Internet Explorer (No Add-ons).

    Now do this:
    With Internet Explorer opened
1. From the Safety menu in the upper right, click Delete Browsing History...
    2. Deselect "Preserve Favorites website data", and select "Temporary Internet files, Cookies, and History".
    3. Click Delete.
    4. Close IE 8.

    See the following link to flush Java cache
    http://www.java.com/en/download/help/plugin_cache.xml

    To flush DNS in Windows Vista
    1. Click the Microsoft Vista Start logo in the bottom left corner of the screen
    2. Click All Programs
    3. Click Accessories
    4. RIGHT-click on Command Prompt
    5. Select Run As Administrator
    6. In the command window type the following and then hit enter: ipconfig /flushdns
      You should receive a "Successfully flushed the DNS Resolver Cache" message
    7. Exit the command window

    Then "open" CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY! Then re-boot the pc.

    Please install another browser to test the machine, such as listed in:
How to Protect yourself from malware! 7) Install a backup browser just in case you run into problems with Internet Explorer

    * What problems are you still having?
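The "not a registry script" error quoted a few posts up has two usual causes: Notepad saved the file as fixME.reg.txt (the "Text Documents" save type), or the file does not start with the exact "Windows Registry Editor Version 5.00" header line regedit looks for (a UTF-8 byte-order mark in front of it is enough to break the match). The PowerShell function below is an added check, not part of this thread or of the MajorGeeks procedure; it takes a hypothetical path and reports what would stop regedit from merging the file, without touching the registry.

```powershell
# Added example, not from the thread: sanity-check a .reg file before merging it.
# $Path is a hypothetical parameter; point it at the real file.
function Test-RegScript {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $problems = @()
    $item = Get-Item -LiteralPath $Path

    # Notepad's default "Text Documents" type appends .txt, giving fixME.reg.txt;
    # with "hide known extensions" on, Explorer still displays it as fixME.reg
    if ($item.Extension -ne '.reg') {
        $problems += "extension is '$($item.Extension)': save with type 'All Files' so the name ends in .reg"
    }

    # regedit reads ANSI or UTF-16 LE (BOM FF FE); a UTF-8 BOM (EF BB BF) sits in
    # front of the header line and makes regedit reject the file as a script
    $bytes = [System.IO.File]::ReadAllBytes($item.FullName)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems += 'file starts with a UTF-8 BOM: re-save as ANSI or Unicode (UTF-16 LE)'
    }

    # The first non-blank line must be the version header, verbatim
    $lines = Get-Content -LiteralPath $item.FullName
    $first = $lines | Where-Object { $_.Trim() -ne '' } | Select-Object -First 1
    if ($null -eq $first) { $first = '' }
    $headers = @('Windows Registry Editor Version 5.00', 'REGEDIT4')
    if ($headers -notcontains $first.Trim()) {
        $problems += "first line is '$first': expected 'Windows Registry Editor Version 5.00'"
    }

    # Without at least one [HKEY_...] section (or [-HKEY_...] deletion) nothing would be merged
    if (-not ($lines | Where-Object { $_ -match '^\[-?HKEY_' })) {
        $problems += 'no [HKEY_...] key section found'
    }

    [pscustomobject]@{
        Path     = $item.FullName
        Mergable = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (hypothetical path):
# Test-RegScript "$env:USERPROFILE\Desktop\fixME.reg" | Format-List
```

Run it from an elevated PowerShell prompt against the file on the Desktop; if Mergable comes back $false, the Problems list says which of the save-type, encoding or header conditions to fix before double-clicking the file again.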
     
  11. MaKiNoMaN

    MaKiNoMaN Private E-2

    I am the one doing all this stuff to the computer, and I tried 4 different times with the fixME.reg. After the first time I thought maybe I didn't have it set to all files. But I am pretty certain the rest of the times it was, especially when I tried again this morning.

I installed 2 backup browsers and I will give it back to him to see if he is still having problems, because I tried it out and had no problems logging into my bank account through this computer. The only way to know would be to give it back; at least this way I will know if it is this computer or maybe a network problem on his end. Thank you for your help. I will go through the How to Protect Yourself from Malware thread before I give it back to him.
     
  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)

    Let's get rid of that reg value this way, then we can finish up.

    Please download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    explorer.exe
    
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{44DC8FA0-6795-4601-9524-3DB5CF170E48}]
    
    :Commands
    [purity]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    dr.m
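The OTM script above deletes one Internet Explorer SearchScopes key by GUID. Before (or after) running it, a quick read-only listing shows which search scopes the machine actually has, which one is the default, and whether the key named in the script is present. The function below is an added example, not the OTM script or any MajorGeeks tool; the only value it takes from the thread is the GUID in the OTM script, and it changes nothing in the registry.

```powershell
# Added example, not from the thread: list IE search scopes in HKLM and HKCU and
# flag the GUID that the OTM script in this thread removes.
function Get-IESearchScope {
    param(
        # GUID taken from the OTM script posted above; any other GUIDs are the caller's choice
        [string[]]$Suspect = @('{44DC8FA0-6795-4601-9524-3DB5CF170E48}')
    )

    $roots = @(
        'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
        'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # DefaultScope on the parent key names the GUID IE uses for the address-bar search
        $default = (Get-ItemProperty -LiteralPath $root -ErrorAction SilentlyContinue).DefaultScope

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            [pscustomobject]@{
                Hive        = $root.Split(':')[0]
                Scope       = $key.PSChildName
                DisplayName = $p.DisplayName
                URL         = $p.URL
                IsDefault   = ($key.PSChildName -eq $default)
                Flagged     = ($Suspect -contains $key.PSChildName)
            }
        }
    }
}

# Usage: show every scope, with the URL each one sends queries to
Get-IESearchScope | Format-Table Hive, Scope, DisplayName, URL, IsDefault, Flagged -AutoSize
```

The URL column is the part worth reading: a search scope the user never added, or a DisplayName that imitates a known search engine but points at an unfamiliar host, is what a provider-hijack looks like, and the listing also confirms afterwards that the OTM :Reg section removed the key it named.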
     
  13. MaKiNoMaN

    MaKiNoMaN Private E-2

    Results from OTM:

     
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Good!

    You're very welcome!!

    Now - we can do the final cleanup steps in our malware cleaning procedure. I would suggest that you post about any remaining software issues with IE8 in our Software Forum.
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
• Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove programs (Programs and Features if using Vista or Windows 7) and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
Safe surfing!
     
