No sys restore/No connection

The infection you have is known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.


You need to uninstall SUPERAntiSpyware. The version you have is way out of date. Then download and install the one from the link in the READ & RUN ME. Run a new scan and attach the new log.

Once you can connect to the internet, you need to uninstall the below old Sun Java versions and install the current version as requested in step 1 of the READ & RUN ME:
Java(TM) 6 Update 6
Java(TM) 6 Update 7

Some items in the HijackThis fix given below may not longer exist. Just ignore any that you do not find and continue.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {09F7B221-760D-4865-93CF-6C5E771F53F5} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{668E2034-0CE4-4E27-BDC5-F66D93E857EC}: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)
O24 - Desktop Component 2: (no name) - (no file)
O24 - Desktop Component 3: (no name) - (no file)

After clicking Fix, exit HJT.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

When you say resetting your cable modem, what exactly do you mean? Our you talking about power cycling it?


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Laura\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{668E2034-0CE4-4E27-BDC5-F66D93E857EC}: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)
O24 - Desktop Component 2: (no name) - (no file)
O24 - Desktop Component 3: (no name) - (no file)

After clicking Fix, exit HJT.

Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run a full scan with SUPERAntiSpyware
Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• new SUPERAntiSpyware log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Well then it is not working since you are still infected. It looks like your modem firmware has been modified by the infection. This is happening all the time with this infection. If all you have is a cable modem and you do not have a router of your own in between the cable modem and your PC, then you need to get a new cable modem. If you have a real router of your own, you need to reset it to factory settings.

You are not using the current updates for SAS. You have:

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

And as of the time I'm writing this they are already on:

Core Rules Database Version : 3679
Trace Rules Database Version: 1658

You need to always check for updates before running a scan.

Formatting your PC will not fix the problem with an infected router and or cable modem. They have to be restored to factory settings because as they are now, they keep reinfecting your PC.

The below items in your HJT log (which did not get fixed) are signs of this DNS hijacker:
O17 - HKLM\System\CCS\Services\Tcpip\..\{668E2034-0CE4-4E27-BDC5-F66D93E857EC}: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20

 

You really are not going to have to much of a choice since you say your phone line is too slow to download or do any updates on. You have out dated versions of programs and we need them updated. However do the below before hooking up the new modem.

Did you fix those O18 lines I pointed out using analyse.exe. I will give you a step by step fix below.



Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{668E2034-0CE4-4E27-BDC5-F66D93E857EC}: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6;85.255.112.20

After clicking Fix, exit HJT.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Click Start > Run and type in cmd

• Click OK.
• This will open a command prompt.
• Type or copy and paste the following line in the command window:
  ipconfig /flushdns
• Hit Enter
• Exit the command window

Now make sure you have all web browsers closed to do this next bullet list of steps.

• Go into Control Panel -->Network Connections.
• Right click on your connection
• and click Properties.
• On the Properties page, highlight Internet Protocol(TCP/IP)
• Click Properties. This will bring up another page.
• Select Obtain DNS Server Automatically.
• Click the ok button. The page will close.
• Press ok on the page in front of you.
• Restart the computer.
• Reconnect to the Internet using Internet Explorer and use you new cable modem.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Since you updated SUPERAntiSpyware, does the new version find anything. If so, attach the log.

Then perhaps the problem is with your cable providers connection.

Sorry I meant to say 017 lines and they are still in your HijackThis log and also your log shows that you are running in safe boot mode. You need run in normal boot mode and you must make sure that you are selecting the below lines and remembering to click the Fix checked button after all browsers are closed.

If you are physically disconnected from your cable mode there is no reason why these should not be getting fixed other than the below possibilities:

1. forgetting select them and then to click Fix checked
2. malware is blocking the fix. But no active malware was being seen.
3. the protection software you have installed (AVG AntiSpyware and CA ) are getting in the way of malware removal which would mean your next step should be to uninstall these and then reboot and try and fix the 017 lines again and make sure they really get fixed.

 

Not if they keep returning after we clean everything up. This normally means that your router or cable modem is infected. We have seen this many dozens of times. The only other reason would be that protection software that is installed is getting in the way of the fix.

Resetting the routers back to factory defaults always resolves the problem when the router is infected. As far as a cable companies modem/router goes, I'm not sure, but if it has the ability to set things back to factory defaults, it should also work.

However none of this matters now if you have reinstalled. However I would suggest that you make sure those O17 lines have not come back again.

I also suggest that you work thru this: How to Protect yourself from malware!