Avast WEBforum
Other => Viruses and worms => Topic started by: darkmata on March 12, 2012, 01:59:50 PM
-
Hi, my PC is infected with Sirefef and/or ZeroAccess and I think I've followed your instructions in this post (if not, please tell me): http://forum.avast.com/index.php?topic=53253.0
I'm attaching the results of the tests and the logs. I'll be so thankful for your help!
Thanks in advance.
-
Also I have to say that I purchased Avast! Internet Security for 2 years, and every time I install it, on the next reboot the PC doesn't load Windows; it automatically goes to "Windows will try to scan for errors and try to fix them", but Windows is not able to repair it, so all I can do is turn off the PC or restore Windows to a previous date. Well, I restore and then I'm back to when the antivirus is not installed... and this goes on forever and ever in a loop...
Thanks again.
P.S.: I'm attaching the last file I have...
-
Hi,
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
--------------------------------------------------------------------
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
ClearJavaCache::
File::
C:\Windows\SysNative\bb-run.dll
C:\Windows\SysNative\dds_log_ad13.cmd
C:\Windows\SysNative\dds_log_trash.cmd
Registry::
Netsvc::
snoopfreesvc
Driver::
snoopfreesvc
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
(http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
-
Hi Jeffce,
Thanks for your help. OK, now I ran ComboFix but I cannot see the report; also it never restarts the PC. It seems like it has finished scanning, the window disappears and that's it... I'm not even touching the mouse or anything.
-
Hi,
Go to your C:\ folder and look for a file named Combofix.txt. If you see that, please post it in your next reply. :)
-
Sorry, but there is no ComboFix.txt file... :-\
-
Would you like a TDSSKiller report?
-
I was reading essexboy's post, and when I have to run OTL he says to select ALL USERS... what does it mean? I'm never asked for that and cannot even see it to check it.
-
Hi darkmata,
Seems like the ZeroAccess infection is preventing some of our tools that we need.
Go ahead and run TDSSKiller but use these instructions and not those posted previously and then post the log created.
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
- Extract it to your desktop
- Right-click and Run as Administrator TDSSKiller.exe
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Copy and paste the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------
-
Done.
Nothing malicious found, just one threat. I skipped it.
thanks.
-
Hi darkmata,
We need to make all files and folders VISIBLE:
- Go to start>control panel>folder options>view
- Choose to "show hidden files and folders,"
- Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
- Close the window with ok
Please delete your copy of ComboFix from your Desktop using right-click >> delete.
Now visit the link here >> http://www.mediafire.com/?3wuubumznr3cs8h and download the file to your Desktop. Once downloaded to your Desktop, run the program. There will be a log produced I will need in your next reply. :)
-
Hi jeffce,
Same issue as before: it scans, looks like it has finished, but I'm not even able to close the window; it disappears and that's all. Also on C: there is no report at all...
This is hard stuff!!
-
Hi jeffce
I have a folder on C: named 32788R22FWJFW; it's like 12 MB and it says that it shows all the hard drives and hardware connected to this PC.... ???
Is that normal?
-
Hi darkmata,
Don't worry about the folder. I believe it is fine.
I am going to work up a fix using OTL and will return as quick as I can. :)
-
Hi jeffce
OK, here are some RogueKiller reports; maybe this could help!
Thanks a lot!
P.S.: if you fix it... I'll send you a good bottle of Catalan wine! ::)
-
Oh! :( I'm terribly sorry, I've noticed that those reports are in UTF-8; do you want them in ANSI?
-
Hi,
Please download ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.**
----------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\bb-run.dll -- (snoopfreesvc)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
IE - HKCU\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKCU\..\SearchScopes,DefaultScope = {FD63BF63-BFFF-4B8F-9D26-4267DF7F17DD}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O2 - BHO: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell - "" = AutoRun
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
NetSvcs:[b]64bit:[/b] snoopfreesvc - C:\Windows\SysNative\bb-run.dll (Iomega)
[2012/03/12 13:33:01 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_log_ad13.cmd
[2012/03/02 12:54:55 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_log_trash.cmd
[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
:Files
ipconfig /flushdns /c
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-
Hi jeffce
I've done it all and posted the log...
I don't know if you need anything else.
Thanks a lot for your hard work!
-
Hi jeffce
Do I have to scan again with MBAM or any other program?
Or maybe my PC is OK and I can have a party? :P
-
Hi jeffce, sorry, my fault, I didn't do the OTL scan... :-X
Here is the file...
thnx!
-
Here is the OTL.txt file, done just after rebooting from the fix in OTL...
I attached it because maybe it's different than if I had been using the PC for a while like before...
sry
-
Hi there darkmata,
I see that you are running more than I ask you to do. Please try to refrain from that as it may actually hinder our progress even though you have good intentions. So please only run the tools I ask you to. :)
--------
Seems like our fix hasn't taken yet. Sometimes we need to hit this infection several times before it breaks. I appreciate your patience. :)
--------
Run ERUNT again to make a new backup of your registry.
--------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
MOD - [2010/11/21 04:24:09 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\SiS300i.dll -- (co_mon)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
IE - HKCU\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKCU\..\SearchScopes,DefaultScope = {FD63BF63-BFFF-4B8F-9D26-4267DF7F17DD}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O2 - BHO: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell - "" = AutoRun
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
NetSvcs:[b]64bit:[/b] snoopfreesvc - C:\Windows\SysNative\bb-run.dll (Iomega)
[2012/03/12 13:33:01 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_log_ad13.cmd
[2012/03/02 12:54:55 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_log_trash.cmd
[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
:Files
C:\Windows\SysNative\SiS300i.dll
ipconfig /flushdns /c
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-
Hi jeffce,
Sorry for all the inconvenience... and absolutely thanks for your support! When I try to make a new backup, a pop-up message appears:
error saving file C:/windows/ERDNT/13-03-2012/BCD
continue with next file?
[ RegCreateKeyEX:5 - acces denied ]
I press Yes, and the same message appears but instead of BCD it changes to system, software, default, security, sam, ntuser.dat and UsrClass.dat.
And then it shows "OK your backup is done".
Now I'll try to run OTL, first the fix, then the scan.
thank you.
-
Hi Jeffce
This is the OTL report.
Thanks again.
-
Hi there darkmata,
I see that you are running more than I ask you to do. Please try to refrain from that as it may actually hinder our progress even though you have good intentions. So please only run the tools I ask you to. :)
--------
Hi jeffce, i've done that! ;)
-
Hi there jeffce,
Just wanted to know if the OTL file is correct? Or maybe I did something wrong, but I don't know what. I just did what you told me... and I ran the scan on the fresh reboot, nothing else.
Well, I'm sure you are still working on it, but maybe you need something else; if I can help you in any other way, just tell me.
Thanks.
-
Hi darkmata,
No everything is fine. I am clarifying something with Essexboy before we continue. Hang tight and I will return as quickly as I can. :)
-
OK, thanks to both of you for your kind help!
-
Hi darkmata,
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
MOD - [2010/11/21 04:24:09 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\SiS300i.dll -- (co_mon)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ufdsvc.dll -- (swupdtmr)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\USBCamera.dll -- (SlNtHal)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ati.dll -- (IFP700)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\networkx.dll -- (dmboot)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\U81xmdfl.dll -- (defragfs)
:Files
C:\Windows\SysNative\SiS300i.dll
C:\Windows\SysNative\ufdsvc.dll
C:\Windows\SysNative\USBCamera.dll
C:\Windows\SysNative\ati.dll
C:\Windows\SysNative\networkx.dll
C:\Windows\SysNative\U81xmdfl.dll
ipconfig /flushdns /c
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-
Hi jeffce,
here is the report.
thanks a lot!
-
Hi,
Download Combofix from any of the links below but rename it to svchost.exe before saving it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix)
==================================
Right-click and Run as Administrator on the renamed ComboFix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt so we can continue cleaning the system.
-
Hi jeffce,
No ComboFix.txt created, so sorry...
I don't know what's wrong...
Thanks again
-
Hi jeffce
I suppose MBAM starts at Windows startup; then sometimes I get the prompt message about C:\windows\assembly\tmp\U\00000001.@
and sometimes two more with different numbers like 800000c0.@ and 800000cb.@
I don't know if it helps...
-
Hi darkmata,
No need to say sorry. :)
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\mcmscsvc.dll -- (mfesmfk)
:Files
C:\Windows\SysNative\mcmscsvc.dll
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan. Place the following into the Custom Scans section
netsvc
/md5start
consrv.dll
mcmscsvc.dll
/md5stop
createrestorpoint
- Press Run Scan ( don't check the boxes beside LOP Check or Purity this time )
- Post a new OTL log
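The fix scripts above all target the same pattern: a run of Windows services whose DLLs sit in SysNative, are exactly 5,120 bytes, carry the identical 2009/07/14 02:39:46 timestamp and claim a vendor (Iomega) that has nothing to do with the service name, plus the "<8 hex digits>.@" files under assembly\tmp\U that darkmata's MBAM prompts are about. The script below is an added example written for this page, not one of the thread's tools and not part of OTL; it parses OTL-style SRV lines (layout taken from the lines quoted above) and clusters services that share one timestamp-and-size pair across different DLLs, which is the tell a helper would look for before writing a fix. The sample lines are constructed from the thread's entries plus one made-up benign service and benign path, and the ZeroAccess path patterns are limited to the two locations this thread names.

```python
"""Triage helper for OTL-style log lines (added example; not the thread's or OTL's own code)."""
import re
from collections import defaultdict

# OTL service line layout as quoted in the fix scripts above. The "[b]64bit:[/b]" marker is
# literal text that OTL writes into its forum-formatted logs, so the regex makes it optional.
SRV_RE = re.compile(
    r"^SRV(?::\[b\]64bit:\[/b\])? - "
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\) \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- "
    r"(?P<path>.+?) -- \((?P<svc>[^)]+)\)$"
)

# File locations this thread ties to ZeroAccess: the "<8 hex>.@" payloads under assembly\tmp\U
# and a consrv.dll planted in system32 (the FRST fixlist later in the thread names that file).
ZA_PATH_RE = re.compile(
    r"\\assembly\\tmp\\U\\[0-9a-f]{8}\.@|\\system32\\consrv\.dll", re.IGNORECASE
)

# Constructed sample: the six service entries from the fix script above, one made-up benign
# service (wuaueng.dll size/time are invented), the .@ files darkmata reported, and one benign path.
SAMPLE_LINES = [
    r"SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\SiS300i.dll -- (co_mon)",
    r"SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ufdsvc.dll -- (swupdtmr)",
    r"SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\USBCamera.dll -- (SlNtHal)",
    r"SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ati.dll -- (IFP700)",
    r"SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\networkx.dll -- (dmboot)",
    r"SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\U81xmdfl.dll -- (defragfs)",
    r"SRV:[b]64bit:[/b] - [2009/07/14 02:41:10 | 000,190,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wuaueng.dll -- (wuauserv)",
    r"C:\windows\assembly\tmp\U\00000001.@",
    r"C:\windows\assembly\tmp\U\800000c0.@",
    r"C:\Windows\system32\consrv.dll",
    r"C:\Windows\System32\kernel32.dll",
]


def parse_srv(line):
    """Return the fields of one OTL SRV line as a dict, or None if it is not a service entry."""
    m = SRV_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip() for k, v in m.groupdict().items()}
    rec["size"] = int(rec["size"].replace(",", ""))
    return rec


def find_cloned_services(lines):
    """Group service entries that share one timestamp and byte size but point at different DLLs.

    Genuine services almost never collide on both values; the bogus ones in this thread all did,
    so any cluster of two or more distinct DLLs deserves a human look before anything is removed.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_srv(line)
        if rec:
            groups[(rec["stamp"], rec["size"])].append(rec)
    clusters = []
    for recs in groups.values():
        if len({r["path"].lower() for r in recs}) >= 2:
            clusters.append(sorted(recs, key=lambda r: r["svc"].lower()))
    return clusters


def find_zeroaccess_paths(lines):
    """Return the lines whose path matches the ZeroAccess locations named in this thread."""
    return [line.strip() for line in lines if ZA_PATH_RE.search(line)]


def triage(lines):
    """One-shot summary of both checks, keyed the way a helper would read it."""
    return {
        "cloned_service_clusters": [[r["svc"] for r in c] for c in find_cloned_services(lines)],
        "zeroaccess_paths": find_zeroaccess_paths(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```

The clustering deliberately does not key on the vendor string or the 5,120-byte size alone: the second fix in this thread shows the same stub with an empty company field, and the size is simply whatever the dropper writes, so the stable signal is several services agreeing on timestamp and size while naming unrelated DLLs.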
-
Hi jeffce,
I assume that it has to be hard work to code/decode all this stuff, and I suppose how frustrating this could be sometimes; that's why I say sorry... ;)
But I know you can! :P
Better to take this with humor, isn't it?
OK, here is the OTL file.
-
LOL!! I actually have a lot of fun doing this and helping people. :)
- Please download Junction.zip (http://download.sysinternals.com/Files/Junction.zip) and save it to your desktop.
- Unzip it and extract junction.exe to your C:\ drive. So it appears as C:\junction.exe
- Next,
- Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.
@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0
- Save it to your desktop as File name: junc.bat
- Save as type: All Files
Next,
Double click junc.bat to run it. (accept any alerts) A log will be presented. Copy and paste or attach the content of the log in your next reply.
-
lol! nice to hear that!
OK, it gave me an error: could not find log.txt file, be sure that the file name is correct.
And behind that there is a cmd.exe window with "access denied" written...
thanks.
-
Also I have to say that if I try to extract the file directly to C: it gives an error:
C:\Users\Cure\Desktop\junction.zip could not create junction.exe acces denied
-
Hi darkmata,
Run a new scan with TDSSKiller and remove anything that it finds. Then post the logs that are made. :)
-
Hi jeffce
No threats found with TDSSKiller, here is the log.
Thanks
-
Hi darkmata,
This one is fighting LOL!! :D
--------
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
- Extract the contents of the zipped file to desktop.
- Right-click and Run as Administrator GMER.exe. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
(http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
----------
-
Hi jeffce,
I cannot check/uncheck the ones that you tell me because they appear unusable (greyed out); I can only check/uncheck Services, Registry, Files, the partitions, ADS and Show All.
Do I continue, and just uncheck the Show All one and the partition that is not C:?
-
Hi,
Yes, just be sure that Show All and C: are not checked. :)
-
Hi jeffce,
Yeah, this one is fighting! I usually play online FPS games and since I have this I'm always lagging like hell, but my ping to the server is just between 15 and 40 ms.. ???
Well, I don't know if it helps in any way, but...
here is the file.
thanks
-
Ok...
Reboot Your System in Safe Mode
- Restart the computer.
- As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
- Use the arrow keys to select the Safe mode menu item
- Press Enter.
Once in Safe Mode try to run a scan with ComboFix again. If the log is created please post that.
-
Hi jeffce,
No file created... :'( Same issue as always: not even able to close the ComboFix window, it disappears.... and 10 sec. later a blue screen with an error and dumping memory... :(
grrr...
thanks!
-
I have a .zip with the supposed virus files that Avast technical support asked me to make and send them; do you want it?
Thanks for all of your work!
-
Hi darkmata,
Sure go ahead and send that file and let's see what we have. :)
-
Hi jeffce,
I renamed it to .txt; I suppose that just changing it back to .zip will work.
thanks.
-
Hi,
Just attach the .zip file :)
-
I tried, but it tells me .zip is not a valid file to send here.
-
Upload it to mediafire.com found >> http://www.mediafire.com/
Post the link created so I can retrieve it.
-
Hi jeffce,
here it is:
http://www.mediafire.com/file/d9pprmzcz7r49sp/Virus.zip
thanks.
-
lol, I just put 2 files in there, now there are a lot!
-
Hi darkmata,
Run a new scan with aswMBR and post the new log so I can have a look at that. :)
-
Hi jeffce,
Sorry, I wasn't at the PC; here you are.
-
Hi darkmata,
Thank you. :)
Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
- Click the Scan button to start scan.
- When the scan finishes, press the Fix button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when it's done before you do anything else, then post the log that will be on your desktop.
(http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix-1.png) (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix.png)
Click the image to enlarge it
-
Here is the log
-
Ok good job...
Delete all copies of ComboFix then....
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
--------------------------------------------------------------------
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.
-
Hi jeffce,
Sad to say, but same as always....
-
Hi,
Ok let me do some digging and I will get back as soon as I can. :)
-
OK, thanks!
-
Hi,
For x64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select English as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select English as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst64 and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
here we go!
-
Hi darkmata,
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
SubSystems: [Windows] ==> ZeroAccess
C:\Windows\system32\consrv.dll
2 pinger; C:\Windows\System32\flashcom.dll [5120 2009-07-14] (Iomega)
C:\Windows\System32\flashcom.dll
3 MEMSWEEP2; \??\C:\Windows\system32\171F.tmp [x]
C:\Windows\system32\171F.tmp
2012-03-13 13:30 - 2012-03-14 20:41 - 0000000 __ASH C:\Windows\System32\dds_log_ad13.cmd
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
On Vista or Windows 7: Now please enter System Recovery Options.
Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ...
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
-
Hi jeffce,
here is the log :)
-
Hi,
LOL!! Great avatar pic!! hahahaha!! :D
----------
Ok....lets give this another shot and see what we can do.
Delete all copies of ComboFix from your system.
Next
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
--------------------------------------------------------------------
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.
-
LOL, uah, dark + dalmata.. ;D
Answering from the phone; ComboFix working for the first time..
::) ;D
-
Hi jeffce
Answering from the phone again. Now I cannot execute anything; I wanted to open Firefox to answer you but got an error:
Attempt at an illegal operation on a registry key that was marked for deletion; same with Explorer and everything else.... :-\
-
Just reboot your system. If it still happens after reboot, do it again. That should fix it. :)
-
Oh yeah!
;D ;D ;D
-
Oh yeah!! :D
That knocked it in the head.
Please run a new scan with OTL
In Custom Scans put the following:
netsvc
/md5start
consrv.dll
/md5stop
createrestorpoint
Press Run Scan and post the newly made log.
-
You are a MASTER 8)
here is the log
THAAANK YYOOUU!
-
Hi,
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
[2012/03/10 10:59:52 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{2EEA20C8-39EB-453B-9D2A-8D364CB105A9}
[2012/03/10 10:59:38 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{C0E6E625-AF36-4C80-9AAB-DB2FA7C924E2}
[2012/03/09 17:29:53 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{A9765B12-ABBD-438E-AB7B-9D486293A0EE}
[2012/03/09 17:29:42 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{18CCC289-B64F-4552-8E70-27B97944F5B6}
[2012/03/07 19:20:19 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{E793880A-BF52-4997-A09C-370B37BBE9AE}
[2012/03/07 19:20:09 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{09B93BFB-6E6A-43A4-A66E-5F76AFC729FD}
[2012/03/07 16:13:36 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{7F905CD3-AAB5-4A37-8A24-2AC8D8F817AD}
[2012/03/06 08:04:48 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{74CC19AC-6896-4BA1-9396-A559D12BC32D}
[2012/03/06 08:04:36 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{4C1CBED5-F790-4C25-B6F8-B18B6FCA6C67}
[2012/03/04 10:26:45 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{945A7F46-2F88-4270-B0E6-52D62C7340C4}
[2012/03/04 10:26:35 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{6C7A532A-90F1-42BD-AE1C-70CD1283CC2B}
[2012/03/03 10:18:10 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{30A9416E-2529-4370-A279-D433C35253B6}
[2012/03/03 10:17:59 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{761EF695-D1CC-4711-BB5E-4F01B1A39A9E}
[2012/03/02 07:21:40 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{6CB52A50-8ADD-4B4A-BB7F-91967E6FDDD6}
[2012/03/02 07:21:28 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{91FA6030-8D6C-466F-BE63-DE1318CD1AE6}
[2012/03/01 18:08:30 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{28A3D943-2D3A-4888-AEA8-DD98CB1FE89D}
[2012/03/01 18:08:20 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{71E9D2C3-BE6C-4C9F-A60E-48CC5CEF90AA}
[2012/03/01 17:25:16 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{EB3228DA-9CE5-40C7-84F9-6C6CD44AD946}
[2012/02/28 17:34:47 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{829ECCA7-2ADA-4783-BC5C-A5EB5C4D621B}
[2012/02/28 17:34:34 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{E7485E0E-ADF7-4B00-8F30-BA4225D3B326}
[2012/02/27 16:52:51 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{1E47C8D2-815C-40C5-97F9-778BD64C5416}
[2012/02/27 16:52:41 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{9392265D-C1CC-4F8C-B167-F4FBB986EC0B}
[2012/02/25 08:49:17 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{9270C156-3AD2-44AA-A38E-F9098F2B8C6B}
[2012/02/24 17:11:25 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{33611E4E-7732-42A7-9DFC-4686BABBA81C}
[2012/02/24 17:11:12 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{826047E8-2689-4EF4-8F77-C3EBF66F14F4}
[2012/02/23 21:34:17 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{814B6225-B0D6-437B-9605-AE179A0A3CA2}
[2012/02/23 21:34:06 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{406357EC-F76F-4CC8-BB80-C7646B0A6384}
[2012/02/22 15:01:12 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{CE10A3BB-70B5-42C2-8C8C-79637018083D}
[2012/02/21 07:37:14 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{39989B8B-C12F-4D51-8516-96007EF949B1}
[2012/02/21 07:37:02 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{271B9FEA-7BA1-4431-AF38-24C2DE79B8D8}
[2012/02/20 18:02:25 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{D82808C5-BCAC-4AEC-B24C-2D364DB0A15A}
[2012/02/19 19:12:02 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{8F5D34A4-B477-4E7B-9E1F-0D1ABE45A9B1}
[2012/02/19 19:11:51 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{7D66D353-F098-4FFE-9DE3-7F5CFE5D8702}
[2012/02/19 12:05:12 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{2E2FF5A0-18C2-4806-9986-E91812C0F0F1}
[2012/02/19 12:05:02 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{AD7B2EA4-D711-46FA-AF23-8F63654F4DA7}
[2012/02/18 10:44:46 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{4511EB5A-575B-4BB3-8276-3F530276C50D}
[2012/02/18 10:44:31 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{4F7DE1B5-BF02-4FEB-B992-EB7A81C8688E}
[2012/02/17 16:27:43 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{C6DA5B47-493C-4B47-A2B4-4C4C5E78ACCD}
[2012/02/17 16:27:27 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{C55B1E1A-B4D6-4C43-8C37-395853334083}
[2012/02/16 18:46:26 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{CDD4F407-0982-4D64-8D0E-99DA9DA85D0A}
[2012/02/16 18:46:15 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{0D757FCC-B815-49ED-AB8B-374111FD15E5}
[2012/02/15 08:04:40 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{F5239709-1D47-44DC-82C9-3B45F0EABC60}
[2012/02/15 08:04:28 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{0694624D-62A9-4E1C-9439-199A7DB96E19}
:Files
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)
- In Custom Scans please put the following:
netsvcs
/md5start
consrv.dll
/md5stop
createrestorepoint
- Press Run Scan and post the new log.
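The fix above deletes a run of GUID-named folders under C:\Users\Cure\AppData\Local that OTL reported as created in pairs a few seconds apart. As an added example, not from this thread and not part of OTL itself, the Python below parses lines in OTL's `[timestamp | size | attrs | C/M] -- path` format, pulls out GUID-named directories under a given parent, groups them into creation bursts so the pairing is visible, and re-emits a deduplicated `:OTL` section (entries pasted from several log sections often repeat). The sample input is five lines from the fix plus two constructed non-GUID lines; the 60-second burst window is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: five GUID-folder lines taken from the OTL fix above, plus
# two non-GUID lines (constructed) so the filter has something to reject.
SAMPLE_OTL_LINES = """\
[2012/03/10 10:59:52 | 000,000,000 | ---D | C] -- C:\\Users\\Cure\\AppData\\Local\\{2EEA20C8-39EB-453B-9D2A-8D364CB105A9}
[2012/03/10 10:59:38 | 000,000,000 | ---D | C] -- C:\\Users\\Cure\\AppData\\Local\\{C0E6E625-AF36-4C80-9AAB-DB2FA7C924E2}
[2012/03/09 17:29:53 | 000,000,000 | ---D | C] -- C:\\Users\\Cure\\AppData\\Local\\{A9765B12-ABBD-438E-AB7B-9D486293A0EE}
[2012/03/09 17:29:42 | 000,000,000 | ---D | C] -- C:\\Users\\Cure\\AppData\\Local\\{18CCC289-B64F-4552-8E70-27B97944F5B6}
[2012/02/25 08:49:17 | 000,000,000 | ---D | C] -- C:\\Users\\Cure\\AppData\\Local\\{9270C156-3AD2-44AA-A38E-F9098F2B8C6B}
[2012/02/25 08:49:17 | 000,000,000 | ---D | C] -- C:\\Users\\Cure\\AppData\\Local\\Temp
[2012/03/12 09:00:00 | 000,000,000 | ---- | C] -- C:\\Users\\Cure\\Desktop\\notaguid.txt
"""

# One OTL file/folder line: [when | size | attrs | C(reated)/M(odified)] -- path
OTL_LINE = re.compile(
    r"^\[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] -- (?P<path>.+?)\s*$"
)
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass(frozen=True)
class OtlEntry:
    when: datetime
    size: int
    attrs: str   # OTL attribute flags; 'D' marks a directory
    kind: str    # C = created, M = modified
    path: str

    @property
    def is_dir(self):
        return "D" in self.attrs

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self):
        return self.path.rsplit("\\", 1)[0]


def parse_otl_lines(text):
    """Parse OTL-format lines; anything that does not match is ignored."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        entries.append(OtlEntry(
            when=datetime.strptime(m["when"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"], kind=m["kind"], path=m["path"]))
    return entries


def guid_dirs_under(entries, parent):
    """Directories whose name is a bare GUID and whose parent folder matches."""
    parent = parent.rstrip("\\").lower()
    return [e for e in entries
            if e.is_dir and e.parent.lower() == parent and GUID_NAME.match(e.name)]


def cluster_by_time(entries, window_seconds=60):
    """Group entries created within `window_seconds` of the previous one (assumed window)."""
    clusters = []
    for e in sorted(entries, key=lambda x: x.when):
        if clusters and e.when - clusters[-1][-1].when <= timedelta(seconds=window_seconds):
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def render_otl_section(entries):
    """Emit a deduplicated :OTL section, newest first, in OTL's own line format."""
    seen, lines = set(), [":OTL"]
    for e in sorted(entries, key=lambda x: x.when, reverse=True):
        if e.path.lower() in seen:
            continue
        seen.add(e.path.lower())
        lines.append(f"[{e.when:%Y/%m/%d %H:%M:%S} | {e.size:011,} | {e.attrs} | {e.kind}] -- {e.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = guid_dirs_under(parse_otl_lines(SAMPLE_OTL_LINES), r"C:\Users\Cure\AppData\Local")
    for burst in cluster_by_time(found):
        print(f"{len(burst)} folder(s) created around {burst[0].when}:")
        for e in burst:
            print("   ", e.name)
    print(render_otl_section(found))
```

Feed it a full OTL.txt instead of the sample and the burst view shows whether the GUID folders appear alone or in the paired pattern seen here; the rendered section can be pasted straight into OTL's Custom Scans/Fixes box.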
-
Hi jeffce
here is the log
-
Forget the one before, I didn't do the scan.
I'll do it now, sorry.
-
here we go!
-
Hi,
Looking better now. :)
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------
ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan
Note: It is recommended to disable your on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
- Do not use this instance of your browser for anything besides doing this scan
- When the scan is complete and the results saved, close that instance of your browser
- Open a new one the usual way and post the results in this topic.
- Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
- Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
- Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
- Click the Start button.
- Accept any security warnings from your browser.
- Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
- Make sure that the option "Remove found threats" is Unchecked
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
- Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
- Push the Back button.
- Push Finish
----------
In your next reply please post the logs created by Malwarebytes and ESET online scanner.
-
LOL! yes it takes a little time...almost an hour :)
here are the logs
thanks
-
LOOL ;D
-
Hi,
Yep ESET can take some time but it is thorough.
Those logs look good. How is your system running now? :)
-
Looks great, crystal clear!
-
I'm not being redirected to any websites.
I don't get any alert messages when I use anything with Java.
Later I'll try gaming to see if it still has the connection breaks and lags.
So, that's ready to flow?
-
Good to hear....let's get some updates and one more look at your system.
Please download JavaRa (http://raproducts.org/click/click.php?id=1) to your desktop and unzip it to its own folder.
- Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
- Accept any prompts.
- Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
- Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
----------
Run another scan with OTL and post the new log.
Let me know what malware related problems you have left. :)
-
Hi jeffce
here is the report
How does it look, Doc? :)
-
Hi darkmata,
Providing there are no other malware related problems...
IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D
This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)
(http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg)
----------
Clean up with OTL:
- Right-click and Run as Administrator OTL.exe to start the program.
- Close all other programs apart from OTL as this step will require a reboot
- On the OTL main screen, press the CLEANUP button
- Say Yes to the prompt and then allow the program to reboot your computer.
----------
Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.
Here are some tips to reduce the potential for spyware infection in the future:
1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
- Open Internet Explorer
- Click on Tools > Internet Options
- Press Security tab
- Select Internet zone then place check next to Enable Protected Mode if not already done
- Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
- Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.
4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)
5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.
6. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm)
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
7. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.
8. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
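Item 6 above recommends a custom hosts file and notes that hijackers also abuse it. As an added check that is not part of the post (example code, not MVPS's or any vendor's tool), the Python below parses a hosts file and flags two things: a hostname that points anywhere other than a local sink (0.0.0.0, 127.0.0.1 or ::1), which is how a tampered hosts file redirects you, and any entry, sunk or not, that overrides an update or security-vendor domain, because blackholing those silently stops Windows Update and signature downloads. The sample hosts file, the watched-domain list and the Windows hosts path are assumptions made for illustration; the sample uses a documentation address (198.51.100.7) that is never routed.

```python
import ipaddress
from dataclasses import dataclass
from pathlib import Path

# Constructed sample hosts file: two normal blocking entries, one blackholed
# update host, two hijack-style redirects, and one malformed line.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS HOSTS file
127.0.0.1      localhost
::1            localhost
0.0.0.0        ad.doubleclick.net            # ordinary blocking entry
0.0.0.0        windowsupdate.microsoft.com   # blackholed update host
198.51.100.7   www.avast.com www.malwarebytes.org
198.51.100.7   www.example-bank.test
this is not a valid hosts line
"""

# Domains a hosts file should never touch. Sunk locally they silently stop
# updates and signature downloads; pointed elsewhere they are a redirect.
# Assumed list for illustration; extend it for the vendors you actually use.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avast.com", "malwarebytes.org")

# Default location of the hosts file on Windows (assumed; adjust if %SystemRoot% differs).
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")


@dataclass
class HostsEntry:
    lineno: int
    ip: object       # ipaddress.IPv4Address or IPv6Address
    hostnames: list


def parse_hosts(text):
    """Return (entries, bad_lines). Comments and blank lines are skipped."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            bad.append((lineno, raw))
            continue
        if len(parts) < 2:
            bad.append((lineno, raw))
            continue
        entries.append(HostsEntry(lineno, ip, [h.lower().rstrip(".") for h in parts[1:]]))
    return entries, bad


def is_local_sink(ip):
    # 0.0.0.0 (unspecified) and 127.0.0.1 / ::1 (loopback) are the only targets
    # a blocking hosts file should use; anything else sends traffic somewhere.
    return ip.is_unspecified or ip.is_loopback


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(entries):
    """One finding per hostname with the reasons it was flagged."""
    findings = []
    for e in entries:
        for host in e.hostnames:
            reasons = []
            if not is_local_sink(e.ip):
                reasons.append("non_local_target")   # a redirect: verify it is yours
            if is_watched(host):
                reasons.append("watched_domain")     # update/AV domain overridden
            if reasons:
                findings.append({"line": e.lineno, "host": host, "ip": str(e.ip), "reasons": reasons})
    return findings


def audit_file(path=WINDOWS_HOSTS):
    """Audit the real hosts file if present, otherwise the constructed sample."""
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    entries, bad = parse_hosts(text)
    return audit_hosts(entries), bad


if __name__ == "__main__":
    findings, bad = audit_file()
    for f in findings:
        print(f"line {f['line']}: {f['host']} -> {f['ip']}  [{', '.join(f['reasons'])}]")
    for lineno, raw in bad:
        print(f"line {lineno}: unparsable: {raw!r}")
```

Run it before and after installing the MVPS file: a clean blocking list produces no `non_local_target` findings, and a `watched_domain` hit on an update host explains an Avast or Windows Update that suddenly cannot fetch anything.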
-
Hi jeffce, I've done it all, but I never use Internet Explorer, always Firefox. Shall I do it as well?
So I'll now try to install the AV I got from Avast! and let's see what happens.
More questions: :)
Can I hide all the files and so on..?
Do I have to have Avast! Internet Security and MBAM as well (I mean Pro)?
And where do I have to send the bottle of wine? 8)
Thanks and good job!
-
Hi darkmata,
You should always keep Internet Explorer up-to-date because that is the browser that Windows uses to perform all its updates by default.
----------
I do run both Avast and MBAM Pro at the same time myself so I would recommend it. :)
----------
I hope that answered your questions. :)
-
Hi jeffce!
Just wanted to let you know that my system is now running smooth as silk...lol
thanks so much again!
-
Hi darkmata,
You are more than welcome! I am glad I could help. :)