Author Topic: DEVASTATION!  (Read 12874 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: DEVASTATION!
« Reply #15 on: June 17, 2011, 06:41:00 PM »
Let me know if there are any problems after this run

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-4149854431-98036347-1619213294-1001\] > -> HKEY_USERS\S-1-5-21-4149854431-98036347-1619213294-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\AutoRun\command ->
YN -> \{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.hta]
[Files/Folders - Modified Within 30 Days]
NY ->  Xwhh.job -> C:\Windows\tasks\Xwhh.job
[Files - No Company Name]
NY ->  Xwhh.job -> C:\Windows\tasks\Xwhh.job
NY ->  jbVCOnAtBW3OI.vbs -> C:\Users\yiannis\AppData\Roaming\jbVCOnAtBW3OI.vbs
NY ->  EWdIz4w.vbs -> C:\Users\yiannis\AppData\Roaming\EWdIz4w.vbs
NY ->  9bfPeGEvV9a4oCd.vbs -> C:\Users\yiannis\AppData\Roaming\9bfPeGEvV9a4oCd.vbs
NY ->  3Nx0EFJcDjB5Z.vbs -> C:\Users\yiannis\AppData\Roaming\3Nx0EFJcDjB5Z.vbs
NY ->  m6t5X4g.vbs -> C:\Users\yiannis\AppData\Roaming\m6t5X4g.vbs
[File - Lop Check]
NY ->  Xwhh.job -> C:\Windows\Tasks\Xwhh.job
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
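As an added defender-side example (not from the thread and not part of the OTS tool), the following PowerShell audits the same per-user MountPoints2 location that the fix above cleans, listing every per-volume shell verb that has a command attached and flagging the RunDLL32/ShellExec_RunDLL-to-script pattern seen in the log (G:\Start.hta). It is read-only: it reports and deletes nothing. The registry path and the "suspicious" pattern are the only assumptions.

```powershell
# Added example: enumerate MountPoints2 AutoRun handlers (read-only audit).
# Path assumed from the OTS log in this thread.
$root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-MountPointAutoRun {
    param([string]$Path = $root)
    if (-not (Test-Path $Path)) { return @() }
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $volumeKey = $_
        $shellPath = Join-Path $volumeKey.PSPath 'shell'
        if (-not (Test-Path $shellPath)) { return }   # no shell verbs on this volume
        # The (default) value of "shell" names the verb Explorer runs on double-click;
        # the infected entry above set it to "AutoRun".
        $defaultVerb = (Get-ItemProperty -Path $shellPath -ErrorAction SilentlyContinue).'(default)'
        Get-ChildItem -Path $shellPath -ErrorAction SilentlyContinue | ForEach-Object {
            $cmdPath = Join-Path $_.PSPath 'command'
            if (-not (Test-Path $cmdPath)) { return }
            $cmd = (Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Volume      = $volumeKey.PSChildName   # {GUID} of the mounted volume
                Verb        = $_.PSChildName           # e.g. AutoRun
                DefaultVerb = $defaultVerb
                Command     = $cmd
                # Heuristic (assumption): a verb that launches a script file via
                # ShellExec_RunDLL, as in the thread's G:\Start.hta entry, is worth review.
                Suspicious  = [bool]($cmd -match 'ShellExec_RunDLL|\.(hta|vbs|js|cmd|bat)\b')
            }
        }
    }
}

# Report all handlers; review anything marked Suspicious before removing it.
Get-MountPointAutoRun | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a clean machine most volumes have no shell subkey at all, so an empty table is the expected result.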

tanzanos

  • Guest
Re: DEVASTATION!
« Reply #16 on: June 17, 2011, 06:48:38 PM »
Here it is and thanks for your help:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-4149854431-98036347-1619213294-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-21-4149854431-98036347-1619213294-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\AutoRun\command\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\AutoRun\command not found.
[Files/Folders - Modified Within 30 Days]
C:\Windows\tasks\Xwhh.job moved successfully.
[Files - No Company Name]
File C:\Windows\tasks\Xwhh.job not found!
C:\Users\yiannis\AppData\Roaming\jbVCOnAtBW3OI.vbs moved successfully.
C:\Users\yiannis\AppData\Roaming\EWdIz4w.vbs moved successfully.
C:\Users\yiannis\AppData\Roaming\9bfPeGEvV9a4oCd.vbs moved successfully.
C:\Users\yiannis\AppData\Roaming\3Nx0EFJcDjB5Z.vbs moved successfully.
C:\Users\yiannis\AppData\Roaming\m6t5X4g.vbs moved successfully.
[File - Lop Check]
File C:\Windows\Tasks\Xwhh.job not found!
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\yiannis\Desktop\cmd.bat deleted successfully.
C:\Users\yiannis\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]
 
 
User: All Users

tanzanos

  • Guest
Re: DEVASTATION!
« Reply #17 on: June 17, 2011, 06:53:38 PM »
OH! OH! Security center still turns off. If I instruct it to turn on it refuses and the only way to turn it on is through services but it reverts back to disable after about a minute.

Offline essexboy

Re: DEVASTATION!
« Reply #18 on: June 17, 2011, 06:55:48 PM »
OK phase two now -

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

tanzanos

  • Guest
Re: DEVASTATION!
« Reply #19 on: June 17, 2011, 07:09:47 PM »
I disabled Avast but combofix keeps telling me that it is still active??? I disabled avast from the start menu and rebooted and although avast is not running combo insists it is?????

Offline essexboy

Re: DEVASTATION!
« Reply #20 on: June 17, 2011, 07:11:55 PM »
Right click the orange blob, select shield control, disable for one hour and then run Combofix and ignore the warnings.  Do not let Avast sandbox any files during the run

tanzanos

  • Guest
Re: DEVASTATION!
« Reply #21 on: June 17, 2011, 10:33:56 PM »
Combo completed and made a log file. But the two problems still persist: security center disables and my browsers keep redirecting me to various shoddy sites?

Offline essexboy

Re: DEVASTATION!
« Reply #22 on: June 17, 2011, 11:54:17 PM »
Could you post the log please, as ComboFix does not recognise all malware.

tanzanos

  • Guest
Re: DEVASTATION!
« Reply #23 on: June 18, 2011, 07:15:09 AM »
This must be some nasty bug! I hope you can help me get rid of it :'( I also included the Spybot log, but in previous logs it found: Babylon toolbar, and 2 registry entries that disable the security center, and Funwebproducts.
« Last Edit: June 18, 2011, 07:17:27 AM by tanzanos »

Offline essexboy

Re: DEVASTATION!
« Reply #24 on: June 18, 2011, 03:42:16 PM »
OK, now thinking MBR infection, more specifically volsnap - but let's see.

Download aswMBR.exe ( 567KB ) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.


tanzanos

  • Guest
Re: DEVASTATION!
« Reply #25 on: June 18, 2011, 06:05:48 PM »
Hope a solution can be found. I appreciate immensely your help. Also the Avast icon keeps disappearing from the toolbar and both my web browsers keep redirecting me to various sites like UNIBLUE, Casinos etc.

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-18 19:00:40
-----------------------------
19:00:40.428    OS Version: Windows x64 6.1.7601 Service Pack 1
19:00:40.428    Number of processors: 8 586 0x1A04
19:00:40.428    ComputerName: YIANNIS-PC  UserName: yiannis
19:00:41.130    AVAST engine 6.0.1125 defs: 11061800
19:00:41.130    Initialize success
19:00:44.500    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
19:00:44.500    Disk 0 Vendor: WDC_WD6400AAKS-22A7B2 01.03B01 Size: 610480MB BusType: 3
19:00:44.516    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-7
19:00:44.516    Disk 1 Vendor: WDC_WD6400AAKS-22A7B2 01.03B01 Size: 610480MB BusType: 3
19:00:44.531    Disk 0 MBR read successfully
19:00:44.531    Disk 0 MBR scan
19:00:44.531    Disk 0 Windows 7 default MBR code
19:00:44.531    Service scanning
19:00:45.623    Disk 0 trace - called modules:
19:00:45.623    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80055b12c0]<<
19:00:45.623    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065b5790]
19:00:45.623    3 CLASSPNP.SYS[fffff8800167243f] -> nt!IofCallDriver -> [0xfffffa8006396520]
19:00:45.623    5 ACPI.sys[fffff88000f067a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa800637e680]
19:00:45.623    \Driver\atapi[0xfffffa8006343730] -> IRP_MJ_CREATE -> 0xfffffa80055b12c0
19:00:45.639    AVAST engine scan C:\Windows\system32
19:01:47.805    Scan finished successfully
19:01:55.979    Disk 0 MBR has been saved successfully to "C:\Users\yiannis\Desktop\MBR.dat"
19:01:55.979    The log file has been saved successfully to "C:\Users\yiannis\Desktop\aswMBR.txt"
« Last Edit: June 18, 2011, 06:07:56 PM by tanzanos »

Offline essexboy

Re: DEVASTATION!
« Reply #26 on: June 18, 2011, 06:18:30 PM »
Yep the unknown is there, this may not run - so could you let me know as I have a reserve tool if needed 

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

tanzanos

  • Guest
Re: DEVASTATION!
« Reply #27 on: June 18, 2011, 06:32:41 PM »
It found nothing? The Security centre is still being disabled and I still have this very annoying redirecting bug in my browsers. See attached report.
Once again thank you for your assistance.

Offline essexboy

Re: DEVASTATION!
« Reply #28 on: June 18, 2011, 06:39:53 PM »
Are the redirects in Firefox, IE or both ?

Also does anyone else using your router experience the same problem ?

Download Dr Web from here. Fill in the small form and download.

It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run it.
Accept the enhanced version.
Then run the quick scan.
About halfway through you will be prompted to buy - just X the box closed.
Once finished it will generate a log; please attach that.

tanzanos

  • Guest
Re: DEVASTATION!
« Reply #29 on: June 18, 2011, 07:50:17 PM »
Both browsers.

DRWeb reported after scanning that viruses were found. I have attached the report.