Solved: HELP: Google re-direct virus! Cant get rid of!

Cat080889
Member with 41 posts.
THREAD STARTER
 
Join Date: Jun 2006
Experience: Intermediate
04-Apr-2012, 05:08 AM #1
Hi everyone,

I desperately need some help. I have a Google re-direct virus which keeps re-directing my Google and Yahoo to random internet sites. It is also blocking my antiviruses from working. Originally I had Avira but the virus switched it off so I downloaded MalwareBytes but that is also now malfunctioning. My Windows Defender has also been switched off and I have had no luck switching it back on. I have also tried SpyBot, AVG and Ad-Aware but nothing seems to get rid of this thing.

I have attached my hijack log and my gmer results. The DDS program would start running but wouldn't end. I left it for an hour or two before closing. I also tried running it in safe mode with no luck.

Any help would be greatly appreciated. I am not a whiz at computers but I will try my best.

Thanks,
Catherine

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:51:57 PM, on 4/04/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Cat\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.monash.edu.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Do-Not-Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [Ad-Aware Antivirus] "C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Cat\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converte r.htm
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: AVG Do-Not-Track - {DA58ACA7-18A6-403A-93DA-6E4172D43709} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Ad-Aware (SBAMSvc) - Sunbelt Software - C:\Program Files\Ad-Aware Antivirus\Engine\SBAMSvc.exe

--
End of file - 6004 bytes

GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-04 19:57:33
Windows 6.1.7601 Service Pack 1
Running: 1i8osb95.exe; Driver: C:\Users\Cat\AppData\Local\Temp\uwldqpow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\cbc739cc2eb472246906fff2a2d14976\Usage@Main 1082392882

---- EOF - GMER 1.0.15 ----

Cat080889
05-Apr-2012, 08:45 PM #2
Bump.

Please help!

Cat080889
08-Apr-2012, 05:25 AM #3
Bump

Satchfan
Satchfan is authorized to help remove malware.
Malware Removal Specialist with 579 posts.
 
Join Date: Jan 2009
Location: Devon, UK
08-Apr-2012, 09:19 AM #4
Hello Cat080889 and welcome to the TSG forum.


My name is Satchfan and I would be glad to help you with your computer problem. Please read the following guidelines which will help to make cleaning your machine easier:
  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
IMPORTANT:

Please do not install/uninstall any programs unless asked to.
Please do not run any scans other than those requested

I'm looking at your log now and will reply with instructions shortly.

Satchfan

Satchfan
08-Apr-2012, 09:45 AM #5
Hello again Cat080889

Running multiple antivirus programs

You can not run two real-time antiviruses at the same time. Although many have different methods of searching for and recognising threats, they will all be 'fighting' in memory to kick each other out, rendering them all ineffective.



Uninstall either Ad-Aware or AVG.
  • click on Start, Control Panel
  • under Programs, click Uninstall a Program (it may take time for the list to appear, so be patient)
  • scroll down the list and look for the program you are uninstalling, click on it and then on Remove.
===================================================

Spybot TeaTimer



Please disable this program and leave it disabled until we are done as it can interfere with some of the tools we use.
  • launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • on the left hand side, click on Tools, then click on the Resident Icon in the list.
  • uncheck the Resident TeaTimer (Protection of overall system settings) active box.
  • click on the System Startup icon in the List
  • uncheck the "TeaTimer" box and click OK at any prompts.
  • if Teatimer gives you a warning that changes were made, click Allow Change when prompted.
  • exit Spybot S&D.
(When we are finished, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup).

===================================================

Run DDS

Please download DDS by sUBs from one of the following links and save it to your desktop.
DDS.scr
DDS.pif
  • disable any script blocking protection (How to Disable your Security Programs)
  • double click DDS icon to run the tool (may take up to 3 minutes to run)
  • when done, DDS.txt will open.
  • after a few moments, attach.txt will open in a second window.
  • save both reports to your desktop.
Post the contents of the DDS.txt and Attach.txt reports in your next reply

===================================================



Run aswMBR
  • download aswMBR.exe to your desktop
  • double click the aswMBR.exe to run it
  • click the "Scan" button to start the scan
On completion of the scan click save log, save it to your desktop and post in your next reply

===================================================

Run Farbar Service Scanner



Please download Farbar Service Scanner
  • make sure "Include All Files" option remains checked
  • press Scan
  • it will create a log (FSS.txt) in the same directory the tool is run
  • please copy and paste the log to your reply.
Logs to include in the next post:

DDS.txt
Attach.txt
aswMBR.txt
FSS.txt

Satchfan

Last edited by Satchfan; 08-Apr-2012 at 09:54 AM.

Cat080889
08-Apr-2012, 08:01 PM #6
Hi Satchfan,

Thank you for taking my case. I have deleted Ad-Aware and also disabled my Spybot TeaTimer. However, the DDS program still won't work on my computer. I have tried uninstalling and downloading a new one from a different link but I still have the same problem. It will start and get about 3/4 of the way through and then freeze after about 2 hours.

The aswMBR program ALSO won't work. I've tried clicking on it and also running it as administrator but nothing happens. I am not sure if it is the virus disabling these programs?

The FSS scanner did work:
Farbar Service Scanner Version: 01-03-2012
Ran by Cat (administrator) on 09-04-2012 at 10:20:39
Running from "C:\Users\Cat\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****


Is there anything I can try to make DDS and aswMBR work?

Thanks

Satchfan
09-Apr-2012, 03:23 AM #7
Run this and then try running DDS and aswMBR again.

Download/run Rkill:

Please download Rkill from one of the following links and save to your Desktop:
Link One
Link Two
Link Three
Link Four
  • double click on Rkill.
  • a command window will open then disappear upon completion, this is normal.
  • please leave Rkill on the Desktop until otherwise advised.
Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.

You may have to make repeated attempts to use Rkill several times before it will run as some malware variants try to block it.

You'll be able to tell when rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

Do not reboot your computer after running rkill as the malware programs will start again.

===================================================

If it still won't work, try running DDS and aswMBR in safe mode.


To Enter Safemode
  • go to Start> Shut off your Computer> Restart
  • as the computer starts to boot-up, Tap the F8 KEY - this will bring up a menu.
  • use the Up and Down Arrow Keys to scroll up to Safemode
  • then press Enter on your keyboard
Satchfan

Cat080889
09-Apr-2012, 07:08 AM #8
Still no luck...

I ran rkill in normal mode and it seemed to work ok until I received an error "this process cannot access the file as it is being used by another process". This came up around 50 times. I also tried running rkill in safemode but received the same message.

I tried running DDS and aswMBR also in safe mode but again no luck. DDS keeps getting stuck around the 3/4 mark and aswMBR doesn't open at all...

Satchfan
09-Apr-2012, 07:23 AM #9
Let's try this, preferably in normal mode.

Run RogueKiller

Note: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run roguekiller again


Download RogueKiller to your desktop.
  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when prompted, type 1 and press Enter
  • the RKreport.txt will be generated next to the executable, (on the desktop).
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Remember: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run roguekiller again

Satchfan

Cat080889
10-Apr-2012, 05:29 AM #10
The program ran but it never asked me to type "1". Here are the contents of the log:

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User: Cat [Admin rights]
Mode: Scan -- Date: 04/10/2012 20:24:41

§§§ Bad processes: 1 §§§
[BLACKLIST] d3d10_1.dll -- C:\Windows\system32\d3d10_1.dll -> UNLOADED

§§§ Registry Entries: 5 §§§
[SUSP PATH] {0D94D661-C06F-4B96-8E14-CF8F0100744B}.job @ : C:\Users\Cat\Desktop\aswMBR.exe -> FOUND
[SUSP PATH] {2EA8D0C5-1C08-4D02-90B8-133B1C2E40D4}.job @ : C:\Users\Cat\Desktop\aswMBR.exe -> FOUND
[SUSP PATH] {36C674E5-C4F7-4A24-859C-DFC533AC522B}.job @ : C:\Users\Cat\Desktop\aswMBR.exe -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

§§§ Particular Files / Folders: §§§

§§§ Driver: [LOADED] §§§
SSDT[172] : NtNotifyChangeKey @ 0x82C4FED5 -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC9004)
SSDT[173] : NtNotifyChangeMultipleKeys @ 0x82C4EFF7 -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC90D4)
SSDT[190] : NtOpenProcess @ 0x82C67AA0 -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC8D76)
SSDT[370] : NtTerminateProcess @ 0x82CB0B8D -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC8E1E)
SSDT[371] : NtTerminateThread @ 0x82CCE504 -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC8EBA)
SSDT[399] : NtWriteVirtualMemory @ 0x82CB58EA -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC8F56)
S_SSDT[402] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC959E)
S_SSDT[434] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC950A)
S_SSDT[436] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC954A)
S_SSDT[585] : Unknown -> HOOKED (\SystemRoot\system32\DRIVERS\avgidsshimx.sys @ 0x95DC949C)

§§§ Infection : Root.MBR §§§

§§§ HOSTS File: §§§
[...]


§§§ MBR Check: §§§

+++++ PhysicalDrive0: ST3160812A ATA Device +++++
--- User ---
[MBR] 23190ff59b6f1b5ae9ee965441c2a6c4
[BSP] 1b3a2d639452e44147fe79a66d7bd11e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 68cc212a758a2e172b68fb30f0b88e64
[BSP] 1b3a2d639452e44147fe79a66d7bd11e : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 312560640 | Size: 10 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt
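
The MBR Check at the end of the RogueKiller report above prints two views of sector 0, User and LL2, and marks them as different (User != LL2 ... KO!). As an added example, not part of the thread and not RogueKiller's own code, the Python below parses the four-entry partition table of a classic MBR sector and lists what differs between two reads of it. The two sample sectors are constructed to mirror the partition values shown in the report (sector counts are derived from the sizes printed there), and all function and finding names are illustrative.

```python
import struct

SECTOR = 512
PT_OFFSET = 446                     # partition table offset in a classic MBR
# One 16-byte entry: status, CHS start (skipped), type, CHS end (skipped),
# LBA of first sector, sector count.
ENTRY = struct.Struct("<B3xB3xII")
# "Hidden" variants of the FAT/NTFS partition type IDs (0x17 = hidden NTFS).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(sector):
    """Return the non-empty partition entries of one 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for idx in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, PT_OFFSET + 16 * idx)
        if ptype == 0x00:           # unused slot
            continue
        parts.append({
            "index": idx,
            "active": status == 0x80,
            "type": ptype,
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba,
            "sectors": count,
            "size_mib": count * SECTOR // 2**20,
        })
    return parts


def compare_views(user_sector, low_sector):
    """Diff the normal (user) read of sector 0 against a low-level read."""
    findings = []
    if user_sector != low_sector:
        findings.append(("sector-mismatch", None))
    user = {p["index"]: p for p in parse_mbr(user_sector)}
    low = {p["index"]: p for p in parse_mbr(low_sector)}
    for idx in sorted(set(user) | set(low)):
        u, l = user.get(idx), low.get(idx)
        if u is None:
            findings.append(("only-in-low-level", idx))   # entry masked from the OS view
        elif l is None:
            findings.append(("only-in-user", idx))
        elif u != l:
            findings.append(("entry-differs", idx))
        if l is not None and l["active"] and l["hidden"]:
            findings.append(("active-hidden", idx))       # boot flag on a hidden-type partition
    return findings


def build_mbr(entries):
    """Build a constructed test sector from (active, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR)
    for idx, (active, ptype, lba, count) in enumerate(entries):
        ENTRY.pack_into(sector, PT_OFFSET + 16 * idx, 0x80 if active else 0x00, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples mirroring the report: 152617 MiB and 10 MiB at 512-byte sectors.
USER_VIEW = build_mbr([(True, 0x07, 63, 152617 * 2048)])
LOW_VIEW = build_mbr([(False, 0x07, 63, 152617 * 2048),
                      (True, 0x17, 312560640, 10 * 2048)])

if __name__ == "__main__":
    for part in parse_mbr(LOW_VIEW):
        print(part)
    for kind, idx in compare_views(USER_VIEW, LOW_VIEW):
        print(kind, idx)
```

On a real machine the two inputs would be the first 512 bytes of the disk as returned by the running system and the same sector read from outside it, for example from a rescue environment.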

Satchfan
10-Apr-2012, 07:08 AM #11
At least that ran but it doesn't show good news I'm afraid.

Can you try running aswMBR again?

If that doesn't work, do the following:

Run TDSSKiller


Please download TDSSKiller.zip
  • extract it to your desktop
  • double click TDSSKiller.exe
  • press Start Scan
  • only if Malicious objects are found then ensure Cure is selected. Do not change it to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.
  • click Continue > Reboot now
  • copy and paste the log in your next reply
  • a copy of the log will be saved automatically to the root of the drive (typically C:\) called TDSSKiller_*** (*** denotes version & date)
Satchfan

Cat080889
10-Apr-2012, 07:24 AM #12
Again no luck

aswMBR still won't open and neither will the TDSSKiller.exe

Did you want me to try running TDSSKiller in safe mode?

Thanks

Satchfan
10-Apr-2012, 07:29 AM #13
Yes please

Cat080889
10-Apr-2012, 07:46 AM #14
Again no luck. The same thing happens to both tdsskiller and aswMBR. They both ask if I want to run this program and I click yes and then nothing happens!

Satchfan
10-Apr-2012, 09:10 AM #15
We're not doing well here - this thing is a real nuisance.

We'll try another but if this doesn't run normally I'll give you instructions to run it differently.

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2
**Note: It is important that it is saved directly to your desktop**


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • double click on ComboFix.exe & follow the prompts
  • when finished, it will produce a report for you.
  • please post the C:\ComboFix.txt for further review.
Satchfan