botnet/sinkhole warning letter

Viruses and worms
1

i got a letter from my isp saying i might have a downadupworm on my home network i have malwarebytes ,crap cleaner and avast and can find nothing on desktop/laptop etc.
i even ran programs they suggested to try but found nothing,they also stated to check with my anti-virus provider for more info,desktop and laptop both run xp,other desktop runs w7.
could they mistake filezilla an ftp as such?
thanks .

2

what is it they see that make them think you have this?

for computer check, follow instructions https://forum.avast.com/index.php?topic=53253.0
attach Malwarebytes / Farbar recovery scan / aswMBR logs

3

Whenever your ISP is right you could have been infested by the quickly ever mutating Conficker contacting approx. 250 domains and the detection algorithm is known. Whenever you were into P2P-ing there is a chance you could be part of this malbot network.
Provide our qualified removers with the necessary logs like Pondus told you in this thread and they might establish you are likely infested,

polonus

4

ok so now need to do on all pcs and laptops,what about nas drive storing movies?
hopefully here is what you want thanks.

5

Essexboy is notified … check back later today

6

laptop xp.

7

This is for the PC

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {0425ca6c-9f77-11e0-b36b-003018ae6425} - G:\AutoRun.exe HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {3961571c-f29b-11df-b255-003018ae6425} - G:\AutoRun.exe HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {39615720-f29b-11df-b255-003018ae6425} - G:\AutoRun.exe HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {3ee19364-bb73-11e0-b39e-003018ae6425} - G:\AutoRun.exe HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {3ee19366-bb73-11e0-b39e-003018ae6425} - G:\AutoRun.exe HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {5492bcfc-9c44-11e1-b511-003018ae6425} - G:\AutoRun.exe HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {56f210d8-cb1b-11e0-b3bf-003018ae6425} - G:\AutoRun.exe HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {6d340416-3ccd-11de-b2ec-e3353cfbacbc} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL a.net HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {ac0c8864-8400-11de-b056-003018ae6425} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL a.net HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {affe7aa2-0570-11e0-b27a-003018ae6425} - G:\AutoRun.exe HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {db581bd8-f443-11df-b259-003018ae6425} - G:\AutoRun.exe HKU\S-1-5-21-507921405-1417001333-839522115-1003\...\MountPoints2: {db581bdc-f443-11df-b259-003018ae6425} - G:\AutoRun.exe Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\MyPC Backup.lnk ShortcutTarget: MyPC Backup.lnk -> C:\Program Files\MyPC Backup\MyPC Backup.exe (MyPCBackup.com) SearchScopes: HKCU - {F50B5A07-5A00-40D4-822F-D5DF3F5A4CC5} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1561552&CUI=UN37995917333227557&UM=1 Toolbar: HKLM - No Name - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File Toolbar: HKLM - No Name - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - No File Toolbar: HKCU - No Name - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File Toolbar: HKCU - No Name - {C95A4E8E-816D-4655-8C79-D736DA1ADB6D} - No File CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION S3 MFE_RR; \??\C:\DOCUME~1\User\LOCALS~1\Temp\mfe_rr.sys [X] 2014-08-12 11:00 - 2014-04-23 22:39 - 00000286 _____ () C:\WINDOWS\Tasks\PCHelpers_period.job Task: C:\WINDOWS\Tasks\GoforFilesUpdate.job => C:\Program Files\GoforFiles\GFFUpdater.exe <==== ATTENTION Task: C:\WINDOWS\Tasks\PCHelpers1st.job => C:\Program Files\Optimizer Elite Max\Optimizer Elite Max.exe <==== ATTENTION Task: C:\WINDOWS\Tasks\PCHelpers_period.job => C:\Program Files\Optimizer Elite Max\Optimizer Elite Max.exe <==== ATTENTION C:\Program Files\MyPC Backup C:\Program Files\Optimizer Elite Max C:\Program Files\GoforFiles HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm => ""="Service" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys => ""="Driver" EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

8

Laptop

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-1757981266-343818398-839522115-1003\...\MountPoints2: {0b8165a6-f360-11df-8c7d-001de02879df} - E:\AutoRun.exe HKU\S-1-5-21-1757981266-343818398-839522115-1003\...\MountPoints2: {0ee9a446-e204-11df-8c5e-001e4cddd29b} - E:\AutoRun.exe HKU\S-1-5-21-1757981266-343818398-839522115-1003\...\MountPoints2: {0ee9a44a-e204-11df-8c5e-001e4cddd29b} - E:\AutoRun.exe HKU\S-1-5-21-1757981266-343818398-839522115-1003\...\MountPoints2: {3ecad07c-449d-11df-8b71-001e4cddd29b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL a.net HKU\S-1-5-21-1757981266-343818398-839522115-1003\...\MountPoints2: {98f15c44-f2ec-11df-8c7b-001de02879df} - E:\AutoRun.exe HKU\S-1-5-21-1757981266-343818398-839522115-1003\...\MountPoints2: {98f15c48-f2ec-11df-8c7b-001de02879df} - E:\AutoRun.exe BHO: No Name -> {5CA3D70E-1895-11CF-8E15-001234567890} -> No File Toolbar: HKLM - No Name - {6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - No File 2014-08-13 10:10 - 2011-10-28 22:31 - 00000466 _____ () C:\WINDOWS\Tasks\At1.job 2014-08-12 22:31 - 2011-10-28 22:31 - 00000466 _____ () C:\WINDOWS\Tasks\At3.job 2014-08-12 20:40 - 2011-10-28 22:31 - 00000466 _____ () C:\WINDOWS\Tasks\At2.job 2014-08-11 14:00 - 2011-10-28 22:31 - 00000466 _____ () C:\WINDOWS\Tasks\At4.job C:\WINDOWS\Tasks\At*.job EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

9

on desktop tried to do this but failing
“Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix”
on all desktop and notepad file renamed fixlist.txt and FRST also on desktop,tried moving the exe file to new folder named FRST.exe with fixlist.txt in same folder and comes up cant find fixlist.txt? missed something obvoius

10

Try the attached fixlist for the PC

11

started to run but crashed after about 8 secs saying sorry had to close and send report to microsoft.
also getting posts vanishing somewhere when i reply?

12

Is this still on the PC ? If so

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

13

laptop also cannot do the “Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix”
on all desktop and notepad file renamed fixlist.txt and FRST also on desktop,tried moving the exe file to new folder named FRST.exe with fixlist.txt in same folder and comes up cant find fixlist.txt? missed something obvious again,ran the combo on laptop results as follows

added running laptop at moment seems faster but got spyhunter running and cant evict it as it cant find it in add or remove and when starting up goes straight into spyhunter which fails and restart laptop again,i used to be able to do safe mode but it froze on downloading drivers.

14

pc desktop now ran the program weird logs to follow

15

LAPTOP

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

Folder:: c:\program files\Enigma Software Group

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SpyHunter Security Suite”=-

Driver::
esgiguard

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

16

The PC looks OK it is now a matter of asking your ISP if the problem is persisting

17

not knowing the source is a pain,so just a matter of going through them all.
dam spyhunter still there when it rebooted it went straight to that file and had to power down to exit and reboot to load xp normally. log for laptop .

pc and laptop running better now thank you.

do i need to save these files or delete them after i posted them?

18

Is spyhunter still trying to start after the combofix script ?

I will clear all the tools for you when we have determined the problem is cleared

19

yes its still there as i cant get into safe mode to see those folders and maybe delete it,its like a boot scan it tries to run but it is broken and have to power down/then power up and choose windows xp quickly.

20

Could you run a fresh FRST scan on that system for me please, include the additions text