Hello, thank you for reading.
I am having mainly wireless connectivity issues, intermittent internet connection. The connection is ‘ok’ as far as Vista’s concerned. Two other wireless computers work fine even when the problem desktop is having issues.
I used many tools to completely get rid of anything that is left, and all come up basically with nothing. I did in the past manually remove some suspicious items that later were named Alureon, Sirefef, etc. Only one time did Windows Defender pick up Alureon, Sirefef. I have used the most updated versions of Malwarebytes, OTL, RogueKiller, aswMBR, Avast, Avira, Windows Defender, MSE, F-Prot, and a bunch of others. I originally had Symantec Antivirus Corporate Edition, which I had suspected for a while as having issues, but eventually found out I had malware that specifically disabled Symantec products. When I manually removed suspicious items before scans detected malware, I used Sysinternals tools like Process Explorer, etc. At one time I remember manually removing the effects of the malware that hides and makes inaccessible %USER% folders.
Originally, Windows Update would not work, but working with a Microsoft person I got that working again, and I had removed what I thought was everything. Scanners come up clean.
That could be because I manually removed a detected signature in the past.
I know a certain rootkit tool that looks for a certain registry key to have a positive detection. I know I deleted that key manually in the past, so that tool didn't "find" anything.
Malwarebytes found nothing.
Other logs:
Hey, and welcome to the forum. Could you attach the Malwarebytes log too, please?
http://forum.avast.com/index.php?topic=53253.0
A malware expert will guide you from there.
And you should never run more than one antivirus program at a time. Otherwise they will conflict.
Update: I have sent a message to one of the malware experts here on the forum about your topic, named magna86, who will help you when he gets online here.
I’m on it.
jz64, hello and welcome to avast. 8)
[*] I will be working on your Malware issues this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*] Please refrain from making any further changes to your computer (install/uninstall programs, delete files, edit the registry, etc.)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.
Ok, the computer (operating system) is in very bad condition. There could be a lot of work here, but we'll bring your system into top form at the end.
Step#1
First, we make sure that all leftovers of the previous antivirus are indeed removed.
Download AppRemover (~6MB) to your Desktop.
Run it by double-clicking…
Click Next, choose the second option (Clean Up a Failed Uninstall), confirm with Continue, go to Next, wait for it to finish, choose whatever it finds, and scan and remove it by clicking on Next.
Note: Do not remove Avira, it's your current antivirus.
Step#2
[*] Download AdwCleaner (by Xplode) to your desktop.
[*] Launch it, click on [Search] and wait for the scan.
[*] When the scan ends, Notepad with the report will appear.
[*] Click on [Delete]. Wait for the program to complete its work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open (Informations and Restart required) click OK.
[*] The computer will restart and open Notepad (C:\AdwCleaner[S1].txt) with the report.
[*] Save the notepad report on the Desktop
[*] Please attach here C:\AdwCleaner[S1].txt
Note: The report will also be stored on C:\AdwCleaner[S1].txt
Step#3
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart the computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.
Step#4
Check USB storage devices / removable drives
Download MCShield from one of the following links:
MyCity - Official download link
Softpedija - Mirror download link
[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish its initial scan.
Recommendation: under the General and Scanner tabs, click on the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach the log report that MCShield has made.
Start → All Programs → MCShield → Logs
Attach here → AllScans.txt
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
Thank you mikaelrask, much appreciated!
Hey thanks magna86, I also appreciate your help and time.
I am away from the problem desktop right now, though I am using my ubuntu laptop to download your instructions and the programs you requested me to run. I feel safer this way as I will burn them all to a cd and finalize it, then I will copy over to desktop to run, especially combofix. Thanks again, and I will post back ASAP the requested logs…
Magna86, I am stuck on Step#1… What I mean is that I downloaded and ran the AppRemover program from the desktop. (Not too keen on software that wants to install 'additional' software like toolbars.) I double-clicked on it and was met with options for choosing install. I chose just to run the AppRemover program (option 3). Upon clicking Next, the program flashes fast and disappears, without warning. I tried multiple times to run it, even selecting other install options. Since this was Step 1, I figured I should stop and report back to you instead of plowing forward.
I also tried renaming the file in case it was being caught by malware and being shutdown. Still the same, no go on appremover.
Should i continue to step2 anyway, or do you have other suggestions?
Always much thanks!
Don't know from here what it could be … Skip Step 1 and go to Step 2.
Please note: if you fail to run ComboFix, then delete the old ComboFix (drag and drop to the Recycle Bin), download a fresh ComboFix and run it from Safe Mode.
Okay, I ran adwCleaner and combofix. Attaching reports…
Oddly, when I went to run AdwCleaner from the desktop I noticed a shortcut to AppRemover; however, the shortcut had the icon for a generic program, and when clicked the shortcut was lost (it couldn't find the exe), so I deleted the shortcut.
One of my main concerns was looking at the log of aswMBR from right before I asked for help here.
The unknown code could that be because it is a Gateway desktop with their recovery partition on D:\ ???
Also, if it helps, one of the programs I ran before coming here was UnHackMe. I sent the report to the location it tells you to for help and got a reply and a file with items marked for deletion. I never ran that deletion because it seemed like it was deleting necessary items from the D:\ recovery partition. The autorun was marked and the desktop.ini was marked for deletion there. These seemed part of some kind of protection on the recovery partition called something like Angel protection or something like that. It would run if you tried to access the partition from Windows. I still have the email exchange regarding UnHackMe if it would prove interesting.
Combofix or adwCleaner removed the items from D:\ recovery partition.
Also, when I ran RogueKiller right before you started helping me, it came up with a bunch of items and the directions were to go through and click delete, fix, etc. I didn’t do that. I only scanned and clicked report. Should I allow that program to make the changes before we go ahead? (I asked because another thread had missing files, and was told to go through with it first… I understand it was their thread and you didnt tell me to, so I am just asking in advance )
Hi,
Could you please attach MCShield's AllScans.txt log?
Can you please explain to me a little better? Because I see that the Internet Explorer home page is set to www.gateway.com.
Anyway, I'll do an additional check of the MBR because aswMBR and RogueKiller also do not recognize the MBR.
It could well be a legitimate one, but just to be sure.
C:\cc_20121216_175935.reg
Do you know this .reg file on your C: system drive? Do you know what it is? (do not double click on it)
Step#1
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
Step#2
Delete old Combofix. Download fresh Combofix.exe.
Combofix download link
Open notepad and copy/paste the text present inside the code box below:
Folder::
c:\programdata\McAfee
KillAll::
ClearJavaCache::
Firefox::
FF - ProfilePath - c:\users\johnson-ziegler\AppData\Roaming\Mozilla\Firefox\Profiles\p727ktos.jay\
FF - prefs.js: browser.startup.homepage - hxxps://ixquick.com
FF - prefs.js: keyword.URL - hxxps://ixquick.com/do/search?language=english&cat=web&query=
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
Quote from: jz64 on Today at 03:46:59 PM
The unknown code, could that be because it is a Gateway desktop with their recovery partition on D:\ ???
Quote:
Can you please explain to me a little better? Because I see that the Internet Explorer home page is set to www.gateway.com.
Sure, I'll try to explain my question better. The logs of those two programs show a listing of unknown code in the MBR. I was asking if this would have been done at Gateway before they shipped it to me. The computer was bought from Gateway. Instead of discs, I know right, they created a recovery partition. From what I was able to find out it basically is the OS and applications that were put on the computer at the factory. Though through Explorer it's all locked down, by PC Angel. However, I was able to look inside and it does appear to be the OS and original applications, though in Gateway's format (i.e., folders like APP001, APP002, etc. instead of folders like Adobe). Could that "unknown code" in the MBR be related to their recovery partition? Maybe a protection mechanism to keep people out?
Gateway set the IE homepage before I bought the computer.
I have MBR.dat if needed.
I set the ixquick homepage so I am a little bummed about having that removed, but oh well if this all works.
Quote: C:\cc_20121216_175935.reg
Do you know this .reg file on your C: system drive? Do you know what it is?
(do not double click on it)
The reg file C:\cc_20121216_175935.reg is from CCleaner program I ran. I uploaded the file for you to look at if you were interested. Pretty sure it’s a backup of what CCleaner did.
*I apologize if this is pertinent and not told to you earlier: I have been having problems for more than a year… I say this now because I know some of the tools you asked me to run looked for new files only in the last 30 days.*
I also noticed that the software for the graphics card, Catalyst Control Center, pops up a prompt to update the software. I did this, and every now and then it reappears with a message saying to download the new version which was just installed, but the software shows that the just-installed version is the version I already had. Meaning it didn't update. I have a feeling that there might be malware taking advantage of this.
I forgot to transfer the MCShield log will do that ASAP.
Sorry a couple more older TDSSKiller logs if it helps…
Aha, now I understand. As I wrote above, that MBR could be legit, and TDSSKiller has confirmed it. Your MBR has been checked with a number of different tools, and you have personally confirmed these changes as legit.
aswMBR creates a dump of the MBR as MBR.dat. It's for hex reading; we use that dump when we are not sure whether the MBR code has malicious or legitimate changes.
Your MBR has legit changes, so no need for MBR.dat.
As step1 please read again instructions for running RogueKiller and using Scan, Delete and ShortcutsFix button. Attach here logs.
http://forum.avast.com/index.php?topic=53253.0
As step 2 re-run OTL. Just click on RunScan button and attach here fresh OTL.txt logreport.
Hello again, and thank you for the continuing help…
I ran RogueKiller and followed the instructions, logs are attached.
I then re-ran OTL and I am attaching the log.
I didn't forget the MCShield log this time; I will attach it immediately after this post.
That MCShield log you requested…
Re-run OTL.exe.
[*] Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:Otl
SRV - File not found [Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\YGUHJEN.exe -- (YGUHJEN)
SRV - File not found [Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\SPGSTFLZ.exe -- (SPGSTFLZ)
SRV - File not found [Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\JMURG.exe -- (JMURG)
SRV - File not found [Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\HN.exe -- (HN)
SRV - File not found [Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\HBCVQFF.exe -- (HBCVQFF)
SRV - File not found [Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\GBQYAZ.exe -- (GBQYAZ)
SRV - File not found [Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\AKCDWAASWEB.exe -- (AKCDWAASWEB)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\mfe_rr.sys -- (MFE_RR)
IE - HKU\S-1-5-21-2314929129-2979127341-398551399-1000\..\SearchScopes\{DBFE57E6-8D18-4993-8109-7A5C8F07507A}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=crm&q={searchTerms}&locale=&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=292AF8E5-A814-4C76-A321-E6B6C1B61220&apn_sauid=4A5DC8E8-35D6-45CF-BEC2-8DC6C907FC3F
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:Commands
[CREATERESTOREPOINT]
[emptytemp]
[*] Then click the Run Fix button at the top.
[*] Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
How’s your computer running now? 8)
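As an added example (not part of the thread, and not code from OTL or any other tool mentioned here), this Python script does the triage a helper performs by eye on the SRV/DRV lines in an OTL log like the fix above: it parses each entry, flags services whose binary is missing (orphaned entries) or lives under a user's Temp folder or carries no publisher, and assembles the `:Otl` section of a fix from the flagged raw lines. The sample log is constructed; the Dhcp and SysUpdater entries are assumptions for illustration.

```python
import re

# Constructed sample modelled on the OTL SRV/DRV lines quoted above; Dhcp and SysUpdater are assumed.
SAMPLE_OTL_LOG = r"""
SRV - File not found [Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\YGUHJEN.exe -- (YGUHJEN)
SRV - [2012/09/18 11:00:47 | 000,115,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\svchost.exe -- (Dhcp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Users\JOHNSO~1\AppData\Local\Temp\mfe_rr.sys -- (MFE_RR)
SRV - [2012/10/05 09:30:00 | 000,050,176 | ---- | M] () [Auto | Running] -- C:\Users\JOHNSO~1\AppData\Local\Temp\updater.exe -- (SysUpdater)
"""

# Line shape: "SRV - <meta> -- <path> -- (<name>)"; <meta> is "File not found [flags]" or "[stamp | size | attrs | M] (publisher) [flags]".
ENTRY_RE = re.compile(r"^(SRV|DRV) - (.*?) -- (.+?) -- \((.+)\)$")
STATE_RE = re.compile(r"\[([^\]]*)\]\s*$")          # trailing "[Auto | Running]" style flags
PUBLISHER_RE = re.compile(r"\] \(([^)]*)\) \[")     # "(publisher)" between the bracket groups
TEMP_RE = re.compile(r"\\(Local\\)?Temp\\", re.IGNORECASE)

def parse_entries(log_text):
    """Parse OTL SRV/DRV lines into dicts; lines in any other format are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, meta, path, name = m.groups()
        state = STATE_RE.search(meta)
        pub = PUBLISHER_RE.search(meta)
        entries.append({
            "kind": kind, "name": name, "path": path, "raw": line.strip(),
            "missing": meta.startswith("File not found"),
            "flags": [f.strip() for f in state.group(1).split("|")] if state else [],
            # "()" in OTL output means the file carries no company name in its version info
            "publisher": (pub.group(1) or None) if pub else None,
        })
    return entries

def triage(log_text):
    """Return (entry, reasons) pairs for the entries a helper would look at first."""
    flagged = []
    for e in parse_entries(log_text):
        reasons = []
        if e["missing"]:
            reasons.append("orphaned entry: binary no longer on disk")
        if TEMP_RE.search(e["path"]):
            reasons.append("binary lives in a Temp directory")
        if not e["missing"] and e["publisher"] is None:
            reasons.append("no publisher in version info")
        if reasons:
            flagged.append((e, reasons))
    return flagged

def otl_fix_script(flagged):
    """Assemble the :Otl section of an OTL fix from the flagged raw lines, as in the thread."""
    lines = [":Otl"] + [e["raw"] for e, _ in flagged] + [":Commands", "[CREATERESTOREPOINT]"]
    return "\n".join(lines)
```

The publisher and Temp-path heuristics are deliberately coarse; they rank entries for a human to examine, not decide removal on their own.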
Hello, I attached the log. The problem is that there is no internet connection anymore. The LAN IP is static. After the OTL fix, I only got autoconfig because of that. So, I gave it the correct IP address. Still there is no internet connectivity, when before these fixes there was at least intermittent connectivity. … The other computers accessing the internet have no problems at the same time the problem machine does.
Could a LSP (layered service provider) have been installed and improperly removed causing the internet headache? I ask because I seen some winsock entries with catalog5,catalog9, etc…
Again, thank you for your continued help…
…upon a reinspection of ipconfig, I did set the correct IP for the machine, but overlooked re-setting the gateway to the router address… That is a funny oops! Anyway, I am going to use that machine for a while to see if it is still doing the intermittent no-internet thing…
…Crossing fingers…