I was a McAfee user until I got a virus, "Vista Antispyware 2012". Their fixes did not work, so I resorted to downloading Webroot to fix the problem (a HUGE mistake). It ended up deleting all my Win32 files. I went to the Microsoft forum and they recommended I do a system restore. I did a system restore from about 10 days ago with no problem. Instead of reloading McAfee, I talked to one of my good friends, who recommended Avast. I downloaded and installed Avast; it ran its first in-depth scan and found nothing. I then started to get pop-up warnings of malicious URLs when I wasn't even online, and then I started getting pop-up warnings that one of the malicious processes was Avast.
I then went to safe mode and downloaded and installed Adaware and ran it. It found nothing, so I ran it 3 times just to be safe; all returned with nothing found.
I am stuck with a Windows Vista 32 Home Premium PC where, whenever I go online, I have to type a VERY specific address in the URL bar or I can't get there. If I use a Yahoo/Google/Bing search and say look for used cars, I click on the link and it redirects me to a completely different topic or even a website that wasn't even close to the topic I was looking for.
I could REALLY REALLY use some help. I can't do a system wipe due to some programs I no longer have the disks for, as well as files (music & work/background files etc…) I absolutely can't lose or replace.
To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.
[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users.
[*]Under Additional Scans check the following:
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
On completion of this run, can you let me know if the alerts continue?
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > ->
YN -> HKEY_USERS\.DEFAULT\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > ->
YN -> HKEY_USERS\S-1-5-18\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "MFARestart" -> ["C:\ProgramData\MFAData\pack\avgrunasx.exe" /usereg]
[Files/Folders - Created Within 30 Days]
NY -> gegl-0.0 -> C:\Users\andrew\Documents\gegl-0.0
[Files/Folders - Modified Within 30 Days]
NY -> 8i77ft206gu8885x4ik6hya7g57ktd2b0t -> C:\Users\andrew\AppData\Local\8i77ft206gu8885x4ik6hya7g57ktd2b0t
NY -> 8i77ft206gu8885x4ik6hya7g57ktd2b0t -> C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t
[Files - No Company Name]
NY -> 8i77ft206gu8885x4ik6hya7g57ktd2b0t -> C:\Users\andrew\AppData\Local\8i77ft206gu8885x4ik6hya7g57ktd2b0t
NY -> 8i77ft206gu8885x4ik6hya7g57ktd2b0t -> C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t
NY -> 19236.bat -> C:\Users\andrew\AppData\Roaming\19236.bat
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
All Processes Killed
[Registry - Safe List]
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLSearchHooks not found.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLSearchHooks not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MFARestart deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\Users\andrew\Documents\gegl-0.0\plug-ins folder moved successfully.
C:\Users\andrew\Documents\gegl-0.0 folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Users\andrew\AppData\Local\8i77ft206gu8885x4ik6hya7g57ktd2b0t moved successfully.
C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t moved successfully.
[Files - No Company Name]
File C:\Users\andrew\AppData\Local\8i77ft206gu8885x4ik6hya7g57ktd2b0t not found!
File C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t not found!
C:\Users\andrew\AppData\Roaming\19236.bat moved successfully.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\andrew\Desktop\cmd.bat deleted successfully.
C:\Users\andrew\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07272011_105501
Files\Folders moved on Reboot…
File\Folder C:\Users\andrew\AppData\Local\Temp\fla5CB9.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp\~DF41F4.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp\~DF4202.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp\~DF43B0.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp\~DF43B8.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp\~DF4407.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp\~DF441D.tmp not found!
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZY4MMU4K\52415542734534736b45674142756649[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUWWQ6HQ\ac3[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUWWQ6HQ\get[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T5CEVUUH\52415542734534736b45674142756649[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\52415542734534736b45674142756649[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\52415542734534736b45674142756649[3].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\B5636109;sz=300x250;ord=953523898[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[3].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[4].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[5].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[6].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\mm212-google-nexus-4g-aa-s-1st[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\xd_receiver[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\xd_receiver[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\52415542734534736b45674142756649[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\52415542734534736b45674142756649[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\login_statusCAYS46F9.htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\login_status[10].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\matt-and-kim-cameras-music-video[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9NM84038\emily[1].html moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File\Folder C:\Windows\temp\fb_2596.lck not found!
File\Folder C:\Windows\temp\TMP00000041E627879296B2B4A0 not found!
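As an added example (not part of this thread and not OTS's own code), a small Python parser for the OTS fix-log format posted above: it groups each action line under its [section] header and separates what was moved or deleted from what OTS reported as not found, so the leftovers can be re-checked after the reboot. The sample log is constructed from lines in this thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the OTS fix log in this thread (not the real file).
SAMPLE_LOG = r"""
All Processes Killed
[Registry - Safe List]
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLSearchHooks not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MFARestart deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t moved successfully.
[Files - No Company Name]
File C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t not found!
C:\Users\andrew\AppData\Roaming\19236.bat moved successfully.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Successfully flushed the DNS Resolver Cache.
Restore point Set: OTS Restore Point
< End of fix log >
"""

# Verdict phrases OTS appends to each action line, mapped to a short outcome name.
OUTCOMES = (
    ("moved successfully", "moved"),
    ("deleted successfully", "deleted"),
    ("not found", "not_found"),
)

def parse_ots_fix_log(text):
    """Return {section: {outcome: [target, ...]}} for an OTS fix log."""
    section = "(preamble)"
    result = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                      # a new [Section] starts here
            section = header.group(1)
            continue
        for phrase, outcome in OUTCOMES:
            if phrase in line:
                # Drop OTS's leading object word and trailing verdict, keep only the path/key.
                target = re.sub(r"^(Registry (key|value)|File\\Folder|File|Folder)\s+", "", line)
                target = target.split(phrase)[0].strip()
                target = re.sub(r"\s+folder$", "", target)
                result[section][outcome].append(target)
                break                   # one verdict per line
    return result

def leftovers(parsed):
    """Items OTS could not find on this pass; worth re-checking after the reboot."""
    return [t for sec in parsed.values() for t in sec.get("not_found", [])]
```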
Does this ISP ring any bells? This is who the IP address belongs to:
ISP of this IP [?]: Network Operations Center
Organization: Roman Semenchuk c/o Network Operations Center
I have also found in the past that the MBAM IP blocker is more of a hindrance than a help; it is too damn sensitive, has many FPs and, worse, considering these are meant to be malicious websites, it has sites blocked that aren't malicious.
I too have disabled this feature as the network shield and web shield are good enough for me.
[]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[]Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.