PhilliePhan 171 Central Scrutinizer Team Colleague

Seems that iastor.sys is the bad guy.
Now it looks like it's not redirected, but let me test a bit more later on. Below is the combofix log.
Thanks :)

Happy to help :)

Let me know if you are still being redirected.

-- Looks to me as though you tried to clean this (or another infection) before posting here? Another typically infected file is missing....


Please do the following:

1) Click START > RUN > type cmd ENTER
At the command prompt, type ipconfig /flushdns and hit ENTER
-- Note there is a space between g <space> /

2) With the command prompt still open, type:
copy c:\windows\system32\dllcache\eventlog.dll c:\windows\system32\ and hit ENTER
You should get a message stating "1 file(s) copied."
-- Note there are spaces between copy <space> c:\ and .dll <space> c:\

3) Please Download ATF-Cleaner.exe by Atribune to the Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the …
PhilliePhan 171 Central Scrutinizer Team Colleague

Wow, you really know a lot 'bout this :D
I scanned using Jotti's malware scan, and all of the scans found nothing on the file.
Will try using this combofix and let you know the result.
Thanks.

Well . . . I don't know as much as I'd like to - these baddies are constantly changing. I think I've seen this file modified before and I know combofix will address it if that is the case, so we might as well give it a try.
Please post me the entire combofix log when it finishes its run.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

This seems familiar to me - I think I've seen it before.....

I'm fairly certain that this is infected. It may not show in the scan, but if it has been modified, the latest Combofix should catch and replace it.


Let's go ahead and do this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix to your Desktop and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me and let me know if you are still being redirected. Also, I'd be interested in the Jotti results from my previous post.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

That log looks OK other than the above. Let's look at this one further:

Please go here ---> and use the Browse Button at the top of the page to navigate to C:\WINDOWS\system32\drivers\iaStor.sys and Upload it for analysis.
Let me know what you find.

This seems familiar to me - I think I've seen it before.....

PP :)
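Added example (not code from the thread or from the tools named in it): read-only checks on a system file a scan has flagged, such as the iaStor.sys "suspicious modification" above or the eventlog.dll another post restores from dllcache. The function names are mine; the file paths are the ones the posts use.

```powershell
# Added example, not code from the thread: read-only checks on a system file the scans
# flagged, e.g. iaStor.sys ("suspicious modification") or the eventlog.dll that one post
# restores from dllcache. Nothing here copies or deletes anything.

function Get-FileSha256 {
    param([string]$Path)
    # .NET hashing so this does not depend on Get-FileHash (PowerShell 4+).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Compare-SystemFileWithReference {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ReferencePath      # optional known-good copy, e.g. the dllcache one
    )
    $result = [ordered]@{
        Path             = $Path
        Exists           = [bool](Test-Path -LiteralPath $Path)
        Version          = $null
        Size             = $null
        LastWriteTime    = $null
        Hidden           = $null
        Signature        = 'NotChecked'
        Signer           = $null
        MatchesReference = 'NoReference'
        ReferenceVersion = $null
    }
    if ($result.Exists) {
        $item = Get-Item -LiteralPath $Path -Force
        $result.Version       = $item.VersionInfo.FileVersion
        $result.Size          = $item.Length
        $result.LastWriteTime = $item.LastWriteTime
        $result.Hidden        = (($item.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0)
        # A driver patched in place (the technique the thread names for the TDSS/Alureon
        # family) keeps its file name but no longer carries a valid embedded signature.
        # Caveat: many Windows files are signed only through a catalog, so NotSigned on its
        # own is not proof; HashMismatch on a file that used to be signed is the strong signal.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $result.Signature = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
        if ($ReferencePath -and (Test-Path -LiteralPath $ReferencePath)) {
            $ref = Get-Item -LiteralPath $ReferencePath -Force
            $result.ReferenceVersion = $ref.VersionInfo.FileVersion
            # Same version but different bytes is the case worth escalating; a version
            # difference alone can simply mean a hotfix updated system32 but not dllcache.
            $result.MatchesReference = (Get-FileSha256 $Path) -eq (Get-FileSha256 $ReferencePath)
        }
    }
    [pscustomobject]$result
}

# The two files the thread deals with, at the paths the posts give.
$sys = 'C:\WINDOWS\system32'
Compare-SystemFileWithReference -Path "$sys\drivers\iaStor.sys"
Compare-SystemFileWithReference -Path "$sys\eventlog.dll" -ReferencePath "$sys\dllcache\eventlog.dll"
```

A mismatch against dllcache with identical versions, or a signature status of HashMismatch, is what to take back to the thread; a plain NotSigned on an XP-era file is not conclusive by itself.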

PhilliePhan 171 Central Scrutinizer Team Colleague

Running it now...that was all that was in the log file for ESET...is there a log I need to post, or might this just clear up the redirect?

I think your DNS Cache has been poisoned.

Click Start > Run > type ipconfig /flushdns and hit ENTER, then see if that helps.
That is merely a workaround that doesn't address the actual malware (which may or may not remain).


Instructions for running GMER:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.

PhilliePhan 171 Central Scrutinizer Team Colleague

"Trojan:win/32/Alureon.ct" was detected.

This is a DNS changer / cache poisoner in the TDSS family. You guys might want to have a look in that direction....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I also tried to run anti-spyware and nothing came up

I'm curious about this one:

Please navigate to the file in bold below and upload it here for analysis and let us know what you find --->
c:\windows\system32\windrv.sys

I'd also suggest a GMER run, if crunchie concurs...

PP:)


EDIT: You can get deldomains here without registering:
http://www.mvps.org/winhelp2002/restricted.htm

PhilliePhan 171 Central Scrutinizer Team Colleague

Seems you're correct.. Now it still redirected my web...
I will do as you said tonight, and will get back to you when finished scanning.
Thanks for your help.

Happy to try to help!

There seem to be a lot of different variations of this redirecting malware going around these days. Usually MBAM will detect and remove some of the rootkit components, but I didn't see any in your log. Perhaps it is something new?

Let's see what the GMER scanlog has to say.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Err... I'm not so sure what the tools did to my system. Did it remove something?

I do not think so - that log is clean.... This is the first time I've seen the new version of GooredFix, so maybe I'm misreading it.

I had been leaning toward a rootkitted malware being responsible for the issues - Just wanted to cover all bases, hence GooredFix. Frankly, I'd still like to have a further look.

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.

PhilliePhan 171 Central Scrutinizer Team Colleague

I just tried my Firefox. It still redirected. I don't know about the common symptom for this spyware, but I will get redirected if I search using the Google toolbar and right-click on the result to open in a new tab. It will get redirected to another site...

OK - Let's do this before breaking out the big guns:

Please download jpshortstuff's GooredFix.exe to your Desktop.
-- Make sure all browsers are Closed and then DoubleClick GooredFix.exe to run it.
A dialog box should pop up:
"GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit."
-- Click Yes and allow the tool to run. It should go pretty quickly.
-- Look for GooredFix.txt on your Desktop and post that log for me.

See if you are still being redirected and we'll go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

ah, sorry, here we go, the DDS.txt
thanks...

Sorry for the late reply - busy weekend.

I do not see much there - A few things I do not recognize, but that doesn't make them baddies...

-- You do need to update your Java and Adobe Reader and remove the old versions.

How are things running now? Are you still being redirected?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I really appreciate all the help.

You're welcome! :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a lot guys.......

Happy to help :)

-- I need to see the DDS.txt
Run it again and copy and paste that into your reply.
I don't need another attach.txt. Just the DDS.txt.

I will check back as time permits over the weekend.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

HELP....I need suggestions.

Honestly, I would need to see a scanlog or two from the combofix runs. Too many different possibilities to speculate....

Lots of nasties with rootkit components these days - that makes them hard to kill and easy to spread.

If you could post a few logs from the tools you have run, one of our volunteers can have a look and advise you further.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks again.

Happy to help :)

I really haven't had time to look closely at your logs, but at quick glance they look OK - nothing really jumps out at me.

How are things running?

-- You should update your Java and remove all older versions.
-- c:\windows\system32\947A2DE479.dll I do not know what this is - check it out at http://virusscan.jotti.org/en
You'll need to enable the viewing of hidden files to see it.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I have the same problem as nmslagle, keep having the address redirected to a fake address. Can you help to check my log? Below is my log.

Please do the following:

Download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please …

ferrysb commented: Thanks for your help to solve the redirected Firefox :) +1
PhilliePhan 171 Central Scrutinizer Team Colleague

PhilliePhan. What is the FixCSet:: directive for? I cannot see that in the list at MRU.

Repairs/resets currentcontrolset registry values.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks so much, that got it working again!
Do you have any idea how something like that happened or what I can do to protect myself from something like it in the future other than running AV and FW software?

Happy to help :)

More often than not, this is due to malware. I have seen a lot of compys issued by schools and businesses restrict this sort of access as well.
Some solid "real time" protection such as WinPatrol would be a good preventive measure.
There are other tools, but WinPatrol and SpywareBlaster are the ones I would recommend.

I think you have to format your entire computer system & re-install it properly to overcome that problem.

Errr . . . . NO.
What is the point of posting something like that?

PhilliePhan 171 Central Scrutinizer Team Colleague

I did the install, but for the life of me, I cannot figure out how to shut down Norton short of removing it completely.

I am not particularly familiar with Norton, but I would imagine that if you RightClick your Norton tray icon you'd have the option to disable it.

I understand that some Norton has "software tamper protection" that needs to be disabled before other changes can be made. You'd probably need to do this before being able to completely shut it down.


To disable Tamper Protection:
1. Start Symantec AntiVirus.
2. On the Configure menu, click Tamper Protection.
3. Uncheck Enable Tamper Protection.
4. Click OK.

It might vary from product to product.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Please download FixIt.reg to your Desktop.
DoubleClick on FixIt.reg and allow it to merge into the registry.

Reboot for good measure and see if that helps.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you so much for your help.

10/25/2009 6:01:07 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

Happy to help.

-- That is a bit worrisome. Did you run chkdsk?
-- Do you know what this is ---> ByakkoDriver Gaming related, perhaps?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here is the info you needed. TIA for your help.
uPolicies-explorer: NoControlPanel = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)

Happy to help.

Nothing particularly evil jumps out at me from those logs. Just looks like a little minor registry alteration.

I'd like to take a more thorough look before posting the fix:
Please download Peek.bat to your desktop.
DoubleClick on it to run it and post me the contents of the log that pops up.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

No, I must do my work. It is a home-task)

I do not know what that means.

If you need a sample of that particular malware, I can't help you.

Troj/Cosmu-A is a Trojan for the Windows platform.

Troj/Cosmu-A communicates via HTTP with the following locations:

kaderap . com


When Troj/Cosmu-A is installed the following files are created:

<User>\Local Settings\Application Data\Microsoft\mqtgsvc.exe
<System>\drivers\cisvc.exe
<System>\drivers\cmstp.exe
<Temp>\cisvc.exe

The following registry entries are created to run cisvc.exe and cmstp.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
CmSTP
<System>\drivers\cmstp.exe /waitservice

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Cisvc
<Temp>\cisvc.exe /waitservice

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<System>\drivers\cisvc.exe

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
MqtgSVC
<Root>\DOCUME~1\support\LOCALS~1\APPLIC~1\MICROS~1\mqtgsvc.exe /waitservice
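Added example (not from the thread or the vendor write-up): a read-only audit of the three autostart locations the Troj/Cosmu-A description lists. The function names are mine; the sample entries are constructed from the description with the <System>/<Temp> placeholders expanded to plausible XP paths.

```powershell
# Added example, not code from the thread: read-only audit of the three autostart
# locations the Troj/Cosmu-A description above lists. Run it in an elevated PowerShell;
# it reports entries and why they look off, and removes nothing.

function Get-CommandImagePath {
    param([string]$Command)
    # Separate the executable from its arguments ("...\cmstp.exe /waitservice").
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|scr|com|cmd|bat))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Get-ExplorerPolicyAutorun {
    # Policies\Explorer\Run is honoured at logon but rarely used by legitimate software,
    # and the "load" value under Windows NT\CurrentVersion\Windows is normally empty.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    $loadKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $entries = @()
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }    # absent on a clean machine
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $entries += [pscustomobject]@{
                Key     = $keyPath
                Name    = $(if ($name) { $name } else { '(Default)' })
                Command = [string]$key.GetValue($name)
            }
        }
    }
    if (Test-Path -LiteralPath $loadKey) {
        $load = [string](Get-Item -LiteralPath $loadKey).GetValue('load')
        if ($load) {
            $entries += [pscustomobject]@{ Key = $loadKey; Name = 'load'; Command = $load }
        }
    }
    return ,$entries
}

function Get-AutorunSuspicionReason {
    param([string]$Name, [string]$Command)
    $img = Get-CommandImagePath $Command
    $reasons = @()
    if ($img -match '\\drivers\\[^\\]+\.exe$') { $reasons += 'an .exe in the drivers directory' }
    if ($img -match '\\temp\\|\\locals~1\\|\\Local Settings\\|\\AppData\\Local\\') {
        $reasons += 'runs from a temp or per-user data folder'
    }
    if ($Command -match '(^|\s)/waitservice(\s|$)') { $reasons += 'the /waitservice argument seen in the Cosmu-A entries' }
    if ($Name -eq 'load') { $reasons += 'non-empty "load" value (normally empty)' }
    return ,$reasons
}

function Invoke-ExplorerAutorunAudit {
    param([object[]]$Entries)
    if (-not $Entries) { $Entries = @(Get-ExplorerPolicyAutorun) }
    foreach ($e in $Entries) {
        $reasons = @(Get-AutorunSuspicionReason -Name $e.Name -Command $e.Command)
        $img = Get-CommandImagePath $e.Command
        [pscustomobject]@{
            Key        = $e.Key
            Name       = $e.Name
            Command    = $e.Command
            OnDisk     = [bool](Test-Path -LiteralPath $img)
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample entries mirroring the description above (placeholders expanded to
# plausible XP paths); drop -Entries to audit the live registry instead.
$sample = @(
    [pscustomobject]@{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
                       Name = 'CmSTP'; Command = 'C:\WINDOWS\system32\drivers\cmstp.exe /waitservice' }
    [pscustomobject]@{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
                       Name = 'MqtgSVC'; Command = 'C:\DOCUME~1\support\LOCALS~1\APPLIC~1\MICROS~1\mqtgsvc.exe /waitservice' }
    [pscustomobject]@{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
                       Name = 'load'; Command = 'C:\WINDOWS\system32\drivers\cisvc.exe' }
)
Invoke-ExplorerAutorunAudit -Entries $sample | Format-Table Name, OnDisk, Suspicious, Reasons -AutoSize
```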

PhilliePhan 171 Central Scrutinizer Team Colleague

Does anybody know something about it??? Write me here please!

Google it - see what the AV sites have to say about it.

Are you infected with it? If so, let us know and we can advise you further.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry this was where my HJT log was before I added it to first post. PP was stuck between posts!

No worries.

Your combofix log is incomplete - we are missing an important part.
Please edit your post and post the entire log!

Also, run another GMER scan:

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- IAT/EAT
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for us.

***Disconnect from the internet and do not run any other programs while GMER is scanning. DO NOT take any action for any found items until crunchie or I can have a look.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

PhilliePhan, is there a good tutorial around for Gmer?

This is an old one from wng_z3r0's Blog. A good deal has changed since then - a lot less intimidating.
Also, there is info on GMER site FAQ: http://www.gmer.net/#faq

Of course, you might have a different tool you prefer....

With GMER, rootkits will show in Red and you can RightClick on them and have the option to kill/disable/etc...
I have been told that the best way to remove these is to Disable them and then run ComboFix and have it remove them.

With this baddie, MBAM / Combofix ought to get it, if they can be run. Possibly start combofix with a CFScript addressing the driver and the rootkit file?
Driver::
Wmdmprov
Rootkit::
C:\WINDOWS\system32\qctqykkn.dll
FixCSet::

Something like that?

PP:)

Edit:
Looking at the truncated combofix log, it didn't get it. We'll need full log to see...

PhilliePhan 171 Central Scrutinizer Team Colleague

I also forgot to mention that I tried to do a system restore to resolve the issue and got an error that it could not be done with multiple restore points.

Update your MBAM via the "Update" Tab and run it again and post me the log.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Please post the MBAM and DDS logs for me.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My computer's internet browser has been hacked by blaze 2008.
What is the solution for this malware attack?

It's probably not much of a "malware attack." Most likely a simple script running, but let's have a closer look just to be certain:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt …

PhilliePhan 171 Central Scrutinizer Team Colleague

I am not clear as to what your problem is.

Let's go ahead and do this:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no …

PhilliePhan 171 Central Scrutinizer Team Colleague

Is my issue solved?

Not anywhere close to being solved! All that step does is bypass the poisoned DNS cache.

You have a large infestation with rootkit components. Hang in there for crunchie to post back - I don't want to get in his way.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

While you are waiting for crunchie to check back, please give this a go:

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:

- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for us.

***Disconnect from the internet and do not run any other programs while GMER is scanning. DO NOT take any action for any found items until either crunchie or I can have a look.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Whenever I open the internet a caption at the end of the e icon appears thus: Hacked by sam 2008-feb-14. Please help me on how to remove it since my anti-virus and spyware are not equal to the task.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.



REBOOT after running MBA-M


-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting …

PhilliePhan 171 Central Scrutinizer Team Colleague

Please help, what should I do now....

Please understand that this forum, as with the majority of Security Forums, is "staffed" by volunteers who donate a bit of their free time to helping others. Most of these forums have few regular volunteers and are swamped with requests for help. Please be patient.


You have a good deal of malware showing there.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Please post the MBA-M log - I or another volunteer will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Excellent! Thank you very much for all your help!

You're welcome - Happy to help! :)

Let's remove Combofix and the files/folders it created:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

If you could give me a list of the updates I'll need, I'd be most appreciative.

First and Foremost - Get Your Windows Updates. They are the first line of defense!
Windows Updates


In ADD/REMOVE Programs:

Uninstall Adobe Reader 7.0 and install Adobe Reader 9.2

Uninstall or Update avast! Antivirus
I suggest Removing avast! and installing Comodo Firewall + AntiVirus for Windows - It's FREE!

Uninstall J2SE Runtime Environment 5.0 Update 2
Then Install the latest Java from here ---> http://java.com/en/

Uninstall Microsoft AntiSpyware and replace it with Windows Defender for its "real time" protection. Alternately, you might try Winpatrol, but it is not free....

Uninstall or Update Spybot - Search & Destroy
Personally, I prefer SpywareBlaster which operates much in …

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't know if it found anything or not.

That looks OK to me - A couple items I do not know, but doubt they are bad.

Well . . . At this point I believe we have gotten your computer as clean as we possibly can in a Forum setting.
:cool:

Long road, huh?

Anyhoo, now you can probably remove any important data safely.

You will also need to decide whether you want to then reinstall Windows or merely proceed with the necessary updates.
Bear in mind that you are going to need the updates in both cases.

Besides the Windows updates, you'll need AV / Java / and others.
I can give suggestions if you need them.

Let me know how you want to go forward.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - DDS looks OK (not including outdated stuff).

I would like to run one more tool - couple things I want to double-check from Root Repeal log. I'd hate to have you update Windows while a rootkit is operational, so better safe than sorry:

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

Along the Right side of the GMER GUI there will be a number of checked boxes. Uncheck the following ...
- Sections
- IAT/EAT
- Drives or Partitions other than Systemdrive (usually C:\)
- Show All (be sure you don't miss this one)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Do not run any other programs while GMER is scanning and DO NOT take any action for any found items until I can have a look.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Okay I will look for the disks tonight, and what ISO's do i need to dl?

These are the easiest to work with + they are good to have handy:

ubcd411.iso
KAV Rescue
AntiVir Rescue

I'll be back in the Evening (EST).
PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Great - another step forward.

We need to make sure this machine is as clean as we can get it before undertaking the patching process. You have a ton of Windows updates to download and install (along with removing and updating other programs). The Microsoft updates will likely take hours.
But, you really shouldn't do that until we are fairly certain nothing more is lurking in the shadows.

To that end, let's do this:

If you do not have it handy, Download RootRepeal.exe and save it on the root of C drive ---> C:\RootRepeal.exe
http://ad13.geekstogo.com/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe

-- Open RootRepeal and click the Report Tab
-- Click the Scan Button.
-- Check ALL Seven Boxes
-- Click OK.
-- Check the box for your main system drive (Usually C:\) and Click OK.
-- Allow the scan to run for as long as it takes. When it finishes, Click Save Report.
Save the log to your desktop where you can find it easily and post it for me.

--Then, please run a fresh DDS scan and post the DDS.txt. I do not need to see Attach.txt.

If those come out OK, we can have a go at updating the machine or pulling data off and reformatting - however you wish to proceed.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I do have stuff on the ill machine I would not like to lose especially some important pictures. If they are lost I would be greatly disappointed but I do understand.

I would have to look for the disks I have not needed them so I do not know where they are.

If you have your Windows CD, we can boot from that and poke around. Possibly repair the startup issue.
Likewise, if you are able to burn some ISOs such as one of the many bootable Rescue disks (TRK / ubcd4win / etc...) we can get in, run some scans and pull your important data off onto external drive.
Downloading and burning the ISOs on a mac shouldn't matter.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

One nice, new MBAM log.

Well . . . for some reason it is not getting at the malware I think is responsible for poisoning DNS.

Time to get a bit medieval on it....

Please Download The Avenger v2 by Swandog46 if it is not handy on your flash drive.
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:



Drivers to delete:
sekvhtb
iMSPCLOj
qvycltyk
qqpcv
rzwrcfbg

Files to delete:
c:\windows\Sboqomatumoye.dat
c:\windows\Ohamozu.bin
c:\windows\system32\dbsinit.exe
c:\windows\system32\wwp.htm
c:\windows\system32\01.tmp
c:\windows\system32\02.tmp
c:\docume~1\gregro~1\locals~1\temp\imspcloj.sys
c:\windows\system32\ptdtaqc.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - We'll rip the visible baddies out with a different tool. Seeing as it's pretty late, I'll post the steps Monday evening.

PP :)

EDIT: Maybe won't need to manually rip them out after all . . . Be sure to have MBAM remove what it finds and go ahead and reboot.

See if you can update at Windows Updates (patches, etc...) and whether you can now connect to some of the other blocked sites (superantispyware, etc...)

Also - verify whether DNS Client is running (status & startup type) in Services (START > RUN > type services.msc)

Gotta run - way behind on work due to lots of sports viewing today.... :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll patch conficker now. And hey, your plan of attack has cleared out an awful lot of the bugs, so I'm not complaining :P.

Yeah . . . But if we don't get them all, they'll come right back.
The thing is, those scans we already ran should've been more effective.

-- Did you disable DNS Client service (a few posts back)?

-- Let's take a small step back and do this - Probably should have done it a while back, but we got caught up in going a different direction. You should have put this on Flash drive, but I'm just copy&pasting my usual directions to save time:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll leave the window open for now and not move on to the next step, if you want the exact info I'll try and find a way of getting it all out of there.

Regarding conficker, I should probably come clean now and admit that my housekeeping has been dreadful.

As long as the baddies were removed, we are good to continue.
-- See if you can now run MBAM and update via the Update tab.
Then, run the full scan. Remove what it finds and post the log. Reboot afterwards.

I imagine you are waaay behind on patches - If MBAM updates and runs, we will probably have come to the point where you need to decide if you want to pull your data off and reformat or try to patch/update everything.

The problem here was with my plan of attack, I think. Not being able to access the machine directly led to a different approach and I didn't get to see a few crucial items regarding patches etc...
That, and a few wrong assumptions.

Anyhoo, let's try MBAM and cross our fingers :)
PP

EDIT: Probably a good idea to run that Onecare scan on Laptop.....

PhilliePhan 171 Central Scrutinizer Team Colleague

The DNS flush didn't help, unfortunately.

Did you get an error message?
If not, we can try this:
START > Run > type services.msc and Stop / Disable the DNS Client service. Maybe that will help in the short term.

My hosts file contains simply "127.0.0.1 localhost".

That is what it should be.

I don't have that update, I'll pick it up shortly though. The Microsoft scanner does appear to work, though. I had it at 35% before I accidentally rebooted the machine and had to start over. Will post the results when it finishes, though.

Good - Let me know what it finds.
I probably made a mistake in assuming everybody had taken steps to remove and patch conficker . . . Should know better than that.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Any advice would be helpful. Also, any files I can delete to allow my computer to run better would also be helpful. This is my HJT report.

You are using an outdated version of HijackThis. You should delete it.
No need for new version at this time.

--- You have some dangerous malware running. Please follow Step #8 in the linky below to scan and remove items with MBAM and post the log for us.

http://www.daniweb.com/forums/thread134865.html

I, or one of the other volunteers, will check back as time permits.

Cheers :)
Pp

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah, MBAM still won't update. And I have *exactly* the same problem with superantispyware, FF won't find the server.

This sounds a lot like conficker - of course lots of other malware have done this as well. I'm surprised none of the tools we ran addressed this.

Let's check a few things:
-- Navigate to C:\WINDOWS\SYSTEM32\DRIVERS\ETC and use notepad to open the HOSTS file and post that for me.

-- At command prompt, type ipconfig /flushdns ENTER
See if that helps

-- Do you have this security update?
Security Update for Windows XP (KB958644)
You can find it in Add/Remove Programs (be sure box at top to Show Updates is checked)
Or, use the search function to find KB958644

-- Are you able to access and run this scanner:
http://onecare.live.com/site/en-us/default.htm

PP :)
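Two posts in this thread hinge on what the HOSTS file should look like (a clean XP box holds just "127.0.0.1 localhost") and on whether entries in it explain why MBAM, SuperAntiSpyware, Windows Update and OneCare were unreachable. The checker below is an added example, not a tool used in the thread; it parses a hosts file the way Windows does (comments, tabs, several hostnames per line) and flags anything beyond the baseline, with the BLOCKED_INDICATORS list being an assumption drawn from the sites the thread reports as blocked.

```python
"""Hosts-file checker (added example, not from the thread).
Flags entries that could account for security/update sites being unreachable."""
import re

# Assumption: name fragments of the sites this thread says were blocked.
BLOCKED_INDICATORS = ("malwarebytes", "superantispyware", "windowsupdate",
                      "microsoft.com", "onecare", "live.com")
# The thread states a clean XP hosts file holds only this mapping.
CLEAN_BASELINE = {("127.0.0.1", "localhost")}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)        # tabs or spaces separate fields
        ip, names = fields[0], fields[1:]
        pairs.extend((ip, n.lower()) for n in names)
    return pairs

def suspicious_entries(text):
    """Every mapping that is not the clean baseline, paired with a reason."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in CLEAN_BASELINE:
            continue
        if any(tag in name for tag in BLOCKED_INDICATORS):
            findings.append((ip, name, "security/update site redirected"))
        else:
            findings.append((ip, name, "non-baseline entry, verify manually"))
    return findings

# Constructed sample: the baseline line plus the kind of additions that block AV updates.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\twww.malwarebytes.org   # constructed entry
0.0.0.0 superantispyware.com www.superantispyware.com
10.0.0.5 intranet.example   # constructed, a legitimate local override
"""

if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<12} {name:<32} {why}")
```

Point it at the real file by reading C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts into the text argument; a clean machine returns an empty list.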

PhilliePhan 171 Central Scrutinizer Team Colleague

I attached the CFScript.txt for my previous post.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Just out of curiosity - do you have the same trouble Downloading, Updating and Running SuperAnti-Spyware?

Try that if no joy with MBAM.

I'll be back Sunday Evening.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, downloaded it to the infected computer and ran it again. I have full access to everything but wanna be sure that the virus is gone. Here is the second log you asked for.

OK - looking more closely, you've got traces of a potentially unrecoverable malware. The need for a reformat is a real possibility here.

You can try this:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.


Also - I would like to check to see if these are infected:
c:\windows\system32\wininet.dll
c:\windows\system32\ieencode.dll
c:\windows\system32\corpol.dll

Go here ---> and use the Browse Button at the top of the page to navigate to each of those items and Submit them for analysis. Let me know what you find.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I ran adaware on here a few days ago, and it cleared a load of stuff out. I don't know if that helps, or not.

MBAM is far superior - Definitely go with that.

Some malware is blocking those sites. Used to be a simple check of the Hosts file could address this, but not so simple these days....

--- Try START > RUN > type or copy&paste:
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0
and click OK

Then, see if MBAM can update using the Update Tab.

PP :)