PhilliePhan 171 Central Scrutinizer Team Colleague

PP
Sorry it took so long, but I forgot to save the log and had to do it over.
It appears to have fixed the problem.
Is it odd that it was there after replacing the hard drive and doing a clean install?

Yeah - that's a bit odd after a fresh install, but not unheard of. People have backed up infected files and reinstalled them. Plus, a few minutes of iffy surfing can do the trick if your security is not up to par...

I find it interesting that combofix removed a few seemingly legit items:
c:\documents and settings\Gateway User\My Documents\backup.reg
c:\documents and settings\Gateway User\My Documents\backupfile.reg
c:\windows\system32\clrviddc.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\Web\default.htt

I'm not so sure those are evil. Did you create the registry backups?
I think clrviddc.dll is a video component - maybe it was infected? Do you know if it was part of a legit app that you use?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

So, should I go ahead and order the "OS disks" from Sony? Couldn't hurt to have them just in case.

Definitely get your OS disks (I'm assuming Windows disc and sony drivers)! They are good to have on hand and, given all that has been tried thus far, they may be necessary.
I'd still like to scrutinize this thread a bit more when I have the time - awfully busy right now - to see if we missed something.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

This is the only thing that appeared
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

OK - Let's try this:

Please run S!R!'s SmitfraudFix Search - Option 1 as per the linky below and post the log for me.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

I have to run, but will be back Tuesday evening EST.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Jotti's said it was empty, 0 bytes.

VirusTotal: 0 bytes size received / An empty file has been received

Go ahead and follow my post and let's see what happens.

Gotta run - Will check back Tuesday.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Am getting too old to learn new tricks :).

Ain't it the truth?? ;)

I, for one, do not give up so easily . . . . .

Hey KH - Do you have the VAIO Recovery Wizard option available to you on your compy?

Click START > Help & Support > Recovery Wizard.

If so, what options do you have (I have no specific VAIO knowledge...)

-- The assistance you mentioned before, was that in a forum, or private. I'd like to see it, if possible.

I will be back Tuesday Evening EST.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

c:\windows\system32\gnbpbgl.dll

That's the baddie - I'm going to go ahead and pull it out of there....:)

NW:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log. Let us know if that helps.
I'll be gone until Tuesday Evening EST - Perhaps crunchie will check back sooner.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Don't know about a recovery partition; I should be able to network in Safe Mode. Thanks for the help, I appreciate it very much. I will continue trying to resolve the issue as long as someone is willing to help me try :)

OK - See if you are able to run programs in Safe Mode.
Also, see if you can download in Safe Mode.

Need to rule some more stuff out.

-- What Brand compy is this?

Be back on Tues :)

PhilliePhan 171 Central Scrutinizer Team Colleague

any other ideas anyone?

Let's try this:

Please download mbr.exe and place it in your C:\ Drive
-- Click START > RUN > type cmd ENTER
At the prompt, type or Copy and Paste: mbr -t > C:\Logit.txt
Let it run and please post the Logit.txt

I'll be back on Tuesday if crunchie doesn't reply earlier.
PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks so much for trying to help! :)

Happy to try.

I am going to be away from compy for a bit - I'm sure crunchie will weigh in again.
I'd like to go back over this thread more closely to see if we are missing anything - this might not be a malware issue, though some was removed during the scans.

-- Are you able to boot to Safe Mode with Networking on the ill compy? (tap F8 at boot - don't use msconfig for safe mode)

-- Do you have a "recovery partition" on ill compy?


I'll be gone for a bit - definitely be back Tuesday (EST)

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Well . . . Shoot.

After all that hassle, that log looks OK. . . . At least we can rule some more things out...

-- What happens when you try to run programs and they fail? Any error message(s)?

-- What kind of "Restore" did you do and how did it make things worse? (your first post)

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

You may have to run a deep full anti-virus, anti-malware, anti-rootkit scan from safe mode.
what should I run for this?

I am not sure if the poster read the first 60 posts in the thread . . . .

Could you please place Junction.exe on your Desktop
Then, download RunThis.bat to your Desktop and DoubleClick it (or RightClick & Run as Admin) to run it.
A command box will pop up - no worries. After a few moments a log should pop up - please post that for us.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, did it again, and it's the same: the Logit.txt that opens in Notepad is empty.

Ok - My fault (I think).
After you extract from the zip, you need to take Junction.exe out of the Junction folder (contains Junction.exe and eula.txt) and put only junction.exe in the Windows Folder.

Or did you do that?

Sorry :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I replaced the hard drive and loaded the original OS, drivers, etc. from the original discs, then installed the Windows XP upgrade. . . .
I ran the Microsoft Security Essentials program and it removed Worm:Conficker, or so it said...... (problem still occurs).

Hi NW,

So this is a clean install? I would think you would've installed the necessary patches to avoid conficker.

Do you have any important data stored on this machine, or can we run tools without worrying about losing data if another re-format is necessary?
It may be a bad install.... What we can do here is try to rule out malware as the culprit.


Let's go ahead and do this:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

ok, I'm sorry but I guess I need directions for "place the file in the C:/Windows directory"

RightClick on Junction.zip and extract Junction.exe to your Windows Folder (C:\Windows).
Or, if easier, extract Junction.exe to the Desktop and then Cut&Paste it into the C:\Windows Folder.

Then, open a command prompt (START > RUN > type cmd and hit ENTER).
At the command prompt, type: junction -s > C:\Logit.txt ENTER
Let it run - should run quickly and a log will be created at C:\Logit.txt

Please post the Logit.txt.

-- Are you unable to download from any site with the ill computer?
The thing is, there is a spate of malware going around that blocks access to security sites and security tools (malwarebytes / norton / etc...) are you able to access www.malwarebytes.org? What about www.symantec.com?
We need to rule that out.

-- Also, I'd like to check if your atapi.sys is infected, though combofix should've detected and replaced it.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, after I ran ATF on Firefox, something seems wrong with my Firefox: when I open DaniWeb, all the text is centered and the appearance looks weird...
Not all sites are like this, only some. I already tried reinstalling Firefox. Do you know why? Did it block some of the plug-ins?

I do not know - This is the first time I've heard of that. I use ATFCleaner a lot and have never had an issue with Firefox.
Have a look at this thread: ATFCleaner and Firefox
Does that help?


Since the redirect is gone. let's remove Combofix and the files/folders it created:

-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

-- Let me know if you are still having problems with Firefox and we'll see what we can do.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Seems that iastor.sys is the bad guy.
Now it looks like it's not redirecting, but let me test a bit more later on. Below is the ComboFix log.
Thanks :)

Happy to help :)

Let me know if you are still being redirected.

-- Looks to me as though you tried to clean this (or another infection) before posting here? Another typically infected file is missing....


Please do the following:

1) Click START > RUN > type cmd ENTER
At the command prompt, type ipconfig /flushdns and hit ENTER
-- Note there is a space between g <space> /

2) With the command prompt still open, type:
copy c:\windows\system32\dllcache\eventlog.dll c:\windows\system32\ and hit ENTER
You should get a message stating "1 file<s> copied."
-- Note there are spaces between copy <space> c:\ and .dll <space> c:\

3) Please Download ATF-Cleaner.exe by Atribune to the Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the …
PhilliePhan 171 Central Scrutinizer Team Colleague

wow, you really know a lot 'bout this :D
I Scanned using jotti's malware. And all of the scan found nothing on the file.
Will try using this combofix. And let you know the result.
Thanks.

Well . . . I don't know as much as I'd like to - these baddies are constantly changing. I think I've seen this file modified before and I know combofix will address it if that is the case, so we might as well give it a try.
Please post me the entire combofix log when it finishes its run.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

This seems familiar to me - I think I've seen it before.....

I'm fairly certain that this is infected. It may not show in the scan, but if it has been modified, the latest Combofix should catch and replace it.


Let's go ahead and do this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix to your Desktop and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me and let me know if you are still being redirected. Also, I'd be interested in the Jotti results from my previous post.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

That log looks OK other than the above. Let's look at this one further:

Please go here ---> and use the Browse Button at the top of the page to navigate to C:\WINDOWS\system32\drivers\iaStor.sys and Upload it for analysis.
Let me know what you find.

This seems familiar to me - I think I've seen it before.....

PP :)
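The two steps above that deal with patched system files (the `copy c:\windows\system32\dllcache\eventlog.dll ...` repair and the GMER "suspicious modification" hit on iaStor.sys) rest on the same idea: Windows XP kept pristine copies of protected files under system32\dllcache, so a live file whose hash differs from its cached copy has been altered on disk, whether or not an AV signature recognises it (Jotti's came back clean on that same driver). The script below is an added example written for this page, not a tool posted in the thread. It builds a constructed stand-in for system32 in a temp directory with one patched driver, one untouched driver and one file with no cache copy; the WATCHED list and the sample bytes are assumptions. Two caveats a practitioner needs: while a TDL3/Alureon rootkit is running, its disk hooks return the clean driver to any reader, so run a check like this from an offline boot or a clean medium; and the dllcache copy can itself be replaced, so a match only proves the two copies agree (Sysinternals sigcheck against the Microsoft signature is the stronger test on a live system).

```python
"""Compare a Windows system file with its dllcache copy to spot an in-place patch.

Added example for this thread, not code from the original posts.  Paths, the
WATCHED list and the sample bytes below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Files this thread saw patched or repaired (TDSS/Alureon favourites).  Assumption:
# extend with whatever GMER or ComboFix flags on the machine you are looking at.
WATCHED = ("drivers/iaStor.sys", "drivers/atapi.sys", "eventlog.dll")


def sha256_of(path: Path) -> str:
    """Stream the file so large drivers do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_to_dllcache(system32: Path, relpath: str) -> str:
    """Return 'match', 'modified', 'no_cache_copy' or 'missing' for one file.

    dllcache is a flat directory, so drivers/atapi.sys is cached as dllcache/atapi.sys,
    exactly the path the thread's manual copy command used for eventlog.dll.
    """
    live = system32 / relpath
    cached = system32 / "dllcache" / Path(relpath).name
    if not live.exists():
        return "missing"
    if not cached.exists():
        return "no_cache_copy"
    return "match" if sha256_of(live) == sha256_of(cached) else "modified"


def audit(system32: Path, files: Iterable[str] = WATCHED) -> Dict[str, str]:
    """Run the comparison over every watched file and return {relpath: status}."""
    return {rel: compare_to_dllcache(system32, rel) for rel in files}


def build_sample_system32() -> Path:
    """Constructed stand-in for C:\\WINDOWS\\system32 with one patched driver."""
    root = Path(tempfile.mkdtemp(prefix="sys32_"))
    (root / "drivers").mkdir()
    (root / "dllcache").mkdir()
    # Fake PE-ish body; the content does not matter, only that the two copies differ.
    clean = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + bytes(range(256)) * 8
    patched = bytearray(clean)
    patched[300:316] = b"\xcc" * 16          # a small in-body patch, TDL3 style
    (root / "dllcache" / "iaStor.sys").write_bytes(clean)
    (root / "drivers" / "iaStor.sys").write_bytes(bytes(patched))   # modified
    (root / "dllcache" / "atapi.sys").write_bytes(clean)
    (root / "drivers" / "atapi.sys").write_bytes(clean)             # match
    (root / "eventlog.dll").write_bytes(clean)                      # no cache copy
    return root


if __name__ == "__main__":
    sample_root = build_sample_system32()
    for rel, status in audit(sample_root).items():
        print(f"{status:14} {rel}")
```

On a real XP box you would point `audit()` at `Path(r"C:\WINDOWS\system32")` from a clean boot; "no_cache_copy" is itself a finding, since an earlier cleanup that deleted the cached copy (as PP suspected for one of the poster's files) leaves you nothing to restore from.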

PhilliePhan 171 Central Scrutinizer Team Colleague

Running it now...that was all that was in the log file for ESET...is there a log I need to post, or might this just clear up the redirect?

I think your DNS Cache has been poisoned.

If you click Start > Run > type ipconfig /flushdns ENTER
See if that helps. That is merely a workaround that doesn't address the actual malware (which may or may not remain).


Instructions for running GMER:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.

PhilliePhan 171 Central Scrutinizer Team Colleague

"Trojan:win/32/Alureon.ct" was detected.

This is a DNS changer / cache poisoner in the TDSS family. You guys might want to have a look in that direction....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I also tried to run anti-spyware and nothing came up

I'm curious about this one:

Please navigate to the file in bold below and upload it here for analysis and let us know what you find --->
c:\windows\system32\windrv.sys

I'd also suggest a GMER run, if crunchie concurs...

PP:)


EDIT: You can get deldomains here without registering:
http://www.mvps.org/winhelp2002/restricted.htm

PhilliePhan 171 Central Scrutinizer Team Colleague

Seems you're correct... it still redirects my web pages...
I will do as you said tonight and will get back to you when the scan is finished.
Thanks for your help.

Happy to try to help!

There seem to be a lot of different variations of this redirecting malware going around these days. Usually MBAM will detect and remove some of the rootkit components, but I didn't see any in your log. Perhaps it is something new?

Let's see what the GMER scanlog has to say.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Err... I'm not so sure what the tools did to my system. Did it remove something?

I do not think so - that log is clean.... This is the first time I've seen the new version of GooredFix, so maybe I'm misreading it.

I had been leaning toward a rootkitted malware being responsible for the issues - Just wanted to cover all bases, hence GooredFix. Frankly, I'd still like to have a further look.

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.

PhilliePhan 171 Central Scrutinizer Team Colleague

I just tried my Firefox; it still redirects. I don't know the common symptoms for this spyware, but I get redirected if I search using the Google toolbar and right-click a result to open it in a new tab. It gets redirected to another site...

OK - Let's do this before breaking out the big guns:

Please download jpshortstuff's GooredFix.exe to your Desktop.
-- Make sure all browsers are Closed and then DoubleClick GooredFix.exe to run it.
A dialog box should pop up:
"GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit."
-- Click Yes and allow the tool to run. It should go pretty quickly.
-- Look for GooredFix.txt on your Desktop and post that log for me.

See if you are still being redirected and we'll go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

ah, sorry, here we go, the DDS.txt
thanks...

Sorry for the late reply - busy weekend.

I do not see much there - A few things I do not recognize, but that doesn't make them baddies...

-- You do need to update your Java and Adobe Reader and remove the old versions.

How are things running now? Are you still being redirected?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a lot guys.......

Happy to help :)

-- I need to see the DDS.txt
Run it again and copy and paste that into your reply.
I don't need another attach.txt. Just the DDS.txt.

I will check back as time permits over the weekend.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks again.

Happy to help :)

I really haven't had time to look closely at your logs, but at quick glance they look OK - nothing really jumps out at me.

How are things running?

-- You should update your Java and remove all older versions.
-- c:\windows\system32\947A2DE479.dll I do not know what this is - check it out at http://virusscan.jotti.org/en
You'll need to enable the viewing of hidden files to see it.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I have the same problem as nmslagle: I keep having the address redirected to a fake address. Can you help check my log? Below is my log.

Please do the following:

Download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please …

ferrysb commented: Thanks for your help in solving the redirected Firefox :) +1
PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks so much, that got it working again!
Do you have any idea how something like that happened or what I can do to protect myself from something like it in the future other than running AV and FW software?

Happy to help :)

More often than not, this is due to malware. I have seen a lot of compys issued by schools and businesses restrict this sort of access as well.
Some solid "real time" protection such as WinPatrol would be a good preventive measure.
There are other tools, but WinPatrol and SpywareBlaster are the ones I would recommend.

I think you have to format your entire computer system & re-install it properly to overcome that problem.

Errr . . . . NO.
What is the point of posting something like that?

PhilliePhan 171 Central Scrutinizer Team Colleague

Please download FixIt.reg to your Desktop.
DoubleClick on FixIt.reg and allow it to merge into the registry.

Reboot for good measure and see if that helps.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you so much for your help.

10/25/2009 6:01:07 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

Happy to help.

-- That is a bit worrisome. Did you run chkdsk?
-- Do you know what this is ---> ByakkoDriver Gaming related, perhaps?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here is the info you needed. TIA for your help.
uPolicies-explorer: NoControlPanel = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)

Happy to help.

Nothing particularly evil jumps out at me from those logs. Just looks like a little minor registry alteration.

I'd like to take a more thorough look before posting the fix:
Please download Peek.bat to your desktop.
DoubleClick on it to run it and post me the contents of the log that pops up.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I also forgot to mention that I tried to do a system restore to resolve the issue and got an error that it could not be done with multiple restore points.

Update your MBAM via the "Update" Tab and run it again and post me the log.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Please post the MBAM and DDS logs for me.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I am not clear as to what your problem is.

Let's go ahead and do this:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

REBOOT and then:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no …

PhilliePhan 171 Central Scrutinizer Team Colleague

Excellent! Thank you very much for all your help!

You're welcome - Happy to help! :)

Let's remove Combofix and the files/folders it created:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

If you could give me a list of the updates I'll need, I'd be most appreciative.

First and Foremost - Get Your Windows Updates. They are the first line of defense!
Windows Updates


In ADD/REMOVE Programs:

Uninstall Adobe Reader 7.0 and install Adobe Reader 9.2

Uninstall or Update avast! Antivirus
I suggest Removing avast! and installing Comodo Firewall + AntiVirus for Windows - It's FREE!

Uninstall J2SE Runtime Environment 5.0 Update 2
Then Install the latest Java from here ---> http://java.com/en/

Uninstall Microsoft AntiSpyware and replace it with Windows Defender for its "real time" protection. Alternately, you might try Winpatrol, but it is not free....

Uninstall or Update Spybot - Search & Destroy
Personally, I prefer SpywareBlaster which operates much in …

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't know if it found anything or not.

That looks OK to me - A couple items I do not know, but doubt they are bad.

Well . . . At this point I believe we have gotten your computer as clean as we possibly can in a Forum setting.
:cool:

Long road, huh?

Anyhoo, now you can probably remove any important data safely.

You will also need to decide whether you want to then reinstall Windows or merely proceed with the necessary updates.
Bear in mind that you are going to need the updates in both cases.

Besides the Windows updates, you'll need AV / Java / and others.
I can give suggestions if you need them.

Let me know how you want to go forward.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - DDS looks OK (not including outdated stuff).

I would like to run one more tool - couple things I want to double-check from Root Repeal log. I'd hate to have you update Windows while a rootkit is operational, so better safe than sorry:

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

Along the Right side of the GMER GUI there will be a number of checked boxes (GMER GUI). Uncheck the following ...
- Sections
- IAT/EAT
- Drives or Partitions other than Systemdrive (usually C:\)
- Show All (be sure you don't miss this one)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Do not run any other programs while GMER is scanning and DO NOT take any action for any found items until I can have a look.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Great - another step forward.

We need to make sure this machine is as clean as we can get it before undertaking the patching process. You have a ton of Windows updates to download and install (along with removing and updating other programs). The Microsoft updates will likely take hours.
But, you really shouldn't do that until we are fairly certain nothing more is lurking in the shadows.

To that end, let's do this:

If you do not have it handy, Download RootRepeal.exe and save it on the root of C drive ---> C:\RootRepeal.exe
http://ad13.geekstogo.com/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe

-- Open RootRepeal and click the Report Tab
-- Click the Scan Button.
-- Check ALL Seven Boxes
-- Click OK.
-- Check the box for your main system drive (Usually C:\) and Click OK.
-- Allow the scan to run for as long as it takes. When it finishes, Click Save Report.
Save the log to your desktop where you can find it easily and post it for me.

--Then, please run a fresh DDS scan and post the DDS.txt. I do not need to see Attach.txt.

If those come out OK, we can have a go at updating the machine or pulling data off and reformatting - however you wish to proceed.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

One nice, new MBAM log.

Well . . . for some reason it is not getting at the malware I think is responsible for poisoning DNS.

Time to get a bit medieval on it....

Please Download The Avenger v2 by Swandog46 if it is not handy on your flash drive.
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:



Drivers to delete:
sekvhtb
iMSPCLOj
qvycltyk
qqpcv
rzwrcfbg

Files to delete:
c:\windows\Sboqomatumoye.dat
c:\windows\Ohamozu.bin
c:\windows\system32\dbsinit.exe
c:\windows\system32\wwp.htm
c:\windows\system32\01.tmp
c:\windows\system32\02.tmp
c:\docume~1\gregro~1\locals~1\temp\imspcloj.sys
c:\windows\system32\ptdtaqc.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - We'll rip the visible baddies out with a different tool. Seeing as it's pretty late, I'll post the steps Monday evening.

PP :)

EDIT: Maybe won't need to manually rip them out after all . . . Be sure to have MBAM remove what it finds and go ahead and reboot.

See if you can update at Windows Updates (patches, etc...) and whether you can now connect to some of the other blocked sites (superantispyware, etc...)

Also - verify whether DNS Client is running (status & startup type) in Services (START > RUN >type services.msc)

Gotta run - way behind on work due to lots of sports viewing today.... :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll patch conficker now. And hey, your plan of attack has cleared out an awful lot of the bugs, so I'm not complaining :P.

Yeah . . . But if we don't get them all, they'll come right back.
The thing is, those scans we already ran should've been more effective.

-- Did you disable DNS Client service (a few posts back)?

-- Let's take a small step back and do this - Probably should have done it a while back, but we got caught up in going a different direction. You should have put this on Flash drive, but I'm just copy&pasting my usual directions to save time:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll leave the window open for now and not move on to the next step, if you want the exact info I'll try and find a way of getting it all out of there.

Regarding conficker, I should probably come clean now and admit that my housekeeping has been dreadful.

As long as the baddies were removed, we are good to continue.
-- See if you can now run MBAM and update via the Update tab.
Then, run the full scan. Remove what it finds and post the log. Reboot afterwards.

I imagine you are waaay behind on patches - If MBAM updates and runs, we will probably have come to the point where you need to decide if you want to pull your data off and reformat or try to patch/update everything.

The problem here was with my plan of attack, I think. Not being able to access the machine directly led to a different approach and I didn't get to see a few crucial items regarding patches etc...
That, and a few wrong assumptions.

Anyhoo, let's try MBAM and cross our fingers :)
PP

EDIT: Probably a good idea to run that Onecare scan on Laptop.....

PhilliePhan 171 Central Scrutinizer Team Colleague

The DNS flush didn't help, unfortunately.

Did you get an error message?
If not, we can try this:
START > Run >type services.msc and Stop / Disable the DNS Client service. Maybe that will help in the short term.

My hosts file contains simply "127.0.0.1 localhost".

That is what it should be.

I don't have that update, I'll pick it up shortly though. The Microsoft scanner does appear to work, though. I had it at 35% before I accidentally rebooted the machine and had to start over. Will post the results when it finishes, though.

Good - Let me know what it finds.
I probably made a mistake in assuming everybody had taken steps to remove and patch conficker . . . Should know better than that.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah, MBAM still won't update. And I have *exactly* the same problem with superantispyware, FF won't find the server.

This sounds a lot like conficker - of course lots of other malware have done this as well. I'm surprised none of the tools we ran addressed this.

Let's check a few things:
-- Navigate to C:\WINDOWS\SYSTEM32\DRIVERS\ETC and use notepad to open the HOSTS file and post that for me.

-- At command prompt, type ipconfig /flushdns ENTER
See if that helps

-- Do you have this security update?
Security Update for Windows XP (KB958644)
You can find it in Add/Remove Programs (be sure box at top to Show Updates is checked)
Or, use the search function to find KB958644

-- Are you able to access and run this scanner:
http://onecare.live.com/site/en-us/default.htm

PP :)
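The HOSTS check above is the classic first look when update and vendor sites stop resolving: any line mapping a security vendor's name to 127.0.0.1, 0.0.0.0 or some other address is a hijack. The script below is an added example (not from this thread or from any of the tools mentioned in it) that parses hosts-file text and separates vendor redirects from ordinary custom entries. The vendor list and the two sample files are constructed for the demo; as the thread itself notes, a hosts file that contains only the localhost line does not rule out blocking done elsewhere, for example by malware hooking DNS resolution in the DNS Client service.

```python
"""Audit a Windows HOSTS file for entries that redirect security-vendor domains.

Added example, not part of the original thread. The vendor list is
illustrative and the sample hosts-file contents are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains malware commonly blocks so the victim cannot fetch tools or patches
# (illustrative, not exhaustive; assumption: these are the ones worth flagging).
SECURITY_DOMAINS = (
    "malwarebytes.org",
    "superantispyware.com",
    "microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
)

# The only mappings a stock hosts file should carry.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

Entry = Tuple[str, str, int]  # (ip, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return every active (ip, hostname, line_no) mapping in hosts-file text."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])  # first token must be an address
        except ValueError:
            continue  # malformed line, not a mapping
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), line_no))
    return entries


def is_security_domain(host: str) -> bool:
    """True if host is one of the vendor domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Split non-default mappings into vendor redirects and other custom entries."""
    report: Dict[str, List[Entry]] = {"suspicious": [], "custom": []}
    for ip, host, line_no in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        bucket = "suspicious" if is_security_domain(host) else "custom"
        report[bucket].append((ip, host, line_no))
    return report


# Constructed sample: a stock hosts file, as reported in the thread.
SAMPLE_CLEAN = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""

# Constructed sample: vendor sites sinkholed plus one legitimate admin entry.
SAMPLE_HIJACKED = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       malwarebytes.org
0.0.0.0         www.superantispyware.com   # blackholed
10.0.0.5        intranet.example           # legitimate custom entry
"""

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        result = audit_hosts(text)
        print(f"{name}: {len(result['suspicious'])} vendor redirect(s), "
              f"{len(result['custom'])} custom entry(ies)")
        for ip, host, line_no in result["suspicious"]:
            print(f"  line {line_no}: {host} -> {ip}  (SUSPICIOUS)")
```

On a real machine, read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts into the text and run audit_hosts on it; an empty "suspicious" list only clears the hosts file, so a machine that still cannot reach vendor sites needs the DNS Client and patch-level checks the thread goes on to describe.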

PhilliePhan 171 Central Scrutinizer Team Colleague

Just out of curiosity - do you have the same trouble Downloading, Updating and Running SuperAnti-Spyware?

Try that if no joy with MBAM.

I'll be back Sunday Evening.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I ran adaware on here a few days ago, and it cleared a load of stuff out. I don't know if that helps, or not.

MBAM is far superior - Definitely go with that.

Some malware is blocking those sites. Used to be a simple check of the Hosts file could address this, but not so simple these days....

--- Try START > RUN > type or copy&paste:
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0
and click OK

Then, see if MBAM can update using the Update Tab.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Apparently "Firefox can't find the server at www.malwarebytes.org." Same result with IE, and opera.

I get the same error on my laptop.

That's a bit worrisome - you may have some malware on the lappy, too.....

See if you can access it via Majorgeeks:
http://majorgeeks.com/Malwarebytes_Anti-Malware_Database_d6025.html

PP :)

EDIT:
Maybe a run of MBAM on laptop is warranted?

PhilliePhan 171 Central Scrutinizer Team Colleague

I did figure it was sport-related, though I didn't know it was baseball :P.

I can't update MBAM, it just gives me an error (code 732 (0,0)). I tried to download a new db from the link provided, but it gives me a 404 error. I'm stuck with version 2775. Should I run it anyway?

Download http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Run mbam-rules.exe - I'm not sure what database it will be, but definitely more recent than 2775.
Then try MBAM and let's see what it removes.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey again. Apologies it took me so long to get back to you, been busy as hell yesterday evening and this morning.

No worries - we all have "real lives" to contend with. :)
I am going to be pretty busy with typical fall chores this weekend + watching sports (don't know if PhilliePhan would give that away across the pond....)

Let's try MBAM
-- Run your MBAM and click the Update tab.
You should at least have Database Version 3027
--Then, run the Full Scan and post me the log. Be sure to have it fix what it finds and go ahead and Reboot when it finishes.

Let's see where that leaves us. Hang in there - I think we are almost to the finish line....

Cheers :)
PP