BleepingComputer.com: Iexplore/firefox redirect.

Iexplore/firefox redirect. Nothing finds it

#16 rob71 (Member, Group: Members, Posts: 19, Joined: 14-November 11)

Posted 16 November 2011 - 09:54 PM

mbam log:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8178

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

11/16/2011 9:49:32 PM
mbam-log-2011-11-16 (21-49-32).txt

Scan type: Quick scan
Objects scanned: 218556
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Roguekiller log:


RogueKiller V6.1.9 [11/16/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Scan -- Date : 11/16/2011 21:51:24

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt



I have a Vista recovery CD.

#17 rob71

Posted 16 November 2011 - 09:59 PM

Redirects are still there, router was reset before all of the above.

#18 rob71

Posted 17 November 2011 - 06:10 PM

Noticed that it wasn't the user account that I was logged onto that was turning all the processes on. Looked in C: under Users and almost everyone except the main admin had /Roaming/windows in them. Within it some had just a file or two, some had more, but all had a folder /send to and within it a zip file and a mailer, I'm guessing. Placed all the "send to"s in the recycle bin. Inside, along with the "send to", there is a folder called "protect". Haven't done anything with those or emptied the recycle bin yet.

This post has been edited by rob71: 17 November 2011 - 06:22 PM


#19 rob71

Posted 17 November 2011 - 06:45 PM

Sorry, think I jumped the gun on that one. The first search for that brought up microsoft.answers where everyone was having the same kinds of disappearing files and locked files, and I figured I'd be making a large purchase somewhere in the Middle East at any moment. Files are still in the bin and can be restored. A more in-depth search of it and it seems legit.

#20 rob71

Posted 18 November 2011 - 06:58 PM

Haven't restored those files yet. Reading up on get-answers-fast.com and the searchlight sites, it said they were used to steal info. Been trying to read up on them but there is tons of stuff to read. Found something almost alike: http://www.bleepingcomputer.com/forums/topic412458.html/page__st__30 With them resetting the router worked and they had almost the same exact symptoms. Maybe we just didn't get it off here before we reset the router; going to read up on what they did beforehand.
In that topic above they cleaned the virus, but the person that started helping and the one I think that got the virus are now in the banned groups. So not sure whether to follow along those lines or not...

This post has been edited by rob71: 18 November 2011 - 07:53 PM


#21 rob71

Posted 18 November 2011 - 08:50 PM

Posted 03 August 2011 - 01:02 AM
OK, time to take a deeper look:

*Download the eScan removal tool. It will download two files.
http://update1.mwti.net/akdlm/download/tools/mwav.exe

* To remove the eScan setup properly from your system just run esremove.exe.

*After uninstallation completes you will get the pop-up "eScan removed Successfully."

*After download completion, double click on the saved file.

*The scan window will open; update if asked, otherwise perform a full scan.

*It will remove anything found automatically.

*Come back with results.

This post has been edited by shreyas1995: 03 August 2011 - 02:35 AM



That's what got it. Haven't done it yet. Antivir desktop is still on the computer and uninstallable as far as I can tell. Presently have no active anti-virus running. Downloaded SAS and it found 300 tracking cookies then rebooted. Running in-depth SAS again now. He then suggested CCleaner and to use it on the registry. I'm not that computer literate but before this knew not to tread there if you didn't have to. Gonna read up on eScan while SuperAntiSpyware runs a thorough scan. Security says I can turn Antivir desktop back on. After SAS finishes I'm going to do that and see if it returns to the program list. Can't find that much on eScan other than their own blogs; I may download the Kaspersky virus removal tool and let it run. If anyone knows that eScan is really useful and not just a scanner. Plus ComboFix is still on the desktop, not sure if either should be run with it still there. Still reading and SAS still running. SAS has found 39 more tracking cookies (I am still browsing), 2 game uninstall files it sees as trojans and 1 syswow64\drivers\ute40dq4.sys as a trojan. I will probably skip these unless I can find something about them so as not to lock the system down.

This post has been edited by rob71: 18 November 2011 - 09:30 PM


#22 rob71

Posted 18 November 2011 - 09:46 PM

Security center says that AntiVir desktop reports that it's turned off but there is an error when trying to turn it on from there. Not sure which is the best way on this. Going to re-download it then uninstall with Revo Uninstaller and hope it finds anything orphaned from what's on there now. Still received the error as it restarted the computer; when it came back up it's still missing in action but easily found in C:. Was able to uninstall from a different Antivir download site. That download had a control console that let me uninstall. HitmanPro caught a boot sector trojan and another host of tracking cookies. That seems to have got the redirects and pop-ups. Going to see what processes have a mind of their own still.

Lots, many svchosts chewing up some memory, startup only has SAS but services is full.

This post has been edited by rob71: 18 November 2011 - 11:13 PM


#23 fireman4it (Bleepin' Fireman, Group: Malware Response Team, Posts: 8,322, Joined: 24-May 08, Location: Bement, ILL)

Posted 19 November 2011 - 11:28 AM

Hello,

At this point we will no longer be able to assist you as you are receiving help from others along with making many changes on your own.

#24 rob71

Posted 20 November 2011 - 08:32 AM

I understand. Although it was all on my own, I just got info from other posts. eScan found 7 more registry trojan/backdoor viruses and 2 program trojans. I think the two programs were the same ones found earlier, but I let it get rid of them. All redirects are gone and I never knew this machine was this fast. Need to clean what tools I have still on here and settle on which anti-virus to use. A lot seem to like Avast.

Kept posting all I did except running the eScan. Then ran the ESET online scanner which came back clean. Ran TFC for temp folders. Had tons of games and programs that got removed so I ran CCleaner to help clean that up. Today I'm going to update Windows, Adobe and Java. Although I had wondered, having removed so much and it being poorly maintained for so long, if I should have just reformatted.

My wife sells on eBay and we keep our banking info on here, so considering what virus we had I was determined to get it off ASAP. Learned a lot off these forums. I'm going to read up on how to remove the tools before I just throw them in the recycle bin. I thank you for the time you spent on it and hope you have a great weekend.


I will not be running AntiVir desktop again. The virus hid it and hacked it so that it wouldn't run. Could not re-install to get it to work and couldn't uninstall. Several download sites had downloads that didn't help; found one that had a control console that had options for install, repair and uninstall. It couldn't fix what the virus had done to get it to run, but it was able to uninstall and remove it from the system. I will try and find that site again and post that link, but dummy me ran TFC so my history of where I got it is gone, and I had tried several before getting that one.

This post has been edited by rob71: 20 November 2011 - 08:47 AM


#25 rob71

Posted 20 November 2011 - 08:33 AM

rob71, on 18 November 2011 - 09:46 PM, said:

Security center says that AntiVir desktop reports that it's turned off but there is an error when trying to turn it on from there. Not sure which is the best way on this. Going to re-download it then uninstall with Revo Uninstaller and hope it finds anything orphaned from what's on there now. Still received the error as it restarted the computer; when it came back up it's still missing in action but easily found in C:. Was able to uninstall from a different Antivir download site. That download had a control console that let me uninstall. HitmanPro caught a boot sector trojan and another host of tracking cookies. That seems to have got the redirects and pop-ups. Going to see what processes have a mind of their own still.

Lots, many svchosts chewing up some memory, startup only has SAS but services is full. The svchosts are supposed to be there. Checked them all out and none seem to be running any questionable services.

