
Can't access Google anything


  • This topic is locked
33 replies to this topic

#1 AuntieSuz

Posted 07 August 2009 - 08:39 PM

I was out of town for 10 days and someone else was using my computer. Upon return, there was a Windows Security Suite virus that pretty much had hijacked the entire computer. I ran MalwareBytes.... and pretty much got rid of it best I can tell.

However, I cannot run a Google Search - my results are redirected.

Worse - I cannot access my Gmail, Google calendar, home page, or anything else google-related. I AM able to access them on any other computer, just not on mine.

Any suggestions would be greatly appreciated.

Thank you,
Suz


#2 Computer Pro

Posted 08 August 2009 - 11:19 AM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right-hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.



Could you please Update Malwarebytes by going to the "Update Tab" and then run a full scan and post back the log?
Computer Pro

#3 AuntieSuz

Posted 08 August 2009 - 05:07 PM

I updated, and ran the full scan. The scan said that 3 items were detected. I'm noticing the log just says two.....

I also received a message stating:
Certain items could not be removed! The first few are listed below. All items that could not be removed have been added to the delete on reboot list. Please restart your computer now. A logfile was saved to the Logs folder.
C:\Program Files\Windows Live\Messenger\msimg32.dll
Your computer needs to be restarted to complete the removal process. Would you like to continue?

Here's my log file:
Malwarebytes' Anti-Malware 1.40
Database version: 2581
Windows 5.1.2600 Service Pack 3

8/8/2009 3:04:15 PM
mbam-log-2009-08-08 (15-04-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 247393
Time elapsed: 1 hour(s), 30 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Thank you!

#4 Computer Pro

Posted 08 August 2009 - 05:23 PM

Ok make sure that you have rebooted after the scan then:

Please run ATF and SAS:
Credits to Boopme

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#5 AuntieSuz

Posted 09 August 2009 - 01:08 PM

Both scans finished. Here's my log from SUPERAntiSpyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/09/2009 at 10:29 AM

Application Version : 4.27.1002

Core Rules Database Version : 4046
Trace Rules Database Version: 1986

Scan type : Complete Scan
Total Scan Time : 01:03:10

Memory items scanned : 245
Memory threats detected : 0
Registry items scanned : 6158
Registry threats detected : 2
File items scanned : 116521
File threats detected : 11

Trojan.Vundo-Variant/NextGen
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\catwsock
C:\WINDOWS\SYSTEM32\CATWSOCK.DLL

Rogue.Component/Trace
HKU\S-1-5-21-1466988827-3886591253-2063323200-1008\Software\Microsoft\FIAS4057

Adware.Tracking Cookie
C:\Documents and Settings\TeamVinzanne\Desktop\Suz\Desktop Chron\Removable Disk (E)\USB Transfer\vince\Cookies\vince@specificclick[1].txt

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

Thanks!

#6 Computer Pro

Posted 09 August 2009 - 02:03 PM

How are things running now?
Computer Pro

#7 AuntieSuz

Posted 09 August 2009 - 05:27 PM

My Google searches are still being redirected. I just ran a search and when I click a related link, it actually says "redirect" in the status bar.... and takes me somewhere completely unrelated. In addition, I'm not able to get away from the redirected page without closing IE down completely and starting over.

Also with Google search, when I click Preferences, the very first option says:
Global Preferences (changes apply to all Google services)
Your cookies seem to be disabled. Setting preferences will not work until you enable cookies in your browser.
How do I enable cookies? (this is a link)

When I click the link, I get a Page cannot be found error.

When I double-check my Preferences in IE > Tools > Internet Options > My Privacy settings are set at Medium. Obviously should be enough leniency to allow changes (and has in the past). I always have this setting set at Medium, and have never had any problems changing my Google preferences.

In addition, when I try to access my Gmail account, one of two things happens.
When I type www.gmail.com in the address bar, I get this page:
http://www.google.com/hws/dell-usuk/afe?hl=en&channel=us&s=http://www.gmail.com/
where it states "Sorry, we couldn't find http://www.gmail.com/. Here are some related websites...."

If I go to google.com first, then click the Gmail link, I just get a blank page. Nothing happens, no errors, just a completely blank page.

Both of these have been repeatable this entire time I've been having problems with Google.

The bottom status bar says it is connecting to site 89.248.168.188, but again, nothing happens.

When I try to open www.google.com/ig, it takes a couple of minutes for anything to happen (the green status bar at the bottom of the page slowly, very slowly moves), then I get nothing. It never moves off my current home page (MSN).

When I try to access my Google calendar:
If I go to www.google.com, then click Calendar from the more drop-down list, I get this:
http://www.google.com/calendar/render?hl=en&tab=wc
but the page is completely blank.
If I type calendar.google.com, the green status thinks and thinks (VERY slow), then I get "The page cannot be displayed" error.

maps.google.com works just fine.

One last thing... I'm sure it is not related, but something I'm investigating: My internet speed is horrifically slow. I have AT&T Uverse Elite, which says it can provide a download speed up to 6Mbps. I just ran two different speed tests, and am showing that... 5.75 Mb/s with one and 5757 kbps with a different test.

However, my speed this last week is NOT what it has been in the past. Sometimes the pages come up quickly (just tried www.msn.com, and www.lestats.com/calendar/calendar.htm, a popular site I look at). Both came up relatively quickly just now. But overall this past week, the connection has been terrible. Literally sitting for 30-45 seconds waiting for a page to load. Pages I've looked at previously with not this much "trouble."

Thanks so much for your help.

Edited by Orange Blossom, 21 August 2009 - 12:48 AM.
Deactivate links. ~ OB


#8 Computer Pro

Posted 09 August 2009 - 05:32 PM

Ok, let's try SmitFraudFix.

Please download SmitFraudFix
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Computer Pro

#9 AuntieSuz

Posted 09 August 2009 - 05:48 PM

FYI. I've got McAfee installed. I've run the full scan a couple of times, and of course came up with nothing.

Here's my log from SmitFraudFix:

SmitFraudFix v2.423

Scan done at 15:46:08.03, Sun 08/09/2009
Run from C:\Documents and Settings\TeamVinzanne\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TeamVinzanne\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\TeamVinzanne


C:\DOCUME~1\TEAMVI~1\LOCALS~1\Temp


C:\Documents and Settings\TeamVinzanne\Application Data


Start Menu


C:\DOCUME~1\TEAMVI~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Intel® 82562V 10/100 Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F7BA790-2253-4406-B61F-278784E94906}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F7BA790-2253-4406-B61F-278784E94906}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F7BA790-2253-4406-B61F-278784E94906}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Scanning for wininet.dll infection


End
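
The checks in the report above, as an added example (not part of the original post and not SmitFraudFix's own code): a small Python triage that reads the registry and DNS lines of such a report and flags values that differ from a baseline. The baseline values, the `known_resolvers` allowlist and the tampered sample are assumptions of this example.

```python
import ipaddress
import re

# Baseline for a default Windows XP install (an assumption of this example):
# (last component of the registry key, value name) -> expected data, lowercased.
BASELINE = {
    ("winlogon", "userinit"): "c:\\windows\\system32\\userinit.exe,",
    ("winlogon", "system"): "",
    ("windows", "appinit_dlls"): "",
}

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DNS_RE = re.compile(r'(?:DNS Server Search Order:|NameServer=)\s*(.+)$')

# Lines copied from the report posted above.
POSTED_REPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
DNS Server Search Order: 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
'''

# Constructed sample (not from the thread): an extra Userinit entry and two
# resolvers the analyst does not recognise (documentation-range addresses).
TAMPERED_REPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\example.exe,"
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=203.0.113.53,203.0.113.54
'''


def triage(report, known_resolvers):
    """Return findings for report values that differ from the baseline."""
    findings = []
    seen_dns = set()
    subkey = None
    for raw in report.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            # Remember which key the following value lines belong to.
            subkey = m.group(1).rsplit("\\", 1)[-1].lower()
            continue
        m = VALUE_RE.match(line)
        if m and subkey:
            # .reg-style strings double their backslashes; undo that.
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            expected = BASELINE.get((subkey, name.lower()))
            if expected is not None and data.lower() != expected:
                findings.append(f"{subkey}\\{name}: unexpected data {data!r}")
            continue
        m = DNS_RE.search(line)
        if m:
            # A value may list several resolvers separated by commas or spaces.
            for token in re.split(r"[,\s]+", m.group(1).strip()):
                try:
                    addr = str(ipaddress.ip_address(token))
                except ValueError:
                    continue
                if addr not in known_resolvers and addr not in seen_dns:
                    seen_dns.add(addr)
                    findings.append(f"DNS: resolver {addr} is not a known resolver")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_REPORT), ("tampered", TAMPERED_REPORT)):
        print(label, triage(text, {"192.168.1.254"}))
```

Run against the lines posted above, with the router address 192.168.1.254 as the only known resolver, it returns no findings.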

#10 Computer Pro

Posted 09 August 2009 - 06:52 PM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Computer Pro

#11 AuntieSuz

Posted 09 August 2009 - 09:11 PM

A couple of things.... when I ran Option 2, along with the instructions and messages you provided, I also got a screen that stated: Disk Cleanup
Disk Cleanup is calculating how much space you will be able to free on (C:). This may take a few minutes to complete.

But the status bar never changed. I let the computer sit for awhile after I ran the SmitFraudFix scan and eventually the screen just "closed."

Secondly, upon restart, my home page was changed. No biggie - I just changed it back.

However, my time clock is set for military time and I've not been able to figure out how to change that. I tried by double-clicking the clock and it all looks fine as far as GMT Pacific time. There doesn't seem to be an option to change from military. I also looked in Control Panel and found the same info, of course.

Lastly, nothing is working yet. Still no "clean" Google search, no Google calendar, no Gmail..... etc.

Here's my rapport.txt log:
SmitFraudFix v2.423

Scan done at 18:00:35.85, Sun 08/09/2009
Run from C:\Documents and Settings\TeamVinzanne\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

# Copyright © 1993-1999 Microsoft Corp.?
#?
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.?
#?
# This file contains the mappings of IP addresses to host names. Each?
# entry should be kept on an individual line. The IP address should?
# be placed in the first column followed by the corresponding host name.?
# The IP address and the host name should be separated by at least one?
# space.?
#?
# Additionally, comments (such as these) may be inserted on individual????
VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F7BA790-2253-4406-B61F-278784E94906}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F7BA790-2253-4406-B61F-278784E94906}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F7BA790-2253-4406-B61F-278784E94906}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


Thank you!

#12 Computer Pro

Posted 09 August 2009 - 09:18 PM

Here's for the military time:

http://www.online-tech-tips.com/cool-websi...-military-time/

And make sure where it says to change to a capital H, make sure you do lower case h instead..

Next, let's run RootRepeal.

Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

*Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the FILES tab, then click the Scan button.
* In the Select Drives dialog, Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#13 AuntieSuz

Posted 10 August 2009 - 08:17 AM

Here's the text log from RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/10 06:15
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\wfv1.tmp
Status: Allocation size mismatch (API: 54198272, Raw: 45875200)

#14 Computer Pro

Posted 10 August 2009 - 10:25 AM

Ok, I'm not seeing it. Be prepared, this is going to be a long scan, but it gives us a detailed look.

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
o Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post
Computer Pro

#15 AuntieSuz

Posted 10 August 2009 - 02:35 PM

Thank you! And thanks so much for the warning that it is a long scan. I'll have to scan later today as I need my computer the rest of today.

Also - the military time change instructions worked beautifully. Thanks again!



