
Computer infected


11 replies to this topic

#1 psypher

psypher

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:11 PM

Posted 20 August 2009 - 12:10 PM

Hi,
My computer recently started showing a "Windows Security Alert" icon on the taskbar at the bottom of the screen. If I click on the "X" mark to close the balloon, it launches what looks like a fake virus infection alert message. If I try to click on it and close the message it shows other windows etc. Sometimes, it takes over and changes the wallpaper image with some virus alert image.

Last week, I had to run malwarebytes a couple of times. Each time malwarebytes clears up most of it but it can't remove 2 or 3 of them. When I restart the computer, my wallpaper is back to normal and it works fine for a few days. Then same process repeats.

This week it started showing up in new ways. It opens up what looks like a windows explorer folder, but it is a fake message. Then today it showed up as a mozilla window. I am not clicking anywhere on it these days and using task manager to end task instead, but with today's mozilla version, if I end the task, it also closes all my other valid mozilla windows where I'm connected to the internet.

Please help me identify what this adware/spyware/virus is and how to fix it. I am tired of dealing with it. Thanks in advance.



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:11 PM

Posted 20 August 2009 - 08:15 PM

Run a Malwarebytes scan and post the log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 psypher

  • Topic Starter

Posted 21 August 2009 - 05:37 PM

Hi Budapest,

I normally use my computer with a guest account with no admin privileges so that any virus infection doesn't have full access.

But to run malwarebytes, I logged in as admin and ran it. I updated malwarebytes with the latest version before I ran it. I ran the full scan instead of the quick scan.

Here is the log created by malwarebytes after I clicked on "Remove Selected" after the scan. Thanks.

****************************************************************
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/21/2009 6:20:16 PM
mbam-log-2009-08-21 (18-20-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 344965
Time elapsed: 1 hour(s), 17 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Friend\Local Settings\Temp\~TM13.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\Local Settings\Temp\~TM81EC3F.TMP (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\Local Settings\Temp\184.tmp (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\Local Settings\Temp\2F.tmp (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\Local Settings\Temp\5F.tmp (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\Local Settings\Temp\75.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\Local Settings\Temp\1BA.tmp (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A5EC4C-245E-4782-B356-663B83EAFBBD}\RP64\A0003836.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\protect.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Friend\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Friend\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
****************************************************************

#4 Budapest


Posted 21 August 2009 - 06:08 PM

Reboot and run the Malwarebytes scan again. Then run this scan:

Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link). DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Please post the logs from both the Malwarebytes scan and the SUPERAntiSpyware scans.

#5 psypher


Posted 25 August 2009 - 08:38 AM

Hi Budapest,
Thanks for your reply. I ran the malwarebytes scan yesterday, but the Superantispyware ran much longer and I had to leave it running overnight to complete the scan. Here are both the logs:

1) Malwarebytes scan log:

***********************************************************************************************************************
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/24/2009 7:12:16 PM
mbam-log-2009-08-24 (19-12-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 344988
Time elapsed: 1 hour(s), 17 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Friend\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\protect.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Friend\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Friend\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

***********************************************************************************************************************

2) Superantispyware scan log

***********************************************************************************************************************
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/25/2009 at 02:28 AM

Application Version : 4.26.1000

Core Rules Database Version : 4068
Trace Rules Database Version: 2008

Scan type : Complete Scan
Total Scan Time : 06:57:04

Memory items scanned : 205
Memory threats detected : 0
Registry items scanned : 7291
Registry threats detected : 0
File items scanned : 215208
File threats detected : 4

Rogue.Agent/Gen
C:\Documents and Settings\All Users\Application Data\14146094
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\14146094\14146094.EXE

Trojan.Agent/Gen-FraudLoad[Backdoor]
C:\DOCUMENTS AND SETTINGS\FRIEND\LOCAL SETTINGS\TEMP\D.EXE

Trojan.Agent/Gen-JSExploit
C:\DOCUMENTS AND SETTINGS\FRIEND\LOCAL SETTINGS\TEMP\E.EXE

***********************************************************************************************************************

#6 Budapest


Posted 25 August 2009 - 05:17 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#7 psypher


Posted 27 August 2009 - 10:25 AM

Hi Budapest,

I did all the steps. Here are the contents from DrWeb.csv:

*****************************************
lovuliru.exe;C:\Documents and Settings\All Users\Application Data\lovuliru;Trojan.Virtumod.based.25;Incurable.Moved.;
rebarali.exe;C:\Documents and Settings\All Users\Application Data\rebarali;Trojan.Virtumod.based.25;Incurable.Moved.;
wawunego.dll.tmp;C:\Documents and Settings\All Users\Application Data\wawunego;Trojan.Virtumod.1636;Deleted.;
f.exe;C:\Documents and Settings\Friend\Local Settings\Temp;Trojan.MulDrop.origin;Incurable.Moved.;
g.exe;C:\Documents and Settings\Friend\Local Settings\Temp;Trojan.Inject.5748;Deleted.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Owner\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Owner\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
manuel-php.doc;C:\Software ebooks\PHP;W97M.Ethan;;
A0013363.exe;C:\System Volume Information\_restore{A6A5EC4C-245E-4782-B356-663B83EAFBBD}\RP83;Trojan.Virtumod.based.25;Incurable.Moved.;
A0013364.exe;C:\System Volume Information\_restore{A6A5EC4C-245E-4782-B356-663B83EAFBBD}\RP83;Trojan.Virtumod.based.25;Incurable.Moved.;
A0013365.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{A6A5EC4C-245E-4782-B356-663B83EAFBBD}\RP83\A0013365.exe;Tool.Prockill;;
A0013365.exe;C:\System Volume Information\_restore{A6A5EC4C-245E-4782-B356-663B83EAFBBD}\RP83;Archive contains infected objects;Moved.;
kegezadu.dll.tmp;C:\WINDOWS\system32;Trojan.Virtumod.based.25;Incurable.Moved.;
lanimaye.dll.tmp;C:\WINDOWS\system32;Trojan.Virtumod.based.25;Incurable.Moved.;

***********************************************************

#8 Budapest


Posted 27 August 2009 - 04:07 PM

Now run another Malwarebytes quick-scan.

#9 psypher


Posted 04 September 2009 - 09:01 AM

Hi Budapest,
I have run the malwarebytes again (full scan) and I have attached the log below.

I also wanted to ask you a couple of things.

One is that since this is the only laptop I have, I am using it to browse the internet as well while we are doing these fixes. Will that cause the remaining malware to re-install the ones that were removed? I'm using a "guest" account with limited admin privileges to do my regular browsing while using the "admin" account to do all the scans. Does that help in any way? The only time I connect to the internet while as "admin" is to get updates on the anti-virus software or install the anti-virus software specified in your steps. Then I disconnect from wireless and ethernet connections before I run the scans. Hope I'm doing the right thing there.

Second is that the malware behavior has become a bit more aggressive. Earlier, it would only re-direct me to some other site on clicking some hyperlinks on a regular page. Nowadays, every hyperlink is taking me to a random adware page where I have to close browser with task mgr (which closes all my firefox windows, not just one). So it has become very frustrating to browse. Not sure if that behavior will help you when you try to diagnose it further, but just wanted to let you know.

Here is the log from malwarebytes scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2738
Windows 5.1.2600 Service Pack 3

9/4/2009 9:45:35 AM
mbam-log-2009-09-04 (09-45-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 340141
Time elapsed: 1 hour(s), 14 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\18341254 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Friend\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Friend\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Friend\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Friend\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
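
Added example, not part of the original thread: a small Python parser for the Malwarebytes' Anti-Malware 1.40 log layout shown in the posts above, used to list detections that are marked "Delete on reboot" in one scan and found again by the next. The sample logs are trimmed excerpts of the three logs posted in this thread; the function names are illustrative.

```python
import re

# "Files Infected:" opens a section; "Files Infected: 19" is a summary line and is skipped.
SECTION = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                     r"Registry Data Items|Folders|Files) Infected:\s*$")
# <path or registry value> (<detection name>) -> <action>.
DETECTION = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_log(text):
    """Return {item (lowercased): (section, detection name, action)} for one log."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION.match(line)
        if sec:
            section = sec.group(1)
            continue
        det = DETECTION.match(line)
        if det and section:
            # A DLL can be listed as memory module and as file; keep the first entry.
            found.setdefault(det.group("item").lower(),
                             (section, det.group("name"), det.group("action")))
    return found

def recurring(scans):
    """scans: ordered [(label, log text)]. Items detected in two or more scans."""
    history = {}
    for label, text in scans:
        for item, (_, name, action) in parse_log(text).items():
            history.setdefault(item, []).append((label, name, action))
    return {item: seen for item, seen in history.items() if len(seen) >= 2}

def survived_reboot_delete(scans):
    """Items marked 'Delete on reboot' in one scan that the following scan finds again."""
    parsed = [(label, parse_log(text)) for label, text in scans]
    hits = []
    for (earlier, a), (later, b) in zip(parsed, parsed[1:]):
        for item, (_, _, action) in a.items():
            if action == "Delete on reboot" and item in b:
                hits.append((item, earlier, later))
    return sorted(hits)

# Trimmed excerpts of the logs posted in this thread (most lines omitted).
SCAN_0821 = r"""
Memory Modules Infected: 1
Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.
Files Infected:
C:\Documents and Settings\Owner\protect.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""
SCAN_0824 = r"""
Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Delete on reboot.
Files Infected:
C:\Documents and Settings\Owner\protect.dll (Trojan.Agent) -> Delete on reboot.
"""
SCAN_0904 = r"""
Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\18341254 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Owner\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""
SCANS = [("2009-08-21", SCAN_0821), ("2009-08-24", SCAN_0824), ("2009-09-04", SCAN_0904)]

if __name__ == "__main__":
    for item, earlier, later in survived_reboot_delete(SCANS):
        print(f"{item}: 'Delete on reboot' on {earlier}, detected again on {later}")
```

An item that keeps coming back after "Delete on reboot" means the deferred delete did not hold or something still on the system recreated it, which is the pattern visible across the three logs here.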

#10 Budapest


Posted 04 September 2009 - 04:36 PM

It would be best if you didn't use the computer, but if it's the only computer you have and you have to use it... Lately there has been a huge increase in malware that cannot be removed with the regular scanners such as Malwarebytes. Try this - run 3 Malwarebytes quick scans, one straight after the other, rebooting between each stage. If after the final scan you are still showing infections I think it's time to head on over to the HijackThis forum for a closer look.

Preparation Guide for use before posting a HijackThis Log

Go straight to Step 6. Be sure to include a link to this thread so they can see what has already been tried.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#11 psypher


Posted 09 September 2009 - 08:41 PM

Hi Budapest,
The 3 quickscans with malwarebytes was a great idea! Here's what I did:

1) Connected to net and updated malwarebytes with latest.
2) Disconnected from internet
3) Ran malwarebytes 3 times with restart after each time

The third time there were 0 infections at the end of the scan. But I restarted again and ran full scan just in case. Even the full scan returned no infections.

I have tentatively connected to internet and gotten no re-directs so far. Some sites that were not working before are working now. Thanks a bunch for your help. If it returns, I will directly go to hijack this thread like you suggested with a pointer to this thread. Thanks.

#12 Budapest


Posted 09 September 2009 - 08:54 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java or J2SE entries that you have.