Resistant Infection

Hello,

I am helping a friend clean up his computer. The computer is running XP home. When using the internet, search results and pages other than the home/email page are redirected to random sites.

I installed Malwarebytes' Anti-Malware on the computer. After installation, Malwarebytes would not run. I reinstalled into a different directory than the default. Malwarebytes still would not run. After renaming mbam.exe, Malwarebytes would run. After multilple scans, both quick and full, Trojan.DNSChanger keeps appearing in the results. I have not had a scan without at least 1 infection being reported.

I decided to uninstall and reinstall Malwarebytes' Anti-Malware into the default directory. After installation, Malwarebytes would not run as mbam. When I renamed mbam, Malwarebytes ran. I was unable to perform the update on the new installation. When I tried, I received an error message. The newly installed version was 4052 and dated 4/29/2010. I ran a quick scan without the update and found Trojan.DNSChanger on the system again. After rebooting, I tried to update again. This time, the update worked. Malwarebytes is now at version 4422, dated 8/12/2010. Currently, the computer is running a full scan.

Also, I receive 2 RUNDLL errors on startup. One is for C:\WINDOWS\ipfxscag.dll. The other is for C:\WINDOWS\abacelotefcao.dll. I am guessing that these are from previously cleared infections, but are still in the registry. I can fix the registry, but would like to get rid of the resistant infection first.

By the way, I am writing this message from my clean computer. The infected computer is currently disconnected from the internet. I only plug the infected computer onto the network when I need to update Malwarebytes.

Any help you can give is appreciated.

Thank you,
Minstral

I have some new information. Well, actually, it is the regular pattern of what I have been seeing. The full scan of Malwarebytes finished. Trojan.Agent in the C:\WINDOWS\System32\ernel32.dll file was found. I cleaned it and rebooted. I am running another Malwarebytes full scan. If the pattern continues, Trojan.DNSChanger will be found in this scan.

Minstral

The latest full scan is finished on the infected computer. As expected, Trojan.DNSChanger is back. Trojan.Agent is also still on the system. The Trojan.Agent infection sometimes skips a turn. Trojan.DNSChanger has been an every other scan listing.

Minstral

Hello,

Please follow the instructions in ==>This Guide<== starting at Step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom

Edited by Orange Blossom, 13 August 2010 - 09:50 PM.
Removed the echo. ~ OB

Hello Orange Blossom,

I ran the requested scans and placed the log files in a new topic in the requested forum.

If you would like to see the continuation of this saga, click here.

Thank you for your help,

Minstral

Hello,

Now for the hard part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom