
Please Help! Another Search Engine Redirect Problem


38 replies to this topic

#1 sheada74

sheada74

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 04 September 2010 - 10:09 PM

Hello-

I'm having a HECK of a time getting rid of what appears to be some malware that is causing my search results in ANY search engine (Yahoo is default, google, msn and others) to change as I click on them. Sometimes the result allows me to arrow back to the list and then it works the second time, and sometimes it goes crazy and redirects multiple times. I get a different redirect every time.

I have actually experienced all kinds of issues since I got IE8 and I have uninstalled, re-installed to fix some issues, but this issue occurred from some sort of a virus software that started scanning my computer and the pop up box said to cancel to stay on the page or hit ok to close it and I was tired (late at night) and wasn't really paying attention and just inadvertently hit the wrong key obviously!!! I think either that or a Java update screwed me up. I can't really put a finger on it.

After I type in my search on yahoo, I get the typical results from what appears to be legitimate sites that I have visited before.

Typically I am getting this first: http://results.yahoo.com/ then it churns for a little bit, then I get something like this: http://www22.verizon.com/Residential/bundl...Z_FT_Z_Z_R_Z026

or this...

http://and2.1979.asklots.com/jump2/?affili...&terms=sl65

****It changes each time. I have tried to block these sites, but there are too many of them. My pop up blocker is on and I am running up-to-date paid version of McAfee Internet Security Suite. Some security McAfee!!! :flowers:

Here is what else is going on:
  • My icon tray deleted my volume icon-after system restore and a bunch of my own attempted fixes this came back
  • The BLUE SCREEN OF DEATH has happened three times in the past two days
  • Pop up blocker doesn't work
  • Downloading ANYTHING did not work until I did a series of things I read on here (I did not use combo fix though)...neither did right clicking
  • I could not uninstall IE8 any more and install IE7-haven't tried again, but I believe I could now
  • I could not open McAfee-but now that's fixed
  • Computer running very slow-mainly all internet applications
  • When I plug in any iPod, iTunes comes up but I get an error message saying it couldn't find H: Drive, yet everything works fine after you hit cancel four times!
  • I get this Security page from some third party security company that wants to scan my hard drive like what happened when this originally occurred-and I quickly shut everything down to stop it.
  • Java stuff runs really slow-or sometimes the pages don't load at all
  • Sometimes jpegs/bitmaps show X's instead of pictures

***Oh forgot to mention that I couldn't run ANY .exe files for a few days but one of the things I tried below fixed that***

I have a Dell Dimension 9200 a few years old now. I'm running XP that was originally installed on it. I have Verizon FIOS (the Ironically was thinking about getting a new computer really soon because Dells usually crap out it seems or get very slow after about 3 years.

Here is what I've tried to do so far:

Uninstall IE8 (wouldn't completely uninstall, then after about 20 attempts it did, but then I couldn't install IE7 again), Reinstalled IE8
Ran IE8 with no add ons
Reset Router
ipconfig/all
regit.exe
system restore---defaulted to before the major problems started but no dice
Tried to fix via McAfee-no help...didn't pick up a thing!!! Actually one time fixed a registry error I think!!!
Malwarebytes seemed to help a little-found 14 items and fixed them, but now is not showing anything
a2 hijack free-did not pick up anything
ERUNT
OTM
TDS Killer-didn't run completely yet
TFC
GMER
GooredFix-fixed some things
Microsoft Windows Malicious Software Removal Tool-found some things on the quick scan manually and fixed them...is running right now

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name D799CXB1
System Manufacturer Dell Inc.
System Model Dell DXP061
System Type X86-based PC
Processor x86 Family 6 Model 15 Stepping 6 GenuineIntel ~1862 Mhz
BIOS Version/Date Dell Inc. 1.0.3, 8/14/2006
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name D799CXB1\Derek
Time Zone Central Daylight Time
Total Physical Memory 1,024.00 MB
Available Physical Memory 564.70 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 2.40 GB
Page File C:\pagefile.sys

Internet Settings

Version 8.0.6001.18702
Build 86001
Application Path C:\Program Files\Internet Explorer
Language English (United States)
Active Printer HP Officejet 6300 series,winspool,Ne02:

Cipher Strength 128-bit
Content Advisor Disabled
IEAK Install No

I saw how other people posted information on their computer...I hope that I gave you enough information to start. A friend of mine said that you all are the true "geniuses" not the so-called Apple Store folks!!! :thumbsup: Please help! This is very very frustrating! Thank you!!!

Edited by sheada74, 04 September 2010 - 10:10 PM.



 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:51 PM

Posted 04 September 2010 - 11:12 PM

Hello and welcome. I moved this to the Am I Infected forum. Let's do this. Also please post the infected MBAM log so I can see what was found.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.



Reboot into Safe Mode with Networking
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 12:22 AM

Thank you so much for your quick response. I was about to go to bed and saw that you moved my post. Thank you!!!!

I forgot to mention some other symptoms too...

My wife's hotmail account was hacked into about a week ago or so and her friends were telling her that she was sending advertising messages to them. She hardly uses that account but does check it from time to time on her laptop which runs on my router that is tied to this computer.

She has had this laptop for two years and has never had any issue on it at all. Just today she came to me and showed me a pop up that said the computer has detected a virus (it was some generic virus scanner thing) and to click on OK or terminate and I told her to shut down her computer. I'm hoping hers is not infected now too. She was on it all day and didn't mention anything else.

Our router is encrypted...I think. Anyone who tries to join has to type in the WEP key. That's encrypted right??? The router name and password we use is on the sticker Verizon gave us when they installed FIOS.

Also, I get another tab opened up every time (when I opened this just a minute ago) I open the main tab in IE8. This one was some generic yellow pages that I've never heard of.

IE8 home page (yahoo) is extremely slow to open as well. I'm not sure if these symptoms help differentiate my problem or not.

I just ran MBAM again and here is the log and this time it found a Trojan!!! Earlier today and yesterday nothing. Crazy!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/5/2010 12:20:59 AM
mbam-log-2010-09-05 (00-20-59).txt

Scan type: Quick scan
Objects scanned: 126549
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Derek\Local Settings\Temp\0.9774048537847484.exe (Trojan.Dropper) -> Quarantined and deleted successfully.



#4 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 12:38 AM

I'm in safe mode now, I downloaded the first thing now before I do the root kill I am trying to disable the two malware items I have...Microsoft Malicious Software? I can only get into it but no option to turn off. and the malwarebytes version I have is the free one and it will not let me turn it off either.

I also have a squared hijacker and spybot but I cannot remove or disable those either...do I need to?

#5 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 12:44 AM

rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Derek on 09/05/2010 at 0:43:34.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Derek\My Documents\Computer\rkill.scr


Rkill completed on 09/05/2010 at 0:43:36.

#6 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 01:30 AM

I'm about 40 minutes into the superantispyware scan and only at 62,000 items! I believe from other scans my c drive alone has 110k items.

It's 130am here I think I'll pick up where we left off as soon as I wake up.

It already detected 10 items.... 5 registry items called Trojan-media-codec (perhaps this is that java thing??) and adware tracking cookie in files.

Thanks for all your help and suggestions so far- at least we are finding things. Good night

#7 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 09:03 AM

SUPERAntiSpyware Log (took almost all night to run! Wow)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/05/2010 at 03:10 AM

Application Version : 4.42.1000

Core Rules Database Version : 5457
Trace Rules Database Version: 3269

Scan type : Complete Scan
Total Scan Time : 02:20:47

Memory items scanned : 328
Memory threats detected : 0
Registry items scanned : 7048
Registry threats detected : 5
File items scanned : 147122
File threats detected : 5

Trojan.Media-Codec
HKU\S-1-5-21-3864436117-2090782822-2737080201-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D}
HKCR\CLSID\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D}
HKU\S-1-5-21-3864436117-2090782822-2737080201-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#eitheror [ {2016a466-91a2-43c6-97d8-2fd380f065ef} ]

Adware.Tracking Cookie
C:\Documents and Settings\Derek\Cookies\derek@forums.theautomedia[1].txt
C:\Documents and Settings\Derek\Cookies\derek@theautomedia[1].txt
C:\Documents and Settings\Derek\Cookies\derek@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt

#8 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 09:14 AM

Hello-I finished the final step...so here is what I've done again:

Sent original MBAM log
Reboot in safe mode with networking
Turned off McAfee and MBAM
Ran FixEXE and added to registry
Downloaded and Ran Rootkill and posted log
Ran SuperAntiSpyware, adjusted the settings and fixed the malicious programs
Restarted again, deactivated McAfee, posted SAS log per your instructions
Ran MBAM again...here is the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/5/2010 9:10:20 AM
mbam-log-2010-09-05 (09-10-20).txt

Scan type: Quick scan
Objects scanned: 126756
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What's next? Thank you!!! I will check to see if I still get the issues.

#9 m1garand

m1garand

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:51 PM

Posted 05 September 2010 - 09:27 AM

I know I'm no expert but your Malwarebytes database version is outdated. Open up Malwarebytes, go to the update tab and check for updates. I think you should re-scan once it's updated because it'll have better virus definitions and may detect more things.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:51 PM

Posted 05 September 2010 - 09:33 AM

Ok, you did great! We need to update MBAM. These tools I gave play well with most. Good you got McAfee to go off. The only other item is if you have TeaTimer in SpyBot on. So:

We need to disable Spybot S&D's "TeaTimer" if running.
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


You should change the Password on that Hotmail account. If you still have issues there we will deal with it.

#11 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 09:45 AM

I have been having problems with Spybot ever since I had the original issues not being able to run .exe files when this nasty bug started.

I believe I have installed some of the .exe files needed to run OR uninstall it, if that makes any sense? I still have the icon in my Program files, the options are to run, update, uninstall. I cannot do anything with it at all.

Also, this is what's listed in my program files for it: SPYBOT~1.SH!

In that, I have advcheck.dll and SDhelper.dll files.

When I try to run from the icon, it says cannot find file and asks me to browse. Any helpful hints to get rid of Spybot for good? I've never been personally happy with this and never ran it, but I guess I should have deleted it correctly a long time ago.

Given that it appears that spybot is NOT running do you want me to update MBAM now?

#12 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 09:50 AM

OH NO!

I have NOT really "checked" to see if all our work has fixed the problem, however I just clicked on "Fast Reply" to this post and I got this pop up in another tab on IE8:

https://www.insight.com/pages/landingpage.w...2F25-10%2F31%29

it did the typical "google search" redirect and then some other sites and landed on this one.

It appears we may still have something on here.

I also found these other fragments of spybot in my C:\Documents and Settings\All Users\Application Data file, but no apparent .exe file to launch. Here are my options in that: Backups, Logs, Excludes, Snapshots, Snapshots2, Configuration Settings Immunization Procache.sbc and statistics.

Thanks again for all your help. My browser appears to be faster, but I am concerned about the pop up blocker not getting that search redirect.

***Just did it again when I had to edit this post for a grammatical error*** This is the redirect that opened up in another tab:

http://wordslife.com/index.php

This wordslife.com has been a common one that comes up a lot. What's more crazy is that I went to cut/paste this into restricted sites on the popup blocker and it's already on there, yet it didn't block it!!! Crazy, huh?

Edited by sheada74, 05 September 2010 - 09:54 AM.
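
The thread so far shows two things a helper checks before trusting an MBAM log: that the complete log was posted (header with database version, and a detection line for every item the summary counts), and that a clean rescan made with the same database version while redirects continue is not evidence of a clean machine. The Python below is an added example, not part of any post in this thread and not Malwarebytes code; the function names are hypothetical and the two sample logs are constructed in the MBAM 1.46 layout shown above, shortened to two sections.

```python
import re

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+) Infected: (\d+)$")
HEADING_RE = re.compile(r"^([A-Za-z ]+) Infected:$")
# "<object> (<family>) -> <action>." as in the Files Infected lines of the thread.
DETECTION_RE = re.compile(
    r"^(?P<object>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
CLEAN_MARKER = "(No malicious items detected)"

# Constructed sample logs (not copied from the thread).
FIRST_SCAN = r"""Malwarebytes' Anti-Malware 1.46

Database version: 4052

Scan type: Quick scan

Registry Keys Infected: 0
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\0.1234567890123456.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

SECOND_SCAN = r"""Malwarebytes' Anti-Malware 1.46

Database version: 4052

Scan type: Quick scan

Registry Keys Infected: 0
Files Infected: 0

Registry Keys Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""


def parse_mbam_log(text):
    """Parse header fields, per-section summary counts and detection lines."""
    log = {"database_version": None, "scan_type": None,
           "summary": {}, "detections": []}
    current = None  # section whose detail lines are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            log["database_version"] = int(line.split(":", 1)[1])
        elif line.startswith("Scan type:"):
            log["scan_type"] = line.split(":", 1)[1].strip()
        elif (m := SUMMARY_RE.match(line)) and m[1] in SECTIONS:
            log["summary"][m[1]] = int(m[2])
        elif (m := HEADING_RE.match(line)) and m[1] in SECTIONS:
            current = m[1]
        elif current and line != CLEAN_MARKER:
            m = DETECTION_RE.match(line)
            if m:
                log["detections"].append({"section": current, **m.groupdict()})
    return log


def triage(log, symptoms_persist=False, previous=None):
    """Return (code, detail) findings to raise before trusting the log."""
    findings = []
    listed = {}
    for d in log["detections"]:
        listed[d["section"]] = listed.get(d["section"], 0) + 1
    for section, count in log["summary"].items():
        if listed.get(section, 0) != count:
            findings.append(("truncated", f"{section}: summary says {count}, "
                             f"{listed.get(section, 0)} line(s) listed"))
    if log["database_version"] is None:
        findings.append(("no-header", "database version missing; ask for the complete log"))
    elif previous and previous["database_version"] == log["database_version"]:
        findings.append(("same-definitions", "rescan used the same database version"))
    if not log["detections"] and symptoms_persist:
        findings.append(("clean-but-symptomatic",
                         "no detections but symptoms continue; not disinfected"))
    return findings


if __name__ == "__main__":
    first, second = parse_mbam_log(FIRST_SCAN), parse_mbam_log(SECOND_SCAN)
    for code, detail in triage(second, symptoms_persist=True, previous=first):
        print(f"{code}: {detail}")
```
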


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:51 PM

Posted 05 September 2010 - 10:05 AM

Hi, yep still got uglies on here.
Let's do these things. Leave Spybot alone for now, other than turning off TeaTimer.

We will try it this way. Please do only these steps, do not run other scanners. We should see improvement.

Reboot into Safe Mode with Networking
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

#14 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 10:21 AM

rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Derek on 09/05/2010 at 10:21:20.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Derek\Local Settings\Temporary Internet Files\Content.IE5\56LQU7AG\rkill[1].exe


Rkill completed on 09/05/2010 at 10:21:22.

#15 sheada74

sheada74
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 05 September 2010 - 10:40 AM

I am on my iPhone typing this- the sas is running and did not detect anything in the registry like last time. I am at 19k of probably 110k items to scan in the third section 'files' where it found five items last time.

I have a ton of music.... Sorry.



