
Random Internet Audio/ Search redirects


  • This topic is locked
18 replies to this topic

#16 teacup61


Posted 20 January 2011 - 12:00 AM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\drivers\sst1A3.tmp
DDS::
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

I also need to see a new GMER scan. When you do this one, please be sure all the boxes are ticked. You might want to go offline for this scan because I need for McAfee to be disabled for the run. Please don't have anything else running either while it scans.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



#17 frank1940


Posted 20 January 2011 - 09:48 AM

Tea ----

When I started the problem computer, I had the Internet disconnected. I waited until after the entire boot process had completed. I then disabled McAfee and reconnected the Internet.

When I started ComboFix with the CFScript File, I got a notification that there was an update to ComboFix. I allowed the update. ComboFix then restarted. At that point, I disconnected the Internet.

I have attached the files from both GMER and ComboFix.

I made one try on a search Engine search (for AVG) and got a redirect. I killed IE as soon as possible and disconnected from the Internet as soon as I saw what had happened.

Man, this is one tough bird to kill off!

Frank


Edited by frank1940, 20 January 2011 - 10:38 AM.


#18 frank1940


Posted 26 January 2011 - 02:55 PM

Request close of topic.

REASON: obtained a system restore disk from computer owner (an online school) and restored computer to delivered state.

#19 teacup61


Posted 12 February 2011 - 03:09 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.