Hi, sorry for posting here as a new user, but I'm quite lost with this problem and I've seen threads where you succesfully helped people in similar trouble.
I've been infected by a malicious piece of software. Symptons are:
- I've noticed so far is that it randomly redirects my browser to sites which are blocked by my Noscript add-on
- Searches (using Google/Bing/Yahoo) with the word goingonearth are redirected to some unhelpful MS Help page.
- MS Security Centre is disabled, and can't be re-enabled. I'm pretty sure it was enabled before the infection.
My (up to date) Avira virusscanner started to give detections right away, and cleaned up quite a bit (events attached as Avira_events.txt).
Since then, I've done the following:
- Ran a full system scan with Avira Antivir.
- Ran Malwarebytes' Antimalware bytes with outdated definitions, found some infections (log saved, attached).
- Killed processes cqoroa.exe, cpl.exe and cpn.exe, which seemed unusual to me. They kept returning though.
- Noticed a lot of IE8 pop-ups, while I NEVER use IE8, so I removed IE8 from my machine.
- Noticed a lot of infections were coming from .../Appdata/Local/Temp, so I moved the map to trash.
- Update Malwarebytes' Antimalware, ran again. Found 10+ infections (log saved, attached).
- Removed an obvious malicious startup entry in msconfig
- Rebooted. Antimalware automatically ran at startup.
- Ran Antimalwar again, no detections. No more cqoroa.exe/cpl.exe/cpn.exe.
- Performed another full system scan with Avira Antivir, no detections.
- Updated and ran CCleaner.exe, cleaned my trash (including the previously deleted AppData/Local/Temp folder) and other temp. files.
- Checked if Java was up to date. It was.
- Checked hosts file. Only commented lines.
- Checked proxy settings, TCP/IPv4 and IPv6 protocols. Nothing unusual, no dns modifications or proxies.
- Flushed dns (ipconfig /flushdns).
- Ran tdsskiller.exe from Kaspersky's Lab as administrator (got it directly from there). No threats found.
- Updated Firefox to Firefox 4.0, suspecting a compatibility problem with my (automatically) updated Noscript and the old Firefox.
- Did a check with another PC owned by me on the same (sub-)network. No malware, virusses or redirections there.
- Ran OTL, logs here attached below (this is OTL.Txt, extras.txt also available if useful).
- Ran GMer as administrator, but couldn't set it up as required in the preparation guide. Ran a scan with default settings, it found no system modifications.
- Noticed the entries from OTL:
[2011-03-22 22:29:44 | 000,000,306 | -HS- | C] () -- C:\Windows\tasks\MMLBQOZ.job
[2011-03-22 22:29:43 | 000,108,544 | RHS- | C] () -- C:\Windows\SysWow64\sysprint4.dll
These are of the exact moment I ran the malicious program which triggered the problems in the first place.
I couldn't find these in my windows folder though, they're not there or somehow hidden.
- Posted topic here.
<< LOGS REMOVED >>
The problem still persists and I don't know what to do now. I really hope you can help me.
Edited by Thenno, 23 March 2011 - 06:29 PM.