Malwarebytes

Can't get rid of random audio ads and 203.161.121.3

12 replies to this topic

#1
radev

    New Member

  • Members
  • Pip
  • 6 posts
I clicked on the wrong link and now I get random audio ads on my Windows XP computer.

I installed Malwarebytes and did a full scan. Three files were removed but the ads still happen and I get a notification that Malwarebytes blocked access to 206.161.121.3.

I have done another full scan but nothing was found.

Attached are the DDS and Attach files.

Thanks

Attached File  dds.txt   17.49K   10 downloads
Attached File  attach.txt   26.34K   6 downloads

#2
MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,516 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Malware Removal Expert


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.


#3
radev

Attached File  debug.log   417.72K   2 downloads

I started the computer this morning without it being connected to the internet. Then I found your post using another computer. I attached the infected computer to the internet and downloaded RogueKiller. I was still getting the popup about blocking access to 216.... and I noticed that Google was not searching properly. I downloaded RogueKiller and started it but before it finishes the scan the computer reboots. I tried this three times and did not think I was able to finish the scan but I did find the attached debug.txt file. (I transferred this file to my uninfected computer with a USB thumb drive. Hope this doesn't infect my other computer.)

I have rebooted the computer unattached to the internet and it reboots seemingly at random.

#4
MrCharlie

Try running it like this....

Uncheck the three boxes on the right hand side.
MBR, Fake, and Anti-rootkit

See if it runs now, MrC


#5
radev

Attached File  RKreport1.txt   895bytes   5 downloads

OK. That worked. Attached is the report. I can use Word or Excel and print but if I try to make a PDF of a word file the computer reboots.

#6
MrCharlie

Please make sure system restore is running and create a new restore point before continuing.
XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


#7
radev

Attached File  TDSSKiller.2.7.46.0_19.07.2012_22.28.15_log.txt   167.72K   2 downloads

OK. Here is the log file.

Everything was set to skip except rootkit.boot.pihar.c which was set to cure.

Thanks

#8
MrCharlie

Great, TDSSKiller took care of the infection, next.........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


#9
radev

Attached File  log.txt   17.12K   1 downloads
Attached File  ComboFix.txt   17.12K   1 downloads

OK

That worked too. I did not get the illegal operation message.

Attached are the log file and the ComboFix file.

I've noticed that Windows Explorer is not the default and it was before all this happened. Should I reset it to be the default?

Thanks

#10
MrCharlie

Looks Good.
You can change IE to anything you want.

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


#11
radev

Attached File  mbam-log-2012-07-20 (10-53-59).txt   1.9K   0 downloads

Ran MBAM and it did not find anything. The log is attached.

So far I have had the computer connected to the internet for about an hour and have not heard any ads or had the malware popup about blocking access.

I will let you know if something happens later today.

Do you think it is now OK for me to go to banking sites using this computer? Should I use a different computer to change my passwords first?

Thanks

#12
MrCharlie


Quote

Do you think it is now OK for me to go to banking sites using this computer? Should I use a different computer to change my passwords first?

I think you should be OK, there's no way anyone can tell if you're 100% clean.
There's no sense using another computer to change the PWs if you're going to use this computer for banking, you're going to enter them anyway.
So just change them from this computer.

-----------------------------------------

Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


#13
LDTate

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 20,117 posts
  • Gender:Male
  • Location:Missouri, USA
Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Larry Tate
Consumer Support Specialist
