
Google redirect virus driving me mad!

January 27, 2011 at 10:07:23
Specs: Windows XP SP2, 3.00ghz, 2.00gb

Hey,

For the last week or so all my Google searches have been redirecting to other sites (it's often hugosearch.net but it tends to vary), and I've found that many sites aren't accessible anymore.

I've looked around and found that it's a known virus, but as of yet I really can't find anything to get rid of it. I've tried a whole host of anti-virus software etc. but nothing has worked. I even formatted my OS drive and reinstalled Windows!

There's a glimmer of hope though in that I tried ComboFix which did indeed get rid of the problem entirely until I restarted the computer. I'm hoping that that might give some clue as to how to get rid of it entirely but I don't really know these things in enough detail!

Cheers,
David





#1
January 27, 2011 at 12:18:51

What other programs have you tried? ie: MalwareBytes, SuperAntiSpyware? We need to know, so we don't tell you to do the same things you have tried. What's your anti-virus software?


#2
January 27, 2011 at 12:58:45

Apologies!

It was AVG Free but it's now Avira AntiVir alongside Spybot.



#3
January 27, 2011 at 16:45:23

Try downloading Malwarebytes, update it and run a full scan.
http://www.malwarebytes.org/



#4
January 28, 2011 at 03:32:22

Malwarebytes' Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5629

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

28/01/2011 11:25:30
mbam-log-2011-01-28 (11-25-30).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|L:\|M:\|)
Objects scanned: 153573
Time elapsed: 27 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The only other thing I should mention is that Avira keeps popping up about a W32.Ramnit.C virus which it quarantines (it seems attached to a lot of stuff) but which never gets rid of the problem.



#5
January 28, 2011 at 06:21:38

I have just run ComboFix again which fixes it temporarily.

ComboFix Log

ComboFix 11-01-27.05 - Dave 28/01/2011 14:13:26.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1678 [GMT 0:00]
Running from: l:\documents and settings\Dave\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

l:\program files\Internet Explorer\dmlconf.dat

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot_2011-01-27_19.49.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-28 11:16 . 2011-01-28 11:16 49152 l:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-01-28 11:16 . 2011-01-28 11:16 32768 l:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012011012820110129\index.dat
+ 2011-01-26 18:26 . 2011-01-28 11:16 32768 l:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-01-26 18:26 . 2011-01-27 17:23 32768 l:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-01-28 11:16 . 2011-01-28 11:16 16384 l:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2011-01-28 11:16 . 2011-01-28 11:16 32768 l:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="e:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="e:\avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="l:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"srservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\avira\AntiVir Desktop\sched.exe [26/01/2011 18:57 135336]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 14:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


l:\documents and settings\Dave\Start Menu\Programs\Startup\wrxxkccq.exe 167785 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
l:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-01-28 14:19:35
ComboFix-quarantined-files.txt 2011-01-28 14:19
ComboFix2.txt 2011-01-27 22:15
ComboFix3.txt 2011-01-27 19:50
ComboFix4.txt 2011-01-26 20:35

Pre-Run: 47,234,662,400 bytes free
Post-Run: 47,260,114,944 bytes free

- - End Of File - - 1A833C4C8E996BBF8C23E59434AF8B01



#6
January 28, 2011 at 11:45:05

This requires both manual removal as well as spyware software to remove. I will give you a link with easy-to-follow instructions, as it is a lot of writing.
http://www.brighthub.com/internet/s...
Please read through the two-page instructions first; you will need to download some spyware removal tools, so hopefully after running ComboFix you can download them.


#7
January 28, 2011 at 16:42:34

I've tried everything on there but nothing has done it.

I've also tried an anti-rootkit thing called 'UnHackMe' which kept getting stuck when looking at the registry on 'userinit'. I checked out Userinit in the registry and found that its value data is 'L:\windows\system32\userinit.exe,L:\Program Files\olgmlbqg\wrxxkccq.exe'.

I deleted the second entry from the value and restarted. The problem persists and the entry is back again. Then I went to the folder itself and found that it appears empty both in Windows when viewing hidden files and in cmd. I've tried to delete the folder but it says 'Cannot remove folder: directory is not empty', and I haven't been able to delete it in safe mode or cmd either.

I've also discovered that the Ramnit virus which my Avira keeps finding is associated with a data file called 'dmlconf' which I have found in my Internet Explorer folder. I delete this file but find that it has returned within a couple of minutes.


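One way to check the Userinit value described in the post above, as an added example written for this thread and not code from any of the tools mentioned in it: it splits the value on commas the way Winlogon does and reports every entry that is not the expected userinit.exe, so a second program appended to the value stands out. The `system_root` parameter is an assumption; on the poster's machine it would be L:\WINDOWS, and the sample values are constructed apart from the one quoted in the thread.

```python
r"""Audit the Winlogon Userinit value for appended programs.

Added example for this thread, not code from any tool mentioned in it. The
malware described in the thread appended a second program to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit so that it
was launched again at every logon. Winlogon treats the value as a comma-
separated list, so anything besides the real userinit.exe is a persistence entry.
"""
import ntpath
import os
from typing import List, Tuple

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_userinit(value: str) -> List[str]:
    """Split on commas outside double quotes, strip quotes and drop empty entries.

    The stock XP value is literally 'C:\\WINDOWS\\system32\\userinit.exe,' with a
    trailing comma, so an empty last entry is normal and must not be flagged.
    """
    entries, current, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote          # quotes are removed, not kept
        elif ch == "," and not in_quote:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def audit_userinit(value: str, system_root: str = r"C:\WINDOWS") -> Tuple[bool, List[str]]:
    """Return (ok, suspicious_entries).

    ok is False when any entry other than <system_root>\\system32\\userinit.exe
    is present, or when that expected entry is missing altogether (userinit.exe
    replaced outright). Comparison is case-insensitive. system_root is an
    assumption: pass the machine's real %SystemRoot% (L:\\WINDOWS on the
    poster's machine), because a userinit.exe on any other drive is exactly
    what this check should report rather than tolerate.
    """
    expected = ntpath.normcase(ntpath.normpath(
        ntpath.join(system_root, "system32", "userinit.exe")))
    entries = split_userinit(value)
    suspicious = [e for e in entries
                  if ntpath.normcase(ntpath.normpath(e)) != expected]
    has_expected = len(suspicious) < len(entries)
    return (has_expected and not suspicious), suspicious


def read_live_userinit() -> str:
    """Read the live value on a Windows host (winreg exists only on Windows)."""
    import winreg  # imported here so the module still loads on other systems
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample values: the first is the XP default, the second is the
# exact value reported in the thread, the others are shapes a checker must
# also handle (quoted paths containing spaces, expected entry replaced).
SAMPLES = [
    (r"C:\WINDOWS", r"C:\WINDOWS\system32\userinit.exe,"),
    (r"L:\WINDOWS", r"L:\windows\system32\userinit.exe,L:\Program Files\olgmlbqg\wrxxkccq.exe"),
    (r"C:\WINDOWS", r'"C:\WINDOWS\system32\userinit.exe","C:\Documents and Settings\user\svc.exe"'),
    (r"C:\WINDOWS", r"C:\WINDOWS\system32\wrxxkccq.exe,"),
]

if __name__ == "__main__":
    if os.name == "nt":
        live = read_live_userinit()
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        print("live value:", live, "->", audit_userinit(live, root))
    for root, value in SAMPLES:
        ok, bad = audit_userinit(value, root)
        print("OK  " if ok else "BAD ", value, "->", bad)
```

Run it as-is to see the four constructed cases; on a Windows host it also reads and audits the real value.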

#8
January 28, 2011 at 17:20:38

removed this post




#9
January 28, 2011 at 22:17:18

Hi ScoobyDoo, What have you done with your post? I found it easy to understand and wanted to know what the next stage of removal was? I learnt a lot from that one post. Keep up the great work.:-)


#10
January 28, 2011 at 23:07:02

Daven7488, run this online scan, 5, 6, 7 or as many times as it takes to get down to the log showing only system restore ( System Volume Information ) is infected.
Each scan may take 2 hours.

Using ESET's Online Scanner
http://forums.majorgeeks.com/showth...
http://www.eset.eu/online-scanner

Now run these 3 programs.

Malwarebytes' Anti-Malware
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.malwarebytes.org/mbam.php
http://www.spywareinfoforum.com/ind...
http://www.bleepingcomputer.com/vir...
Forum
http://www.malwarebytes.org/forums/
Error codes
http://forums.malwarebytes.org/inde...
Common Issues, Questions, and their Solutions, Frequently Asked Questions.
http://forums.malwarebytes.org/inde...
VIPRE Rescue Program
http://vipre.malwarebytes.org/
http://live.sunbeltsoftware.com/
Try it in Safe mode.
If it won't run, rename the downloaded mbam-setup.exe file to mb.exe to help work around certain malware that will block it from being run.
If it still will not run.
1: Go to Control Panel > Programs and Features and uninstall Malwarebytes.
Next redownload Malwarebytes but rename it before you download it to your desktop. As you are in the process of downloading when you get to the point that the "enter name of file to save to" box appears, in the "filename" slot, rename mbam-setup.exe to something.exe, then click Save.
If it installed but will not run, navigate to this folder:
2: C:\Program Files\Malwarebytes' Anti-Malware
At the top of the page, Tools > Folder Options > View, click > Show hidden files and folders and untick > Hide extensions for known file types.
How to see hidden files in Windows
http://www.bleepingcomputer.com/tut...
Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.
When it opens, update 1st.
If it won't update after installing, update manually.
http://www.malwarebytes.org/mbam/da...
Download & install.

SUPERAntiSpyware
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.superantispyware.com/ind...

CCleaner
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.ccleaner.com/
http://www.piriform.com/ccleaner/do...

How to Turn On and Turn Off System Restore in Windows XP ( in your case, turn it Off & then On )
http://support.microsoft.com/kb/310...

Once you are clean get SP3 & the latest Java update.



#11
January 29, 2011 at 15:37:17

I've gone through all of those programs tonight and also turned off system restore but it hasn't made a difference.

The only thing that has done anything is ComboFix which asks me to reboot after observing rootkit activity. Once I reboot the problem is gone completely but is back again the next time I turn on my pc.

I ran all of those programs after a ComboFix reboot. The online scanner found 13 trojans in the system restore folder and got rid of them. Malwarebytes found nothing. After running Malwarebytes and CCleaner I deleted all my system restore points and turned off the service.

I think that the userinit value and the internet explorer file that I've mentioned in my previous has something to do with it all. ComboFix actually has l:\program files\Internet Explorer\dmlconf.dat as one of its deletions and it indeed isn't there after that until I next restart. Deleting it manually once it returns works but the file is there again within a couple of minutes.



#12
January 29, 2011 at 16:04:57

Hey MrGoodGuy ,..

Not really a whole lot more to it. Once you have located the relative and killed it you have got it made.

The standard removal programs can do their thing then.



#13
January 29, 2011 at 16:07:59

I don't understand this Daven, why is everything located on the L: drive? Is this a corporate networked PC?



#15
January 29, 2011 at 18:38:02

ScoobyDoo, Thanks for that. :-)


#16
January 30, 2011 at 03:32:31

I've tried UnHackMe but it keeps freezing at 47% upon reboot (when, I've found, it's scanning the userinit registry file). To be fair I only left it for about 20 minutes before turning it off though, so I might run it again in a bit and leave it on all day.

I can't really remember why windows is on L: to be honest...I have two hard drives which are partitioned massively but I cannot for the life of me think why windows is on there. I think perhaps I swapped the hard drives around inside the pc at one point...? I don't know!

I'm completely out of ideas now anyway :(



#17
January 30, 2011 at 03:53:22

I've tried editing the userinit file manually by the way to get rid of the bogus extra value, but it returns as soon as I move away from the folder which it is in. I edit, click out of the winlogon folder, and when I return the value I deleted is back again.

As I say, whenever I scan with unhackme it freezes when it's looking at the userinit registry file although I might just have not left it for long enough.



#18
January 30, 2011 at 08:51:05

Try running: TDSSKILLER

http://support.kaspersky.com/downlo...



#19
January 30, 2011 at 08:56:25

ESET's Online Scanner & unhackme are both capable of fixing your problem.

ESET's you have to run again & again, even after it shows that it is clean for the first time, do a reboot & scan again.

unhackme. did you try Safe mode?



#20
January 30, 2011 at 11:02:55

David,

Try turning off Javascript first.

Internet Explorer: Tools > Internet Options > Security, and then select "Custom Level", and look for the "Scripting" option.

Firefox: Tools > Options > Content > and untick the "Enable Javascript" box.

Second, re-download Rkill (if you haven't already got a copy), and run it. I would suggest changing its name to something like "1234.exe", which should allow it not to be disabled by the rootkit: http://download.bleepingcomputer.co... After it finishes scanning though, please don't reboot when it finishes, as the malicious process will restart.

Thirdly download TDSSkiller from here and scan with it, then reboot when prompted: http://support.kaspersky.com/downlo...

If that^ doesn't help, let me know and I'll try to suggest some other methods.

Helpful tips before getting started: http://www.computing.net/howtos/sho...



#21
January 31, 2011 at 10:13:42

Muhahaha!

I went onto the link at the bottom of your post xyranx and I think it was a couple of things on there which have sorted it out!

I firstly changed msconfig to 'normal startup' instead of 'selective startup' (which presumably is the default??) and also changed the windows options to show absolutely everything. Upon reboot Avira found the wrxxkccq.exe file and deleted the s--- out of it! For some reason the virus was still influencing my internet but another reboot has sorted that out. I've also suddenly been able to change the userinit value in the registry!

Cheers guys! :D



#22
January 31, 2011 at 14:28:40

Good news Daven7488

"I went onto the link at the bottom of your post xyranx and I think it was a couple of things on there which have sorted it out!"

Yep, that is a very good link from xyranx, websfty001 the writer of the article has certainly nailed what should be done first.



#23
January 31, 2011 at 14:33:09

Glad you got it sorted out David!

Helpful tips before getting started: http://www.computing.net/howtos/sho...



#24
January 31, 2011 at 15:10:09

I would run MBAM again, just to make sure.

Then get the latest Java & SP3.



#25
February 9, 2011 at 09:10:46

I have the same problem as above and have tried everything going. My big problem is I cannot run ComboFix as it always says it detects AVG, but I don't have and have never had AVG on my PC!


#26
February 9, 2011 at 13:23:30

docvern, make sure you are using as per the instructions, if you still have a problem, try Safe Mode.

How to use ComboFix
http://www.bleepingcomputer.com/com...
http://www.myantispyware.com/2007/1...
http://www.jamiiforums.com/download...
http://forums.majorgeeks.com/showth...
http://www.myantispyware.com/2008/0...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...



#27
February 10, 2011 at 05:32:01

Hello John. Yes I have been working with Gringo at Bleeping Computer but we have drawn a blank. I have a blank folder that cannot be deleted and we are sure this is the cause of the virus. We have tried unblockers, various spyware software and have even booted from CDs and deleted things that way. The one thing we have never been able to run though is ComboFix, as it always says it detects AVG even though I don't have it. Have done the safe mode and stopped my virus protection. For a long time it would not let me enable the Windows security. Kept disabling itself, but at least that has started working again. My redirect virus is still there though.

Cheers



#28
February 10, 2011 at 14:30:21

docvern, you are in very good hands with Gringo.

Here are 2 things to try.

AppRemover
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.appremover.com/

Hosts files are a means of attack. I have mine disabled; you can always re-enable it, but there are other ways of getting your comp secure.

Go to > C:\WINDOWS\system32\drivers\etc
Right click on hosts & rename to > hosts.txt



#29
February 10, 2011 at 18:52:42

More, update MBAM & run again.


#30
February 13, 2011 at 02:47:17

Hello John. I tried the remover but it didn't find any antivirus software. I used to use Spyware Doctor but it ran out and it won't install again as it says I have AVG and it conflicts with it. I tried free AVG too but it just crashed at the start of installation. I just run MBAM now and Hitman Pro whilst I am trying to get rid of my virus.


#31
February 13, 2011 at 02:52:16

ps. I did the hosts thing. There were 2 files in there called hosts. Regular one and one called hosts.msn


#32
February 13, 2011 at 05:44:50

OK docvern, I presume everything is still the same, even after a reboot.

Rootrepeal shows Hidden or Invisible files.
RootRepeal, download from one of the following locations and save it to your desktop.
Zip Mirrors (Recommended)
* Location 1
http://rootrepeal.googlepages.com/R...
* Location 2
http://ad13.geekstogo.com/RootRepea...
* Location 3
http://rootrepeal.psikotick.com/Roo...

When installed >
* Double click RootRepeal.exe to start the program
* Click on the Report tab at the bottom of the program window
* Click the Scan button
* In the Select Scan, dialog which asks What do you want to include in the scan?, check ALL the boxes.
o Drivers
o Files
o Processes
o SSDT
o Stealth Objects
o Hidden Services
o Shadow SSDT
* Click the OK button
* In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
* Click OK to start the scan
Note: The scan can take some time to finish. DO NOT run any other programs while the scan is running.
* When the scan is complete, the Save Report button will become available
* Click this and save the report to your Desktop as RootRepeal.txt
* Go to File, then Exit to close the program
Please copy and paste the report.



#33
February 13, 2011 at 13:35:28

Hello there. I downloaded Avast and it seemed to clear everything up, which is bizarre as everything else I have tried didn't work. Hopefully from the things Gringo and yourself have told me we have chipped away at it and it did the rest. I'll let you know if I have any further problems.


#34
February 13, 2011 at 13:57:55

Good news docvern, I have been following your post with Gringo & felt you were on the verge of cracking it, that is why I suggested running MBAM again ( it wouldn't hurt to update & run again ) & in fact run as many programs as you can, just to make sure one small file isn't lurking.

The baddies are always ahead of the goodies & no one program can always be the first to crack it.

Next step for you is to research ( google ) preventive security. To get infected, that is telling you that your defense systems were not good enough.



#35
February 13, 2011 at 14:34:48

Yes I will run some more stuff. The really annoying thing is that combofix and spyware doctor will not run as they say I have AVG on the machine. As far as I am aware I have never had AVG on there. The Windows security center also says it too. I have tried various AVG removal programs but nothing works so I think I do still have a few bad things kicking about.

Cheers



#36
February 13, 2011 at 14:43:25

You can try downloading RegSeeker from this link, type in AVG and let it search the registry for any AVG entries. Create a restore point and run.
http://download.cnet.com/1770-20_4-...
Or you could try downloading AVG then use the uninstaller tool to remove it?


#37
February 13, 2011 at 14:50:43

If you are saying that after a reboot, you still have the AVG thing ( yes that is due to an infection ) run > Rootrepeal


#38
February 13, 2011 at 20:22:57

avast log file location

http://moourl.com/hdrpj



#39
February 14, 2011 at 00:00:51

Ok I have run the RootRepeal and here is the log it gave me. Cheers

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/02/14 07:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7E2F000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2B0F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8404000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF8474000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFA79000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b30728

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b377ea

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b376a2

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b37ca8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b37bbe

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b37276

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b307d8

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b3777e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b371b2

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b37218

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b30870

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b378c2

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b37d76

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b37880

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf2b37a04

==EOF==



#40
February 14, 2011 at 05:47:36

"Ok I have run the RootRepeal and here is the log it gave me. Cheers"
It's clean.

"The really annoying thing is that combofix and spyware doctor will not run as they say I have AVG on the machine"
Screenshots of those error messages would be good to see, I'm sure Gringo would like to see them as well.

UnHackMe should run now.



#41
February 14, 2011 at 15:29:06

"The really annoying thing is that combofix and spyware doctor will not run as they say I have AVG on the machine"

docvern, anything that won't run, use the same techniques as I gave you for MBAM.

Run RKill
RKill - What it does and What it Doesn't - A brief introduction to the program
http://www.bleepingcomputer.com/for...

Rename combofix to > today.com & run from your desktop.



#42
February 15, 2011 at 12:54:42

I tried the ComboFix one but it didn't work as it still says I have AVG. I can't get a screenshot because at that time it's freezing up. Basically when it says scans will take 10 minutes or may double, that is as far as it gets. It continues to blink as if it is doing something but eventually freezes the machine. It never gets to scanning stage 1 or anything.

Will try Rkill.

thanks



#43
February 15, 2011 at 13:02:40

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 15/02/2011 at 21:01:50.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

Rkill completed on 15/02/2011 at 21:01:58.



#44
February 15, 2011 at 17:06:52

RKill was meant to be run before using ComboFix; that is why I gave you this link, because it explains this & what warnings etc. you can get.
http://www.bleepingcomputer.com/for...

Here is a small extract from that link.

Since RKill only terminates processes, after running it you should not reboot your computer as any malware processes that are set to start automatically, will just start up again. Instead, after running RKill you should scan your computer using your malware removal tool of choice. If there is a problem after running RKill, just reboot your computer and you will be back to where you started before running the program.



#45
February 15, 2011 at 23:20:19

Hiya John. I did read that, but after I had just done a ComboFix thing that Gringo suggested. I went to try it this way after reading, but as Rkill never found anything it didn't work.


#46
February 19, 2011 at 12:13:41

Hi docvern, I have been waiting for you to reply to Gringo, as he has asked you to do what I asked in Response #10.

"I can't really remember why windows is on L: to be honest...I have two hard drives which are partitioned massively but I cannot for the life of me think why windows is on there. I think perhaps I swapped the hard drives around inside the pc at one point...? I don't know!"

Windows now appears to be on the C: drive again, so let's try the System Restore ( System Volume Information ) removal again. Make sure you do all the partitions, & when you turn it back on, you only need it monitoring C:.

http://windowxptutortips.blogspot.c...



#47
February 19, 2011 at 12:22:31

After doing the above, as per the link.
http://windowxptutortips.blogspot.c...

Do this.
1: Click Start, and then click My Computer.
2: On the Tools menu, click Folder Options.
3: On the View tab, click Show hidden files and folders.
4: Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change.
5: Clear the Use simple file sharing (Recommended) check box.
6: Click OK.

Now go to the C: drive & double click on the System Volume Information folder & tell me if it opens.



