search engine redirect

August 4, 2009 at 13:49:02
Specs: Windows XP
I see many posts with the same issue, being redirected from search engines. I have followed some of the advice with no luck so far. I have downloaded the malware and HijackThis ... should I continue by downloading Combofix, or send you my results from the above programs first? Please help!
THANKS!!

#1
August 4, 2009 at 17:14:23
Follow these steps. If you have a log, post it.
1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log and fix anything detected.

2) Run a full scan with SuperAntispyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#2
August 5, 2009 at 21:35:43
Here are the results from three different scans with MBAM. I don't really understand why it kept finding things each time; it looks like they would all have been removed the first time. Anyway, here are the three logs.

Malwarebytes' Anti-Malware 1.40
Database version: 2559
Windows 5.1.2600 Service Pack 2

8/4/2009 11:02:00 AM
mbam-log-2009-08-04 (11-02-00).txt

Scan type: Quick Scan
Objects scanned: 91840
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13331564 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\13331564 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\13331564\13331564 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\13331564\13331564.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
==========================================================
Malwarebytes' Anti-Malware 1.40
Database version: 2561
Windows 5.1.2600 Service Pack 2

8/4/2009 9:11:30 PM
mbam-log-2009-08-04 (21-11-30).txt

Scan type: Quick Scan
Objects scanned: 91887
Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
=========================================================
Malwarebytes' Anti-Malware 1.40
Database version: 2561
Windows 5.1.2600 Service Pack 2

8/5/2009 11:55:19 AM
mbam-log-2009-08-05 (11-55-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 283673
Time elapsed: 51 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 54

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\My Pictures\images\MyFunCardsSetup2.3.50.45.ZUfox000.exe (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\F3CJPEG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\F3IMSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\F3RESTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3HIGHIN.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3HTML.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3IDLE.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3IMPIPE.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3MEDINT.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3MSG.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3OUTLCN.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3PLUGIN.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3SKIN.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3SKPLAY.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3SLSRCH.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\M3SRCHMN.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\MWSSVC.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\My Backup -- 27-03-09 1036\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019370.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019378.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019383.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019384.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019386.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019391.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019392.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019393.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019394.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019395.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019396.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019398.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019399.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019400.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019401.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019402.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019403.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019404.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019407.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019408.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019410.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019411.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019412.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019413.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019414.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP93\A0019415.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP94\A0019446.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
==========================================================
I did not realize spyware did not keep a log and I cannot figure out how to copy the list of quarantined items. The first time it ran it removed over 60 threats. It detects no threats at the moment.




#3
August 5, 2009 at 21:57:36
Download and run the Kaspersky AVP tool in safe mode: http://devbuilds.kaspersky-labs.com...
Once you have downloaded and started the tool in safe mode:
1) Check the options below:

    * Select all the objects/places to be scanned.
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

2) Click Scan.
3) Fix what it detects.
4) Zip/RAR the scan log/summary and upload it to rapidshare.com. Post the download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.


#4
August 5, 2009 at 22:09:05
The virus that causes search engine search result redirects is a browser hijacker: it hijacks the browser and redirects the search results to other sites (possibly spam). Anyway, to fix this problem, this post will guide you:
http://techvts.com/security/search-...


#5
August 7, 2009 at 06:08:24
I ran Kaspersky in safe mode; as it was scanning it found 1 threat. It took 14 hours to complete and finished in the middle of the night. When I got up this morning, I could not find where to view a log or summary, but this is what popped up when I clicked on reports:

not found: Trojan program Trojan.Win32.Agent.crez File: globalroot\systemroot\system32\geyekrmpiuwyam.dll

I did not upload anything as I did not have a log or summary to upload.

The more I try to fix this, the worse it seems to get. My computer is now randomly shutting down, like in the middle of typing this, for instance. I am going to run the malware and spyware scans again.
Please advise further ... THANK YOU!!



#6
August 7, 2009 at 06:42:18
Results from the malware scan ... it seems to show the same trojan that Kaspersky supposedly removed ...

Malwarebytes' Anti-Malware 1.40
Database version: 2561
Windows 5.1.2600 Service Pack 2

8/7/2009 8:37:46 AM
mbam-log-2009-08-07 (08-37-46).txt

Scan type: Quick Scan
Objects scanned: 91974
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Quarantined and deleted successfully.



#7
August 7, 2009 at 07:41:27
I shut the computer down, restarted it, then ran the malware scan again, and it shows the same virus ... all programs say they are treating it, quarantining it, deleting it ... but it is obviously still there ... frustrating!

Second malware report:

Malwarebytes' Anti-Malware 1.40
Database version: 2561
Windows 5.1.2600 Service Pack 2

8/7/2009 9:36:43 AM
mbam-log-2009-08-07 (09-36-43).txt

Scan type: Quick Scan
Objects scanned: 91810
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Quarantined and deleted successfully.



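The logs in #2, #6 and #7 all show the same object, `\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS)`, reported as "Delete on reboot" or "Quarantined and deleted successfully" and then found again in the next scan, which is what the poster is reacting to here. As an added example (not code from this thread, from Malwarebytes or from any of the helpers), the Python script below reads MBAM 1.x logs pasted together the way they were posted above, splits them into scans, and flags any object that was reported removed in one scan and detected again in a later one. The `SAMPLE_LOGS` text is a constructed, shortened version of the thread's logs; treating the `\\?\globalroot\` device-namespace path as a "look again" heuristic is this example's own assumption, not a verdict on the file.

```python
"""Cross-check pasted-together Malwarebytes' Anti-Malware 1.x logs for objects that
come back after being reported as removed. Added example, not code from the thread
or from Malwarebytes; SAMPLE_LOGS is a constructed, shortened version of the logs."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

HEADER = "Malwarebytes' Anti-Malware"
LOGNAME_RE = re.compile(r"^mbam-log-(\d{4}-\d\d-\d\d) \((\d\d)-(\d\d)-(\d\d)\)\.txt$")
SECTION_RE = re.compile(r"^(.+ Infected):$")  # section header: no count after the colon
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
REMOVAL_ACTIONS = {"Quarantined and deleted successfully", "Delete on reboot"}
# Device-namespace prefix under which MBAM listed the recurring DLL in the thread.
# Using it as a "look again" heuristic is this example's assumption, not a verdict.
DEVICE_NS_PREFIX = "\\\\?\\globalroot\\"

SAMPLE_LOGS = r"""
Malwarebytes' Anti-Malware 1.40
mbam-log-2009-08-04 (11-02-00).txt
Scan type: Quick Scan
Memory Modules Infected: 1

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Files Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
==========================================================
Malwarebytes' Anti-Malware 1.40
mbam-log-2009-08-04 (21-11-30).txt
Scan type: Quick Scan
Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Delete on reboot.
Files Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
==========================================================
Malwarebytes' Anti-Malware 1.40
mbam-log-2009-08-07 (08-37-46).txt
Scan type: Full Scan (C:\|D:\|)
Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Delete on reboot.
Files Infected:
\\?\globalroot\systemroot\system32\geyekrmpiuwyam.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

Detection = namedtuple("Detection", "section item family action")

@dataclass
class Scan:
    timestamp: str = ""  # "YYYY-MM-DD HH:MM:SS" from the log file name; sorts as text
    scan_type: str = ""
    detections: list = field(default_factory=list)

def parse_logs(text):
    """Split the pasted logs into Scan objects, one per MBAM header line."""
    scans, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(HEADER):
            current, section = Scan(), None
            scans.append(current)
        elif current is None or not line or line.startswith("("):
            continue  # text before the first header, blank, "(No malicious items detected)"
        elif m := LOGNAME_RE.match(line):
            current.timestamp = f"{m[1]} {m[2]}:{m[3]}:{m[4]}"
        elif line.startswith("Scan type:"):
            current.scan_type = line.split(":", 1)[1].strip()
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif section and (m := DETECTION_RE.match(line)):
            current.detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return scans

def persistent_items(scans):
    """{item: [(timestamp, section, action), ...]} for objects reported removed in one
    scan and detected again in a later one."""
    history = {}
    for scan in scans:
        for d in scan.detections:
            history.setdefault(d.item.lower(), []).append((scan.timestamp, d.section, d.action))
    flagged = {}
    for item, hits in history.items():
        hits.sort(key=lambda h: h[0])
        first = hits[0][0]
        if hits[-1][0] > first and any(a in REMOVAL_ACTIONS for ts, _, a in hits if ts == first):
            flagged[item] = hits
    return flagged

def device_namespace_items(scans):
    """Items MBAM reported under the globalroot device path (DEVICE_NS_PREFIX)."""
    return sorted({d.item for s in scans for d in s.detections
                   if d.item.lower().startswith(DEVICE_NS_PREFIX.lower())})

if __name__ == "__main__":
    scans = parse_logs(SAMPLE_LOGS)
    for item, hits in persistent_items(scans).items():
        print("recurs after removal:", item, *[f"\n    {ts}  {sec}: {act}" for ts, sec, act in hits])
    print("device-namespace paths:", device_namespace_items(scans))
```

To use it on real logs, concatenate the saved `mbam-log-*.txt` files in any order and pass the text to `parse_logs`; the scans are ordered by the timestamp in each file name, so an object flagged by `persistent_items` is one that MBAM reported removed and then saw again after the reboot it asked for. That is exactly the case the helper is escalating to the Kaspersky deep rootkit search and Combofix steps in this thread, and it is the signal worth carrying into any later analysis rather than the individual "deleted successfully" lines.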
#8
August 7, 2009 at 08:50:03
Download and run the Kaspersky AVP tool in safe mode: http://devbuilds.kaspersky-labs.com...
Once you have downloaded and started the tool in safe mode:
1) Check the options below:

    * Select all the objects/places to be scanned.
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

2) Click Scan.
3) Fix what it detects.
4) Zip/RAR the scan log/summary and upload it to rapidshare.com. Post the download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.



#9
August 7, 2009 at 09:07:40
I did that; it took 14 hours, found one threat, said it treated it, and did not leave a log or summary. Here is a copy of the reply posted above:

I ran Kaspersky in safe mode; as it was scanning it found 1 threat. It took 14 hours to complete and finished in the middle of the night. When I got up this morning, I could not find where to view a log or summary, but this is what popped up when I clicked on reports:

not found: Trojan program Trojan.Win32.Agent.crez File: globalroot\systemroot\system32\geyekrmpiuwyam.dll

I did not upload anything as I did not have a log or summary to upload.

The more I try to fix this, the worse it seems to get. My computer is now randomly shutting down, like in the middle of typing this, for instance. I am going to run the malware and spyware scans again.
Please advise further ... THANK YOU!!



#10
August 7, 2009 at 09:55:38
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Attach a Combofix log. Please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

2) Please zip up C:\qoobox\quarantine and upload it to a filehost such as http://rapidshare.com/. Then Private Message me the download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.


#12
August 7, 2009 at 11:59:59
So sorry, but could you please send details on how to zip up the quarantine file. I do not currently have winzip or any other program like that.

#14
August 7, 2009 at 15:57:41
I zipped the file and sent it to you.

THANKS for all your help!



#15
August 7, 2009 at 17:15:44
Uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > Run > type combofix /u > OK.

Run a full scan with your antivirus.

If I'm helping you and I don't reply within 24 hours send me a PM.



#16
August 8, 2009 at 06:03:22
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/8/2009 8:01:28 AM
mbam-log-2009-08-08 (08-01-28).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 270895
Time elapsed: 9 hour(s), 0 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#17
August 8, 2009 at 06:04:08
THANK YOU !!!!


#18
September 1, 2009 at 17:27:49
I'm having the exact same problem, what program did you use to fix this?
