Did you flush the dns cache as PP suggested?
Did you run deletedomains?
Are you being re-directed in more than one browser?
When you say there were no results, did it say "nothing found," or what?
I did the dns cache yesterday. It said "nothing found" on the two scans that were suggested. Deldomains said that installation failed and I followed the instructions. I am also being redirected when using IE.
any other ideas anyone?
Let's try this:
Please download mbr.exe and place it in your C:\ Drive
-- Click START > RUN > type cmd ENTER
At the prompt, type or Copy and Paste: mbr -t > C:\Logit.txt
Let it run and please post the Logit.txt
I'll be back on Tuesday if crunchie doesn't reply earlier.
PP :)
It says access denied when I hit enter
This is the only thing that appeared
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x868F9E07]<<
kernel: MBR read successfully
user & kernel MBR OK
OK - Let's try this:
Please run S!R!'s SmitfraudFix Search - Option 1 as per the linky below and post the log for me.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
I have to run, but will be back Tuesday evening EST.
PP :)
SmitFraudFix v2.424
Scan done at 1:20:08.08, Tue 11/10/2009
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows
»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Joe
»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Joe\AppData\Local\Temp
»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Joe\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Joe\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!
o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!
Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
»»»»»»»»»»»»»»»»»»»»»»»» RK
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
DNS Server Search Order: 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{4AECF770-1C91-4129-B483-2C7C0C188F7F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{4E25E62E-EEA1-495B-90EF-0B4A309A27E0}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5B334001-151C-40A8-A2E5-872B1ED2C834}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F92BB272-EFE7-438F-AA67-B8CDCD87B5A2}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4AECF770-1C91-4129-B483-2C7C0C188F7F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4E25E62E-EEA1-495B-90EF-0B4A309A27E0}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5B334001-151C-40A8-A2E5-872B1ED2C834}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F92BB272-EFE7-438F-AA67-B8CDCD87B5A2}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4AECF770-1C91-4129-B483-2C7C0C188F7F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4E25E62E-EEA1-495B-90EF-0B4A309A27E0}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5B334001-151C-40A8-A2E5-872B1ED2C834}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F92BB272-EFE7-438F-AA67-B8CDCD87B5A2}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
SmitFraudFix v2.424. . . . . . . .
Well, that didn't help....
It looks like crunchie and I missed something - I thought I mentioned it earlier, but apparently not.
Please do the following:
Click START > RUN > type cmd and hit OK
At the prompt Copy&Paste the complete text in Red below and hit ENTER:
Copy C:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys C:\
You should get a message confirming successful copy.
THEN:
Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip
-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:
Files to move:
C:\atapi.sys | C:\windows\System32\drivers\atapi.sys
-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me and let me know if that had any effect on the problem.
Cheers :)
PP
Well, that didn't help....
It looks like crunchie and I missed something - I thought I mentioned it earlier, but apparently not.
Now that you have pointed it out, I can see the entry in the combofix log showing it missing. :icon_redface:
There is a removal tool here: Remove Shopica
Have you tried this?
Do you know what it is?
The "removal tool" this site is pimping is a borderline rogue called SpyNoMore.
It is trialware that may or may not detect a bunch of things, but then wants you to buy their product before it will "remove" them..... LOL.
There are better free tools - If MBAM doesn't get this, I doubt SpyNoMore will. Especially a modified or infected atapi.sys....
Cheers :)
PP
Really!!! Dang it!!! You're right! Sorry 'bout that... then disregard that tool. :icon_redface:
It also had steps on what to manually look for, so it looked legit. The web site is http://www.removeonline.com/
Norton reports it as safe http://safeweb.norton.com/report/show?url=removeonline.com..
Thanks for the info, philliephan. Sorry again for the bad link.
Good luck, poster.
Hey - sorry if my previous post sounded a bit harsh - didn't mean to come across that way.... :)
Look at that site carefully - it is set up solely to sell a product. Very little actual or useful information - just tons of links to download their product. Currently SpyNoMore, but easily changed when the affiliate/owner switches product (heck, upon further review I found another borderline rogue - XSoftSpy).
Nowhere does it say the name of the tool until you go to install it - it just says "removal tool." Nowhere does it say you will need to pay to have the tool remove what it detects. You just find that out after installing and scanning - borderline extortion in my book.
This is classic affiliate behavior to rope in unsuspecting users who are desperate to remove their malware.
They are just trying to capitalize on desperate users who are not aware of the better free options available to them.
Cheers :)
PP
There was an error when I hit execute... something about invalid script.... has to start with a command directive.... I copied what you typed in red.
We seem to get this a lot.... You need to copy everything in red, including the command directive Files to move:
Please have another go at it :)
PP
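A pre-flight checker for the "Files to move:" script used in this thread, added here as an example; it is not code from the thread or from The Avenger's author. It reproduces the two failures seen above before anything runs: a pasted script that lacks the leading command directive, and a source file that does not exist yet. The script grammar (a directive line ending in ":" followed by "source | destination" lines) is an assumption taken only from what the thread shows; the sandbox paths stand in for C:\atapi.sys and System32\drivers\atapi.sys.

```python
import os
import tempfile

# Only the directive seen in the thread is handled; others are an unknown here.
DIRECTIVE = "Files to move:"


def parse_avenger_script(text):
    """Return a list of (src, dst) pairs, or raise ValueError with a
    message mirroring the Avenger pre-processor error from the thread."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].endswith(":"):
        raise ValueError("Invalid script. A valid script must begin with a command directive.")
    if lines[0] != DIRECTIVE:
        raise ValueError("Unsupported directive %r (only %r handled here)" % (lines[0], DIRECTIVE))
    moves = []
    for ln in lines[1:]:
        if "|" not in ln:
            raise ValueError("Bad move line (expected 'src | dst'): %r" % ln)
        src, dst = (part.strip() for part in ln.split("|", 1))
        moves.append((src, dst))
    return moves


def script_error(text):
    """Return the rejection message for a script, or None if it parses."""
    try:
        parse_avenger_script(text)
    except ValueError as exc:
        return str(exc)
    return None


def preflight(moves):
    """Check that every source file exists before the reboot-time move.
    Returns (src, dst, status) tuples; 'source not found' is the second
    failure seen in the thread (STATUS_OBJECT_NAME_NOT_FOUND)."""
    return [(src, dst, "ok" if os.path.isfile(src) else "source not found")
            for src, dst in moves]


def demo():
    """Constructed sandbox: a temp dir plays the role of C:\\ and its
    drivers folder. Returns the pre-flight status before and after the
    clean copy is put in place."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "atapi.sys")               # stand-in for C:\atapi.sys
    live = os.path.join(root, "drivers", "atapi.sys")     # stand-in for the live driver
    script_ok = "%s\n%s | %s\n" % (DIRECTIVE, clean, live)
    before = preflight(parse_avenger_script(script_ok))   # clean copy not made yet
    with open(clean, "wb") as fh:
        fh.write(b"constructed stand-in for a clean atapi.sys")
    after = preflight(parse_avenger_script(script_ok))
    return before[0][2], after[0][2]


if __name__ == "__main__":
    print(script_error("C:\\atapi.sys | C:\\windows\\System32\\drivers\\atapi.sys"))
    print(demo())
```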
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Wed Nov 11 15:01:56 2009
15:01:56: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "C:\atapi.sys" not found!
File move operation "C:\atapi.sys|C:\windows\System32\drivers\atapi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
Alright, what did I do wrong? And it's still redirecting.
Looks like there was an error copying atapi.sys to C:\
Can you navigate to C:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
Copy and paste it to your C:\ drive --> C:\atapi.sys
Then, try the Avenger step again.
PP :)
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "C:\atapi.sys|C:\windows\System32\drivers\atapi.sys" completed successfully.
Completed script processing.
*******************
Finished! Terminate.
It doesn't appear to be redirecting anymore... I have clicked on about 30 links and they seem to all work... thanks to you and crunchie times a million!
Although my clock is in military time... haha
You're welcome - happy to hear it!
Let's remove Combofix and the files/folders it created:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK
This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.
-- Doing the above step ought to get your clock back to normal.
Let us know if there are any further issues - otherwise I think you can mark this thread "solved."
Cheers :)
PP