[Need help removing Malware[INACTIVE]]

Hello, Raz1el

Welcome to the BestTechie Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  
• Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  
• Please set your system to show all files.
  Click Start, open My Computer, select the Tools menu and click Folder Options.
  Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  Uncheck: Hide file extensions for known file types
  Uncheck the Hide protected operating system files (recommended) option.
  Click Yes to confirm.
  

1. Please download OTL from one of the following mirrors:
   • This is THE Mirror
     

[*]Save it to your desktop.

[*]Double click on the icon on your desktop.

[*]Under the Custom Scan box paste this in

netsvcs

%SYSTEMDRIVE%\*.exe

/md5start

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

sceclt.dll

ntelogon.dll

logevent.dll

iaStor.sys

nvstor.sys

atapi.sys

IdeChnDr.sys

viasraid.sys

AGP440.sys

vaxscsi.sys

nvatabus.sys

viamraid.sys

nvata.sys

nvgts.sys

iastorv.sys

ViPrt.sys

eNetHook.dll

ahcix86.sys

KR10N.sys

/md5stop

%systemroot%\*. /mp /s

CREATERESTOREPOINT

[*]Push the Quick Scan button.

[*]Two reports will open, copy and paste them in a reply here:

• OTL.txt <-- Will be opened
  
• Extra.txt <-- Will be minimized
  

[Slow system, CPU 100%, Malware releated issues]

Hello, Hellogb

Welcome to the BestTechie Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  
• Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  
• Please set your system to show all files.
  Click Start, open My Computer, select the Tools menu and click Folder Options.
  Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  Uncheck: Hide file extensions for known file types
  Uncheck the Hide protected operating system files (recommended) option.
  Click Yes to confirm.
  

1. Please download OTL from one of the following mirrors:
   • This is THE Mirror
     

[*]Save it to your desktop.

[*]Double click on the icon on your desktop.

[*]Under the Custom Scan box paste this in

netsvcs

%SYSTEMDRIVE%\*.exe

/md5start

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

sceclt.dll

ntelogon.dll

logevent.dll

iaStor.sys

nvstor.sys

atapi.sys

IdeChnDr.sys

viasraid.sys

AGP440.sys

vaxscsi.sys

nvatabus.sys

viamraid.sys

nvata.sys

nvgts.sys

iastorv.sys

ViPrt.sys

eNetHook.dll

ahcix86.sys

KR10N.sys

/md5stop

%systemroot%\*. /mp /s

CREATERESTOREPOINT

[*]Push the Quick Scan button.

[*]Two reports will open, copy and paste them in a reply here:

• OTL.txt <-- Will be opened
  
• Extra.txt <-- Will be minimized
  

[Computer bogged down, internet connection issues...]

Hello, deocder

Welcome to the BestTechie Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  
• Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  
• Please set your system to show all files.
  Click Start, open My Computer, select the Tools menu and click Folder Options.
  Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  Uncheck: Hide file extensions for known file types
  Uncheck the Hide protected operating system files (recommended) option.
  Click Yes to confirm.
  

1. Please download OTL from one of the following mirrors:
   • This is THE Mirror
     

[*]Save it to your desktop.

[*]Double click on the icon on your desktop.

[*]Under the Custom Scan box paste this in

netsvcs

%SYSTEMDRIVE%\*.exe

/md5start

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

sceclt.dll

ntelogon.dll

logevent.dll

iaStor.sys

nvstor.sys

atapi.sys

IdeChnDr.sys

viasraid.sys

AGP440.sys

vaxscsi.sys

nvatabus.sys

viamraid.sys

nvata.sys

nvgts.sys

iastorv.sys

ViPrt.sys

eNetHook.dll

ahcix86.sys

KR10N.sys

/md5stop

%systemroot%\*. /mp /s

CREATERESTOREPOINT

[*]Push the Quick Scan button.

[*]Two reports will open, copy and paste them in a reply here:

• OTL.txt <-- Will be opened
  
• Extra.txt <-- Will be minimized
  

[Mozilla Hijacked Frequently]

Hi,

Did you try uninstall and reinstall Firefox?

[Mozilla Hijacked Frequently]

You're welcome

Please doubleclick OTL one more time and hit Cleanup. This will remove OTL and all helper tools.

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean

Hiding Hidden Files

Please set your system to hide all hidden files.

Click Start, open My Computer, select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.

Check: Hide file extensions for known file types

Check the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Purging System Restore Points

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  
• Then go to Start > Run and type: Cleanmgr
  
• Click "OK".
  
• Click the "More Options" Tab.
  
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
  

One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are going to sites that you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:

1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
   
2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
   
3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
   
4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software.
   There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
   
5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
   
6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
   
7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
   
8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
   
9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
   
10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
    

Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make Internet Explorer 7 more secure

1. From within Internet Explorer click on the Tools menu and then click on Options.
   
2. Click once on the Security tab
   
3. Click once on the Internet icon so it becomes highlighted.
   
4. Click once on the Custom Level button.
   
   1. 
      
   2. Change the Download signed ActiveX controls to Prompt
      
   3. Change the Download unsigned ActiveX controls to Disable
      
   4. Change the Initialize and script ActiveX controls not marked as safe to Disable
      
   5. Change the Installation of desktop items to Prompt
      
   6. Change the Launching programs and files in an IFRAME to Prompt
      
   7. Change the Navigate sub-frames across different domains to Prompt
      
   8. When all these settings have been made, click on the OK button.
      
   9. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      
      
   10. Next press the Apply button and then the OK to exit the Internet Properties page.
       
       

[Mozilla Hijacked Frequently]

Do you still get redirected?

[Mozilla Hijacked Frequently]

Hi,

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

  :OTL
  IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101852&l=dis
  FF - prefs.js..browser.search.defaultenginename: "Ask"
  FF - prefs.js..browser.search.order.1: "Ask"
  FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=101849&gct=&gc=1&q="
  O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
  

• Then click the Run Fix button at the top
• Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
• Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

================================Follow up scan=================================

• Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Under the Standard Registry box change it to All.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open one notepad window. OTL.Txt a This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

[Mozilla Hijacked Frequently]

Hi,

Please uninstall everything from Java through Add/Remove Programs. Also please uninstall the dyyno extension in Firefox.

Please reboot, post back with a fresh OTL logfile and tell me if you still have any problems.

[Mozilla Hijacked Frequently]

Hi,

How is it running?

1. Please download OTL from one of the following mirrors:
   • This is THE Mirror
     

[*]Save it to your desktop.

[*]Double click on the icon on your desktop.

[*]Under the Custom Scan box paste this in

netsvcs

%SYSTEMDRIVE%\*.exe

/md5start

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

sceclt.dll

ntelogon.dll

logevent.dll

iaStor.sys

nvstor.sys

atapi.sys

IdeChnDr.sys

viasraid.sys

AGP440.sys

vaxscsi.sys

nvatabus.sys

viamraid.sys

nvata.sys

nvgts.sys

iastorv.sys

ViPrt.sys

eNetHook.dll

ahcix86.sys

KR10N.sys

/md5stop

%systemroot%\*. /mp /s

CREATERESTOREPOINT

[*]Push the Quick Scan button.

[*]Two reports will open, copy and paste them in a reply here:

• OTL.txt <-- Will be opened
  
• Extra.txt <-- Will be minimized
  

[Mozilla Hijacked Frequently]

Hi,

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

• Ensure all Firefox windows are closed.
  
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  
• When prompted to run the scan, click Yes.
  
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

[Mozilla Hijacked Frequently]

Hi,

Is your problem only related to firefox or is it with Internet Explorer too?

[Mozilla Hijacked Frequently]

Hi,

Try this one, it will run on 64Bit systems:

Please download Sophos Anti-rootkit & save it to your desktop.

alternate download link

Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.

• Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  
• Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  
• If the scan did not start automatically, make sure the following are checked:
  • 
    
• Running processes
  
• Windows Registry
  
• Local Hard Drives
  

[*]Click Start scan.

[*]Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.

[*]When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.

[*]Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.

• Files tagged as Removable: No are not marked for removal and cannot be removed.
  
• Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  
• Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.

[*]Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.

[*]A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.

[*]After reboot, a dialog box displays the files you selected for removal and the action taken.

[*]Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.

[*]When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log

[*]This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.

[Mozilla Hijacked Frequently]

Hi,

When you click on save there is no chance to save the logfile?

If not, please try this one:

RootRepeal - Rootkit Detector

Download RootRepeal.zip and unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
  
• Click on the Report tab at the bottom of the program window
  
• Clickthe Scan button
  
• In the Select Scan dialog, check:
  
  • Drivers
    
  • Files
    
  • Processes
    
  • SSDT
    
  • Stealth Objects
    
  • Hidden Services
    

  [*]Click the OK button

  [*]In the next dialog, select all drives showing

  [*]Click OK to start the scan

  The scan can take some time. DO NOT run any other programs while the scan is running

  [*]When the scan is complete, the Save Report button will become available

  [*]Click this and save the report to your Desktop as RootRepeal.txt

  [*]Go to File, then Exit to close the program

Also please do this:

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  
• Double click on RSIT.exe to run RSIT.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

[Mozilla Hijacked Frequently]

Hello, Sup3rior

Welcome to the BestTechie Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  
• Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  
• Please set your system to show all files.
  Click Start, open My Computer, select the Tools menu and click Folder Options.
  Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  Uncheck: Hide file extensions for known file types
  Uncheck the Hide protected operating system files (recommended) option.
  Click Yes to confirm.
  

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and re-enable all active protection when done.
  

[Hi there :)]

Hi

Thanks to everybody for the welcome

[Hi there :)]

Hi everybody,

Just wanna say hello to everybody who didn't know me, a few names here should know me from other places .

Just joined this wonderful community to spend some time with you. For everybody who didn't know me:

My name is Thomas ( Tom is also fine ), I am 28 years old and coming from the good ©old Germany .

If anybody has some questions, I am ready .

cheers,

Thomas