
Can't access certain websites

  • 03-12-2008 12:12am
    #1
    Registered Users, Registered Users 2 Posts: 7,020 ✭✭✭


    This post has been deleted.


Comments

  • Closed Accounts Posts: 303 ✭✭R3al


    You haven't cleaned the virus entirely or the virus has made a change to your system files.


  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko


    Run online scans and use AVG.
    Ping the sites you cannot access.
    Try another browser (download it)


  • Registered Users, Registered Users 2 Posts: 7,020 ✭✭✭eVeNtInE


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko


    To ping click Start / Run.
    Type CMD
    A window opens
    Type ping www.boards.ie

    You should see this:
    C:\>ping www.boards.ie
    Pinging www.boards.ie [89.234.66.107] with 32 bytes of data:
    Reply from 89.234.66.107: bytes=32 time=32ms TTL=52
    Reply from 89.234.66.107: bytes=32 time=33ms TTL=52
    Reply from 89.234.66.107: bytes=32 time=33ms TTL=52
    Reply from 89.234.66.107: bytes=32 time=31ms TTL=52
    Ping statistics for 89.234.66.107:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 31ms, Maximum = 33ms, Average = 32ms
    C:\>

    Now you know www.boards.ie answers to a ping (a hello request).

    Now try pinging the other website. What response do you get?


  • Registered Users, Registered Users 2 Posts: 7,020 ✭✭✭eVeNtInE


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    The simple versions of these viruses add incorrect entries to the file
    C:\WINDOWS\system32\drivers\etc\hosts
    The only necessary entry is 127.0.0.1 localhost.

    Or they might hijack the DNS setting on your network card, changing it to a value of their choosing. Run ipconfig /all and check the DNS servers setting.

    -

    However the one I saw the other day was a lot nastier. TDSSserv.sys
    It appeared to place its own driver to check some simple address checks on DNS and web requests.

    So googling/ yahooing/ MSLive would send you to some dodgy site that impersonated itself as go.google.com or go.yahoo.com.

    So trying to ping www.eset.ie, www.trendmicro.com and a pile of others would ping 127.0.0.1. This would occur even when the network card was disconnected and the ipconfig /flushdns had cleared the local DNS cache.
    The bug was still causing problems in safe mode with networking.

    Using nslookup to get the IP address and plugging that into the browser would succeed.

    By going into Control Panel\System\Hardware\device manager\Non-plug and Play Drivers, choosing View\Show Hidden Devices I found this TDSSserv.sys driver file.
    Click disable, not uninstall.

    Nod32 and AVG scans failed to notice or fix the problem. I didn't see anything suspicious in hijackthis (but I'm no expert.) Google searches for a fix were unusually unhelpful.

    I ended up nuking the laptop from orbit just in case.
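
The two simple checks described in the post above (extra entries in the hosts file, and a changed DNS server in the `ipconfig /all` output), as an added example that is not part of the original thread. The sample file contents, the 203.0.113.x addresses and the expected resolver 192.168.1.1 are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample data (not the thread's deleted logs); 203.0.113.x is a documentation range.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.eset.ie www.trendmicro.com   # blackholed AV sites
203.0.113.10    go.google.com
not-an-ip       example.test
"""
SAMPLE_IPCONFIG = """\
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : (constructed)
"""

def audit_hosts(text):
    """Return (line_no, address, name, reason) for each entry other than loopback localhost."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "malformed address"))
            continue
        for name in (n.lower() for n in fields[1:]):
            if name == "localhost" and ip.is_loopback:
                continue
            reason = "blackholed to loopback" if ip.is_loopback else "pinned to fixed address"
            findings.append((line_no, str(ip), name, reason))
    return findings

def unexpected_dns_servers(ipconfig_text, expected):
    """Return DNS servers from `ipconfig /all` output that are not in `expected`."""
    servers, in_dns = [], False
    for raw in ipconfig_text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", raw)
        more = in_dns and re.fullmatch(r"\s+([0-9A-Fa-f:.]+)", raw)
        in_dns = bool(first or more)   # continuation lines carry only an address
        if in_dns:
            servers.append((first or more).group(1))
    return [s for s in servers if s not in expected]

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS), unexpected_dns_servers(SAMPLE_IPCONFIG, {"192.168.1.1"}))
```

A deliberately installed blocklist hosts file, such as the MVPS one recommended later in this thread, also produces loopback entries, so review the flagged names rather than the count. Neither check catches the driver-level redirection described in the same post, where the hosts file and DNS settings look normal.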


  • Registered Users, Registered Users 2 Posts: 7,020 ✭✭✭eVeNtInE


    This post has been deleted.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    That won't go easy

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Please include the C:\ComboFix.txt in your next reply for further review.


  • Registered Users, Registered Users 2 Posts: 7,020 ✭✭✭eVeNtInE


    This post has been deleted.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    You have two anti-virus programs, AVG and Avast, you need to remove one of these

    Please download the OTMoveIt3 by OldTimer or from here.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      :Processes
      explorer.exe
      
      :Services
      
      :Reg
      
      :Files
      C:\sphwnmcj.exe
      C:\lurjlnps.exe
      C:\-2077934513
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
      
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt3
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




    Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.




    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.
    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        • Spyware, Adware, Dialers, and other potentially dangerous programs
        • Archives
        • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


  • Registered Users, Registered Users 2 Posts: 7,020 ✭✭✭eVeNtInE


      This post has been deleted.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      Post a new HJT log


  • Registered Users, Registered Users 2 Posts: 7,020 ✭✭✭eVeNtInE


      This post has been deleted.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      Your logs are clean

      Follow these steps to uninstall Combofix and tools used in the removal of malware
      • Click START then RUN
      • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



      • Make sure you have an Internet Connection.
      • Download OTCleanIt to your desktop and run it
      • A list of tool components used in the Cleanup of malware will be downloaded.
      • If your Firewall or Real Time protection attempts to block OTCleanUp to reach the Internet, please allow the application to do so.
      • Click Yes to begin the Cleanup process and remove these components, including this application.
      • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



      You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
      http://www.adobe.com/products/acrobat/readstep2.html




      Below I have included a number of recommendations for how to protect your computer against malware infections.

      * Keep Windows updated by regularly checking their website at :
      http://windowsupdate.microsoft.com/
      This will ensure your computer has always the latest security updates available installed on your computer.

      * To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

      SpywareBlaster protects against bad ActiveX

      * SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

      Make Internet Explorer more secure
      • Click Start > Run
      • Type Inetcpl.cpl & click OK
      • Click on the Security tab
      • Click Reset all zones to default level
      • Make sure the Internet Zone is selected & Click Custom level
      • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
      • Next Click OK, then Apply button and then OK to exit the Internet Properties page.


      *ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

      *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

      *Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

      * MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

      * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
      Here

      * Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
      Here

      *ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

      * Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

      Thank you for your patience, and performing all of the procedures requested.


  • Registered Users, Registered Users 2 Posts: 7,020 ✭✭✭eVeNtInE


      This post has been deleted.

