Antivirus says clean but...

dizzywizlw

Hey Guys, I've recently had a nice long enjoyable session of homicidal rage at trying to remove some malware from my computer.
I am unable to access Microsoft.com and other sites such as symatec (all other site are fine). Also I am constently redirected to Ask.com and to make matters slighty worse I've been a fair few bluescreens and when I tried to install Mcafee it encounter a unspecified error and tried to close over 50 times! it instlaled but now is unable to run virus scans, heres my hijackthis and rooter analysis (Spybot AND Window malicous software removal tool have stopped finding anything.)

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 6.0.2900.5512
Mozilla Firefox 3.5.2 (en-GB)
.
C:\ [Fixed-NTFS] .. ( Total:372 Go - Free:198 Go )
\ [CD_Rom]
.
Scan : 09:39.37
Path : c:\documents and settings\administrator\my documents\downloads\rooter.exe
User : Administrator ( Administrator -> YES )
.

---

\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (944)
______ \??\C:\WINDOWS\system32\csrss.exe (1008)
______ \??\C:\WINDOWS\system32\winlogon.exe (1032)
______ C:\WINDOWS\system32\services.exe (1076)
______ C:\WINDOWS\system32\lsass.exe (1092)
______ C:\WINDOWS\system32\nvsvc32.exe (1272)
______ C:\WINDOWS\system32\svchost.exe (1360)
______ C:\WINDOWS\system32\svchost.exe (1424)
______ C:\WINDOWS\System32\svchost.exe (1544)
______ C:\Program Files\Ahead\InCD\InCDsrv.exe (1564)
______ C:\WINDOWS\system32\svchost.exe (1764)
______ C:\WINDOWS\system32\svchost.exe (1884)
______ C:\WINDOWS\system32\spoolsv.exe (2028)
______ C:\WINDOWS\Explorer.EXE (284)
______ c:\program files\intel\amt\atchk.exe (560)
______ c:\program files\cyberlink dvd solution\powerdvd\pdvdserv.exe (568)
______ c:\program files\ahead\incd\incd.exe (596)
______ c:\program files\java\jre6\bin\jusched.exe (680)
______ c:\windows\system32\rundll32.exe (812)
______ c:\windows\rthdcpl.exe (820)
______ c:\program files\mcafee.com\agent\mcagent.exe (884)
______ c:\program files\siteadvisor\6172\siteadv.exe (896)
______ C:\WINDOWS\system32\svchost.exe (1612)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1784)
______ C:\Program Files\Intel\AMT\atchksrv.exe (1792)
______ c:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe (1808)
______ C:\Program Files\Java\jre6\bin\jqs.exe (156)
______ C:\WINDOWS\System32\svchost.exe (264)
______ C:\Program Files\Intel\AMT\LMS.exe (688)
______ C:\WINDOWS\System32\svchost.exe (672)
______ C:\WINDOWS\System32\svchost.exe (1492)
______ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (876)
______ c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (2280)
______ C:\WINDOWS\System32\svchost.exe (2576)
______ C:\WINDOWS\System32\svchost.exe (2620)
______ C:\Program Files\McAfee\MPF\MPFSrv.exe (2712)
______ C:\Program Files\McAfee\MSK\MskSrver.exe (2764)
______ C:\Program Files\SiteAdvisor\6172\SAService.exe (2864)
______ C:\WINDOWS\system32\svchost.exe (2968)
______ C:\Program Files\Intel\AMT\UNS.exe (3032)
______ C:\WINDOWS\system32\svchost.exe (3636)
______ C:\WINDOWS\System32\alg.exe (3132)
______ C:\WINDOWS\System32\svchost.exe (2940)
______ C:\WINDOWS\system32\23.tmp (4740)
______ c:\program files\mozilla firefox\firefox.exe (5408)
______ C:\WINDOWS\system32\wuauclt.exe (4372)
______ c:\PROGRA~1\mcafee\msc\mcuimgr.exe (5292)
______ c:\windows\system32\cmd.exe (5660)
______ c:\program files\java\jre6\bin\jucheck.exe (5816)
______ C:\WINDOWS\system32\lodupgd.jpg (340)
______ c:\PROGRA~1\mcafee\msc\mcupdmgr.exe (5232)
______ c:\documents and settings\administrator\my documents\downloads\rooter.exe (4220)
.

---

\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:400077586944)
.

---

\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\McDefragTask.job
C:\WINDOWS\Tasks\McQcTask.job
C:\WINDOWS\Tasks\SA.DAT
.

---

\\ Registry
.
.

---

\\ Files & Folders
.

---

\\ Scan completed at 09:39.47
.
C:\Rooter$\Rooter_1.txt - (09/08/2009 | 09:39.47)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:44:52, on 09/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\intel\amt\atchk.exe
c:\program files\cyberlink dvd solution\powerdvd\pdvdserv.exe
c:\program files\ahead\incd\incd.exe
c:\program files\java\jre6\bin\jusched.exe
c:\windows\system32\rundll32.exe
c:\windows\rthdcpl.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\program files\siteadvisor\6172\siteadv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
c:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\23.tmp
c:\program files\mozilla firefox\firefox.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\program files\java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\lodupgd.jpg
c:\program files\trend micro\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13170&l=dis
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B42BF63C-5354-4c5c-A789-66EFEEC5E1B0} - C:\WINDOWS\system32\AcroIEHelpe.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215439667390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215439659031
O17 - HKLM\System\CCS\Services\Tcpip\..\{294C4EE8-FD03-436B-A7B3-31540784C933}: NameServer = 62.231.32.10,62.231.32.11
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 8117 bytes

ActorSeeksJob

hi

Download RootRepeal.zip or from here and unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
• Click on the Report tab at the bottom of the program window
• Click the Scan button
• In the Select Scan dialog, check:
  
  
• Drivers
• Files
• Processes
• SSDT
• Stealth Objects
• Hidden Services

[*]Click the OK button
[*]In the next dialog, select all drives showing
[*]Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running

[*]When the scan is complete, the Save Report button will become available
[*]Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

dizzywizlw

Hi,
I tried to run it and got this error
attempted to read from adress 0x00bd9000

dizzywizlw

Here we go

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/09 10:40
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers

---

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB40F5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85FE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xB8671000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB334F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xB85AE000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files

---

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\WER0c5a.dir00
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{DFE1522A-21D2-4725-8A1E-7F8E590177C9}.log-journal
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\B995N3BY\video.google.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\B995N3BY\void.snocap.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Stealth Objects

---

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1092) Address: 0x01000000 Size: 40960

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1228) Address: 0x01000000 Size: 40960

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1780) Address: 0x01000000 Size: 40960

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 2344) Address: 0x01000000 Size: 40960

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 2356) Address: 0x01000000 Size: 40960

==EOF==

dizzywizlw

Also, the virus keeps turning off my computer and has dsiabled mcafee virus scan etc.

ActorSeeksJob

hi

Please download DDS and save it to your desktop.

• Disable any script blocking protection
• Double click dds.pif to run the tool.
• When done, two DDS.txts will open.
• Save both reports to your desktop.

---

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

Matt22

What you should do is download Malwarebytes and Superantispyware. Update both definitions and do full scans with both. If they don't solve your problem I'll be very surprised.

http://www.malwarebytes.org/

http://www.superantispyware.com/

dizzywizlw

Unable to access DDS website, Malwarebytes 19 things

can't access http://www.superantispyware.com/

heres my malwarbytes
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

10/08/2009 13:23:14
mbam-log-2009-08-10 (13-23-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 212048
Time elapsed: 29 minute(s), 52 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
C:\WINDOWS\system32\lodupgd.jpg (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lodupgd.jpg (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AcroIEHelpe.dll (Spyware.Banker) -> Quarantined and deleted successfully.

Matt22

OK. If Malwarebytes didn't solve your problem completely, try downloading superantispyware from here

http://filehippo.com/download_superantispyware/

dizzywizlw

Right, Superantispyware AND Sbybot and Malwarebyte found nothing yet i still can't access Microsoft.com etc.?

Matt22

Try running ccleaner now

http://www.ccleaner.com/

And failing that, try rebooting (restarting Windows for the non tech savvy)

ActorSeeksJob

thats not going to help


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:
   • Tools->Options->Main tab
   • Set to "Always ask me where to Save the files".
2. During the download, rename Combofix to Combo-Fix as follows:
   
   
   
   
   
   
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

   ---

   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

     ---

   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

   ---

7. Double click on combo-Fix.exe & follow the prompts.
8. When finished, it will produce a report for you.
9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Matt22

It might help as it cleans out the internet cache, so whatever was stopping them from going to those sites should be gone after a clear out from ccleaner.

dizzywizlw

It say that Combofix has been compromised

henryporter

Try downloading http://www.simplysup.com/tremover/download.html Trojan Remover - its has a thirty day free use. Worked on mine last week - had a backdoor.bot that every other malware remover couldn't shift. May need to have two or three goes to fix it. Also need to download the updates separately for some reason.

Also download ATF Cleaner at http://download.cnet.com/ATF-Cleaner/3000-18512_4-89432.html to clear caches, temporary files etc.

dizzywizlw

I've tried AVG malwarbytes Spybot and Superantispyware and It's starting to get frustrating.

I may just have to format and reinstall

Matt22

Did you try ccleaner?

Also, try Prevx and see if that works.

Don't give up just yet.

dizzywizlw

just tried CCcleaner and nothing. do you have a non direct link for a free version of prevx?

Matt22

When you say you tried ccleaner and you say nothing, do you mean you still can't get onto certain websites?

also heres the link for prevx

http://info.prevx.com/downloadcsi.asp

Unfortunately theres no free version though, but it does have superb detection.

dizzywizlw

I already payed for mcafee yesterday I'm certainly not shelling out anymore money.

Yes i am unable to connect to certain websites incluuding the link you just gave me.

Matt22

Its only 25 euro for a license so its worth getting imo. And if it doesn't find anything then you can always uninstall it.

Anyway, Mcafee is useless so you'll need to use something else for proper virus protection.

Also, before you reinstall Windows, try uninstalling mcafee, use ccleaner once more and then reboot the computer. If that doesn't work then just backup your files and reinstall Windows if you want to give up.

ActorSeeksJob

don't waste your money on products that wont help


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

dizzywizlw

I Can't run that program, it bring up the 'error must close' message should i try and save the error report?

ActorSeeksJob

got a nasty new rootkit here

Please download this tool by sUBs, and save it to your desktop.

• Close any applications that you have open, as your computer will be rebooted
• Double click +++.exe to run the tool
• When it has run it will reboot your computer, you may then delete the tool

dizzywizlw

that crashes my Firefox.

On a better note, the genius that 'helped' my family by building us a new PC didn't give me any driver disc or the copy of XP or install the i386 folder so no formatting

ActorSeeksJob

can you try transfer it over via a usb key or try a different browser