webpage redirect, linked to njg.exe [Solved]

#16 JSntgRvr (Global Moderator, 11,579 posts)
1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

#17 serpntene (Topic Starter, Member, 67 posts)
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#18 JSntgRvr (Global Moderator, 11,579 posts)
Test the computer. Let me know if the redirection ceased.

#19 serpntene (Topic Starter, Member, 67 posts)
I am still unable to connect to malwarebytes.org from the affected PC using either IE or Firefox. There are still popups coming up and Google redirects.

#20 JSntgRvr (Global Moderator, 11,579 posts)
Click here:

http://forums.malwar...php?showforum=7

What is the error message?

Let's take a deeper look:

Download OTS.exe by OldTimer to your Desktop.
  • Close any open browsers.
  • Double-click on OTS.exe to start the program.
  • Leave all settings as they appear as default, except for the following:
    • Under Drivers, select "All".
    • Under Registry, select "All".
    • Under Additional Scans, click on the "Extras" button.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file.
Use the Reply button and attach the notepad file here (do not copy and paste it into a reply; rather, attach it).

#21 serpntene (Topic Starter, Member, 67 posts)
The first time I clicked your link, it took me to www.google.com. The second and third times I clicked it, it just took me to the "Internet Explorer Cannot Display The Webpage" page.

If I try directly typing in the address www.malwarebytes.org, it takes me to a bing search page with malwarebytes results including malwarebytes.org. However if I click the link to malwarebytes I get the "Internet Explorer Cannot Display The Webpage" page again.

If I Google search for anything other than malwarebytes, I do get links to legit sites, but if I click any, I am redirected randomly to a page I did not request. I have managed to add several addresses to my block sites list, but these still come up as blank pages. When I rebooted earlier I didn't shut anything down manually, I just let the PC close it out. When I chose to reopen IE and restore the session, four windows popped up: one with my tabs in it, one Google and two gossip blogs.

Nothing shows running in task manager that does not belong. Nothing in process explorer.

Attached Files

  • Attached File: OTS.Txt (242.93KB, 156 downloads)

Edited by serpntene, 30 January 2010 - 10:51 PM.


#22 JSntgRvr (Global Moderator, 11,579 posts)
No help there. Do you connect through a Router? If you do, reset it to factory settings.

Please run the F-Secure Online Scanner

  • For information, click Here.
  • Allow the installation of the Add-ons and Accept the License Agreement.
  • Click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

Alternatively, click here to download Dr.Web CureIt and save it to your desktop.
  • Double-click the drweb-cureit.exe file, then on Start, and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
    Posted Image
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    Posted Image
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply.


#23 serpntene (Topic Starter, Member, 67 posts)
Sunday, January 31, 2010 01:48:12 - 02:54:22
Computer name: RCOOPER
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\


--------------------------------------------------------------------------------

5 malware found
TrackingCookie.Advertising (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Tradedoubler (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 35247
System: 2807
Not scanned: 6
Actions:
Disinfected: 5
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

#24 JSntgRvr (Global Moderator, 11,579 posts)
Your computer seems clean. You didn't answer the question about the Router.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


#25 serpntene (Topic Starter, Member, 67 posts)
I do connect through a hard wire to a wireless-capable router. I can't restore it to factory default settings, though. Last time I did that, someone jacked our signal and my ISP suspended my service, claiming 100k emails were sent out in a 15-minute window.

Yes, everything is scanning clean, but I've had to close three popups while I've been typing this one reply, and I still can't update mbam, visit their website or - and this was better than average - even receive a hot link in IM to malwarebytes.org.

ALLLLL of this started because I couldn't update mbam. I found an unauthorized .exe (this one) running in process manager, killed it and deleted it along with two scheduled tasks that were put in place. I checked before cleaning/deletion and found each of these three things was created on that day. I believe it was 28th January but might have been 29th (I've been at this for three days now).

Off I go to scan with goored.

Edited by serpntene, 31 January 2010 - 11:26 AM.


#26 serpntene (Topic Starter, Member, 67 posts)
GooredFix by jpshortstuff (08.01.10.1)
Log created at 12:21 on 31/01/2010 (Rebecca Cooper)
Firefox version 3.5.7 (en-US)

========== GooredScan ==========

Removing Orphan:
"{CE436162-C178-4635-BFA4-F00E8FBFEF6C}"="C:\Documents and Settings\Rebecca Cooper\Local Settings\Application Data\{CE436162-C178-4635-BFA4-F00E8FBFEF6C}" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:32 29/06/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [01:19 13/09/2009]

C:\Documents and Settings\Rebecca Cooper\Application Data\Mozilla\Firefox\Profiles\im81q534.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [05:27 29/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [04:27 31/03/2009]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [12:46 13/05/2009]

-=E.O.F=-
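As an added illustration (not part of this thread and not GooredFix's own code), the Python below applies the kind of triage the log above reflects: it parses the HKLM Firefox Extensions registrations from a GooredFix-style log and flags any extension whose registered directory is a GUID-named folder under a user's Local Settings\Application Data, the location where the orphan above was found. The sample log is constructed from the log format shown; the registry line for the orphan GUID, its timestamp, the user name and the jqs@vendor.example id are made up.

```python
import re

# Added example, not the thread's or GooredFix's code. Extensions registered
# under HKLM that point into a GUID folder beneath a user's
# "Local Settings\Application Data" match the orphan pattern in the log above.

# Assumption: legitimately installed extensions live under Program Files or
# inside the user's Firefox profile directory.
TRUSTED_ROOTS = ("c:\\program files\\",
                 "\\application data\\mozilla\\firefox\\profiles\\")
SUSPECT_MARKER = "\\local settings\\application data\\{"

# One registration line: "id"="path" [timestamp]
REG_LINE = re.compile(r'^"(?P<id>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]+)\]')


def parse_registrations(log_text):
    """Return (extension id, path) pairs from the HKLM Firefox Extensions block."""
    in_section, found = False, []
    for line in log_text.splitlines():
        if line.startswith("[HKEY_"):
            in_section = line.rstrip("]").lower().endswith("\\firefox\\extensions")
            continue
        m = REG_LINE.match(line) if in_section else None
        if m:
            found.append((m.group("id"), m.group("path")))
    return found


def classify(path):
    """'suspect' for the orphan pattern, 'expected' for trusted roots, else 'review'."""
    p = path.lower()
    if SUSPECT_MARKER in p:
        return "suspect"
    if any(root in p for root in TRUSTED_ROOTS):
        return "expected"
    return "review"


def triage(log_text):
    """Map each registered extension id to its verdict."""
    return {ext_id: classify(path) for ext_id, path in parse_registrations(log_text)}


# Constructed sample modelled on the GooredLog section above (user name,
# orphan registry line, its timestamp and the jqs id are invented).
SAMPLE_LOG = r"""GooredFix by jpshortstuff (08.01.10.1)
========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:32 29/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [04:27 31/03/2009]
"jqs@vendor.example"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [12:46 13/05/2009]
"{CE436162-C178-4635-BFA4-F00E8FBFEF6C}"="C:\Documents and Settings\User\Local Settings\Application Data\{CE436162-C178-4635-BFA4-F00E8FBFEF6C}" [10:02 28/01/2010]

-=E.O.F=-
"""

if __name__ == "__main__":
    for ext_id, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:9} {ext_id}")
```

The .NET Framework Assistant lands in "review" because it is registered from neither trusted root, which is the honest answer for a legitimate but unusually located extension.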

#27 JSntgRvr (Global Moderator, 11,579 posts)
Did you reset the Router?

#28 serpntene (Topic Starter, Member, 67 posts)
I can bypass the router if you think it will help. I can power cycle the router and the modem. I cannot restore the router's factory defaults as it would leave my network unlocked.

Shall I bypass for testing purposes?

#29 JSntgRvr (Global Moderator, 11,579 posts)
> I can bypass the router if you think it will help. I can power cycle the router and the modem. I cannot restore the router's factory defaults as it would leave my network unlocked.
>
> Shall I bypass for testing purposes?

You mean connected directly to the modem? Sure!

#30 serpntene (Topic Starter, Member, 67 posts)
Alright, I have bypassed the router and hooked directly up to the modem.

After just a few minutes, I am still receiving popups, redirects, etc. I'm not seeing false antivirus GUIs popping up like with some of the ransomware programs. However, I am redirected to the generic "WARNING Your computer is without virus protection!!" box/page about every fifteen minutes.

How to proceed?