HELP! Ultradefragger and trojan.Gen.2 removal [Closed] - Geeks to Go Forums


#1 rdbadger

  • Group: Member
  • Posts: 107
  • Joined: 21-May 12

Posted 21 May 2012 - 04:00 PM

My Symantec Corporate has detected Ultradefragger and Trojan.Gen.2. I have downloaded and run Malwarebytes, which has also detected a number of files. My issue is: I have been told that if you remove the files with "remove selected" you may stuff up everything, as you may then not be able to find any deeper roots? The scan took 10 hours to complete. Advice on this would be incredibly helpful.
Issue no. 2 at present:
All my Internet Explorer sites are being redirected. The site that it keeps directing me to is click.get-answers-fast.com, which means I have to operate on a different computer.
The other sites in my internet history that have accessed my computer remotely: clients.bluecave.com is listed, which I haven't accessed, and s-static.ak.facebook.com has also appeared in the history.
Thank you muchly in advance.

#2 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 21 May 2012 - 05:07 PM

Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • Please tell me if you have your original Windows CD/DVD available
  • When in doubt, please stop and ask first. There's no harm in asking questions!


Please do the following:

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • When asked if you want to download Avast's virus definitions please select Yes.
    Note: If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start the scan.
  • On completion of the scan click Save log, save it to your desktop and post it in your next reply.
  • Also, on the Desktop there should then be a file called MBR.dat; zip it and attach it here.


How to add an attachment to a new topic or reply

#3 rdbadger

  • Group: Member
  • Posts: 107
  • Joined: 21-May 12

Posted 21 May 2012 - 11:56 PM

Yes please - before I do anything - which is what I have asked... please tell me what to do re: the malware that has already been scanned??? Do I just let it exit without "removing infected files"? Once I know what to do with that I can move on to what you have requested. As I have said, I have read through your removal instructions and some say remove and others say if you remove the files with "remove selected" you may stuff up everything, as you may then not be able to find any deeper roots? Advice on this please - so I can start on the instructed steps!

#4 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 22 May 2012 - 12:42 AM

Just exit MBAM without removing detected items please and proceed with aswMBR scan as instructed above.

#5 rdbadger

  • Group: Member
  • Posts: 107
  • Joined: 21-May 12

Posted 22 May 2012 - 12:57 AM

Excellent! Thank you for getting back to me! I didn't know if i was going to ruin something by removing them or by exiting waste the 10 hours of scanning! I will try and keep a log, but not remove and close it down and do exactly as you have requested!
thanks!

#6 rdbadger

  • Group: Member
  • Posts: 107
  • Joined: 21-May 12

Posted 22 May 2012 - 01:03 AM

Oh... and as I have no access at the moment to the internet - should I download to a USB and transfer over?
Ta

#7 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 22 May 2012 - 02:52 AM

10 hours of scanning with MBAM is way too long. The scan should take a couple of minutes. Was it a quick or a standard scan?

Yes, you can use some kind of portable USB memory media to transfer files between two PCs.

Before you proceed please install USB Vaccine on your healthy computer:

  • Please download Panda USB Vaccine here (you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.


#8 rdbadger

  • Group: Member
  • Posts: 107
  • Joined: 21-May 12

Posted 23 May 2012 - 07:10 AM

...thanks Render, unfortunately I've been unsuccessful so far, as the computer won't seem to let me run the aswMBR.exe... very frustrating!! Yet when I go to take the USB out it says that something is still running, argh!!! I'll keep trying!

#9 rdbadger

  • Group: Member
  • Posts: 107
  • Joined: 21-May 12

Posted 23 May 2012 - 07:12 AM

I did download the vaccine - would that have affected it?
ta

#10 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 23 May 2012 - 07:37 AM

Have you copied aswMBR.exe to the desktop of the infected PC and run it from there?

Quote

I did download the vaccine - would that have affected it?

No.

#11 rdbadger

  • Group: Member
  • Posts: 107
  • Joined: 21-May 12

Posted 23 May 2012 - 02:53 PM

1. I downloaded aswMBR.exe to USB, as I could not access the website because the internet kept redirecting.
2. I copied aswMBR.exe to the desktop of the infected computer.
3. Each time I double clicked, the mouse arrow would go to the timer for about 2 seconds then stop - I could not get the program to launch successfully.
Should I try launching the program in "safe mode"?
thanks

#12 rdbadger

  • Group: Member
  • Posts: 107
  • Joined: 21-May 12

Posted 23 May 2012 - 03:36 PM

The program wouldn't even launch in safe mode... but I took a screenshot of the Task Manager and there is something eating up a whole lot of usage called services.exe: 241,809 K.

#13 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 24 May 2012 - 04:32 AM

Hi,

Please try with this (use your USB pen drive to transfer files between PCs):

  • Please download on the desktop RogueKiller (by tigzy).
  • Quit all programs.
  • Run RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan.
  • Wait for the end of the scan.
  • The report has been created on the desktop. We can also open it with the Report button.
  • Please copy content of report and post it in your next reply.


#14 rdbadger

  • Group: Member
  • Posts: 107
  • Joined: 21-May 12

Posted 26 May 2012 - 06:03 PM

Sorry, I was away on a camp in charge of 70 students so could not get back to it until now!
I was able to run RogueKiller in safe mode. Report below.
Thanks again!
RogueKiller V7.5.0 [05/24/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode
User: Roanna [Admin rights]
Mode: Scan -- Date: 05/27/2012 10:10:43

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
˙ž


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST380215A +++++
--- User ---
[MBR] a98db5155a9b72de4ff79074f785e7a3
[BSP] 96b55e2d1e6635603f4f865d4558d87d : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] e1d1fccdc0f7f1905a71fa2d92df567a
[BSP] 96b55e2d1e6635603f4f865d4558d87d : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 156280320 | Size: 10 Mo

+++++ PhysicalDrive1: Imation ImationFlashDriv USB Device +++++
--- User ---
[MBR] 72cad65ae2ceb44a23591ce0f19acf0e
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7377 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
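The MBR Check block is the important part of this report. RogueKiller reads the first sector of the disk two ways and labels them "User" and "LL2"; here the two reads produce different MD5 hashes, and the lower-level read shows a second, hidden NTFS partition (type 0x17, 10 MB, at the far end of the disk) carrying the active flag, while the user-level read shows only the normal 76308 MB volume. Two read paths disagreeing about the same sector is the classic sign that something between Windows and the disk is filtering what the OS sees, which is why the tool reports Root.MBR. The following Python is an added example written for this page; it is not part of the thread and not RogueKiller's code. It parses the standard MBR partition table (four 16-byte entries at byte 446, boot signature 55 AA at byte 510), hashes both images the way the report does, and flags the discrepancies. The two 512-byte images are constructed here to mirror the partition layout in the report, not real disk dumps, and the exact way RogueKiller obtains its "User" and "LL2" reads is an assumption of the example.

```python
import hashlib
import struct

SECTOR_BYTES = 512
PT_OFFSET = 446            # partition table starts at byte 446 of the MBR
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, size in sectors
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 16 bytes per entry
BOOT_SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80
# FAT/NTFS partition type IDs with the "hidden" bit (0x10) set, e.g. 0x17 = hidden NTFS.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1b, 0x1c, 0x1e}


def make_entry(status, ptype, lba_start, size_sectors):
    """Build one 16-byte partition entry; CHS fields are left zero (LBA is authoritative)."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, size_sectors)


def make_mbr(entries):
    """Assemble a 512-byte MBR from up to four entries, zeroed boot code, valid signature."""
    table = b"".join(entries) + b"\0" * ENTRY_LEN * (4 - len(entries))
    return b"\0" * PT_OFFSET + table + BOOT_SIGNATURE


def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR_BYTES or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for idx in range(4):
        off = PT_OFFSET + idx * ENTRY_LEN
        status, _, ptype, _, lba_start, size = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_LEN])
        if ptype == 0:          # empty slot
            continue
        parts.append({
            "index": idx,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "size_mb": size * SECTOR_BYTES // (1024 * 1024),
        })
    return parts


def compare_views(user_mbr, lowlevel_mbr):
    """Compare the MBR seen through the normal disk stack with one read at a lower level."""
    result = {
        "user_md5": hashlib.md5(user_mbr).hexdigest(),
        "lowlevel_md5": hashlib.md5(lowlevel_mbr).hexdigest(),
        "only_in_lowlevel": [],   # entries the OS-level read does not show at all
        "changed": [],            # entries whose fields differ between the two reads
        "hidden_active": [],      # hidden-type partitions that are flagged bootable
    }
    result["hash_match"] = result["user_md5"] == result["lowlevel_md5"]
    user_parts = {p["index"]: p for p in parse_partitions(user_mbr)}
    for p in parse_partitions(lowlevel_mbr):
        seen = user_parts.get(p["index"])
        if seen is None:
            result["only_in_lowlevel"].append(p["index"])
        elif seen != p:
            result["changed"].append(p["index"])
        if p["hidden"] and p["active"]:
            result["hidden_active"].append(p["index"])
    return result


# Constructed sample images mirroring the layout in the report above (not real disk dumps).
SECTORS_PER_MB = 1024 * 1024 // SECTOR_BYTES
USER_VIEW = make_mbr([make_entry(ACTIVE_FLAG, 0x07, 63, 76308 * SECTORS_PER_MB)])
LOWLEVEL_VIEW = make_mbr([
    make_entry(0x00, 0x07, 63, 76308 * SECTORS_PER_MB),                # same volume, no longer active
    make_entry(ACTIVE_FLAG, 0x17, 156280320, 10 * SECTORS_PER_MB),     # hidden NTFS, now bootable
])


def analyze_sample():
    return compare_views(USER_VIEW, LOWLEVEL_VIEW)


if __name__ == "__main__":
    r = analyze_sample()
    print("hash match:", r["hash_match"])
    print("entries only visible at low level:", r["only_in_lowlevel"])
    print("entries changed between views:", r["changed"])
    print("hidden partitions flagged active:", r["hidden_active"])
```

Run against the constructed images, the comparison reports a hash mismatch, entry 1 visible only in the low-level read, entry 0 changed (it lost its active flag) and entry 1 as a hidden partition flagged active, which is the same picture the RogueKiller output paints. A clean disk gives matching hashes and empty lists, so the same function doubles as a sanity check on a known-good machine.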

#15 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 27 May 2012 - 12:55 PM

Are you able to boot into normal mode?

Please do the following scan in normal mode if possible:

OTL Custom Scan

  • Download OTL to your desktop.
  • Double click on the OTL.exe icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Under the Extra Registry section, check Use SafeList
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    consrv.dll
    /md5stop
    %systemroot%\*. /mp /s
    %Temp%\smtmp\*.* /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

