Deep rooted browser hijack? [Solved]



#61
Zanshin

    Member

  • Topic Starter
  • 113 posts
It did say "operation failed, access denied", but am about to reboot.
  • 0

#62
Zanshin

    Member

  • Topic Starter
  • 113 posts
After following your instructions, reboot etc., tried deleting IE... because it doesn't appear anywhere except prog files... not even in any of the uninstall lists... and still demands from Trusted Installer stop me.
  • 0

#63
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, could you run Windows Updates please, and I will check this one out.
  • 0

#64
Zanshin

    Member

  • Topic Starter
  • 113 posts
Windows Updates didn't work again.
  • 0

#65
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, time for the big boy.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
  • 0

#66
Zanshin

    Member

  • Topic Starter
  • 113 posts
Hi EB. Have been using Combofix for a number of years when I think I have a serious infection, and always in safe mode (advice from my last Geekstogo request for help several years ago).
When I told you of my recent infection, I had just run Combofix and it came up with a number of errors in downloading/updating; in fact I couldn't get it to run properly, so ran Malwarebytes in safe mode, which found 28 PUP infections. I ran Combofix again after this, which didn't seem to find anything... to my limited interpretation anyway.
I will now run Combofix and report back with the log.
  • 0

#67
Zanshin

    Member

  • Topic Starter
  • 113 posts
Further to my last. I have Combofix already on the desktop, so went into safe mode, used that desktop icon and again a load of errors kicked up, so I don't know if something is stopping the resident Combofix icon/application from running correctly. Here are the error reports; then I will download a fresh copy of Combofix and report back again with the text log.
This was during updating in Safe Mode.

Error saving file.
C:Windows\erdnt\Hiv-backup\BCD
[regcreatekeyEx:5. Acess denied.

There are 4 more error reports following with the above format but after \Hiv-backup\ the error code changes...

\Hiv-backup\system
\software
\default
\security
\sam


\Hiv-backup\users\00000001\ntuser.dat
\00000002\ditto
\ 3\ditto
4\ditto

Last error report...

Error opening file for writing
C\32788R22FWJFW\NirCmd.3Xe
  • 0

#68
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan
Select the cog to access scan areas

On the first tab select all elements down to OS C and then select start scan

Once it has finished, select reports and post the detected threats.

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button

Once it has completed, click Step 2 Report sending

Click avptool.sysinfo.zip
And you will be taken to the zip file that needs to be attached
  • 0

#69
Zanshin

    Member

  • Topic Starter
  • 113 posts
Scan running; it says 10 hours, will report back tomorrow. The last help I had here a while back said always scan in safe mode, does that still hold? ... as at the moment I am running Kaspersky in normal mode.
  • 0

#70
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No, normal mode is good
  • 0

#71
Zanshin

    Member

  • Topic Starter
  • 113 posts
OK, but it's now been going 4.5 hours and the end point is saying 2 days!!!
  • 0

#72
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Has it found anything yet? If not, then stop it and run the analysis portion.
  • 0

#73
Zanshin

    Member

  • Topic Starter
  • 113 posts
Had a few pop ups saying access denied to a few files but nothing else.

Attached Files


  • 0

#74
Zanshin

    Member

  • Topic Starter
  • 113 posts
Just as an addendum... just went to view a slideshow in Outlook... up pops a window saying need to download Silverlight... ok... thought I had it... go to download and... sorry, you already have a newer version of Silverlight installed!!!!! What the... is going on? Also I still have two MS/Windows updates stuck in a perpetual cycle; every time I power down it keeps wanting to install these two updates, one ordinary, one security. When I reboot it still says Windows updates ready to install.
  • 0

#75
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
This is beginning to look like a Windows system corruption.

Two tasks ..

  • Re-run AVPTool
  • Select the Manual Disinfection tab and press Script execution
  • Where it states Insert text script in the following box copy the below script and press Run script
    Copy from Begin until End

    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    DeleteFile('C:\Users\Ady\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE');
    BC_DeleteFile('C:\Users\Ady\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE');
    BC_ImportDeletedList;
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    end.

  • Your system will reboot on completion, if it does not please do so yourself
  • On completion please run another analysis scan and attach the zip file

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[CREATERESTOREPOINT]

:Files
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c
netsh winsock reset /c
netsh advfirewall reset /c

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0
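A read-only check to run before the OTL fix in the post above, added here as an example and not code from the thread, from OTL or from AVPTool: it lists what that fix's [resethosts], ipconfig /flushdns, netsh winsock reset and netsh advfirewall reset lines are about to clear, so the before-state is on record and a tampered hosts file or a non-Microsoft Winsock provider shows up in the log you post. It assumes only the built-in ipconfig and netsh tools and an elevated PowerShell prompt; the section headings and output layout are my own.

```powershell
# Added example, not part of the thread and not OTL's or AVPTool's own code.
# Read-only audit of the items the OTL fix resets: hosts file, DNS cache,
# Winsock catalog and firewall profile state. Nothing here changes the system.
# Assumes: built-in ipconfig/netsh only, run from an elevated PowerShell prompt.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Hosts file: print every active mapping except the default loopback lines.
#    Extra entries here (search, update or vendor domains sent elsewhere) are a
#    classic browser-hijack sign and are exactly what [resethosts] wipes.
Write-Output '== Active hosts entries (non-default) =='
Get-Content -Path $hostsPath | ForEach-Object {
    if ($_ -notmatch '^\s*(#|$)' -and
        $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b') {
        "  $_"
    }
}

# 2. DNS resolver cache: the record names that ipconfig /flushdns will discard.
Write-Output '== Cached DNS record names =='
ipconfig /displaydns | ForEach-Object {
    if ($_ -match 'Record Name[ .]*:\s*(\S+)') { $Matches[1] }
} | Sort-Object -Unique | ForEach-Object { "  $_" }

# 3. Winsock catalog: provider descriptions that netsh winsock reset rebuilds.
#    Anything beyond the Microsoft-supplied providers deserves a close look.
Write-Output '== Winsock catalog providers =='
netsh winsock show catalog | ForEach-Object {
    if ($_ -match '^\s*Description:\s*(.+)$') { $Matches[1].Trim() }
} | Sort-Object -Unique | ForEach-Object { "  $_" }

# 4. Firewall profile state, which netsh advfirewall reset returns to defaults.
Write-Output '== Firewall profile state =='
netsh advfirewall show allprofiles state
```

Run it once before the fix and once after the reboot; comparing the two outputs shows what the fix actually changed, and a hosts entry or Winsock provider that reappears after the reset points at something still active on the system rather than at leftover settings.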





