Deep rooted browser hijack? [Solved]
Posted 24 February 2014 - 01:39 PM
Posted 24 February 2014 - 02:34 PM
Posted 24 February 2014 - 02:36 PM
Posted 25 February 2014 - 08:08 AM
Download and Install Combofix
Download ComboFix from one of the following locations:
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
[image: ComboFix disclaimer dialog - http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png]
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If, after the reboot, you get errors about programmes being marked for deletion, reboot again; that will cure it.
Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.
Posted 25 February 2014 - 09:24 AM
When I told you of my recent infection, I had just run ComboFix and it came up with a number of errors in downloading/updating; in fact I couldn't get it to run properly, so I ran Malwarebytes in Safe Mode, which found 28 PUP infections. I ran ComboFix again after this, which didn't seem to find anything... to my limited interpretation anyway.
I will now run Combofix and report back with the log.
Posted 25 February 2014 - 09:52 AM
This was during updating in Safe Mode.
Error saving file.
RegCreateKeyEx: 5. Access denied.
There are 4 more error reports following in the above format, but after \Hiv-backup\ the error code changes...
Last error report...
Error opening file for writing
Posted 25 February 2014 - 09:55 AM
Run the programme you have just downloaded to your desktop ( it will be randomly named )
First we will run a virus scan
Select the cog to access scan areas
On the first tab, select all elements down to OS (C:) and then select Start scan
[image: Kaspersky scan area selection - https://dl.dropboxusercontent.com/u/73555776/Kas%20Scan%20area.JPG]
Once it has finished select reports and post the detected threats
Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once it has completed then click Step 2 Report sending
And you will be taken to the zip file that needs to be attached
Posted 25 February 2014 - 10:47 AM
Posted 25 February 2014 - 03:00 PM
Posted 25 February 2014 - 04:07 PM
Posted 25 February 2014 - 05:39 PM
Posted 25 February 2014 - 05:49 PM
Posted 26 February 2014 - 08:11 AM
Two tasks:
- Re-run AVPTool
- Select the Manual Disinfection tab and press Script execution
- Where it states "Insert text script in the following box", copy the script below and press Run script
Copy from begin until end.
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\Users\Ady\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE');
BC_DeleteFile('C:\Users\Ady\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
end.
- Your system will reboot on completion, if it does not please do so yourself
- On completion please run another analysis scan and attach the zip file
Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
- Open OTL and, under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[CREATERESTOREPOINT]

:Files
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c
netsh winsock reset /c
netsh advfirewall reset /c

:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
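As an added example that is not part of the original thread and not code from AVZ, OTL or ComboFix: the same two tasks done by hand in PowerShell, with a triage step (expand the 8.3 short name, hash the file, check its signature, find autostart entries that reference it) before anything is deleted, and a backup of the hosts file before it is reset. The suspect path is the one named in the AVZ script above; the backup folder, function names, the proxy check and the requirement for PowerShell 4 or later are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread, AVZ or OTL). Run from an
# elevated PowerShell 4+ prompt on the affected machine. The suspect path is
# the one named in the AVZ script; $BackupDir and the function names are
# this example's own choices.

$ShortPath = 'C:\Users\Ady\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE'
$BackupDir = "$env:SystemDrive\HijackBackup"   # assumed location for copies/backups
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Get-SuspectFileReport {
    # Expand the 8.3 short name, fingerprint the file and check whether it is
    # signed, so the removal is logged and the file can be identified later.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Exists = $false; LongPath = $null }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName
    [pscustomobject]@{
        Exists    = $true
        LongPath  = $item.FullName         # DIGITA~1\UPDATE~1 expanded to long names
        SizeBytes = $item.Length
        Created   = $item.CreationTime
        SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status            # NotSigned, Valid, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
        # Autostart values that point at the file; a hijacker's updater usually has one.
        RunKeys   = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        ) | ForEach-Object {
            $key = $_
            (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PSObject.Properties |
                Where-Object { $_.Value -like "*$($item.Name)*" } |
                ForEach-Object { "$key\$($_.Name) = $($_.Value)" }
        }
    }
}

function Reset-NetworkAndHosts {
    # Hand-rolled equivalent of the OTL fix: back up and reset the hosts file,
    # run the same ipconfig/netsh commands, and empty the user's temp folder.
    param([Parameter(Mandatory)][string]$BackupDir)

    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    Copy-Item -LiteralPath $hosts -Destination (Join-Path $BackupDir 'hosts.bak') -Force

    # Active (non-comment) lines: a clean Windows hosts file has none, so every
    # line returned here is a mapping something else added and worth reading.
    $active = @(Get-Content -LiteralPath $hosts | Where-Object { $_ -match '^\s*[^#\s]' })

    # [resethosts] equivalent: a hosts file with no active mappings.
    Set-Content -LiteralPath $hosts -Encoding ASCII -Force -Value @(
        '# hosts file reset during cleanup; localhost is resolved by DNS itself',
        '#   127.0.0.1       localhost',
        '#   ::1             localhost'
    )

    # The :Files commands from the OTL fix, in the same order.
    ipconfig /flushdns      | Out-Null
    ipconfig /release       | Out-Null
    ipconfig /renew         | Out-Null
    netsh winsock reset     | Out-Null
    netsh advfirewall reset | Out-Null

    # [emptytemp] equivalent for the current user's temp folder.
    Get-ChildItem -LiteralPath $env:TEMP -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue

    return $active
}

$report = Get-SuspectFileReport -Path $ShortPath
$report | Format-List

if ($report.Exists) {
    # Keep a copy for later analysis, then do what the AVZ DeleteFile step does.
    Copy-Item -LiteralPath $report.LongPath -Destination $BackupDir -Force
    # A running updater holds its own file open; stop it first (AVZ falls back
    # to a boot-time delete, BC_DeleteFile, for the same reason).
    Get-Process | Where-Object { $_.Path -eq $report.LongPath } | Stop-Process -Force
    Remove-Item -LiteralPath $report.LongPath -Force
}

# Browser hijackers also commonly set a system proxy; show it so it can be cleared.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL

$removedHostsEntries = Reset-NetworkAndHosts -BackupDir $BackupDir
$removedHostsEntries | Set-Content -Path (Join-Path $BackupDir 'removed-hosts-entries.txt')
# Reboot afterwards, as both tools require:  Restart-Computer -Force
```

The report is printed before anything destructive runs, so the hash, signer and Run-key hits can be pasted into the thread alongside the AVZ and OTL logs; `ipconfig /release` will drop the network for a moment, so run this from the console rather than over a remote session.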