[Active] Browser hijacked amongst other things.
-
It all started when I was browsing and must have clicked on some wrong link, and my Avast went crazy telling me of viruses and malware and so forth and froze the computer. I was forced to reboot the computer and I was infected with RootKit Trojan. Avast seemed to do nothing to the Win32:RootKit Trojan. I did a ton of Boot Scans that didn't seem to do anything. I still got warnings from Avast of this Trojan. I came on here and signed up and followed all the instructions in the intro post.
I ran Spybot S & D and got rid of a ton of files before rebooting and after rebooting. It seemed to get rid of everything, nothing was left behind that it found. I then ran Avast Boot scanner and it finally seemed to have gotten rid of 4 RootKit files. It seemed all better except when I restarted the computer it gives me this message. Something like "There was an error and seekapp132.exe has to terminate." I have no idea what that program is.
The CD drives and my secondary G: hard drive all seem to be working fine again, as they didn't work before I ran Spybot. Then when I go on the internet in both Explorer and Firefox, I search for something in Google and it redirects me to an ad page instead of the intended link. SeekZilla seemed to pop up the most amongst other ads.
Then I went and downloaded HijackThis to follow that step and I get this exact message:
"The application has failed to start because MSVBVM60.DLL was not found. Re-installing the application may fix this."
It didn't even seem to install at all because it's not in the Add or Remove list. But it is in the program list, and under the Program Files folder all there is is the Hijackthis.exe file at 387 KB. I'm not sure what to do at this point. I would much appreciate some help in this matter. It's been a rough few days.
-
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
-
I ran combofix and here is my report. Below I also tried installing and running and got the same message as before.
ComboFix 09-07-03.03 - Roxanne 07/03/2009 19:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.549 [GMT -7:00]
Running from: c:\documents and settings\Roxanne\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090703-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Seekapp\seekapp132.exe
c:\documents and settings\All Users\Application Data\SeekappSrch\seekapp143.exe
c:\documents and settings\Roxanne\Local Settings\Temporary Internet Files\otanebynyn.exe
C:\p2hhr.bat
c:\program files\Seekapp\readme.html
c:\program files\Seekapp\seekapp.dll
c:\program files\Seekapp\seekapp.exe
c:\program files\Seekapp\uninstall.exe
c:\program files\SeekappSrch\seekapp.dll
c:\program files\SeekappSrch\seekappsrch.exe
c:\program files\SeekappSrch\uninstall.exe
c:\windows\010112010146118114.dat
c:\windows\0101120101465749.dat
c:\windows\Installer\101510c.msi
c:\windows\strt_1246429335.exe
c:\windows\system32\gsf83iujid.dll
c:\windows\system32\wbem\proquota.exe
G:\Autorun.inf
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.
2009-07-03 23:01 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-03 23:01 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-03 00:53 . 2009-07-03 00:53 -------- d-----w- c:\documents and settings\Roxanne\Application Data\Safer Networking
2009-07-03 00:52 . 2009-07-03 00:52 -------- d-----w- c:\program files\Safer Networking
2009-07-01 12:03 . 2009-07-01 12:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-01 12:03 . 2009-07-01 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-01 01:42 . 2009-07-01 01:42 1 ---h--w- c:\windows\jmmark2.dat
2009-07-01 01:42 . 2009-07-01 01:42 1 ---h--w- c:\windows\bf23567.dat
2009-06-30 16:01 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-30 16:01 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-30 16:01 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-30 16:01 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-30 16:01 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-30 16:01 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-30 16:01 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-30 16:01 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-30 16:01 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-27 19:53 . 2009-06-27 19:53 -------- d-----w- c:\program files\Common Files\Skype
2009-06-27 19:53 . 2009-06-27 19:53 -------- d-----r- c:\program files\Skype
2009-06-16 02:56 . 2009-06-16 02:56 -------- d-----w- c:\documents and settings\Roxanne\Local Settings\Application Data\Creative
2009-06-13 05:50 . 2009-06-13 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 02:27 . 2008-05-25 19:01 -------- d-----w- c:\documents and settings\Roxanne\Application Data\Skype
2009-07-03 23:01 . 2008-05-25 19:02 -------- d-----w- c:\documents and settings\Roxanne\Application Data\skypePM
2009-07-03 20:46 . 2008-08-05 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-03 06:08 . 2008-07-21 02:17 -------- d-----w- c:\documents and settings\Roxanne\Application Data\ArcSoft
2009-06-29 23:13 . 2008-12-14 17:36 -------- d-----w- c:\documents and settings\Roxanne\Application Data\Azureus
2009-06-27 19:53 . 2008-05-18 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-20 00:29 . 2008-08-05 00:03 -------- d-----w- c:\program files\Google
2009-06-13 06:12 . 2008-10-09 03:41 -------- d-----w- c:\documents and settings\Roxanne\Application Data\Move Networks
2009-06-13 05:50 . 2008-05-16 18:16 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-13 05:50 . 2008-05-16 18:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-16 17:19 . 2009-05-16 17:19 -------- d-----w- c:\program files\iTunes
2009-05-16 17:19 . 2009-05-16 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-16 17:19 . 2009-05-16 17:19 -------- d-----w- c:\program files\iPod
2009-05-16 17:19 . 2008-07-07 04:37 -------- d-----w- c:\program files\Common Files\Apple
2009-05-16 17:15 . 2009-05-16 17:15 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-09 01:42 . 2008-12-14 17:36 -------- d-----w- c:\program files\Vuze
2009-05-07 15:32 . 2004-08-12 13:59 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 16:52 . 2008-05-17 06:54 203880 -c--a-w- c:\documents and settings\Roxanne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-29 04:56 . 2004-08-12 14:09 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-23 05:17 . 2008-09-21 06:30 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-23 05:16 . 2009-04-23 05:16 152576 -c--a-w- c:\documents and settings\Roxanne\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2004-08-12 14:09 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-12 14:04 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-11-11 01:12 . 2008-11-11 01:12 19727 -c--a-w- c:\program files\Common Files\uqap.lib
2008-11-11 01:12 . 2008-11-11 01:12 18901 -c--a-w- c:\program files\Common Files\arace._sy
2008-11-11 01:12 . 2008-11-11 01:12 17781 -c--a-w- c:\program files\Common Files\xynum.bat
2008-11-11 01:12 . 2008-11-11 01:12 17493 -c--a-w- c:\program files\Common Files\cykyzyb._sy
2008-11-11 01:12 . 2008-11-11 01:12 16071 -c--a-w- c:\program files\Common Files\moby.bin
2008-11-11 01:12 . 2008-11-11 01:12 13229 -c--a-w- c:\program files\Common Files\ofimire.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-02-02 251264]
"Google Update"="c:\documents and settings\Roxanne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"Rainlendar2"="g:\rainlendar2\Rainlendar2.exe" [2009-02-21 4333568]
"SKYLINK 2-in-1 Phone Utility"="G:\SKYLINK 2-in-1 Phone Utility.exe" [2009-06-27 258048]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-05-27 24264488]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"CTDVDDET"="c:\program files\Creative\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-23 148888]
"QuickTime Task"="g:\my downloads\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-13 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-13 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Roxanne^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Roxanne\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Documents and Settings\\Roxanne\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"g:\\Program Files\\Etch A Sketch\\EtchASketch.exe"=
"g:\\EXTRA STUFF\\My Games\\PopDrop\\PopNDrop.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/30/2009 9:01 AM 114768]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [11/10/2008 3:41 PM 9600]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/30/2009 9:01 AM 20560]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S2 gupdate1c9ddc93f1a9ff5;Google Update Service (gupdate1c9ddc93f1a9ff5);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2009 11:14 PM 133104]
S2 Seekapp Service;Seekapp Service;"c:\documents and settings\All Users\Application Data\Seekapp\seekapp132.exe" "c:\program files\Seekapp\seekapp.dll" Service --> c:\documents and settings\All Users\Application Data\Seekapp\seekapp132.exe [?]
S2 SeekappSrch Service;SeekappSrch Service;"c:\documents and settings\All Users\Application Data\SeekappSrch\seekapp143.exe" "c:\program files\SeekappSrch\seekapp.dll" Service --> c:\documents and settings\All Users\Application Data\SeekappSrch\seekapp143.exe [?]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
.
Contents of the 'Scheduled Tasks' folder
2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-07-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-05 13:24]
2009-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 06:14]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 06:14]
2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-362288127-839522115-1004Core.job
- c:\documents and settings\Roxanne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 17:16]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-362288127-839522115-1004UA.job
- c:\documents and settings\Roxanne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Roxanne\Application Data\Mozilla\Firefox\Profiles\u5i5ixnv.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\Roxanne\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: g:\my downloads\Plugins\npqtplugin.dll
FF - plugin: g:\my downloads\Plugins\npqtplugin2.dll
FF - plugin: g:\my downloads\Plugins\npqtplugin3.dll
FF - plugin: g:\my downloads\Plugins\npqtplugin4.dll
FF - plugin: g:\my downloads\Plugins\npqtplugin5.dll
FF - plugin: g:\my downloads\Plugins\npqtplugin6.dll
FF - plugin: g:\my downloads\Plugins\npqtplugin7.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-03 19:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1828)
c:\windows\system32\mshtml.dll
c:\program files\IncrediMail\bin\B4ImApp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-04 19:29
ComboFix-quarantined-files.txt 2009-07-04 02:28
Pre-Run: 131,013,275,648 bytes free
Post-Run: 130,988,941,312 bytes free
220 --- E O F --- 2009-06-11 01:05
-
Uninstall Combofix:
Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.
===============================================================
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe
***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***
STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen
* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 3. Download HijackThis:
TrendSecure | Download TrendMicro HijackThis
by clicking on Download HijackThis Installer
Install, and run it.
Post HijackThis log.
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!