Step 6
Problems Encountered: Says it can't find the file when I type that in.
Code:
Windows cannot find 'ComboFix'. Make sure you typed the name correctly, and then try again.
Yeah my bro being a retard as he is, shift-deleted it to "clean the clutter" on the desktop. Almost positive that's what caused it.
And yes, I reinstalled AVG.
|Z3R0|
Step 6
Problems Encountered: N/A
I ended up using Comodo based purely on its score from the site you gave me and it would be awesome if you could help me set it up properly. I would say I am an avid gamer and play games such as World of Warcraft, League Of Legends and many of the Steam games such as TF2 and Half Life and Left 4 Dead. My DxDiag can be found at HERE but a summary of my computer is Windows 7 Professional, no service pack, and I use the internet avidly. So your professional input on how to set it up would be greatly appreciated.
Also, I am almost 95% sure I am still infected. Today, while this site was down, I was surfing the internet and my web page went from a full page to a maximized page and went to this IP address, 208.109.186.145. Then I was forwarded to some other random web page completely irrelevant to what I was searching for. Also, I went into my hosts file and noticed that it had all been erased, and was instead replaced with 127.0.0.1. That's what really got me going, but AVG didn't detect anything under a rootkit, shell, and full computer scan.
Thanks for the great help so far!
|Z3R0|
P.S. I have a program (CurrPort) and have 4 logs that I created with the internet off, turning it on, opening the internet, and another of when I went to a login page such as hotmail or battle.net. I was trying to trigger the process to start and maybe try to make a connection or something, if you would like the logs let me know and I'll PM them to you. Not sure I would want to share that over an open thread >.> Again thanks for all the great help so far.
Quote:I ended up using Comodo based purely on its score from the site you gave me and it would be awesome if you could help me set it up properly.
It was the correct choice, IMHO.
Quote:I would say I am an avid gamer and play games such as World of Warcraft, League Of Legends and many of the Steam games such as TF2 and Half Life and Left 4 Dead.
I see. Please right-click on the Comodo icon in the system tray and set the following accordingly.
- Firewall Security Level
- Defense + Security Level
- Clean PC Mode (if you consider yourself a process-erudite)
- Training Mode (if not)
- Sandbox Security Level
Note that you can set your firewall to Game Mode whenever necessary. Just do not forget to switch it back after.
Quote:Also, I am almost 95% sure I am still infected. Today, while this site was down, I was surfing the internet and my web page went from a full page to a maximized page and went to this IP address, 208.109.186.145.
Download
SUPERAntiSpyware.
- Install it and let it check for updates.
- Perform a complete scan and let it remove everything it finds.
- Once done, post the log here and provide the link to this thread.
Quote:Then was forwarded to some other random web page completely irrelevant to what I was searching for. Also, I went into my hosts file and noticed that it had all been erased, and was instead replaced with 127.0.0.1.
- Step 7
Open Notepad.
Copy (Ctrl +C) and paste everything on the quote box below:
Quote:@echo off
rem Restore the hosts file to a single localhost entry.
pushd %SystemRoot%\System32\drivers\etc
rem Clear the hidden/system/read-only attributes so the file can be overwritten.
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
rem Put the attributes back (this also hides the file in Explorer).
attrib +r +h +s hosts
popd
rem Remove this batch file when finished.
del %0
In the Notepad interface, go to File > Save As.
Specify the file name as reset.bat or anything you wish however using the same file extension.
Change Save As Type to All Files and save the file to your Desktop.
Now double-click on reset.bat located at your Desktop to run the batch file. It will self-delete when completed.
Quote:That's what really got me going, but AVG didn't detect anything under a rootkit, shell, and full computer scan.
I would recommend a change of Anti-Virus. Preferably Avira.
Quote:P.S. I have a program (CurrPort) and have 4 logs that I created with the internet off, turning it on, opening the internet, and another of when I went to a login page such as hotmail or battle.net. I was trying to trigger the process to start and maybe try to make a connection or something, if you would like the logs let me know and I'll PM them to you. Not sure I would want to share that over an open thread >.> Again thanks for all the great help so far.
Yes, please do so.
- Step 8
Please download the OTL Log Analysis tool from 'here'. Please click the Go (Arrow Button) or press Enter in the URL address bar to start the download.
- Save it to your Desktop.
- Please double-click OTL.exe to run it.
- Make sure all other windows are closed to let it run uninterrupted.
- When the window appears, underneath Output, change it to Minimal Output.
- Under the Standard Registry box change it to All.
- Check the boxes beside LOP Check and Purity Check.
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows.
- These are saved in the same location as OTL.
- Please copy (Right-click > Select All > Copy) the contents of these files, one at a time, and post it with your next reply.
- In your next post, please provide the following:
- A Fresh HijackThis (HJT) Log
- Deckard's System Scanner (DDS) Logs
- OTL Scan Log
- Format of Response
Code:
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Link To Requested Logs:[/b][/color]
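Added example (not code from the thread or from any of the tools it names): a small Python audit of a Windows hosts file, which separates harmless loopback "block" entries from the hijack pattern described above (a real hostname mapped to a remote IP), and checks whether a file is back to the single localhost line that the reset.bat in Step 7 writes. The hostnames in the sample are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample: what a hijacked hosts file might look like after the
# redirect behaviour described in the thread (hostnames are placeholders).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# legitimate self-blocks the user added
127.0.0.1       activation.example-vendor.invalid
# hijack pattern: a real site silently redirected to a remote host
208.109.186.145 www.example-search.invalid example-search.invalid
"""

DEFAULT_HOSTS = "127.0.0.1 localhost\n"   # what the thread's reset.bat writes

def parse_hosts(text):
    """Return (ip, [hostnames]) for each active line; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # malformed line, ignore it
        if names:
            entries.append((ip, names))
    return entries

def audit_hosts(text):
    """Classify mapped hostnames: loopback (a block) vs redirect to a remote IP."""
    report = {"loopback": [], "redirect": []}
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        bucket = "loopback" if addr.is_loopback else "redirect"
        report[bucket].extend(names)
    return report

def is_default(text):
    """True when the file maps nothing but localhost, as after running reset.bat."""
    entries = parse_hosts(text)
    return bool(entries) and all(ipaddress.ip_address(ip).is_loopback and
                                 names == ["localhost"] for ip, names in entries)
```

Any hostname in the "redirect" bucket deserves a look, since a legitimate hosts file rarely sends a public site to a third-party address.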
I now see the problem. You had a Rogue Anti-Virus attack.
- Step 9
Please download the OTM File Mover from 'here'.
- Save it to your Desktop.
- Please double-click OTM.exe to run it.
- Copy the lines inside the Code box below to the Clipboard by highlighting all of the content and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Processes
explorer.exe
Palladium.exe
z.exe
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Palladium"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Palladium Pro"=-
[-HKEY_CURRENT_USER\Software\Palladium Pro]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Palladium Pro"=-
[-HKEY_CURRENT_USER\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}]
:Files
%UserProfile%\Application Data\completescan_pal
%UserProfile%\Application Data\install_pal
%UserProfile%\Application Data\palladium.exe
%UserProfile%\Application Data\uid_pal
%UserProfile%\Desktop\Palladium.lnk
%UserProfile%\Start Menu\Programs\Palladium.lnk
%ProgramFiles%\Palladium Pro
%ProgramFiles%\Startup\Palladium Pro.lnk
%AppData%\Palladium.exe
%AppData%\z.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Return to OTM, right-click in the Paste Instructions for Items to be Moved window and choose Paste.
- Click the red MoveIt! button.
- Copy everything in the Results window to the Clipboard by highlighting all of the content and by pressing CTRL + C (or, after highlighting, right-click and choose Copy).
- Paste it in your next reply.
- Close OTM.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the moving process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start > All Programs > Accessories > Notepad) and click File > Open. In the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present. Copy and paste the contents of that document back here in your next post.
Step #
Problems Encountered: N/A
Link To Requested Logs: OTM Log
I also noticed that I can't seem to see my hosts file in system32. I actually had links in there to uhh *cough* keep certain programs from *cough* contacting servers *cough cough ad-o-be cough* but it isn't showing up for me. I tried to make another hosts file instead but couldn't because it says there was already a file named "hosts" and I'm not allowed to replace it. Any idea on that? Not THAT big of a deal if you don't know, just an inconvenience to me.
Thanks,
|Z3R0|
Very well. Please follow the instructions below.
- Step 10
Please set Windows 7 to show both hidden and system files and folders so that you can find specific files to delete.
- Click Start and navigate to Control Panel.
- On Appearance and Personalization > Folder Options > Show hidden files and folders.
- On the View tab, uncheck the following:
- Hide file extensions for known file types
- Hide protected operating system files (Recommended)
- Click Yes on the warning message.
- Under Hidden files and folders, check Show hidden files, folders, and drives.
- Click Apply to All Folders.
- Click OK.
Note: I will give you instructions for hiding them again once your system seems clean.
- Step 11
Please open Notepad as Administrator.
- Click File > Open....
- On the drop-down menu, set it to view All Files (*.*).
- Navigate to C:\Windows\System32\drivers\etc > HOSTS.
- Make the necessary changes and select File > Save.
Step 10
Problems Encountered: N/A
Step 11
Problems Encountered: N/A
|Z3R0|