
Slow laptop with infuriating search engine redirect problem



b16mts
2011-12-06, 15:35
Hi,

My wife's laptop has progressively got slower, and recently, when clicking on any results from search engines, it redirects to all kinds of places.

The other issue (possibly related or not) is that my wife's Yahoo and Facebook account passwords keep getting changed by someone every few weeks, and I'm positive it's no-one we know, as each time she changes it there's no way anyone could know what it was, unless perhaps her computer is being watched.

I think I've attached what I need. Please be gentle, but if I can find a way of fixing this without having to do a clean Windows install I'll be a happy man.



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Martin at 14:24:39 on 2011-12-06
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1037 [GMT 0:00]
.
AV: BullGuard Antivirus *Enabled/Updated* {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\SvcHost.exe -k BullGuard_Main
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
svchost.exe
C:\WINDOWS\System32\SvcHost.exe -k BullGuard
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://uk.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://uk.yahoo.com/?fr=fp-yie8
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: BullGuard Safe Browsing: {fc872b94-35e3-4b94-b028-184a2a1c7cce} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIEBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {B67FA914-5D1D-4BEA-97F0-87798333AD72} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe" -boot
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\BGLsp.dll
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1307762104593
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{4CEF7BC5-AF19-4034-B4F0-5CAEF44F7189} : DhcpNameServer = 192.168.0.1
Handler: bglink - {FC872B94-35E3-4B94-B028-184A2A1C7CCE} - c:\program files\bullguard ltd\bullguard\antiphishing\ie\BGAntiphishingIEBHO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: BgGamingMonitor.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 BdSpy;BdSpy;c:\windows\system32\drivers\BdSpy.sys [2011-4-29 64608]
R1 NovaShieldFilterDriver;NovaShieldFilterDriver;c:\windows\system32\drivers\NSKernel.sys [2011-4-29 789448]
R1 NovaShieldTDIDriver;NovaShieldTDIDriver;c:\windows\system32\drivers\NSNetmon.sys [2011-4-29 19272]
R2 BsBhvScan;BullGuard behavioural detection service;c:\program files\bullguard ltd\bullguard\BullGuardBhvScanner.exe [2011-5-18 338264]
R2 BsBrowser;BullGuard antiphishing service;c:\windows\system32\SvcHost.exe -k BullGuard_LowPriv [2008-4-14 14336]
R2 BsFileScan;BullGuard on-access service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-4-14 14336]
R2 BsFire;BullGuard firewall service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-4-14 14336]
R2 BsMailProxy;BullGuard e-mail monitoring service;c:\windows\system32\SvcHost.exe -k BullGuard [2008-4-14 14336]
R2 BsMain;BullGuard main service;c:\windows\system32\SvcHost.exe -k BullGuard_Main [2008-4-14 14336]
R2 BsUpdate;BullGuard update service;c:\program files\bullguard ltd\bullguard\BullGuardUpdate.exe [2011-5-18 320344]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-23 366152]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-4-29 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-4-29 267624]
R3 BsScanner;BullGuard scanning service;c:\program files\bullguard ltd\bullguard\BullGuardScanner.exe [2011-5-25 288600]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-23 22216]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2011-9-10 27632]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-9 136176]
S3 BgRaSvc;BgRaSvc;c:\program files\bullguard ltd\bullguard\support\BgRaSvc.exe [2011-5-18 125784]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-9 136176]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\sony ericsson\sony ericsson pc companion\PCCService.exe [2011-9-10 155344]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-11-13 15:31:45 82776 ----a-w- c:\windows\system32\BGLsp.dll
2011-10-18 19:14:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-12 13:16:25 69120 --sha-r- c:\windows\system32\msratelcu.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 14:25:50.06 ===============

Attached the zip file too.

jeffce
2011-12-07, 15:39
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your malware issues; this may or may not solve other issues you have with your machine.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method ( Recommended: Immediate Notification)
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.
----------


GMER

Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
----------

b16mts
2011-12-07, 20:07
Jeff,

I think I've done as asked and hopefully attached the file.

Thanks for your help.

martin

jeffce
2011-12-07, 20:30
Hi b16mts,


I think I've done as asked and hopefully attached the file. :bigthumb:
----------

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view
Choose to "show hidden files and folders,"
Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
Close the window with ok
---------

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to VirusTotal, please click VirusTotal (www.virustotal.com)

Copy and paste the following into the upload a file box (one at a time if more than one file is listed)

c:\windows\system32\msratelcu.dll <============

Scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Double click the aswMBR icon to run it.
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it
----------

In your next reply please post the logs created by VirusTotal and aswMBR.exe. :)

b16mts
2011-12-07, 21:22
Jeff, I've tried the VirusTotal thing, and it seems to send the file, but I get nothing back that I can attach.

I've done the other one though.

cheers,

Martin

jeffce
2011-12-07, 22:01
Hi b16mts,

If you could just let me know what it says in the portion shown below after VirusTotal scans that would be just fine. You can just copy/paste it directly from the VirusTotal page when the scans are complete. :)


File name: xxxxxxxxxxxxxxxxxx
Submission date: 2011-12-07 20:46:11 (UTC)
Current status: finished
Result: 0/ 42 (0.0%)
VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.12.07.00 2011.12.07 -
AntiVir 7.11.19.20 2011.12.07 -
Antiy-AVL 2.0.3.7 2011.12.07 -
Avast 6.0.1289.0 2011.12.07 -
AVG 10.0.0.1190 2011.12.07 -
BitDefender 7.2 2011.12.07 -
ByteHero 1.0.0.1 2011.12.07 -
CAT-QuickHeal 12.00 2011.12.07 -
ClamAV 0.97.3.0 2011.12.07 -
Commtouch 5.3.2.6 2011.12.07 -
Comodo 10874 2011.12.07 -
DrWeb 5.0.2.03300 2011.12.07 -
Emsisoft 5.1.0.11 2011.12.07 -
eSafe 7.0.17.0 2011.12.06 -
eTrust-Vet 37.0.9609 2011.12.07 -
F-Prot 4.6.5.141 2011.11.29 -
F-Secure 9.0.16440.0 2011.12.07 -
Fortinet 4.3.388.0 2011.12.07 -
GData 22.300/22.559 2011.12.07 -
Ikarus T3.1.1.109.0 2011.12.07 -
Jiangmin 13.0.900 2011.12.06 -
K7AntiVirus 9.119.5619 2011.12.07 -
Kaspersky 9.0.0.837 2011.12.07 -
McAfee 5.400.0.1158 2011.12.07 -
McAfee-GW-Edition 2010.1E 2011.12.07 -
Microsoft 1.7903 2011.12.07 -
NOD32 6691 2011.12.07 -
Norman 6.07.13 2011.12.07 -
nProtect 2011-12-07.01 2011.12.07 -
PCTools 8.0.0.5 2011.12.07 -
Prevx 3.0 2011.12.07 -
Rising 23.87.02.01 2011.12.07 -
Sophos 4.71.0 2011.12.07 -
SUPERAntiSpyware 4.40.0.1006 2011.12.07 -
Symantec 20111.2.0.82 2011.12.07 -
TheHacker 6.7.0.1.353 2011.12.07 -
TrendMicro 9.500.0.1008 2011.12.07 -
TrendMicro-HouseCall 9.500.0.1008 2011.12.07 -
VBA32 3.12.16.4 2011.12.07 -
VIPRE 11216 2011.12.07 -
ViRobot 2011.12.7.4813 2011.12.07 -
VirusBuster 14.1.104.0 2011.12.07 -
Additional information
MD5 : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SHA1 : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SHA256: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Thank you for the aswMBR log. :bigthumb:

b16mts
2011-12-07, 22:54
Jeff,

I've tried again and it goes to a window stating the file is uploading, then I get taken back to the upload screen with no other info than before.

sorry,

Martin

jeffce
2011-12-07, 23:27
Hi,

Oh no...no need to apologize. :)
-----------

Let's try a different place to check this file out.

I would ask you to please click on the following link and follow my instructions:
Virscan.org (http://virscan.org/)
Once at the web page please:
Press Browse button
Locate c:\windows\system32\msratelcu.dll and double-click
That will put the file in the Browse bar
Now press Upload and let the scan run. This may take several minutes to complete.
Post the scanner results in your next reply please.

b16mts
2011-12-08, 08:14
Hi,

Just tried that and get the error message "ERROR:cant find the upload file"

The file itself is faded in the folder, and when I look in properties it's read-only, and it won't allow me to remove the read-only tick.

martin

jeffce
2011-12-08, 13:25
Hi,

We can come back to that file later. :)
--------------

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

b16mts
2011-12-08, 21:12
Jeff,

Think I've done that one successfully.

thanks,

Martin

jeffce
2011-12-09, 04:20
Hi b16mts,

I see that you have Malwarebytes on your system. Please open Malwarebytes, update it and then run a Quick Scan. Please save the log that is created for your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the Start button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish

http://www.eset.com/onlinescan/
----------

In your next reply please post the logs created by Malwarebytes and ESET online scanner. :)

b16mts
2011-12-09, 17:18
hi,

Done those two, but cannot upload anything from ESET, and it said no threats found and gave me no option to save a log etc.

Have attached the malware log though.

martin

jeffce
2011-12-09, 17:28
Yep...if there are no threats found by ESET there won't be a log.

How is your system running? :)

b16mts
2011-12-09, 17:44
Jeff,

It appears the redirect issue is sorted, thank goodness. Computer still seems slow, but I can live with that, unless you know of any way of cleaning it up to make it faster?

Thanks again for all your help :-)

Martin

jeffce
2011-12-09, 19:29
Hi,

Glad to hear that things are running better. Let's see about removing some temp files and this may help with your speed. :) You can keep this tool that I am giving you now to use for later as well. It is good to run about once a week.
--------

Old Timer Temp File Cleaner (OT TFC)

Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Note: Save any unsaved work as running TFC will close ALL running applications.
Double click on TFC.exe to start the application
Click Start to run the application.
Let it run uninterrupted. It may take from a few seconds to a few minutes depending on the size of the temporary files.
Once done, TFC will prompt for a REBOOT.
Click Yes to reboot.
--------

After you have run that please reboot and then run a fresh scan with DDS and post both of the logs into your next reply. :bigthumb:

b16mts
2011-12-09, 20:11
Jeff,

Actually my wife has commented that she's really pleased that the redirect has gone and "it's loads faster too", which is a bonus.

Even quicker to boot now I've done the above.

Attached the logs again.

Thanks so much for saving my laptop!

Martin

jeffce
2011-12-09, 20:44
Glad to hear things are better. :bigthumb:

Stick with me...we are almost done. Let's go back to the file we tried to send to VirusTotal. Let's remove that...

Please go to Start >> Run >> type CMD and press Enter. This will open the command prompt. Copy and paste the following text into the command prompt window and press Enter:

del c:\windows\system32\msratelcu.dll

Reboot your system and then run a fresh scan with DDS and post the new logs into your next reply.

Let me know how things are going now with the computer. :)

b16mts
2011-12-09, 21:13
Jeff,

Tried to delete the file, but it keeps saying the file does not exist. Guess there's not a lot of point doing the logs as they'll be the same as the last ones, I guess.

martin

jeffce
2011-12-10, 16:47
Hi b16mts,


Guess there's not a lot of point doing the logs as they'll be the same as the last ones, I guess.

hahahahahahaaa!! Yep!! I am not sure why that would still be shown in the logs though?
----------------

Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Please download OTM (http://oldtimer.geekstogo.com/OTM.exe) by OldTimer.

Save it to your desktop.
Please click OTM and then click >> run.
Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



:Processes
explorer.exe

:Files
c:\windows\system32\msratelcu.dll

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]



Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
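The file the helper kept returning to was picked out of the DDS "Find3M" section in the first post: the other system32 entries show only the archive bit (`----a-w-`), while msratelcu.dll carries `--sha-r-`, i.e. system, hidden and read-only. That combination is also consistent with everything Martin reported afterwards: the file appearing faded in Explorer, the read-only tick that would not clear, and a plain `del` replying that the file could not be found (cmd.exe's `del` skips hidden and system files unless it is given the `/A` switch, which is why the helper moved on to OTM's `:Files` section). The Python script below is an added example for this thread, not part of the original posts or of DDS, OTM or any other tool mentioned here. It parses lines in the shape of the Find3M section and flags system32 files that carry the hidden+system combination, which is the same triage reasoning that led to the VirusTotal request. The sample lines are constructed from the first post's log, and the attribute-letter meanings (s=system, h=hidden, a=archive, r=read-only, w=writable) are an assumption drawn from the letters visible in that log rather than a documented DDS format.

```python
import re
from dataclasses import dataclass

# Constructed sample, shaped like the DDS "Find3M" section from the first post:
# date time size attributes path. The msratelcu.dll line is the one the helper
# singled out; the other two are ordinary, recently updated system DLLs.
SAMPLE_FIND3M = """\
2011-11-13 15:31:45 82776 ----a-w- c:\\windows\\system32\\BGLsp.dll
2011-10-12 13:16:25 69120 --sha-r- c:\\windows\\system32\\msratelcu.dll
2011-09-28 07:06:50 599040 ----a-w- c:\\windows\\system32\\crypt32.dll
"""

# One Find3M line: ISO date, time, size in bytes, an 8-character attribute
# field of letters and dashes, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Assumption (not a documented DDS format): each set attribute is printed as a
# letter and unset ones as '-'. Only the letters seen in this log are mapped,
# and the code tests for presence of a letter, not for its column position.
ATTR_NAMES = {"s": "system", "h": "hidden", "a": "archive",
              "r": "read-only", "w": "writable"}


@dataclass
class Find3MEntry:
    date: str
    time: str
    size: int
    attrs: str
    path: str

    @property
    def attributes(self):
        """Decode the attribute field into a set of human-readable names."""
        return {ATTR_NAMES[c] for c in self.attrs if c in ATTR_NAMES}


def parse_find3m(text):
    """Parse Find3M-style lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Find3MEntry(m["date"], m["time"], int(m["size"]),
                                       m["attrs"], m["path"]))
    return entries


def suspicious(entry):
    """A system32 file that is both hidden and system deserves a manual check:
    Windows components in that directory normally carry just the archive bit."""
    in_system32 = "\\system32\\" in entry.path.lower()
    return in_system32 and {"hidden", "system"} <= entry.attributes


def triage(text):
    """Map each path worth a manual check to its sorted attribute names."""
    return {e.path: sorted(e.attributes)
            for e in parse_find3m(text) if suspicious(e)}


if __name__ == "__main__":
    for path, attrs in triage(SAMPLE_FIND3M).items():
        print(f"{path}: {', '.join(attrs)}")
```

Run against the constructed sample, `triage()` returns only the msratelcu.dll path, with archive, hidden, read-only and system as its attributes, while the two DLLs that were simply patched by Windows Update pass untouched. The check is deliberately narrow (directory plus the hidden+system pair) so that it supports the kind of question the helper asked (is this file known?) rather than deciding on its own that a file is malicious.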

jeffce
2011-12-13, 13:35
Hi,

Do you still need help? :)

jeffce
2011-12-14, 16:27
Due to lack of feedback, this topic will now be closed.
If you are the original poster and you still require help, please start a new thread.