
Thread: Infected.

  1. #21
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Hi,

    Combofix didn't find or remove anything. As far as all the script you posted, I am not a web designer and have no idea what that all means.

    All the scans are coming up clean


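    Copy and paste these lines into Notepad.

    @Echo on
    rem Reset the hosts file to a single default entry
    pushd \windows\system32\drivers\etc
    rem Clear the hidden/system/read-only attributes so the file can be overwritten
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    rem Renew the DHCP lease and clear the DNS resolver cache
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    rem Reset the Winsock catalog and the TCP/IP stack
    netsh winsock reset all
    netsh int ip reset all
    rem Reboot after one second, then delete this batch file
    shutdown -r -t 1
    del "%~f0"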


    Save as flush.bat to your desktop. Double click to run.
    *** note: Win Vista and Win 7 need to right click and choose to "run as Administrator" .. the computer will reboot itself.





    Download the HostsXpert 4.3 - Hosts File Manager.
    • Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
    • Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
    • Click "Make Hosts Writable?" in the upper left corner.
    • Click Restore Microsoft's Hosts file and then click OK.
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.







    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #22
    Guest
    Join Date
    Sep 2010
    Posts
    158

    When I ran the HostsXpert.exe from its location, it says "your hosts file is marked as a system file, and cannot be manipuated. Click continue to remove this attribute or press cancel to exit".

    So I pressed cancel. What do I do? Should I continue? I haven't run the Kaspersky yet. I wanted to go in sequence to avoid any clashes.

    I have not made changes to hosts file on my own but I think Spybot S&D could be making to prevent browser redirects. (My default IP is I think 127.0.0.2).

  3. #23
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Yes, go ahead and change it; all we're doing is setting the hosts file back to default. I am on a computer right now that does not have Spybot so I can't see where to change it, but there is an option to unblock Spybot from locking the hosts file. Try to find it and uncheck it, and also disable the TeaTimer.

  4. #24
    Guest
    Join Date
    Sep 2010
    Posts
    158

    I ran flush.bat and have now recovered Microsoft's hosts file through HostsXpert.

    I don't know if my localhost or default IP is 127.0.0.1 or 127.0.0.2 or what, but the hosts file it recovered to wrote 127.0.0.1 in front of the localhost.

    But the Kaspersky link you gave me had the accept button greyed out, it said
    "Kaspersky Online Scanner 7.0 download and operation require Java framework version 1.5 or later. "

    So now..

  5. #25
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    OK, try this one

    Please run this free online virus scanner from ESET
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic

  6. #26
    Guest
    Join Date
    Sep 2010
    Posts
    158

    I did the ESET online scan and took a screenshot of the report before clicking finish.

    Later, after clicking finish, I went to see.
    I don't have any such folder C:\Program Files\EsetOnlineScanner
    So I checked C:\Program Files\ESET\ESET Online Scanner .

    There is no file called log.txt or any report or log in C:\Program Files\ESET\ESET Online Scanner.

    The screenshot of the report (must be just an overview of what they must be showing there) is attached.

  7. #27
    Guest
    Join Date
    Sep 2010
    Posts
    158

    To be safe meanwhile, can I / should I re-lock the hosts file through Spybot S&D? (since I have restored Microsoft's hosts file).
    Should I not enable TeaTimer currently?

    Can I request to have the 3 posts on the source code of the yahoo-on-signin page removed (if it's not in use here)?

  8. #28
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    All your posts for the source code have been removed as per your request.

    Yes, I would lock the hosts file and turn the TeaTimer back on.

    How are things running now?

  9. #29
    Guest
    Join Date
    Sep 2010
    Posts
    158

    Some problems which I listed in the first post (post to start thread) are still there. Here's below a list of the differences that have come in the situation of each point.

    1. I still have loads of keys in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\ and in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ , but could be less because when I made a search on the word "hack" under folder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ , it brought 4 sites, whereas earlier it was bringing 8 sites in this folder.

    2. Internet Explorer still hangs up sometimes.

    3. All Yahoo problems still exist.

    4. Computer is still alerting me of virtual memory too low when I just don't have much load on RAM. In fact today I left my computer idle with the internet connection on, because of sudden guests, and when I returned, there was an alert of virtual memory too low.

    5. Don't know how my antivirus is functioning. Haven't scanned with it since 10 days.

    6. Scans are still coming clean (like you told me).

    7. The firewall alert when I switch on the computer is not always there. I notice it's there when my antivirus shield/guard is not enabled. When my computer starts, my antivirus usually starts immediately, but the guard takes a while to start. The alert disappears when the guard comes on. This was always the case.

    8. Rare pop-ups are still there on Firefox. I see them come when I click a button for a process to run the process, then the ad pops up alongside. For example, on raaga.com, when clicking on play button to play music. This could be even normal but I'm doubtful.

    9. Ads still reaching my cell, of the pages I visit.

    10. Hooked items in RootRepeal logs, I can't say now because I haven't tried running RootRepeal without your permission.

    11. I can't say if this is virus, sometimes, when I search on Google, and click search, or some other sites some buttons, it says "You are sending information over an unencrypted connection, do you want to continue?" I hit continue. Few more issues.


    Since I have run the scans, Internet Explorer shows the ad for Google Chrome at the top right. Is it normal? I don't get it in Firefox.

  10. #30
    Guest
    Join Date
    Sep 2010
    Posts
    158

    Is it that I shouldn't immunise in Spybot S&D? It may be adding sites to 127.0.0.1 and the recover Microsoft's hosts file thing which we did is to clean that.
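
Added example, not part of any post in this thread and not code from any tool named in it: flush.bat leaves a single `127.0.0.1 localhost` line, and posts #22 and #30 ask about extra entries pointing at 127.0.0.1 or 127.0.0.2. This Python script separates the default entry, names pinned to a loopback or 0.0.0.0 address (blocked, not redirected), and names mapped to any other address, which are the ones to review. The sample hosts text, the `.example` names and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.tracker.example   # blocklist-style entry
127.0.0.2       tracker2.example
0.0.0.0         popups.example
203.0.113.10    login.mail.example www.mail.example
::1             localhost
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Classify each hostname mapping as (line_no, address, hostname).

    default  - localhost mapped to a loopback address
    blocked  - any other name pinned to loopback (all of 127.0.0.0/8, ::1)
               or to 0.0.0.0, so lookups for it go nowhere
    redirect - a name mapped to any other address; review these
    invalid  - first field is not an IP address
    """
    report = {"default": [], "blocked": [], "redirect": [], "invalid": []}
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["invalid"].append((line_no, fields[0], " ".join(fields[1:])))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:                 # one line may carry several names
            if name.lower() == "localhost" and addr.is_loopback:
                kind = "default"
            elif sinkhole:
                kind = "blocked"
            else:
                kind = "redirect"
            report[kind].append((line_no, str(addr), name.lower()))
    return report

if __name__ == "__main__":
    for kind, rows in audit_hosts(SAMPLE_HOSTS).items():
        for line_no, addr, name in rows:
            print(f"{kind:8} line {line_no}: {name} -> {addr}")
```

To check a real machine, pass the contents of the hosts file under `\windows\system32\drivers\etc` to `audit_hosts` instead of the sample text.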
