Hi, google is redirecting all my searches to http:// abnow . com
what can i do?
[Edit: Removed hyperlink to a potentially malicious URL to conform with the Participation Guidelines & Terms of Service]
Thank you, I will try this when I get back and check it on the infected computer. I discovered this was not the only infection; I posted the other one on the solved post about the ZeroAccess you solved about one week ago.
You can find it here:
Thank you again.
All the files in the other locations appear to be some change in ZeroAccess, as I did find an aswMBR log using definitions, and the other files are also detected as ZeroAccess, but under the name Sirefef. Always the way, now I can't re-find the log.
Quads
Here they are, the logs.
The browser is Internet Explorer.
To others:-
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Stevo11
1. Have TDSSKiller deal with these entries:
C:\WINDOWS\system32\DRIVERS\serial.sys - copied to quarantine
14:50:45.0390 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\@ - copied to quarantine
14:50:45.0406 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\L\mbimnlpu - copied to quarantine
14:50:45.0406 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\loader.tlb - copied to quarantine
14:50:45.0406 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@00000001 - copied to quarantine
14:50:45.0562 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@000000c0 - copied to quarantine
14:50:45.0593 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@000000cb - copied to quarantine
14:50:45.0609 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@000000cf - copied to quarantine
14:50:45.0625 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@80000000 - copied to quarantine
14:50:45.0640 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@800000c0 - copied to quarantine
14:50:45.0656 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@800000cb - copied to quarantine
14:50:45.0671 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@800000cf - copied to quarantine
14:50:47.0187 4028 Backup copy found, using it..
14:50:47.0218 4028 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\@ - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\loader.tlb - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\$000000cb - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\$800000cb - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@00000001 - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@000000c0 - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@000000cb - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@000000cf - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@80000000 - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@800000c0 - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@800000cb - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\1774428734\U\@800000cf - will be deleted on reboot
14:50:48.0828 4028 C:\WINDOWS\$NtUninstallKB13314$\2740791305 - will be deleted on reboot
14:50:48.0843 4028 Serial ( Virus.Win32.ZAccess.aml ) - User select action: Cure
Or run TDSSKiller again to make sure they are gone.
2. Download ComboFix to your Desktop from http://www.bleepingcomputer.com/download/anti-virus/combofix
Download the attachment to this post (CFScript.txt) and save it to your desktop also.
Disable Norton and close your browser(s).
Now drag CFScript.txt onto ComboFix.exe.
Do not do anything else while it is running, including moving the mouse cursor inside ComboFix.
When it is finished it will create a log; also, you may have to restart the PC before you are able to use the browsers.
Quads
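As an added example (not code from the thread, from TDSSKiller or from its vendor), here is a small Python triage script for a log in the format shown above. It pulls out each path line with its action, records the final detection verdict, and flags the two things that mark this as the ZeroAccess layout: a fake `$NtUninstallKB...$` hotfix folder (real hotfix uninstall folders do not carry `@`, `L\` and `U\` trees) and a patched driver under system32\drivers. The sample log embedded in it is constructed from the shape of the posted lines; the regexes are this example's own, not a TDSSKiller format specification.

```python
"""Triage a TDSSKiller log for ZeroAccess-style indicators.

Added example, not part of the original thread and not TDSSKiller's own
code. Parses "<time> <pid> <path> - <action>" lines of the kind shown in
the post and the "User select action" verdict line, then reports which
paths sit in a fake $NtUninstallKB...$ folder, which drivers were patched,
and what is still pending a reboot.
"""
import re
from collections import defaultdict

# Constructed sample in the TDSSKiller line format. Paths mirror the post;
# timestamps and pids are illustrative.
SAMPLE_LOG = """\
14:50:45.0390 4028 C:\\WINDOWS\\$NtUninstallKB13314$\\1774428734\\@ - copied to quarantine
14:50:45.0406 4028 C:\\WINDOWS\\$NtUninstallKB13314$\\1774428734\\L\\mbimnlpu - copied to quarantine
14:50:45.0406 4028 C:\\WINDOWS\\$NtUninstallKB13314$\\1774428734\\U\\@80000000 - copied to quarantine
14:50:47.0187 4028 Backup copy found, using it..
14:50:47.0218 4028 C:\\WINDOWS\\system32\\DRIVERS\\serial.sys - will be cured on reboot
14:50:48.0828 4028 C:\\WINDOWS\\$NtUninstallKB13314$\\1774428734\\@ - will be deleted on reboot
14:50:48.0828 4028 C:\\WINDOWS\\$NtUninstallKB13314$\\2740791305 - will be deleted on reboot
14:50:48.0843 4028 Serial ( Virus.Win32.ZAccess.aml ) - User select action: Cure
"""

# "<time> <pid> <drive>:\path - <action>"; the path is matched lazily up to " - ".
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<path>[A-Za-z]:\\[^\r\n]*?)\s+-\s+(?P<action>.+)$"
)
# "<time> <pid> <object> ( <detection name> ) - User select action: <action>"
VERDICT_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<obj>\S+)\s+\(\s*(?P<name>[^)]+?)\s*\)\s+-\s+"
    r"User select action:\s*(?P<act>\w+)"
)
# ZeroAccess hid its payload in a folder named like a hotfix uninstall folder.
FAKE_HOTFIX_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\", re.IGNORECASE)
DRIVER_RE = re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)


def parse_log(text):
    """Return (entries, verdicts): entries are dicts per path line,
    verdicts are (object, detection name, chosen action) tuples."""
    entries, verdicts = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
            continue
        v = VERDICT_RE.match(line)
        if v:
            verdicts.append((v["obj"], v["name"], v["act"]))
    return entries, verdicts


def triage(text):
    """Group actions per path and flag ZeroAccess-style locations."""
    entries, verdicts = parse_log(text)
    actions = defaultdict(list)
    for e in entries:
        actions[e["path"]].append(e["action"])
    return {
        "fake_hotfix_paths": sorted(p for p in actions if FAKE_HOTFIX_RE.search(p)),
        "patched_drivers": sorted(p for p in actions if DRIVER_RE.search(p)),
        # Anything "on reboot" is not gone until the machine has restarted.
        "pending_reboot": sorted(p for p, acts in actions.items()
                                 if any("on reboot" in a for a in acts)),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

The "pending_reboot" list is the practical check here: TDSSKiller only schedules the cure and the deletions, so a second run after the restart (as the post says) is what confirms the driver was actually restored from its backup and the folder is gone.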
I ran TDSSKiller and the only threat that I found is one called sptd.sys in the Drivers folder that is located in the system32 folder. Should I proceed with ComboFix?
Yes Please
Quads
Here is the log for ComboFix. Can I turn on the antivirus again?
Yes you can
Quads
Alright, any new steps to do?
Please download SystemLook and save it to your Desktop. hxxp://jpshortstuff.247fixes.com/SystemLook.exe (change hxxp to http)
Double-click SystemLook.exe to run it.
Copy the content below between the lines into the main text field:
:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost /s
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Quads
Here it is. What's next?
It's very strange that lately all these infections appear, because the activity that I and the other people do on this computer has been the same. What do you suggest to avoid these things? Windows Firewall or something?
Here is the netsvcs XP reg fix attached.
Download and rename the file to just XP_netsvcs.reg, which means you take the .txt off the end, then click it to run it.
Quads
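The SystemLook query and the netsvcs .reg fix in the two posts above deal with the same key: ZeroAccess/Sirefef is known to plant an extra service name in the netsvcs group under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost so that svchost.exe loads its DLL. As an added example (not code from the thread, from SystemLook or from the attached XP_netsvcs.reg), the Python below parses a `reg export` style dump of that key rather than SystemLook's listing (REG_MULTI_SZ values appear there as hex(7) UTF-16LE bytes with `\` line continuations), diffs the names against a baseline exported from a clean machine of the same Windows version, and can emit a .reg file that resets the group. The baseline list and the infected dump are constructed, and `ExampleRogueSvc` is a placeholder, not a real malware service name.

```python
"""Diff the svchost 'netsvcs' group against a known-clean baseline.

Added example, not code from the thread, SystemLook or the attached .reg fix.
Input is a 'reg export' style dump of
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost, where each
REG_MULTI_SZ value is written as hex(7): UTF-16LE bytes, NUL separated and
double-NUL terminated, wrapped onto continuation lines ending in '\\'.
"""
import re

# Constructed subset of a clean netsvcs list. In practice export the value
# from a known-clean machine with the same Windows version and service pack.
CLEAN_BASELINE = [
    "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "Dhcp", "EventSystem",
    "LanmanServer", "LanmanWorkstation", "Netman", "Schedule", "SENS",
    "wuauserv", "BITS",
]

SVCHOST_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
               "\\CurrentVersion\\Svchost")


def encode_multi_sz(names, per_line=25):
    """Render names as .reg hex(7) text: UTF-16LE, NUL separated,
    double-NUL terminated, split into continuation lines like reg export."""
    raw = "".join(n + "\0" for n in names) + "\0"
    tokens = [f"{b:02x}" for b in raw.encode("utf-16-le")]
    lines = [",".join(tokens[i:i + per_line])
             for i in range(0, len(tokens), per_line)]
    return ",\\\r\n  ".join(lines)


HEX7_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<body>.*)$')


def parse_reg_multi_sz(reg_text):
    """Return {value_name: [strings]} for every hex(7) value in the dump."""
    # A trailing backslash means the value continues on the next, indented line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    values = {}
    for line in joined.splitlines():
        m = HEX7_RE.match(line)
        if not m:
            continue
        octets = bytes(int(t, 16) for t in m["body"].split(",") if t.strip())
        text = octets.decode("utf-16-le")
        values[m["name"]] = [s for s in text.split("\0") if s]
    return values


def unexpected_netsvcs(reg_text, baseline):
    """Names in netsvcs but not in the baseline are the suspects; names
    missing from netsvcs usually mean the baseline is from the wrong OS level."""
    current = parse_reg_multi_sz(reg_text).get("netsvcs", [])
    base = {n.lower() for n in baseline}
    seen = {n.lower() for n in current}
    return {
        "extra": [n for n in current if n.lower() not in base],
        "missing": [n for n in baseline if n.lower() not in seen],
        "count": len(current),
    }


def build_fix_reg(baseline):
    """Emit a .reg file that resets netsvcs to the baseline, the kind of
    fix the thread applies with the attached XP_netsvcs.reg."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{SVCHOST_KEY}]\r\n"
        '"netsvcs"=hex(7):' + encode_multi_sz(baseline) + "\r\n"
    )


# Constructed dump of an infected key: the clean list plus one planted name.
# 'ExampleRogueSvc' is a placeholder, not a real malware service name.
INFECTED_DUMP = build_fix_reg(CLEAN_BASELINE + ["ExampleRogueSvc"])

if __name__ == "__main__":
    report = unexpected_netsvcs(INFECTED_DUMP, CLEAN_BASELINE)
    print("netsvcs entries:", report["count"])
    print("not in baseline:", report["extra"])
    print("missing from key:", report["missing"])
```

To use it on the suspect machine, run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" svchost.reg` and feed that file to `unexpected_netsvcs`. Removing a rogue name from netsvcs does not remove the payload: the DLL path lives under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll, so check that key and the file it points to as well, and take the baseline from a clean install of the same service pack, since the default list differs between Windows versions.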
I can't do that because even if I save it without the .txt my computer saves the file as .txt.
Is your PC set up to show known extension types? If yes, then download it, right-click it and select "Rename", then delete the .txt off the end so it ends in .reg instead.
The other way is to right-click the attachment and select "Save Link as"; then the dialog box appears and you can take the .txt part off there.
Quads
I did it. I opened the file and pressed OK. What's next?
So the registry added the data?
Quads
It asked me to confirm and I clicked Yes, and it apparently did it.
OK, delete your copy of ComboFix and download a new copy, then restart the PC, then disable Norton and just run another scan.
Quads