real bad computer infection

  • Thread starter: Steve Miller
Hello ng, I'm Steve! How are you?

For a few, something disabled AntiVir Guard. Also, the Avira.com homepage was blocked.

This must be some sort of malware or virus, therefore. Right?

I scanned with Avira AntiVir Personal and Search & Destroy. Avira AntiVir found two
infections but the probs still persist.

Now I'm scanning with TrendMicro HouseCall. Not sure what the results will be.

Can someone please help?

Steve

Help with what? Seems you are on the right track. I use the free
Windows firewall and the free Microsoft Security Essentials, and it
seems to get the job done. On some other machines like a laptop I use
Comodo, though I typically do not check the "use Comodo DNS servers"
option, as that option, while sound, might complicate things since I
travel all over the world and don't like to rely on just Comodo's DNS
servers. I also use Avira.

These programs are roughly the same, some slightly better than
others. It's like different brands of cigarettes, they all pretty
much get the job done, which is to deliver nicotine into your system.

RL
 
BartPE is for WindowsXP only.

No it's not. I've used it on Windows 7 systems numerous times to do
console/malware hunting. You do have to edit the CMOS and change the
way the machine treats the SATA drives so you don't get the black
screen of death booting Bart, but it will certainly boot a Windows 7
formatted box!

I can send you a torrent ISO of my modded Bart PE disc sometime if you
need it, Fred.
 
> No it's not.

Well, if I am told so by Macrium Reflect, why would I say otherwise?

"BartPE - Select this option to copy a PE-Builder plug-in for Macrium
Reflect.
For XP or Server 2003 installations only. A Macrium Reflect PE-Builder
plug-in will be copied to your existing PE-Builder installation.
PE-Builder creates a rescue disc from your existing Windows XP system
files and drivers."

> I've used it on Windows 7 systems numerous times to do
> console/malware hunting. You do have to edit the CMOS and change the
> way the machine treats the SATA drives so you don't get the black
> screen of death booting Bart,

And why would I want to do all that, when I have a USB "recovery" stick
that functions just the way I expect and restores any back-up I want?

> I can send you a torrent ISO of my modded Bart PE disc sometime if you
> need it, Fred.

I know you mean very well, but I have no desire whatsoever to change my
CMOS or whatever mysterious things you suggest me to do.
I am just an average user (or just a little bit more) and your offer is
way over my head.

Thanks anyway.
;-)
 
Hello,

the prob still persists. Please could someone advise to delete all the cookies?

That would be fun. :)

Steve
 
Steve Miller said:
> Hello,
>
> the prob still persists. Please could someone advise to delete all the cookies?
>
> That would be fun. :)
>
> Steve

Cookies are NOT an issue.
 
Yeah, MaxBlast doesn't allow the browsing of the image as if it were
just another disk, but the full version of Acronis that it is based on
does. This would allow you to pick and choose what specific file you
want to restore.

Macrium Reflect Free also allows you to retrieve individual files from
its image archive.
 
Steve Miller said:
> Well, I removed and reinstalled the program by now. The guard is running again.
>
> Steve

However, the avira.com website still was blocked. I searched regedit for some telling
entries. Seems not to be there. Temp files I deleted as well?

What else could I try?

Steve
 
> However, the avira.com website still was blocked. I searched regedit for some telling
> entries. Seems not to be there. Temp files I deleted as well?
>
> What else could I try?

Is it just the web site or is it the domain name that is blocked? Try
opening a command line window, do a "ping avira.com" and see if you get
any replies. If you can successfully ping avira.com then your browser
has been tampered with. Go to the Control Panel, Internet Options,
Advanced tab and click on the "Restore advanced settings" and "Reset"
buttons. Then try getting to their web site again.

If you cannot successfully ping avira.com then you probably have a DNS
hijack. Open a command line window, do a "ipconfig /all" and note the
reported DNS servers. Look up their IP addresses and see if they look
like they belong to your ISP.
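The "ipconfig /all" step above ends with a manual judgement call: do the listed DNS servers belong to your ISP or your own router? The following script is an added example, not code from anyone in this thread. It parses a constructed sample of ipconfig /all output, pulls out every DNS server (including the continuation lines ipconfig prints for the second and later servers), and flags any that fall outside a list of networks you trust. The trusted ranges here (RFC 1918 LAN space plus the documentation block 198.51.100.0/24 standing in for an ISP's resolvers) are assumptions for the example; substitute the ranges your ISP actually publishes.

```python
import ipaddress
import re
import sys

# Constructed sample of "ipconfig /all" output, trimmed to the relevant lines.
# Addresses are private or documentation ranges chosen for this example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit NIC
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "DNS Servers . . . : <first address>"; any further servers appear on
# continuation lines that hold nothing but the address.
DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
CONT_LINE = re.compile(r"^\s+(\S+)\s*$")


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed in ipconfig /all output, in order."""
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        c = CONT_LINE.match(line) if in_dns_block else None
        if c:
            servers.append(c.group(1))   # second/third server on its own line
        else:
            in_dns_block = False          # any other line ends the server list
    return servers


def flag_untrusted_dns(servers, trusted_networks):
    """Return the servers that sit outside every trusted network.

    Trusted networks are the ones you expect to be handing out DNS: your own
    LAN (the router) and your ISP's resolver ranges. Anything else is the
    "does this look like my ISP?" question from the thread, answered by code.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            flagged.append(server)        # not even a valid address; report it
            continue
        if not any(addr in net for net in trusted):
            flagged.append(server)
    return flagged


# Assumed trusted ranges for this example: RFC 1918 LAN space plus a made-up
# ISP resolver block (198.51.100.0/24 is a documentation range).
EXAMPLE_TRUSTED = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "198.51.100.0/24"]

if __name__ == "__main__":
    # Usage on Windows:  ipconfig /all | python check_dns.py
    # With nothing piped in, the constructed sample is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCONFIG
    found = parse_dns_servers(text)
    print("DNS servers:", found)
    print("outside trusted ranges:", flag_untrusted_dns(found, EXAMPLE_TRUSTED))
```

In the sample, the router (192.168.1.1) passes and 203.0.113.7 is reported; a hijacked machine typically shows exactly that pattern, one expected resolver and one you cannot account for. Keep in mind the trusted list is a starting point: public resolvers you chose yourself (or Comodo's, as mentioned earlier in the thread) will be flagged too until you add them.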
 
Whoever said:
> Is it just the web site or is it the domain name that is blocked? Try
> opening a command line window, do a "ping avira.com" and see if you get
> any replies. If you can successfully ping avira.com then your browser
> has been tampered with. Go to the Control Panel, Internet Options,
> Advanced tab and click on the "Restore advanced settings" and "Reset"
> buttons. Then try getting to their web site again.
>
> If you cannot successfully ping avira.com then you probably have a DNS
> hijack. Open a command line window, do a "ipconfig /all" and note the
> reported DNS servers. Look up their IP addresses and see if they look
> like they belong to your ISP.

Or, he could check his "hosts" file I suppose.
 
> Or, he could check his "hosts" file I suppose.

It's possible, though I haven't seen too many bugs lately that are
still using that method. Perhaps it's just the particular ones that I've
been running into?
 
> It's possible, though I haven't seen too many bugs lately that are
> still using that method. Perhaps it's just the particular ones that
> I've been running into?

Just got back from a Sunday call; had a modded hosts file. Even set
file permissions on the damn thing. Used unlocker to remove the
offensive beastie; they had it redirecting google, yahoo, bing, avast and
a slew of other legit sites to localhost. I removed the offending
rootkit to find the machine still not going to various sites. Found a
13k hosts file, with permissions present. Removed the file, verified
it's not coming back. :)
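Both the "check his hosts file" suggestion and the Sunday-call story above come down to one check: does the hosts file map real sites to localhost (or to some address they do not belong at)? The script below is an added example, not code from any poster here. It parses a constructed sample hosts file, reports every hostname other than localhost-style names that is pinned to a loopback or 0.0.0.0 address, and separately reports any entry for the vendor and search domains the thread says were redirected, whatever the target address. The watchlist and the sample contents are assumptions for the example; the real file on Windows is %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress
import sys

# Constructed sample hosts file for this example (not the 13k file from the thread).
SAMPLE_HOSTS = """\
# hosts file (constructed sample for this example)
#
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avira.com
127.0.0.1       avira.com    # sends the vendor site to this machine
127.0.0.1       www.google.com
0.0.0.0         avast.com
192.0.2.10      www.bing.com
"""

# Names that legitimately point at the loopback address.
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost",
}

# Domains the thread reports being redirected; an override for any of them
# (or a subdomain) is suspicious whatever the target address. Extend as needed.
WATCHLIST = ("avira.com", "avast.com", "google.com", "yahoo.com", "bing.com")


def parse_hosts(text):
    """Return (line number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing and whole-line comments
        parts = line.split()
        if len(parts) < 2:
            continue                             # blank, comment-only, or no hostname
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # skip malformed lines
        for name in parts[1:]:                   # one address may carry several names
            entries.append((lineno, addr, name.lower()))
    return entries


def is_watched(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def check_hosts_text(text):
    """Return (line, hostname, address, reason) for each suspicious mapping."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOOPBACK_NAMES:
            findings.append((lineno, name, str(addr), "real hostname pinned to loopback/0.0.0.0"))
        elif is_watched(name):
            findings.append((lineno, name, str(addr), "watched domain overridden"))
    return findings


if __name__ == "__main__":
    # Pass a path to check a real file; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line, name, addr, reason in check_hosts_text(text):
        print(f"line {line}: {name} -> {addr} ({reason})")
```

On the sample this reports five lines: the four loopback/0.0.0.0 redirects and the www.bing.com entry that points somewhere else entirely. A stock Windows hosts file has at most a couple of localhost lines, so a long list of findings, or simply a file of several kilobytes as in the post above, is itself the signal; note that the script only reads the file, and as the poster found, a locked or permission-stripped hosts file has to be dealt with separately.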
 
> Just got back from a Sunday call; had a modded hosts file. Even set
> file permissions on the damn thing. Used unlocker to remove the
> offensive beastie; they had it redirecting google, yahoo, bing, avast and
> a slew of other legit sites to localhost. I removed the offending
> rootkit to find the machine still not going to various sites. Found a
> 13k hosts file, with permissions present. Removed the file, verified
> it's not coming back. :)

Guess it's just the luck of the draw for me then. I just haven't been
seeing many of them lately.
 