Topic: Malware Removal Help (Read 3208 times)

jackhmom
Topic Starter
Rookie

Malware Removal Help
« on: May 05, 2009, 09:25:27 PM »
Attached is the log.  I was able to take all of the recommended steps other than updating Java.

We are unable to connect to the internet through our desktop home computer.  We have Zone Alarm on our home computer but it was not updating properly.  In addition, when typing in an internet address, it would sometimes take us to Google Images instead of the website address I had typed in on the URL.   After a couple of tries, I could get to the website I wanted.  Shortly after the misdirection problem started, the internet stopped working - I would get a "cannot connect/webpage unavailable" message from Internet Explorer.  The computer runs on Windows Vista.  We called our ISP -  they tested the connection and it appeared to be fine (and other computers using the wireless network at home have no trouble connecting).  We also tried installing Firefox thinking there was a problem with Internet Explorer but it didn't help.  Zone Alarm has been unable to help us.  Any suggestions for us? Thank you very much for any help.

[attachment deleted by admin]
« Last Edit: May 06, 2009, 10:14:32 PM by jackhmom »

CBMatt

• Mod & Malware Specialist
• Prodigy
• Sad and lonely...and loving every minute of it.
• Thanked: 167
• Experience: Experienced
• OS: Windows 7

Re: Malware Removal Help
« Reply #1 on: May 15, 2009, 04:54:19 AM »
Out of curiosity, why did you post this as a PDF file and not a text file?  Any chance you can post this as a Notepad file instead?  It would make it MUCH easier to work with.  And how about SAS and MBAM logs?
An undefined problem has an infinite number of solutions.
—Robert A. Humphrey

jackhmom

Re: Malware Removal Help
« Reply #2 on: May 15, 2009, 09:18:09 PM »
I posted as a PDF because I had to print them from my infected computer, scan them and then email them from a different computer.  I'll see if I can rerun the scans, save to a flash drive, and then cut and paste them into an email or onto a Word or Notepad file.  Sorry for the inconvenience.

jackhmom

Re: Malware Removal Help
« Reply #3 on: May 17, 2009, 08:02:38 PM »
Here's the information from the 3 logs.

[attachment deleted by admin]

CBMatt

Re: Malware Removal Help
« Reply #4 on: May 19, 2009, 12:42:21 AM »
Okay, understood.  It wasn't a huge deal; it's just the first time I've seen someone print out their log and upload it as a PDF.  Heh.  And it makes it a bit harder to work with because it's easier to look up unknown files/entries if we are able to copy and paste.

Anyway...I don't really see any red flags in your logs here.  I don't see evidence of anything overly malicious.  But let's see if we can find out anything else...

1.  Do you know how to enter Safe Mode?  If not, take a look at THIS PAGE.  When you get to the menu with options (Safe Mode, Normal Mode, etc.), choose SAFE MODE WITH NETWORKING.  When your computer starts up, click Yes at the prompt window.  ZoneAlarm should be disabled at this time.  If not, please disable it.  Go ahead and try using the internet for a few minutes.  Is there any change?  Are you able to get into different sites without any trouble?

2.  Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.  NOTE: you can download ComboFix with another computer and transfer it via flash drive.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan.  Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouse-click ComboFix's window while it is running.  That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

jackhmom

Re: Malware Removal Help
« Reply #5 on: May 25, 2009, 12:37:50 PM »
Here's a new HijackThis log and a ComboFix log.   I tried accessing the internet in Safe Mode and was unable to.  I also noticed in the Control Panel something that said "AC 3" with a fire-type logo around on it.  I couldn't remove it through Remove Programs, but I think it is something that shouldn't be there because when I right-click on the icon, a string of Chinese characters comes up?

Please let me know if you have any other suggestions.  Thanks very much for your help.

[attachment deleted by admin]

CBMatt

Re: Malware Removal Help
« Reply #6 on: May 29, 2009, 07:03:43 AM »
Hi there, sorry for the late response.  Things are a bit busy.  I'm not entirely sure about the AC 3 icon, but it could just be a codec.  I wouldn't worry about it at the moment.  You do still have something in your log, though...

Open HijackThis and scan again.  Place a checkmark next to this entry:

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

Close all other windows/documents and click on Fix Checked.  You should then go into Safe Mode and delete this file:

C:\WINDOWS\SMINST\launcher.exe

Reboot back into Normal Mode, scan with HijackThis, and post the new log.  Have you noticed any changes?  Also...when you tried using the internet in Safe Mode, did you choose Safe Mode With Networking?  This is very important because this is the only way to access the internet while in Safe Mode.  If you choose just the standard Safe Mode, the internet won't work.
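The entry CBMatt asks to fix above is a RunOnce autostart value under HKLM. As an added example, not part of this thread and not CBMatt's instructions, the PowerShell below lists the Run and RunOnce entries for the machine and the current user, expands variables such as %WINDIR% in each command, and reports whether the referenced executable exists on disk and what its Authenticode signature status is, so an entry like the one named in the reply can be looked at before it is removed. It assumes a current Windows PowerShell session (the 64-bit Wow6432Node keys are left out); the only path it mentions is the one from the reply.

```powershell
# Added example, not from the thread: list Run/RunOnce autostart entries with
# the resolved executable, its presence on disk and its signature status.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutorunExecutable {
    param([string]$Command)
    # Expand %WINDIR%-style variables, then separate the program from its
    # arguments: either a quoted path or the first token that ends in .exe.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')        { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $expanded
}

function Get-AutorunEntry {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSChildName/... bookkeeping properties; skip them.
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }
            $exe = Resolve-AutorunExecutable -Command ([string]$prop.Value)
            $onDisk = (-not [string]::IsNullOrWhiteSpace($exe)) -and
                      (Test-Path -LiteralPath $exe -PathType Leaf)
            # Status is kept as a string so the later Sort-Object compares like with like.
            $status = if ($onDisk) { [string](Get-AuthenticodeSignature -FilePath $exe).Status }
                      else { 'FileMissing' }
            [PSCustomObject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $prop.Value
                Executable = $exe
                OnDisk     = $onDisk
                Signature  = $status
            }
        }
    }
}

# Every entry, for manual review (sorted so unsigned and missing files group together):
Get-AutorunEntry | Sort-Object Signature | Format-Table -AutoSize

# Only the entry discussed in the thread (path taken from the reply above):
Get-AutorunEntry | Where-Object { $_.Executable -like '*\SMINST\launcher.exe' } | Format-List
```

A `Valid` signature from a known publisher, a file that is actually present, and a command that matches what the key claims are the three things worth confirming for each row; the script reports those facts and leaves the decision about the entry to the person reading the log.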

jackhmom

Re: Malware Removal Help
« Reply #7 on: May 30, 2009, 05:31:14 PM »
Thank you very much.  I appreciate any help, especially considering that you are volunteers.  Yes, I tried connecting using Safe Mode with Networking and was not able to.  Here's the new HijackThis log.  Any other suggestions?  Thanks

[attachment deleted by admin]

CBMatt

Re: Malware Removal Help
« Reply #8 on: May 31, 2009, 05:48:11 AM »
Well, at this point, I don't really see much going on in your log.  I can't quite explain your Google redirects, but the fact that you couldn't get online with Safe Mode With Networking makes me think it might not be a software problem.  And when an infection redirects your browser, it usually goes to a spam site, not Google.  How does this particular computer connect to the internet?  You said you have a wireless network; does this computer connect wirelessly as well?  Or does it use a cable to connect directly to the router (or a modem hooked up to the router)?

If you connect wirelessly, do you have an adapter for the desktop or did it come equipped with a network card?  If there's an adapter, try testing it with a different computer to make sure it works.  If it has a network card, it may not be functioning properly and could need to be replaced or reseated (reseating involves opening the computer and ensuring that a part is properly inserted into its slot).  Also, be sure to try connecting through an ethernet cable.

If you connect through a cable, make sure it is firmly inserted into the appropriate jacks.  Depending on your setup, you may be able to hook up to a different jack on the router.  Another thing you can try is unplugging the router for about five minutes and then plugging it back in.  This doesn't sound like it will fix your problem, but you never know.

Did you recently move your computer?  It's possible that it was moved out of the router's range.  Do you know exactly how long it has been acting up?  We could always try System Restore to roll your settings back and see if it helps at all.  Also, the configuration could be incorrect, but that can be a bit more complicated, so we'll save that for later if needed.

As you can see, there are a lot of possibilities here.  And there's still the chance of an infection causing significant problems.  I don't see anything, but some of them can hide pretty well.  Although I haven't seen evidence, you can check for a certain popular infection...

Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
Scroll down to "Non-Plug and Play Drivers" and click the plus icon to open those drivers.
Then search for TDSSserv.sys
Let me know if you find this or not.  Also let me know what other suggestions you have tried, and please answer as many questions as you can.
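The Device Manager check above looks for a driver by name with hidden devices shown. As an added example, not CBMatt's instructions and not part of the thread, the PowerShell below reads the driver entries from the registry's service list (Type 1 and Type 2 entries are kernel and file-system drivers; the legacy drivers Device Manager lists under "Non-Plug and Play Drivers" are among them), normalizes each ImagePath to an absolute file path, and reports whether the file is present and signed. The name it searches for is the one the reply gives; it assumes an administrative Windows PowerShell session. It goes a step beyond the reply by listing every driver entry whose file is missing or unsigned, not only the one name.

```powershell
# Added example, not from the thread: enumerate driver service entries from the
# registry and report, for each, its start type, on-disk image and signature.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # ImagePath values use several conventions: \SystemRoot\..., system32\...,
    # \??\C:\..., or a plain absolute path. Normalize all of them to an absolute path.
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')        { return $Matches[1] }
    if ($p -match '^\\?SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^[a-zA-Z]:\\')          { return $p }
    return Join-Path $env:SystemRoot $p    # relative, e.g. system32\DRIVERS\foo.sys
}

function Get-DriverServiceEntry {
    param([string]$NamePattern = '*')
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath
        # Type 1 = kernel driver, 2 = file-system driver; Win32 services use 16/32.
        if ($svc.Type -ne 1 -and $svc.Type -ne 2) { return }
        if ($svc.PSChildName -notlike $NamePattern) { return }
        $img    = if ($svc.ImagePath) { Resolve-DriverImagePath -ImagePath $svc.ImagePath } else { $null }
        $onDisk = if ($img) { Test-Path -LiteralPath $img -PathType Leaf } else { $false }
        $status = if ($onDisk) { [string](Get-AuthenticodeSignature -FilePath $img).Status }
                  else { 'FileMissing' }
        [PSCustomObject]@{
            Name      = $svc.PSChildName
            Start     = $svc.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $img
            OnDisk    = $onDisk
            Signature = $status
        }
    }
}

# The driver named in the thread. An empty result means no service entry of that
# name is registered; a kernel rootkit can hide its own key from user-mode tools,
# so treat "not found" as one data point rather than proof the system is clean.
Get-DriverServiceEntry -NamePattern 'TDSSserv*' | Format-List

# Wider review: every driver entry whose image is missing or not validly signed.
Get-DriverServiceEntry |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Start, Name |
    Format-Table -AutoSize
```

Boot- and system-start drivers (Start 0 and 1) with a missing or unsigned image are the rows to look at first, since they load before most defensive software does; an offline scan from boot media, which reads the disk without the running kernel in the way, is the usual way to confirm a suspicion that this listing cannot settle on its own.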