Posted by fp4

Hello actual computer technician here, who deals with this kind of thing regularly (this is my secret formula):

1. Download and run TDSSKiller:
http://support.kaspersky.com/downloa...tdsskiller.exe

Before running it click Advanced Options, and check the 'Check for TLDFS Filesystem' checkbox.

2. Download and run a Malwarebytes Anti-Malware Quick Scan (Looks like you've already done this):
http://ninite.com/malwarebytes/

3. If the Virus still persists I recommend that you run ComboFix:
http://www.bleepingcomputer.com/download/combofix/

When downloading ComboFix, click Save and give the file a name like REDDRAGONS (this tends to be enough to fool viruses looking for anti-virus tools).

If it still persists after all that, try running them all while in Safe Mode, if still then we'll have to do a more in-depth check.

Ran it and it found some thing called akamai, so I quarentined it.  

Posted by Rexx

Delete the system32 folder, that should solve your problems.

Technically it would solve the problem...  

@fp4 did the step 3 combo fix thing, now whenever I try to open any program I get the error "Illegal operation attempted on a registry key that has been marked for deletion"... How do I fix this?
oh btw i was wrong when I thought the virus was gone
think I might try a system restore

ok system restore seems to have fixed the problem with programs not working.

not sure if virus is gone...

ran tdss killer and its back -_-  

Run ComboFix one more time, the virus likely hijacked the registry key that's accessed when you open programs.  

since I just did a system restore would I have to run it twice?
should I set up another system restore point?

I have a weird feeling combofix had an error messing with the registry...


I would think the system restore would have brought back the virus.
What stops it from screwing my registry again?  

System Restore just restores your registry, not files. If the virus made registry keys and it was in your registry, it is likely a harmless key pointing to a non-existent virus file.  

seems like combofix is stuck at preparing the log report and its telling me not to open any programs until its done.

edit: oh ran it again, same registry error... guess I gotta do the system restore again...  

Well if it happens when it's doing the log report then it's not a big deal. Sounds like your virus is gone though.  

Posted by Rexx

Delete the system32 folder, that should solve your problems.

Nah. Delete that whole darn Windows folder.  

Posted by fp4

Well if it happens when it's doing the log report then it's not a big deal. Sounds like your virus is gone though.

Nope, I'm still redirecting to a bunch of stupid sites :/  

Posted by Skill

Nope, I'm still redirecting to a bunch of stupid sites :/

Open a cmd prompt and do these commands:

diskpart
list disk
select disk 0
list partition

Take a screenshot and show me the partitions it lists.

Example: http://i.imgur.com/NqE8k.jpg  

here.  

Run the command:

ipconfig /all > connection_info.txt

Then go into your user folder, and paste the contents of connection_info.txt on here.  

Posted by fp4

Run the command:

ipconfig /all > connection_info.txt

Then go into your user folder, and paste the contents of connection_info.txt on here.

did this and nothing happened
did it without the connectioninfo part and got this:

wait my bad misread

PHP Code:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : HomeUser-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 20-CF-30-F0-E9-DE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::788b:6d0b:42d1:ed40%10(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.0.50(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 237031216
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-BA-53-75-20-CF-30-F0-E9-DE
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{75E551A9-C9B6-48C5-AC82-9EFECB1E6BE2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:2469:1c03:3f57:ffcd(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::2469:1c03:3f57:ffcd%11(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled 


 

and TDSSKiller came up clean? I will have to look more into the virus.

Run HiJackThis:
http://sourceforge.net/projects/hjt/

and post a log.