Tech-101 Free Computer Support

#1  08-25-2009, 02:15 PM  Junior Member (Join Date: Aug 2009; Posts: 15)
[Solved] Host files hijacked

Hello,

Jobeard has referred me to this site; hopefully you can help me. My computer shuts off automatically at Windows startup when Normal Mode is attempted. I am able to start up my computer only in Safe Mode, which limits the programs/antivirus that I can install.

The following is a paste from Bobbye...

"Your Host Files have been hijacked- you are being taken to the Ukraine. You will need help removing the malware and resetting your router.

Unfortunately, we are temporarily short of malware helpers here. I would encourage you to try and clean the system with guidance. Please see Virus and Malware Removal HERE if you would like assistance.

Please follow the preliminary removal instructions.

I recommend that you don't install or uninstall security programs until or unless you are directed to do so by your helper."

I was a bit confused about whether or not to follow the preliminary removal instructions, because there are programs to install, although it was advised not to install/uninstall. If I can get clarification on this, I would love to get started on cleaning up my computer. Thanks for your time.

I have attached previous MBAM and Hijack Logs. MBAM detected files have been corrected and I have run further logs with zero detections. Avast was also run and found viruses Trojan-gen {Other}, Walivun [Trj], and Kuang2.

thank you!

pirrip777
Attached files: mbam-log-2009-08-22 (23-06-05).txt (6.8 KB), hijackthis.txt (7.8 KB)
#2  08-25-2009, 04:25 PM  jobeard, Site Admin (Join Date: Dec 2008; Location: Southern Calif.; Posts: 1,100)

welcome!!

1) using an admin login
download this file
copy it to \windows\system32\drivers\etc as HOSTS (no extension)
then set R/O property on the new file

if necessary reset the R/O property or allow overwrite on the existing HOSTS file
that will at least stop a lot of bad accesses.

2) you can avoid DNS hijacking by updating your TCP properties

view network connection
find the Local Area Connection -> right-click->properties
scroll to TCP/IP and click Properties button middle right
on the IP address; set Obtain Automatically
on the DNS; Use the following ...
208.67.222.222
208.67.222.220
click ok; click ok
__________________
J. O. Beard; you + tech-101.com => synergism. Secure your system now
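Step 1 above replaces the HOSTS file; the check below, added here as an example and not code from the thread, shows how to tell whether the file at \windows\system32\drivers\etc\HOSTS has been hijacked in the first place. A clean HOSTS only maps localhost to a loopback address, so any name pointed at a routable address is reported (the sample content and the TEST-NET address 203.0.113.10 are constructed).

```python
"""Flag hijacked entries in a Windows HOSTS file.

Added example, not code from the thread: a clean HOSTS only maps
'localhost' to loopback, so any hostname sent to a routable address
(here the constructed TEST-NET address 203.0.113.10) is reported.
"""
import ipaddress
import re

# Constructed sample HOSTS content modelled on a hijacked file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com      # redirected off-box
203.0.113.10    www.malwarebytes.org
0.0.0.0         ads.example         # sinkholed by a blocklist, harmless
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_local_target(ip_text):
    """True for loopback or the 0.0.0.0 sinkhole that ad blocklists use."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text):
    """Return [(hostname, ip)] for names that resolve anywhere but locally."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if not is_local_target(ip)]


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"HIJACKED: {name} -> {ip}")
```

On a real machine, read the HOSTS file from the path above and pass its text to suspicious_entries; anything it reports is a name the malware has redirected.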
#3  08-25-2009, 04:48 PM  jobeard, Site Admin (Join Date: Dec 2008; Location: Southern Calif.; Posts: 1,100)

Malwarebytes has done some cleanups already; did you reboot?

unless you have a printer attached to your router (i.e. it has an IP address), you do not need
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
Bonjour can be uninstalled using the ADD/Remove control panel

you can then also DISABLE the services
a) SSDP and
b) UPnP
this is 'questionable and unnecessary' as it can/does control site access
O2 - BHO: GetGo URL Catcher (dont remove!) - {0315AA2C-10C7-4504-A1C4-F552ABA8A095} - C:\Program Files\GetGo Software\GetGo Download Manager\URLCatch.dll <<TROJAN
O3 - Toolbar: GetGo Toolbar - {075BBE29-FEC0-404a-A459-FF58713616FA} - C:\Program Files\GetGo Software\GetGo Download Manager\GGToolBand.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O9 - Extra button: GetGo - {01A13E40-2F55-4397-B39B-7851BCFB8008} - C:\Program Files\GetGo Software\GetGo Download Manager\GetGoDM.exe
O8 - Extra context menu item: &Down&load &Link& Us&ing Ge&tGo - C:\Program Files\GetGo Software\GetGo Download Manager\GGCatch.htm
O8 - Extra context menu item: &Down&load All &Links& Us&ing Ge&tGo - C:\Program Files\GetGo Software\GetGo Download Manager\GGCatchAll.htm
O8 - Extra context menu item: &GetGo Toolbar Search - res://C:\Program Files\GetGo Software\GetGo Download Manager\GGToolBand.dll/MENUSEARCH.HTM
imo, download managers are totally unnecessary and only add bloat to your system
look for it in ADD/Remove also OR check Spybot S&D for ActiveX, BHO, and LSP entries
__________________
J. O. Beard; you + tech-101.com => synergism. Secure your system now
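The HijackThis lines quoted above follow one layout (section, kind, name, optional CLSID, path). The parser below is an added example, not code from the thread or from HijackThis, that reads those eight lines and groups every entry living under one vendor folder so a product's BHO, toolbar, button and context-menu hooks can be reviewed together before it is uninstalled; the "<<TROJAN" tag is the helper's annotation and is stripped.

```python
"""Group HijackThis log lines by the product folder they point into.

Added example, not code from the thread: parses the O2/O3/O8/O9/O23
lines quoted in the post so all entries under one vendor folder can be
reviewed together. The '<<TROJAN' tag is a helper annotation, not log.
"""
import re

# The eight lines quoted in the post, used here as sample input.
HJT_LINES = [
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
    r"O2 - BHO: GetGo URL Catcher (dont remove!) - {0315AA2C-10C7-4504-A1C4-F552ABA8A095} - C:\Program Files\GetGo Software\GetGo Download Manager\URLCatch.dll <<TROJAN",
    r"O3 - Toolbar: GetGo Toolbar - {075BBE29-FEC0-404a-A459-FF58713616FA} - C:\Program Files\GetGo Software\GetGo Download Manager\GGToolBand.dll",
    r"O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll",
    r"O9 - Extra button: GetGo - {01A13E40-2F55-4397-B39B-7851BCFB8008} - C:\Program Files\GetGo Software\GetGo Download Manager\GetGoDM.exe",
    r"O8 - Extra context menu item: &Down&load &Link& Us&ing Ge&tGo - C:\Program Files\GetGo Software\GetGo Download Manager\GGCatch.htm",
    r"O8 - Extra context menu item: &Down&load All &Links& Us&ing Ge&tGo - C:\Program Files\GetGo Software\GetGo Download Manager\GGCatchAll.htm",
    r"O8 - Extra context menu item: &GetGo Toolbar Search - res://C:\Program Files\GetGo Software\GetGo Download Manager\GGToolBand.dll/MENUSEARCH.HTM",
]

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")   # "O2 - BHO: <rest>"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def parse_hjt_line(line):
    """Return {section, kind, name, clsid, path} or None for a non-entry line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    parts = rest.split(" - ")                       # name [- clsid/vendor] - path
    path = re.sub(r"\s*<<.*$", "", parts[-1])       # drop helper annotation
    clsid = next((p for p in parts[1:-1] if CLSID_RE.match(p)), None)
    return {"section": section, "kind": kind, "name": parts[0],
            "clsid": clsid, "path": path}


def entries_under(lines, folder):
    """Entries whose target path lives under the given vendor folder."""
    return [e for e in map(parse_hjt_line, lines)
            if e and folder.lower() in e["path"].lower()]


if __name__ == "__main__":
    for e in entries_under(HJT_LINES, "GetGo Software"):
        print(e["section"], e["kind"], "->", e["path"])
```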
#4  08-25-2009, 06:31 PM  Junior Member (Join Date: Aug 2009; Posts: 15)

I have tried to reboot several times to no avail (i.e., the shutoff continually occurs). I will attempt to replace the file you suggested downloading into system32 (previous post), but can you do this in Safe Mode?

Bobbye also mentioned resetting my router. Do I do a manual reset? Is there anything I can do to my router settings to prevent this from happening again?

I will remove the unnecessaries as you suggested. I appreciate the expedient support! I will let you know as soon as everything is finished.

pirrip777
#5  08-25-2009, 06:58 PM  kritius, Security Team (Join Date: Mar 2009; Posts: 772)

Hi,

Download avz4.zip from here
  1. Unzip it to your desktop to a folder named avz4
  2. Double click on AVZ.exe to run it.
  3. Run an update by clicking the Auto Update button on the Right of the Log window:
  4. Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again.

  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Analysis" check box.
  3. Click on the “Execute selected scripts”.
  4. Automatic scanning, healing and system check will be executed.
  5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  7. All applications will work properly after the system restart.

When restarted
  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
  3. Click on the "Execute selected scripts".
  4. A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post
__________________
Infected? Use the Preliminary Removal Instructions then post in the Virus and Malware Removal Forums
#6  08-25-2009, 09:10 PM  Junior Member (Join Date: Aug 2009; Posts: 15)

Jobeard -

I have replaced the hosts file as requested and changed the TCP/IP accordingly. I also uninstalled Google Toolbar and GetGo to remove the functions that you saw were in Hijackthis. I have attached a txt of the log.


Kritius -

I was able to install AVZ with no problem and start the program. Update was successful, but after that it gets shady. I was able to run the initial start, but I was not able to find "Healing/Quarantine and Advanced System Analysis" as one of the scripts. Is there an alternative to this? I also looked for Healing/Quarantine by itself and could not find it. Advanced System Analysis by itself was found. I was afraid to restart to lose progress... I will await your reply before moving on. I appreciate the support from both you guys!
#7  08-26-2009, 04:28 AM  kritius, Security Team (Join Date: Mar 2009; Posts: 772)

Do the advanced system analysis then.
__________________
Infected? Use the Preliminary Removal Instructions then post in the Virus and Malware Removal Forums
#8  08-26-2009, 08:28 PM  Junior Member (Join Date: Aug 2009; Posts: 15)

Ran ASA via AVZ (att as before_restart)
Restarted computer, still auto-shutoff on startup
Restarted computer, F8 to enter Safe Mode with Networking
Ran ASA via AVZ (att as after_restart)

Awaiting further instructions... thanks again for all the help.

Attachments are too big to send, please advise.
#9  08-27-2009, 01:35 AM  kritius, Security Team (Join Date: Mar 2009; Posts: 772)

Can you upload it to mediafire and post the link?
__________________
Infected? Use the Preliminary Removal Instructions then post in the Virus and Malware Removal Forums
#10  08-27-2009, 08:04 AM  Junior Member (Join Date: Aug 2009; Posts: 15)

Zip Files Are Here
Tags: host files, kualang2, shutoff, trojan-gen, walivun
Copyright © 2009 Tech-101.com. All rights reserved.