Find your solution!

dleach · 22-Oct-2009, 03:58 PM #1

Hello,
I have been having some trouble lately especially with Internet Explorer. I am able to use the internet, but often times I am redirected to sites, especially when using google. I use AVG free edition, but it says both my anti-virus and anti-spyware databases are outdated. When i try to update, I get a message saying, "The connection with the update server has failed." It says to go to avg.com, but this is impossible because I can't go to any anti-virus site. If I try to go to an antivirus site, I get a message saying that I can't connect to the internet with a button that says diagnose connection problems. Or I am taken to a google search of what I just entered in the address bar.

Here are some of the sites I am being redirected to: www.ave99.com, www.everydayhealth.com, www.amspec-05.com

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:15 PM, on 10/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\SkyGolf\SkyCaddie Desktop\CaddieSyncLauncher.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\windows\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\sySTEM32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\windows\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: TBSB00982 - {DA3D342F-FF20-4E31-9E82-22334155730C} - C:\Program Files\Antbar\Ant.com Toolbar\tbcore3.dll
O3 - Toolbar: Ant.com Toolbar - {6CD56C02-CB4D-41B5-A0FE-B479061CCB41} - C:\Program Files\Antbar\Ant.com Toolbar\tbcore3.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PromoReg] C:\windows\Temp\_ex-08.exe
O4 - HKLM\..\Run: [11142184] C:\Documents and Settings\All Users\Application Data\11142184\11142184.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CaddieSyncLauncher] C:\Program Files\SkyGolf\SkyCaddie Desktop\CaddieSyncLauncher.exe
O4 - HKLM\..\Run: [Internet Connection Wizard Setup Tool] C:\Program Files\Internet Explorer\Connection Wizard\icwsetup.exe
O4 - HKLM\..\Run: [13617826] C:\DOCUME~1\ALLUSE~1\APPLIC~1\13617826\13617826.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: ikowin32.exe
O4 - Global Startup: icwsetup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: PUFLITE - http://deniseleach.point2agent.com/O...ol/PUFLITE.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com...reqlab_srl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD39/JS...ws-i586-jc.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Futuremark SystemInfo) - http://www.yougamers.com/systeminfo/FMSI.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\windows\SYSTEM32\avgrsstx.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IY - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IY.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PnkBstrA (pnkbstra) - Unknown owner - C:\windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 7979 bytes

NeonFx · 23-Oct-2009, 09:19 PM #2

Hello there

Welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

The fixes are specific to your problem and should only be used on this machine.
Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

Step 1

Download OTS to your Desktop

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
- Reg - Desktop Components
- Reg - Disabled MS Config Items
- Reg - NetSvcs
- Reg - Shell Spawning
- Reg - Uninstall List
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Mediafire and post the sharing link.

Step 2

Download RootRepeal from one of the following locations and save it to your desktop:

Link 1
Link 2
Link 3

Double click to start the program
Click on the Report tab at the bottom of the program window
Click the button
In the Select Scan dialog, check:
- Shadow SSDT
Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

dleach · 26-Oct-2009, 07:16 PM #3

In the rootrepeal report it said something about a boot sector error but it still gave me the report

NeonFx · 26-Oct-2009, 07:31 PM #4

ComboFix should never be used without supervision by someone trained in its use. It does a whole lot more than just scan and remove files and can very easily cripple a system.

But seeing as you already ran it, could you please attach C:\ComboFix.txt to your next reply so that I can see what it removed?

Also, please go to C:\QooBox and attach any ComboFix#.txt along with Combofix-quarantined-files.txt

Also, please do the following:

STEP 1

Run OTS

Under the Paste Fix Here box on the right, paste in the following

Code:

[Unregister Dlls]
[Win32 Services - Safe List]
YY -> (ddnsfilter) ddnsfilter [Win32_Shared | Auto | Start_Pending] -> C:\Program Files\DDnsFilter\DDnsFilter.dll
YY -> (IY) IY [Win32_Own | On_Demand | Stopped] -> 
[Driver Services - Safe List]
YY -> (d1f4ce5b) d1f4ce5b [Kernel | System | Stopped] -> C:\windows\System32\drivers\d1f4ce5b.sys
YY -> (filter) filter [Kernel | System | Running] -> C:\windows\System32\drivers\Filter.sys
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "11142184" -> C:\Documents and Settings\All Users\Application Data\11142184\11142184.exe [C:\Documents and Settings\All Users\Application Data\11142184\11142184.exe]
YN -> "13617826" -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\13617826\13617826.exe [C:\DOCUME~1\ALLUSE~1\APPLIC~1\13617826\13617826.exe]
YY -> "PromoReg" -> C:\windows\Temp\_ex-08.exe [C:\windows\Temp\_ex-08.exe]
< Run [HKEY_USERS\S-1-5-21-3594272691-42644781-3159205762-1009\] > -> HKEY_USERS\S-1-5-21-3594272691-42644781-3159205762-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "lphcvrrj0e17v" -> C:\windows\System32\lphcvrrj0e17v.exe [C:\WINDOWS\system32\lphcvrrj0e17v.exe]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {1E54D648-B804-468d-BC78-4AFFED8E262E} [HKLM] -> http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab [System Requirements Lab Class]
YN -> {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} [HKLM] -> http://www.yougamers.com/systeminfo/FMSI.cab [Futuremark SystemInfo]
YN -> PUFLITE [HKLM] -> http://deniseleach.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\WINDOWS\Temp\_ex-08.exe" -> C:\WINDOWS\Temp\_ex-08.exe [C:\WINDOWS\Temp\_ex-08.exe:*:Enabled:Promo]
[Empty Temp Folders]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste the contents of that file here.

STEP 2

Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.

dleach · 28-Oct-2009, 08:40 PM #5

I can't get the combofix file because i uninstalled the program. But, AVG updated so I guess that is a good sign. AVG detected about 25 threats upon opening and most of them were under C:\Program Files\Internet Explorer. I'm going to wait before I use AVG. I attached the quick scan as OTS.txt

Here is what I got after the restart:
All Processes Killed
[Win32 Services - Safe List]
Unable to stop service ddnsfilter!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddnsfilter deleted successfully.
DllUnregisterServer procedure not found in C:\Program Files\DDnsFilter\DDnsFilter.dll
C:\Program Files\DDnsFilter\DDnsFilter.dll NOT unregistered.
C:\Program Files\DDnsFilter\DDnsFilter.dll moved successfully.
Service IY stopped successfully!
Service IY deleted successfully!
File not found.
[Driver Services - Safe List]
Service d1f4ce5b stopped successfully!
Service d1f4ce5b deleted successfully!
C:\windows\System32\drivers\d1f4ce5b.sys moved successfully.
Unable to stop service filter!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\filter deleted successfully.
C:\windows\System32\drivers\Filter.sys moved successfully.
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\11142184 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\13617826 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PromoReg deleted successfully.
C:\windows\Temp\_ex-08.exe moved successfully.
Registry key HKEY_USERS\S-1-5-21-3594272691-42644781-3159205762-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Run not found.
Starting removal of ActiveX control {1E54D648-B804-468d-BC78-4AFFED8E262E}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1E54D648-B804-468d-BC78-4AFFED8E262E}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E54D648-B804-468d-BC78-4AFFED8E262E}\ deleted successfully.
Starting removal of ActiveX control {D1E7CBDA-E60E-4970-A01C-37301EF7BF98}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D1E7CBDA-E60E-4970-A01C-37301EF7BF98}\Contains\Files\ not found.
C:\WINDOWS\Downloaded Program Files\FMSI.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D1E7CBDA-E60E-4970-A01C-37301EF7BF98}\ deleted successfully.
Starting removal of ActiveX control PUFLITE
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\PUFLITE\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\PUFLITE\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\Te mp\_ex-08.exe deleted successfully.
File C:\WINDOWS\Temp\_ex-08.exe not found.
[Empty Temp Folders]

User: All Users

User: Davis
->Temp folder emptied: 219478626 bytes
->Temporary Internet Files folder emptied: 276536738 bytes
->FireFox cache emptied: 34097728 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 229376 bytes
->Java cache emptied: 4042 bytes

User: Denise
->Temp folder emptied: 17664144 bytes
->Temporary Internet Files folder emptied: 129148212 bytes
->Java cache emptied: 1842431 bytes
->FireFox cache emptied: 68787070 bytes

User: Griffin
->Temp folder emptied: 89973515 bytes
->Temporary Internet Files folder emptied: 448831414 bytes
->Java cache emptied: 2993059 bytes
->FireFox cache emptied: 4211491 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 10080038 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6104140 bytes

User: TEMP
->Temp folder emptied: 573843 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\windows\E4D153288C89484BB9AAF5BE9EA6D01C.TMP folder deleted successfully.
C:\windows\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 155648 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 173636 bytes
RecycleBin emptied: 7507184 bytes

Total Files Cleaned = 1257.32 mb

< End of fix log >
OTS by OldTimer - Version 3.0.23.1 fix logfile created on 10282009_194403
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...

NeonFx · 28-Oct-2009, 10:14 PM #6

Alright, let's run a couple scanners to make sure we got everything.

STEP 1

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

STEP 2

I also want to run an online scanner. This will take a while but it's well worth it as it will often find stuff that all other scanners will miss.

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

STEP 3

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- E-mail databases
Click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View report... at the bottom.
Click the Save report... button.
Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

dleach · 31-Oct-2009, 12:14 AM #7

I used Malwarebytes and I got a log but after the reboot it wasn't there. So I ran it again after the reboot the second log didn't have anything on it. Then I ran the online scanner and there were no threats found.

NeonFx · 31-Oct-2009, 12:48 AM #8

You can find the logs for MalwareBytes by clicking on the "Logs" tab. Could you post the one that has detected items on it for me? I want to see what it found so that I may determine if there is anything else we need to do.

Also, hows the computer running?

dleach · 31-Oct-2009, 10:34 AM #9

Ok I got it. And I think the computer is running normally now.

Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 3
10/30/2009 7:27:49 PM
mbam-log-2009-10-30 (19-27-49).txt
Scan type: Quick Scan
Objects scanned: 115268
Time elapsed: 3 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{191 27ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43b f8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494 e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\syst emsecurity2009 (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DbgMgr (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SfX (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ddnsfilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\DDnsFilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise\Start Menu\Programs\Total Security (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Denise\Start Menu\Programs\Total Security\Total Security 2009.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146120114.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101464949.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465653.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\prxid93ps.dat (Malware.Trace) -> Quarantined and deleted successfully.

NeonFx · 31-Oct-2009, 02:00 PM **#10**

Alright. Before I give you my closing speech please do the following:

STEP 1

Run OTS

Under the Paste Fix Here box on the right, paste in the following

Code:

[Unregister Dlls]
[Custom Items]
:clearrestorepoints
:end
[Empty Temp Folders]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste the contents of that file here.

dleach · 03-Nov-2009, 09:28 PM **#11**

All Processes Killed
[Custom Items]
:clearrestorepoints
Restorepoints cleared and new one set!
[Empty Temp Folders]

User: All Users

User: Davis
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes

User: Denise
->Temp folder emptied: 88508524 bytes
->Temporary Internet Files folder emptied: 36150439 bytes
->Java cache emptied: 25626594 bytes
->FireFox cache emptied: 0 bytes

User: Griffin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: TEMP
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 29795853 bytes
RecycleBin emptied: 2812312 bytes

Total Files Cleaned = 174.52 mb

< End of fix log >
OTS by OldTimer - Version 3.0.23.1 fix logfile created on 11032009_212428
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...

NeonFx · 04-Nov-2009, 12:52 AM **#12**

Excellent. Let's cleanup.

STEP 1

To clean up OldTimer's tools, along with a few others, do the following:

Run OTS.exe by double clicking on it
Click on the "CleanUp" button on the top.
You will be asked if you wish to reboot your system, select "Yes"

STEP 2

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the Shift key, and select "Delete" by clicking on it. This will delete the files without sending them to the RecycleBin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (Programs and Features in Vista/7)

All Clean

Congratulations!,

, your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlockList Pro's HOSTS Manager HERE

Double click the Installer on your desktop and let it Install the Hosts Manager
After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
Click Disable DNS Service. This is important
In the Left Pane, click Download
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save

You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it HERE
You can find information about how WinPatrol works HERE

Other Software Updates
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

Setting up Automatic Updates
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this.

Read further information HERE on how to prevent Malware infections and keep yourself clean.

Feel free to mark this thread as "Solved" by clicking on the button at the top of this page. If you need anything else let me know.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for: