Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Virus & Other Malware Removal Virus & Other Malware Removal
Search Search
Search for:
Tech Support Guy > > >

Solved: Problem with malware / dns redirector


(!)

evileyejoe's Avatar
evileyejoe evileyejoe is offline
Member with 17 posts.
THREAD STARTER
 
Join Date: Oct 2007
Experience: Advanced
18-Sep-2010, 12:57 PM #1
Problem with malware / dns redirector
I've had problems getting the log file for GMER but I'll post everything else I've got at the moment. I'll get the other to you if I'm lucky.

- Hijackthis log -

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:32:16 PM, on 9/16/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\MOMORV~1\LOCALS~1\Temp\FlashPlayerUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mindspring.net/ie/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MindSpring Internet Services
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/...osticsxp2k.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPnPService - Unknown owner - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6418 bytes



- DDS -


DDS (Ver_09-09-29.01) - NTFSx86
Run by mom or vicki at 19:39:44.82 on Thu 09/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.394 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\mom or vicki\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Microsoft Internet Explorer provided by MindSpring Internet Services
uSearch Bar = hxxp://www.mindspring.net/ie/searchbar.html
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\earthlink totalaccess\accelerator\prpl_IePopupBlocker.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: c:\program files\earthlink totalaccess\accelerator\prplsf.dll
Trusted Zone: intuit.com\ttlc
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-15 165584]
R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-15 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 40384]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-9-29 13088]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-29 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 40384]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys --> c:\windows\system32\drivers\mfehidk.sys [?]
S2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\mcshield.exe" --> c:\program files\mcafee\virusscan enterprise\mcshield.exe [?]
S2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\vstskmgr.exe" --> c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\magix\common\database\bin\fbserver.exe [2007-1-14 1527900]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-7-23 66056]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys --> c:\windows\system32\drivers\mfeavfk.sys [?]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys --> c:\windows\system32\drivers\mfebopk.sys [?]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2007-1-14 647242]

=============== Created Last 30 ================

2010-09-15 22:47 38,848 a------- c:\windows\avastSS.scr
2010-09-15 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-15 22:36 <DIR> --dsh--- c:\documents and settings\mom or vicki\IECompatCache
2010-09-15 21:26 <DIR> --d----- c:\docume~1\momorv~1\applic~1\Malwarebytes
2010-09-14 20:39 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 20:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-14 20:39 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-09-14 20:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 20:35 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2010-09-14 20:35 21,504 a------- c:\windows\system32\hidserv.dll
2010-09-14 20:34 14,848 ac------ c:\windows\system32\dllcache\kbdhid.sys
2010-09-14 20:34 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2010-09-14 20:33 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2010-09-14 20:33 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2010-09-14 20:33 9,600 ac------ c:\windows\system32\dllcache\hidusb.sys
2010-09-14 20:33 9,600 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-07-08 23:47 158 a---h--- c:\documents and settings\mom or vicki\hpothb07.dat
2009-07-08 23:47 362 a---h--- c:\documents and settings\all users\hpothb07.dat

============= FINISH: 19:41:03.37 ===============
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
Rorschach112's Avatar
Senior Member with 2,392 posts.
 
Join Date: Oct 2008
18-Sep-2010, 01:16 PM #2
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir
    c:\program files\mcafee /s
    C:\Program Files\Alwil Software\Avast5\Data\Log
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
evileyejoe's Avatar
evileyejoe evileyejoe is offline
Member with 17 posts.
THREAD STARTER
 
Join Date: Oct 2007
Experience: Advanced
18-Sep-2010, 01:47 PM #3
I removed Mcafee when I installed Avast for this computer recently. That folder doesn't exist in Avast... log below.

SystemLook 04.09.10 by jpshortstuff
Log created at 12:43 on 18/09/2010 by mom or vicki
Administrator - Elevation successful

========== dir ==========

c:\program files\mcafee - Unable to find folder.

c:\program files\alwil software\avast5\data\log - Unable to find folder.

-= EOF =-
Rorschach112's Avatar
Senior Member with 2,392 posts.
 
Join Date: Oct 2008
18-Sep-2010, 08:25 PM #4
Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
evileyejoe's Avatar
evileyejoe evileyejoe is offline
Member with 17 posts.
THREAD STARTER
 
Join Date: Oct 2007
Experience: Advanced
19-Sep-2010, 12:49 AM #5
Combo fix log.. :

ComboFix 10-09-17.04 - mom or vicki 09/18/2010 23:09:57.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.747 [GMT -5:00]
Running from: c:\documents and settings\mom or vicki\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Whitney\Local Settings\Temporary Internet Files\hpothb07.dat
c:\documents and settings\Whitney\Local Settings\Temporary Internet Files\hpothb07.tif
c:\documents and settings\Whitney\Local Settings\Temporary Internet Files\temp.dmf

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.

2010-09-16 03:48 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-16 03:48 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-16 03:48 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-16 03:48 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-16 03:47 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-16 03:47 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-16 03:47 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-16 03:47 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-09-16 03:47 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-16 03:46 . 2010-09-16 03:46 -------- d-----w- c:\program files\Alwil Software
2010-09-16 03:46 . 2010-09-16 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-16 03:36 . 2010-09-16 03:36 -------- d-sh--w- c:\documents and settings\mom or vicki\IECompatCache
2010-09-16 02:26 . 2010-09-16 02:26 -------- d-----w- c:\documents and settings\mom or vicki\Application Data\Malwarebytes
2010-09-15 01:39 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-15 01:39 . 2010-09-15 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-15 01:39 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 01:39 . 2010-09-16 02:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-15 01:35 . 2004-08-04 07:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-09-15 01:35 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-09-15 01:34 . 2004-08-04 05:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-09-15 01:34 . 2004-08-04 05:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-09-15 01:33 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-09-15 01:33 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-15 01:33 . 2001-08-17 19:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-09-15 01:33 . 2001-08-17 19:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-08-24 05:47 . 2010-08-24 05:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-19 03:23 . 2010-03-01 04:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-16 05:44 . 2007-05-11 22:34 -------- d-----r- c:\program files\Morpheus
2010-09-06 06:21 . 2010-07-16 07:48 0 ----a-w- c:\windows\Qxaxihikilugoqo.bin
2010-08-28 02:03 . 2010-07-16 07:48 120 ----a-w- c:\windows\Jsizabivebaxi.dat
2010-07-30 18:20 . 2007-05-11 22:05 -------- d-----w- c:\program files\Java
2010-07-28 21:28 . 2010-07-28 21:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-22 07:05 . 2007-11-08 08:09 -------- d-----w- c:\program files\Ahead
2010-07-22 07:05 . 2007-11-08 08:09 -------- d-----w- c:\program files\Common Files\Ahead
2005-01-07 21:20 . 2005-01-07 21:20 278528 ----a-w- c:\program files\internet explorer\plugins\PanoViewer.dll
2005-01-07 21:20 . 2005-01-07 21:20 143360 ----a-w- c:\program files\internet explorer\plugins\UPjpeg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Whitney^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Whitney\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccessRampMonitor]
1999-08-03 15:13 68096 ------w- c:\program files\AccessRamp\ARMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2003-05-23 02:43 88363 ----a-r- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-10-29 03:10 335872 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
2005-03-05 17:19 942080 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-16 21:21 28672 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-11-13 02:16 286720 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2002-10-16 10:24 47104 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2005-06-03 13:16 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"UPS"=3 (0x3)
"UPnPService"=3 (0x3)
"upnphost"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSScsiSV"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"SPTISRV"=3 (0x3)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"IntuitUpdateService"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"getPlus(R) Helper"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EarthLinkMonitor"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/15/2010 10:48 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/15/2010 10:48 PM 17744]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 12:47 PM 65604]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/29/2007 11:00 PM 24652]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 3:16 PM 17536]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\magix\Common\Database\bin\fbserver.exe [1/14/2007 1:17 AM 1527900]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [1/14/2007 1:15 AM 647242]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
Trusted Zone: intuit.com\ttlc
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ahrsjksl - c:\documents and settings\Admin\Local Settings\Application Data\hakasehar\ogwkwqstssd.exe
MSConfigStartUp-dqayxwfn - c:\documents and settings\NetworkService\Local Settings\Application Data\ewaijwqxn\fxphgaotssd.exe
MSConfigStartUp-evwadymo - c:\documents and settings\LocalService\Local Settings\Application Data\mvpklsbbq\mchlgnytssd.exe
MSConfigStartUp-hlpgxbvh - c:\documents and settings\Admin\Local Settings\Application Data\lwhukfxcn\iqkijkiuqiw.exe
MSConfigStartUp-McAfeeUpdaterUI - c:\program files\McAfee\Common Framework\UdaterUI.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-ProfileWatcher - c:\program files\ProfileWatcher\profilewatcher.exe
MSConfigStartUp-ShStatEXE - c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE
MSConfigStartUp-trspiptf - c:\documents and settings\NetworkService\Local Settings\Application Data\oxgkhxyey\pdcxlnvtssd.exe
MSConfigStartUp-tvjlxuvs - c:\documents and settings\NetworkService\Local Settings\Application Data\hjxdnpseq\khnccoitssd.exe
MSConfigStartUp-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-18 23:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_Ac tiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(600)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2010-09-18 23:27:54
ComboFix-quarantined-files.txt 2010-09-19 04:27

Pre-Run: 41,613,242,368 bytes free
Post-Run: 43,367,333,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C4EA3A027EB92BFF775D78ECB1B043BF
Rorschach112's Avatar
Senior Member with 2,392 posts.
 
Join Date: Oct 2008
19-Sep-2010, 06:58 AM #6
Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    c:\windows\Qxaxihikilugoqo.bin
    c:\windows\Jsizabivebaxi.dat
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
evileyejoe's Avatar
evileyejoe evileyejoe is offline
Member with 17 posts.
THREAD STARTER
 
Join Date: Oct 2007
Experience: Advanced
19-Sep-2010, 11:06 AM #7
Here is the log file from the OTM. Kaspersky is currently running.

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\mom or vicki\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\mom or vicki\Desktop\cmd.txt deleted successfully.
c:\windows\Qxaxihikilugoqo.bin moved successfully.
c:\windows\Jsizabivebaxi.dat moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 367055805 bytes
->Temporary Internet Files folder emptied: 778315471 bytes
->Java cache emptied: 2231550 bytes
->FireFox cache emptied: 66482800 bytes
->Flash cache emptied: 27126 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5210246 bytes
->Flash cache emptied: 43629 bytes

User: mom or vicki
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1171318 bytes
->Java cache emptied: 1313128 bytes
->FireFox cache emptied: 6032288 bytes
->Flash cache emptied: 19655 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 39130 bytes

User: Whitney
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1159555 bytes
->Java cache emptied: 10362123 bytes
->FireFox cache emptied: 3030105 bytes
->Flash cache emptied: 24003 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1119318 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 266089 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,186.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.16.1 log created on 09192010_083852

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
evileyejoe's Avatar
evileyejoe evileyejoe is offline
Member with 17 posts.
THREAD STARTER
 
Join Date: Oct 2007
Experience: Advanced
19-Sep-2010, 08:51 PM #8
Here is what Kas found.

C:\System Volume Information\_restore{B48DE0BB-B0EC-4B43-94E3-FF6CDE29A273}\RP1\A0000055.sys Infected: Virus.Win32.TDSS.b
C:\System Volume Information\_restore{B48DE0BB-B0EC-4B43-94E3-FF6CDE29A273}\RP1\A0000124.exe Infected: Trojan.Win32.FraudPack.bjto

Last edited by evileyejoe; 19-Sep-2010 at 09:03 PM..
Rorschach112's Avatar
Senior Member with 2,392 posts.
 
Join Date: Oct 2008
20-Sep-2010, 08:13 AM #9
got the mbam log ?
evileyejoe's Avatar
evileyejoe evileyejoe is offline
Member with 17 posts.
THREAD STARTER
 
Join Date: Oct 2007
Experience: Advanced
20-Sep-2010, 08:16 AM #10
There was nothing there.. sorry.

The system seems to be running good. I'm not being redirected any longer and I was able to do windows updates and update to XP sp3 as well.

Last edited by evileyejoe; 20-Sep-2010 at 08:25 AM..
Rorschach112's Avatar
Senior Member with 2,392 posts.
 
Join Date: Oct 2008
20-Sep-2010, 08:27 AM #11
Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
evileyejoe's Avatar
evileyejoe evileyejoe is offline
Member with 17 posts.
THREAD STARTER
 
Join Date: Oct 2007
Experience: Advanced
20-Sep-2010, 06:23 PM #12
Thanks for the help.
Rorschach112's Avatar
Senior Member with 2,392 posts.
 
Join Date: Oct 2008
20-Sep-2010, 06:43 PM #13
no problem
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.


(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


Similar Threads
Title Thread Starter Forum Replies Last Post
Cannot communicate with primary dns.....vista problem polleyse Windows Vista 1 03-Aug-2010 11:35 PM
Problem with vista nycwiseguy91 All Other Software 2 17-Jul-2009 02:48 AM
Internet problems with Zlob.DNSChanger dodid0 Virus & Other Malware Removal 1 29-Jun-2009 11:12 AM
Solved: Cannot communicate with Primary DNS server (203.97.78.43) trees_b Networking 12 06-Jun-2009 02:46 AM
Problem with n1 vision belkin router & acer laptop unable to access network PFWIN General Security 0 06-Apr-2009 05:33 AM

WELCOME
You Are Using: Server ID
Trusted Website Back to the Top ↑