1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Problem with malware / dns redirector

Discussion in 'Virus & Other Malware Removal' started by evileyejoe, Sep 18, 2010.

Thread Status:
Not open for further replies.
Advertisement
  1. evileyejoe

    evileyejoe Thread Starter

    Joined:
    Oct 1, 2007
    Messages:
    17
    I've had problems getting the log file for GMER but I'll post everything else I've got at the moment. I'll get the other to you if I'm lucky.

    - Hijackthis log -

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:32:16 PM, on 9/16/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\DOCUME~1\MOMORV~1\LOCALS~1\Temp\FlashPlayerUpdate.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\taskmgr.exe
    E:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mindspring.net/ie/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MindSpring Internet Services
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (file missing)
    O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (file missing)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: UPnPService - Unknown owner - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6418 bytes



    - DDS -


    DDS (Ver_09-09-29.01) - NTFSx86
    Run by mom or vicki at 19:39:44.82 on Thu 09/16/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.394 [GMT -5:00]

    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\mom or vicki\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uWindow Title = Microsoft Internet Explorer provided by MindSpring Internet Services
    uSearch Bar = hxxp://www.mindspring.net/ie/searchbar.html
    mWindow Title = Microsoft Internet Explorer provided by CenturyTel
    uInternet Settings,ProxyOverride = <local>
    mSearchAssistant = hxxp://start.earthlink.net/AL/Search
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\earthlink totalaccess\accelerator\prpl_IePopupBlocker.dll
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    LSP: c:\program files\earthlink totalaccess\accelerator\prplsf.dll
    Trusted Zone: intuit.com\ttlc
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab
    DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    Notify: AtiExtEvent - Ati2evxx.dll

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-15 165584]
    R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-15 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 40384]
    R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-9-29 13088]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-29 24652]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-15 40384]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys --> c:\windows\system32\drivers\mfehidk.sys [?]
    S2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\mcshield.exe" --> c:\program files\mcafee\virusscan enterprise\mcshield.exe [?]
    S2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\vstskmgr.exe" --> c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [?]
    S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\magix\common\database\bin\fbserver.exe [2007-1-14 1527900]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-7-23 66056]
    S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys --> c:\windows\system32\drivers\mfeavfk.sys [?]
    S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys --> c:\windows\system32\drivers\mfebopk.sys [?]
    S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2007-1-14 647242]

    =============== Created Last 30 ================

    2010-09-15 22:47 38,848 a------- c:\windows\avastSS.scr
    2010-09-15 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-09-15 22:36 <DIR> --dsh--- c:\documents and settings\mom or vicki\IECompatCache
    2010-09-15 21:26 <DIR> --d----- c:\docume~1\momorv~1\applic~1\Malwarebytes
    2010-09-14 20:39 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-14 20:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-14 20:39 20,952 a------- c:\windows\system32\drivers\mbam.sys
    2010-09-14 20:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2010-09-14 20:35 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
    2010-09-14 20:35 21,504 a------- c:\windows\system32\hidserv.dll
    2010-09-14 20:34 14,848 ac------ c:\windows\system32\dllcache\kbdhid.sys
    2010-09-14 20:34 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
    2010-09-14 20:33 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
    2010-09-14 20:33 12,160 a------- c:\windows\system32\drivers\mouhid.sys
    2010-09-14 20:33 9,600 ac------ c:\windows\system32\dllcache\hidusb.sys
    2010-09-14 20:33 9,600 a------- c:\windows\system32\drivers\hidusb.sys

    ==================== Find3M ====================

    2009-07-08 23:47 158 a---h--- c:\documents and settings\mom or vicki\hpothb07.dat
    2009-07-08 23:47 362 a---h--- c:\documents and settings\all users\hpothb07.dat

    ============= FINISH: 19:41:03.37 ===============
     

    Attached Files:

  2. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :dir
      c:\program files\mcafee /s
      C:\Program Files\Alwil Software\Avast5\Data\Log
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  3. evileyejoe

    evileyejoe Thread Starter

    Joined:
    Oct 1, 2007
    Messages:
    17
    I removed Mcafee when I installed Avast for this computer recently. That folder doesn't exist in Avast... log below.

    SystemLook 04.09.10 by jpshortstuff
    Log created at 12:43 on 18/09/2010 by mom or vicki
    Administrator - Elevation successful

    ========== dir ==========

    c:\program files\mcafee - Unable to find folder.

    c:\program files\alwil software\avast5\data\log - Unable to find folder.

    -= EOF =-
     
  4. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

      Click me

    • Double click on ComboFix.exe & follow the prompts.

    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    [​IMG]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [​IMG]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  5. evileyejoe

    evileyejoe Thread Starter

    Joined:
    Oct 1, 2007
    Messages:
    17
    Combo fix log.. :

    ComboFix 10-09-17.04 - mom or vicki 09/18/2010 23:09:57.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.747 [GMT -5:00]
    Running from: c:\documents and settings\mom or vicki\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Whitney\Local Settings\Temporary Internet Files\hpothb07.dat
    c:\documents and settings\Whitney\Local Settings\Temporary Internet Files\hpothb07.tif
    c:\documents and settings\Whitney\Local Settings\Temporary Internet Files\temp.dmf

    Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
    .

    2010-09-16 03:48 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-16 03:48 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-16 03:48 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-16 03:48 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-16 03:47 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-16 03:47 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-16 03:47 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-16 03:47 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-16 03:47 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-16 03:46 . 2010-09-16 03:46 -------- d-----w- c:\program files\Alwil Software
    2010-09-16 03:46 . 2010-09-16 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-09-16 03:36 . 2010-09-16 03:36 -------- d-sh--w- c:\documents and settings\mom or vicki\IECompatCache
    2010-09-16 02:26 . 2010-09-16 02:26 -------- d-----w- c:\documents and settings\mom or vicki\Application Data\Malwarebytes
    2010-09-15 01:39 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-15 01:39 . 2010-09-15 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-15 01:39 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-15 01:39 . 2010-09-16 02:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-15 01:35 . 2004-08-04 07:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-09-15 01:35 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-09-15 01:34 . 2004-08-04 05:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
    2010-09-15 01:34 . 2004-08-04 05:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2010-09-15 01:33 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-09-15 01:33 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2010-09-15 01:33 . 2001-08-17 19:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-09-15 01:33 . 2001-08-17 19:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2010-08-24 05:47 . 2010-08-24 05:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-19 03:23 . 2010-03-01 04:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-16 05:44 . 2007-05-11 22:34 -------- d-----r- c:\program files\Morpheus
    2010-09-06 06:21 . 2010-07-16 07:48 0 ----a-w- c:\windows\Qxaxihikilugoqo.bin
    2010-08-28 02:03 . 2010-07-16 07:48 120 ----a-w- c:\windows\Jsizabivebaxi.dat
    2010-07-30 18:20 . 2007-05-11 22:05 -------- d-----w- c:\program files\Java
    2010-07-28 21:28 . 2010-07-28 21:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
    2010-07-22 07:05 . 2007-11-08 08:09 -------- d-----w- c:\program files\Ahead
    2010-07-22 07:05 . 2007-11-08 08:09 -------- d-----w- c:\program files\Common Files\Ahead
    2005-01-07 21:20 . 2005-01-07 21:20 278528 ----a-w- c:\program files\internet explorer\plugins\PanoViewer.dll
    2005-01-07 21:20 . 2005-01-07 21:20 143360 ----a-w- c:\program files\internet explorer\plugins\UPjpeg.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
    backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Whitney^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    path=c:\documents and settings\Whitney\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    backup=c:\windows\pss\PowerReg Scheduler.exeStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccessRampMonitor]
    1999-08-03 15:13 68096 ------w- c:\program files\AccessRamp\ARMon32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2003-05-23 02:43 88363 ----a-r- c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2003-10-29 03:10 335872 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
    2005-03-05 17:19 942080 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    2002-07-16 21:21 28672 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-11-13 02:16 286720 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2002-10-16 10:24 47104 ----a-w- c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
    2005-06-03 13:16 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "xmlprov"=3 (0x3)
    "WZCSVC"=2 (0x2)
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "WmiApSrv"=3 (0x3)
    "Wmi"=3 (0x3)
    "WmdmPmSN"=3 (0x3)
    "winmgmt"=2 (0x2)
    "WebClient"=2 (0x2)
    "W32Time"=2 (0x2)
    "VSS"=3 (0x3)
    "Viewpoint Manager Service"=2 (0x2)
    "UPS"=3 (0x3)
    "UPnPService"=3 (0x3)
    "upnphost"=3 (0x3)
    "UleadBurningHelper"=2 (0x2)
    "TrkWks"=2 (0x2)
    "Themes"=2 (0x2)
    "TermService"=3 (0x3)
    "TapiSrv"=3 (0x3)
    "SysmonLog"=3 (0x3)
    "SwPrv"=3 (0x3)
    "stisvc"=2 (0x2)
    "SSScsiSV"=3 (0x3)
    "SSDPSRV"=3 (0x3)
    "srservice"=2 (0x2)
    "SPTISRV"=3 (0x3)
    "Spooler"=2 (0x2)
    "ShellHWDetection"=2 (0x2)
    "SharedAccess"=2 (0x2)
    "SENS"=2 (0x2)
    "seclogon"=2 (0x2)
    "Schedule"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "SamSs"=2 (0x2)
    "RSVP"=3 (0x3)
    "RemoteRegistry"=2 (0x2)
    "RDSessMgr"=3 (0x3)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "ProtectedStorage"=2 (0x2)
    "PolicyAgent"=2 (0x2)
    "PlugPlay"=2 (0x2)
    "PACSPTISVR"=3 (0x3)
    "ose"=3 (0x3)
    "NtmsSvc"=3 (0x3)
    "NtLmSsp"=3 (0x3)
    "Nla"=3 (0x3)
    "Netman"=3 (0x3)
    "Netlogon"=3 (0x3)
    "MSIServer"=3 (0x3)
    "MSDTC"=3 (0x3)
    "MSCSPTISRV"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "McTaskManager"=2 (0x2)
    "McShield"=2 (0x2)
    "McAfeeFramework"=2 (0x2)
    "LmHosts"=2 (0x2)
    "lanmanworkstation"=2 (0x2)
    "lanmanserver"=2 (0x2)
    "IntuitUpdateService"=2 (0x2)
    "ImapiService"=3 (0x3)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "HTTPFilter"=3 (0x3)
    "HidServ"=2 (0x2)
    "helpsvc"=2 (0x2)
    "getPlus(R) Helper"=3 (0x3)
    "FontCache3.0.0.0"=3 (0x3)
    "FirebirdServerMAGIXInstance"=3 (0x3)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "EventSystem"=3 (0x3)
    "Eventlog"=2 (0x2)
    "ERSvc"=2 (0x2)
    "EarthLinkMonitor"=2 (0x2)
    "Dnscache"=2 (0x2)
    "dmserver"=2 (0x2)
    "dmadmin"=3 (0x3)
    "Dhcp"=2 (0x2)
    "CryptSvc"=2 (0x2)
    "COMSysApp"=3 (0x3)
    "clr_optimization_v2.0.50727_32"=3 (0x3)
    "CiSvc"=3 (0x3)
    "Browser"=2 (0x2)
    "BITS"=2 (0x2)
    "AudioSrv"=2 (0x2)
    "ATI Smart"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "aspnet_state"=3 (0x3)
    "AppMgmt"=3 (0x3)
    "ALG"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\StubInstaller.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/15/2010 10:48 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/15/2010 10:48 PM 17744]
    R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 12:47 PM 65604]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/29/2007 11:00 PM 24652]
    S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 3:16 PM 17536]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\magix\Common\Database\bin\fbserver.exe [1/14/2007 1:17 AM 1527900]
    S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [1/14/2007 1:15 AM 647242]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mWindow Title = Microsoft Internet Explorer provided by CenturyTel
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
    Trusted Zone: intuit.com\ttlc
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-ahrsjksl - c:\documents and settings\Admin\Local Settings\Application Data\hakasehar\ogwkwqstssd.exe
    MSConfigStartUp-dqayxwfn - c:\documents and settings\NetworkService\Local Settings\Application Data\ewaijwqxn\fxphgaotssd.exe
    MSConfigStartUp-evwadymo - c:\documents and settings\LocalService\Local Settings\Application Data\mvpklsbbq\mchlgnytssd.exe
    MSConfigStartUp-hlpgxbvh - c:\documents and settings\Admin\Local Settings\Application Data\lwhukfxcn\iqkijkiuqiw.exe
    MSConfigStartUp-McAfeeUpdaterUI - c:\program files\McAfee\Common Framework\UdaterUI.exe
    MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
    MSConfigStartUp-ProfileWatcher - c:\program files\ProfileWatcher\profilewatcher.exe
    MSConfigStartUp-ShStatEXE - c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    MSConfigStartUp-trspiptf - c:\documents and settings\NetworkService\Local Settings\Application Data\oxgkhxyey\pdcxlnvtssd.exe
    MSConfigStartUp-tvjlxuvs - c:\documents and settings\NetworkService\Local Settings\Application Data\hjxdnpseq\khnccoitssd.exe
    MSConfigStartUp-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-18 23:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(544)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(600)
    c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
    .
    Completion time: 2010-09-18 23:27:54
    ComboFix-quarantined-files.txt 2010-09-19 04:27

    Pre-Run: 41,613,242,368 bytes free
    Post-Run: 43,367,333,888 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - C4EA3A027EB92BFF775D78ECB1B043BF
     
  6. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Please download OTM
    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      
      :Services
      
      :Reg
      
      :Files
      ipconfig /flushdns /c
      c:\windows\Qxaxihikilugoqo.bin
      c:\windows\Jsizabivebaxi.dat
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [CREATERESTOREPOINT]
      [EMPTYFLASH]
      [Reboot]
      
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean




    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






    Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  7. evileyejoe

    evileyejoe Thread Starter

    Joined:
    Oct 1, 2007
    Messages:
    17
    Here is the log file from the OTM. Kaspersky is currently running.

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\mom or vicki\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\mom or vicki\Desktop\cmd.txt deleted successfully.
    c:\windows\Qxaxihikilugoqo.bin moved successfully.
    c:\windows\Jsizabivebaxi.dat moved successfully.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Admin
    ->Temp folder emptied: 367055805 bytes
    ->Temporary Internet Files folder emptied: 778315471 bytes
    ->Java cache emptied: 2231550 bytes
    ->FireFox cache emptied: 66482800 bytes
    ->Flash cache emptied: 27126 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 5210246 bytes
    ->Flash cache emptied: 43629 bytes

    User: mom or vicki
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 1171318 bytes
    ->Java cache emptied: 1313128 bytes
    ->FireFox cache emptied: 6032288 bytes
    ->Flash cache emptied: 19655 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 39130 bytes

    User: Whitney
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 1159555 bytes
    ->Java cache emptied: 10362123 bytes
    ->FireFox cache emptied: 3030105 bytes
    ->Flash cache emptied: 24003 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 1119318 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 266089 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1,186.00 mb

    Restore point Set: OTM Restore Point (0)

    OTM by OldTimer - Version 3.1.16.1 log created on 09192010_083852

    Files moved on Reboot...
    File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  8. evileyejoe

    evileyejoe Thread Starter

    Joined:
    Oct 1, 2007
    Messages:
    17
    Here is what Kas found.

    C:\System Volume Information\_restore{B48DE0BB-B0EC-4B43-94E3-FF6CDE29A273}\RP1\A0000055.sys Infected: Virus.Win32.TDSS.b
    C:\System Volume Information\_restore{B48DE0BB-B0EC-4B43-94E3-FF6CDE29A273}\RP1\A0000124.exe Infected: Trojan.Win32.FraudPack.bjto
     
  9. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    got the mbam log ?
     
  10. evileyejoe

    evileyejoe Thread Starter

    Joined:
    Oct 1, 2007
    Messages:
    17
    There was nothing there.. sorry.

    The system seems to be running good. I'm not being redirected any longer and I was able to do windows updates and update to XP sp3 as well.
     
  11. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Your logs are clean


    Follow these steps to uninstall Combofix and tools used in the removal of malware

    Uninstall ComboFix

    Remove Combofix now that we're done with it.
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
      [​IMG]
    • Please follow the prompts to uninstall Combofix.
    • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.


    • Download OTC to your desktop and run it
    • Click Yes to beginning the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


    • Please read my guide on how to prevent malware and about safe computing here
    Thank you for your patience, and performing all of the procedures requested.
     
  12. evileyejoe

    evileyejoe Thread Starter

    Joined:
    Oct 1, 2007
    Messages:
    17
    Thanks for the help.
     
  13. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    no problem
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/950820