
Google Redirector virus/malware


  • This topic is locked
12 replies to this topic

#1 DaraLynn
  • Members
  • 8 posts

Posted 25 May 2009 - 05:05 PM

Hi, I've got the google redirector like so many others posting here. I'd really appreciate any help getting rid of this thing before I wind up with something really nasty hiding somewhere in the background since this is used for my personal business and company business. NOTE: I'm aware that my ZoneAlarm has expired - the problem developed before it expired - but now I'm leery of updating the subscription online until I get this virus or whatever it is off my laptop. When it's clean, I'll renew.

I'm pasting the DDS log and attaching the other log, zipped, so someone can check it out as well. Let me know if there's something I forgot to add.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Lynn at 16:41:57.35 on Mon 05/25/2009
Internet Explorer: 7.0.6000.16764 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1126 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\WLANExt.exe
C:\WINDOWS\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\WINDOWS\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Users\Lynn\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {61114AB8-4C9B-436C-B7A0-C1A4984D2B44} = 85.255.112.39,85.255.112.40
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\lynn\appdata\roaming\mozilla\firefox\profiles\aaie3nhw.default\
FF - prefs.js: browser.search.selectedEngine - Creative Commons
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\lynn\appdata\roaming\mozilla\firefox\profiles\aaie3nhw.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\users\lynn\appdata\roaming\mozilla\firefox\profiles\aaie3nhw.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

============= SERVICES / DRIVERS ===============

S2 gupdate1c99f85362fff3;Google Update Service (gupdate1c99f85362fff3);c:\program files\google\update\GoogleUpdate.exe [2009-3-7 133104]

=============== Created Last 30 ================

2009-05-22 15:06 <DIR> --d----- c:\programdata\Acronis
2009-05-22 14:54 392,320 a------- c:\windows\system32\drivers\timntr.sys
2009-05-22 14:54 32,768 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-05-22 14:54 114,048 a------- c:\windows\system32\drivers\snapman.sys
2009-05-22 13:34 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-05-25 16:23 31,926,304 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-25 15:28 65,060 a------- c:\programdata\nvModes.dat
2009-05-25 15:28 65,060 a------- c:\progra~2\nvModes.dat
2009-05-25 15:25 354,388 a---h--- c:\windows\system32\drivers\vsconfig.xml
2009-05-25 15:22 432,296 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 17:01 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-16 17:01 51,200 a------- c:\windows\inf\infpub.dat
2009-01-16 17:01 86,016 a------- c:\windows\inf\infstor.dat
2009-01-16 16:40 35,166 a------- c:\users\lynn\appdata\roaming\nvModes.dat
2008-12-17 21:17 174 a--sh--- c:\program files\desktop.ini
2008-07-04 15:44 975,890 a------- c:\program files\setup.exe
2008-06-14 10:42 665,600 a------- c:\windows\inf\drvindex.dat
2008-02-11 20:07 779,536 a------- c:\program files\MoveMediaPlayer_07076007.exe
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-02-01 23:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-02-01 23:07 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-02-01 23:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 16:44:12.39 ===============

Attached Files
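The "Pseudo HJT Report" section of the DDS log above carries the entries a responder would look at first: the two `TCP:` lines that hard-code public nameservers the user never configured (a DNS hijack is exactly how a "Google redirect" presents), UAC switched off (`EnableLUA = 0`), an orphaned BHO registration, an extra LSA authentication package, and a non-default Firefox proxy mode. The script below is an added example (not part of the thread, and not DDS's own code) that applies those checks to a constructed sample made of lines copied from the report. `EXPECTED_RESOLVERS` and `BASELINE_AUTH_PACKAGES` are assumptions standing in for an organisation's known-good baseline; an extra LSA package is only flagged for review, and a reviewer still has to match it against legitimately installed software before calling it malicious.

```python
"""Flag the risky entries in a DDS 'Pseudo HJT Report' (added example)."""
import ipaddress
import re

# Constructed sample: lines copied from the DDS report posted above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {61114AB8-4C9B-436C-B7A0-C1A4984D2B44} = 85.255.112.39,85.255.112.40
LSA: Authentication Packages = msv1_0 relog_ap
FF - prefs.js: network.proxy.type - 4
"""

# Assumption: resolvers the owner deliberately configured. Empty here, so every
# hard-coded public nameserver counts as unexpected.
EXPECTED_RESOLVERS = frozenset()

# Windows' stock NTLM authentication package; anything beyond it gets reviewed.
BASELINE_AUTH_PACKAGES = frozenset({"msv1_0"})

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def _finding(severity, rule, detail, line):
    return {"severity": severity, "rule": rule, "detail": detail, "line": line}


def triage(report):
    """Return one finding per suspicious report line."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("TCP:"):
            # A DNS hijack shows up as global or per-interface nameservers the
            # owner never configured; rogue DNS also explains search redirects.
            unexpected = [ip for ip in IPV4.findall(line)
                          if ip not in EXPECTED_RESOLVERS
                          and ipaddress.ip_address(ip).is_global]
            if unexpected:
                findings.append(_finding("high", "unexpected-dns-server",
                                         ",".join(unexpected), line))
        elif line.startswith("mPolicies-system:") and "EnableLUA = 0" in line:
            findings.append(_finding("medium", "uac-disabled", "EnableLUA=0", line))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(_finding("low", "orphaned-bho",
                                     "registered BHO whose DLL is missing", line))
        elif line.startswith("LSA: Authentication Packages"):
            packages = set(line.split("=", 1)[1].split())
            extra = sorted(packages - BASELINE_AUTH_PACKAGES)
            if extra:
                findings.append(_finding("medium", "extra-lsa-package",
                                         " ".join(extra), line))
        elif line.startswith("FF - prefs.js: network.proxy.type"):
            value = line.rsplit("-", 1)[1].strip()
            if value != "0":  # 0 = direct connection; anything else routes traffic
                findings.append(_finding("info", "firefox-proxy-configured",
                                         f"network.proxy.type={value}", line))
    return findings


def summarise(findings):
    """Count findings per severity, highest first."""
    order = ["high", "medium", "low", "info"]
    return {sev: sum(f["severity"] == sev for f in findings) for sev in order}


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['severity']:6}] {f['rule']}: {f['detail']}")
    print(summarise(triage(SAMPLE_REPORT)))
```

Run against the sample it reports two high findings (both `TCP:` lines point at the same pair of public resolvers), two medium (UAC off, extra LSA package), one low and one informational. Private resolver addresses such as a home router's are not flagged, which is the usual blind spot: a hijacked router would need a different check.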




#2 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 June 2009 - 12:14 AM

Hello DaraLynn,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 13
    Java 6 Update 3
    Java 6 Update 5
    Java 6 Update 7
    Java(TM) SE Runtime Environment 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
Since ZoneAlarm Security Suite Antivirus has expired, uninstall it.

I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed :!:
This is somewhat suicidal in today's digital world. 8O
That's why I want you to install one first!!

Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus :!:

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.

Edited by SifuMike, 02 June 2009 - 12:16 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 DaraLynn (Topic Starter)

Posted 03 June 2009 - 09:00 AM

Thanks for getting back to me. I'll be sure to get the Java cleared up and I've already updated the ZA. Because this laptop is used for the business, I had to take action and do something. Used Malwarebytes and got rid of some spyware, found and deleted the trojans and cleaned out the registry. It seems to be running well now and there's no more redirection on google. Aside from removing the old Java, what do you suggest I do now?

#4 SifuMike

Posted 03 June 2009 - 10:43 AM

Hi DaraLynn,

Let's make sure there is no lingering malware.


Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.

Edited by SifuMike, 03 June 2009 - 10:44 AM.


#5 DaraLynn (Topic Starter)

Posted 03 June 2009 - 05:42 PM

Ok, here's the Kaspersky scan log:


KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 3, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 03, 2009 21:30:38
Records in database: 2303289
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 174782
Threat name: 3
Infected objects: 7
Suspicious objects: 1
Duration of the scan: 02:38:49


File name / Threat name / Threats count
C:\Users\Lynn\AppData\Local\Microsoft\Outlook\Outlook.pst Infected: Trojan-Downloader.Win32.VB.dck 1
C:\Users\Lynn\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\7E87390C-000000B2.eml Infected: Trojan-Downloader.Win32.VB.dck 1
C:\Users\Lynn\AppData\Local\Temp\tmp7E74.tmp Infected: Packed.Win32.Tdss.c 1
C:\Users\Lynn\AppData\Local\Temp\tmp7E84.tmp Suspicious: Trojan.Win32.Patched.dy 1
C:\Users\Lynn\Documents\Documents\Local Folders\Sent Items\7E87390C-000000B2.eml Infected: Trojan-Downloader.Win32.VB.dck 1
C:\WINDOWS\Temp\160225694.tmp Infected: Packed.Win32.Tdss.c 1
C:\WINDOWS\Temp\160244929.tmp Infected: Packed.Win32.Tdss.c 1
D:\RECYCLER\S-6-9-61-100025653-100025539-100013646-6876.com Infected: Packed.Win32.Tdss.c 1

#6 SifuMike

Posted 03 June 2009 - 06:01 PM

Hi DaraLynn,

C:\Users\Lynn\AppData\Local\Microsoft\Outlook\Outlook.pst Infected: Trojan-Downloader.Win32.VB.dck 1


One of the emails inside this folder in your Outlook is malicious. Usually they are the ones that drop the infection, so beware of opening those emails, especially the attachments.

Open the folder and one by one delete the emails that came from an anonymous sender or emails from friends with suspicious attachments. Then empty the folder of deleted items.


Make sure you close your Firefox and IE browser before running OTMoveIt3.


Please download OTMoveIt3 by OldTimer and save it to your desktop.
Double click the icon on your desktop to run it.
(Note: If you are running on Vista, right-click on the file and choose Run As Administrator).


Copy the lines in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Do not include the word "Code".


:files
C:\Users\Lynn\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\7E87390C-000000B2.eml 
C:\Users\Lynn\AppData\Local\Temp\tmp7E74.tmp 
C:\Users\Lynn\Documents\Documents\Local Folders\Sent Items\7E87390C-000000B2.eml 
C:\WINDOWS\Temp\160225694.tmp 
C:\WINDOWS\Temp\160244929.tmp 
D:\RECYCLER\S-6-9-61-100025653-100025539-100013646-6876.com 
:commands
[emptytemp]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Your system is infected with a Flash Drive infector

Warning: Any flash / jump drives you have connected to this system since your infection have been compromised by a flash drive infector.
We are going to run a tool as part of the following fix which will disinfect your machine, as well as clean any flash drives connected to the system.
It is advised you connect any flash drives that have been connected to this machine during this time frame to this system for the following fix, in order to disinfect them.

Please let owners of other machines to which you have connected any flash media or drives know that their machines may now be infected.

We need to remove the Flash Drive infector


What will Flash Disinfector do:
- Cleans up junk created by flash malware
- Deletes autorun.inf from every root folder
- Fixes damage done to your system
- Creates an autorun.inf folder in the root of your system drives


Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.

Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
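The last item in the Flash Disinfector list is the interesting one: a drive infector works by dropping a file named `autorun.inf` at the root of every drive it can reach, and a directory already occupying that name makes the drop fail, because a file and a directory cannot share a name. The script below is an added example (not the thread's content, and not Flash_Disinfector's code) that demonstrates the effect in a throwaway temporary directory standing in for a drive root: it classifies what occupies the `autorun.inf` name, applies the folder trick, and shows that a simulated write of an `autorun.inf` file succeeds before and fails after. The written content is a bare section header with no commands. Later Windows updates stopped honouring `autorun.inf` on removable drives, so the trick matters most on systems of this thread's vintage.

```python
"""Show why a directory named autorun.inf blocks a drive infector's usual foothold (added example)."""
import os
import tempfile

AUTORUN = "autorun.inf"


def classify_root(root):
    """Report what occupies the autorun.inf name at a drive root."""
    path = os.path.join(root, AUTORUN)
    if os.path.isdir(path):
        return "protected"             # the folder trick is in place
    if os.path.isfile(path):
        return "autorun-file-present"  # a real autorun.inf: inspect it before removing
    return "unprotected"


def protect_root(root):
    """Occupy the autorun.inf name with a directory, as Flash Disinfector does."""
    path = os.path.join(root, AUTORUN)
    if os.path.isfile(path):
        raise RuntimeError(f"{path} is a file; examine and remove it first")
    os.makedirs(path, exist_ok=True)
    return path


def simulate_infector_write(root):
    """Attempt what a flash-drive infector attempts: create a file named
    autorun.inf at the root. Returns True if the write went through.
    The content is a harmless section header with no commands."""
    try:
        with open(os.path.join(root, AUTORUN), "w") as fh:
            fh.write("[autorun]\n")
        return True
    except OSError:
        # IsADirectoryError on POSIX, PermissionError on Windows: the name is taken.
        return False


def demo():
    """Before/after comparison in a temporary directory standing in for a drive root."""
    with tempfile.TemporaryDirectory() as root:
        before = (classify_root(root), simulate_infector_write(root))
        os.remove(os.path.join(root, AUTORUN))  # clean up the simulated drop
        protect_root(root)
        after = (classify_root(root), simulate_infector_write(root))
    return before, after


if __name__ == "__main__":
    print(demo())  # (('unprotected', True), ('protected', False))
```

`classify_root` is the check worth keeping afterwards: run over each drive root it distinguishes a protective folder from a genuine `autorun.inf` file, which is the state that should trigger a closer look at the drive rather than a reflexive delete.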

#7 DaraLynn (Topic Starter)

Posted 03 June 2009 - 07:12 PM

Ok, ran OTMI3 and the Flash fixer, which did its thing and gave me the "ok". Here's the OTMoveIt3 log:


========== FILES ==========
C:\Users\Lynn\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\7E87390C-000000B2.eml moved successfully.
C:\Users\Lynn\AppData\Local\Temp\tmp7E74.tmp moved successfully.
C:\Users\Lynn\Documents\Documents\Local Folders\Sent Items\7E87390C-000000B2.eml moved successfully.
C:\WINDOWS\Temp\160225694.tmp moved successfully.
C:\WINDOWS\Temp\160244929.tmp moved successfully.
File move failed. D:\RECYCLER\S-6-9-61-100025653-100025539-100013646-6876.com scheduled to be moved on reboot.
========== COMMANDS ==========
File delete failed. C:\Users\Lynn\AppData\Local\Temp\~DFB84D.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Lynn\AppData\Local\Temp\~DFBE6D.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Lynn\AppData\Local\Temp\~DFCC21.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Windows\temp\ZLT06a2a.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 06032009_183122

Files moved on Reboot...
File D:\RECYCLER\S-6-9-61-100025653-100025539-100013646-6876.com not found!
File C:\Users\Lynn\AppData\Local\Temp\~DFB84D.tmp not found!
File C:\Users\Lynn\AppData\Local\Temp\~DFBE6D.tmp not found!
C:\Users\Lynn\AppData\Local\Temp\~DFCC21.tmp moved successfully.
C:\Windows\temp\ZLT06a2a.TMP moved successfully.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Are we there yet? I feel like I'm 5 again but I am curious if we're getting close to the end of line. Not that I haven't enjoyed your company, of course. :thumbup2:

DaraLynn

#8 SifuMike

Posted 03 June 2009 - 08:18 PM

Hi DaraLynn,

Are we there yet?

As my parents used to tell me, it's just over the next hill. :thumbup2:

How is your computer running?

#9 DaraLynn (Topic Starter)

Posted 04 June 2009 - 12:23 AM

So far, so good. Everything seems to be running just fine and that's great. It makes me very happy. :thumbup2:

So what's next?

DaraLynn

#10 SifuMike

Posted 04 June 2009 - 01:09 AM

Hi DaraLynn,

Open OTMoveIt3 and click the CleanUp! button on top.
In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present.
They are not needed anymore, so OTMoveIt3 will delete them.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.
Then reboot your computer.


Please read and follow

Simple and easy ways to keep your computer safe and secure on the Internet
as well as
How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.


Now the part you have been waiting for. :thumbup2:
I think you are good to go.

#11 DaraLynn (Topic Starter)

Posted 04 June 2009 - 09:08 AM

Well all right then, I can do that. Do those instructions for keeping things clean & bug free include keeping kids off the computer? It should probably be the #1 item on the list. Closely followed by No Joke Junk Mail. I appreciate all your help. Now maybe one of us will quit keeping such late, or is that early, hours.

It seems our time together has come to an end. Thanks so much! :thumbup2: *snoopy dance*

DaraLynn

#12 SifuMike

Posted 04 June 2009 - 10:03 AM

You're very welcome. I hope your computer continues to run smoothly. :thumbup2:

#13 SifuMike

Posted 16 June 2009 - 09:54 PM

Since your problem appears to be resolved, this thread will now be closed.



