Google links hijacked


  • This topic is locked
44 replies to this topic

#1 miklc


  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:50 PM

Posted 05 October 2009 - 04:58 AM

Hey guys. I hope someone can help me as this is really bothering everyone here.
I am using a laptop Windows SP3, and when I click on a link from google it will usually take me to some other webpage, like ebay or britannia search or something that mimics a windows page and says the computer is infected with viruses etc. This page resists closing and starts opening tabs like crazy.

I have run AVG and SUPERAntispyware and removed everything there, as well as Malwarebytes' scan. I have installed zonealarm firewall. Nothing helps.

I hope someone can help, I'd really appreciate it.

michael

DDS:


DDS (Ver_09-09-29.01) - NTFSx86
Run by julie colgan at 10:35:34.83 on 05/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.88 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.5.561 [VPS 0518-4] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\julie colgan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.co.uk
uSearch Bar = hxxp://www.google.co.uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www.freeserve.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.co.uk
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.4000.1001\en-gb\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0494D0D9-F8E0-41AD-92A3-14154ECE70AC} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BTAgile] c:\program files\bt broadband talk softphone\BTAgile.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [ProgramPath] c:\program files\power manager\PM.exe
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-20 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-20 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-9-27 353672]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-20 297752]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [2004-12-27 5632]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2005-2-7 86064]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2005-2-7 233520]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-9-9 14336]

=============== Created Last 30 ================

2009-10-01 23:30 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-10-01 23:29 <DIR> --d----- c:\program files\MSECACHE
2009-09-30 19:41 <DIR> --d----- c:\program files\common files\xing shared
2009-09-29 17:33 <DIR> --d----- c:\program files\Trend Micro
2009-09-29 15:58 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-28 10:38 <DIR> --d----- c:\windows\pss
2009-09-28 10:26 <DIR> --d----- c:\program files\CCleaner
2009-09-27 17:42 <DIR> --d----- c:\program files\common files\ODBC
2009-09-27 07:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-27 07:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-27 07:49 <DIR> --d----- c:\docume~1\juliec~1\applic~1\SUPERAntiSpyware.com
2009-09-27 07:49 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-27 07:48 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-27 07:48 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-09-27 07:48 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-09-27 07:48 <DIR> --d----- c:\program files\Zone Labs
2009-09-27 07:48 350,192 a------- c:\windows\system32\vsconfig.xml
2009-09-27 02:48 14,061 a------- c:\windows\system32\ipewi.reg
2009-09-27 02:48 13,959 a------- c:\windows\tavutor.inf
2009-09-27 02:48 13,239 a------- c:\windows\axokyze.scr
2009-09-27 02:48 13,188 a------- c:\windows\system32\ediponilu.vbs
2009-09-27 02:48 13,173 a------- c:\docume~1\juliec~1\applic~1\mehecesid.dll
2009-09-27 02:48 11,980 a------- c:\windows\ferewuv.vbs
2009-09-27 02:48 17,313 a------- c:\windows\esazywori.lib
2009-09-27 02:48 10,545 a------- c:\windows\system32\vapubi.lib
2009-09-27 02:40 46 a------- C:\p2hhr.bat
2009-09-27 02:37 6,656 a------- C:\hxlqib.exe
2009-09-22 00:25 <DIR> --d----- c:\docume~1\juliec~1\applic~1\Sibelius Software
2009-09-22 00:23 <DIR> --d----- c:\program files\Sibelius Software
2009-09-14 17:41 54,156 a---h--- c:\windows\QTFont.qfn
2009-09-14 17:41 1,409 a------- c:\windows\QTFont.for
2009-09-13 15:17 <DIR> --d----- c:\program files\VideoLAN
2009-09-09 13:36 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-27 02:48 17,087 a------- c:\program files\common files\egutaheso.lib
2009-09-27 02:48 15,048 a------- c:\program files\common files\dijysyc.dl
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSTITL.FOT
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSTEXT.FOT
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSSTMP.FOT
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSSPEC.FOT
2009-08-31 12:53 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-28 22:52 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-28 11:35 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 11:35 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 14:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2005-02-24 23:32 299,063 a------- c:\program files\saap.log
2005-02-24 19:01 9,845,717 a------- c:\program files\saap_kyf.dat
2005-02-24 19:01 792,675 a------- c:\program files\saapau.dat
2005-02-22 22:08 1,938 -------- c:\program files\saap_gdf.dat

============= FINISH: 10:40:43.14 ===============


#2 Baabiouz


    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:01:50 AM

Posted 05 October 2009 - 08:06 AM

Hello :(

OTMoveIt3
  • Download OTMoveIt3 and save it to your desktop. Then run it.
  • Copy and paste the lines in the code box below into the input field at the bottom left corner:
    :processes
    Explorer.exe
    
    :files
    c:\windows\system32\ipewi.reg
    c:\windows\tavutor.inf
    C:\windows\axokyze.scr
    C:\windows\system32\ediponilu.vbs
    c:\docume~1\juliec~1\applic~1\mehecesid.dll
    c:\windows\ferewuv.vbs
    C:\windows\esazywori.lib
    c:\windows\system32\vapubi.lib
    C:\p2hhr.bat
    C:\hxlqib.exe
    c:\program files\common files\egutaheso.lib
    c:\program files\common files\dijysyc.dl
    c:\program files\saap.log
    C:\program files\saap_kyf.dat
    c:\program files\saapau.dat
    c:\program files\saap_gdf.dat
    C:\WINDOWS\system32\gasfkydksrtlwo.dll
    C:\WINDOWS\system32\gasfkylneijboy.dll
    C:\WINDOWS\system32\gasfkylroypppy.dll
    C:\WINDOWS\system32\gasfkyqynintsi.dat
    C:\WINDOWS\system32\gasfkyxboetqlr.dat
    C:\WINDOWS\Temp\gasfkyimcrecxhvt.tmp
    C:\WINDOWS\Temp\gasfkynmtnemnwbw.tmp
    C:\WINDOWS\system32\drivers\gasfkyotvumyla.sys
    
    :services
    gasfkyotvumyla
    
    :commands
    [Emptytemp]
    [Start explorer]
    [Reboot]
  • Now click the red button that says MoveIt!
  • OTMoveit will reboot your computer.
  • To the right, the results show up. Copy and paste them all into a notepad file and post the notepad file in your next reply.
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Please post OTMoveIt results, MBAM results and a fresh DDS report :(

Edited by Baabiouz, 05 October 2009 - 08:07 AM.

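The file list in the OTMoveIt script above was read straight out of the DDS log: every entry in the "Created Last 30" and Find3M sections that was dropped in the same minute (2009-09-27 02:48) under a random-looking name, scattered across c:\windows, system32, Application Data and Common Files, plus the two executables sitting at the root of C:. As an added example that is not part of this thread or of the DDS/OTMoveIt tools, here is a Python triage script that parses lines in DDS's format and applies that same reasoning; the sample lines are constructed to mirror the log above, and the clustering thresholds (same minute, several directories, several extension types) are my own heuristic, not a DDS feature.

```python
import re
from collections import defaultdict

# One DDS "Created Last 30" / "Find3M" line looks like
#   2009-09-27 02:48 13,239 a------- c:\windows\axokyze.scr
#   2009-10-01 23:30 <DIR> --d----- c:\program files\MSECACHE
DDS_LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

# Extensions that execute or change configuration when opened or loaded.
ACTIVE_EXT = {".exe", ".dll", ".scr", ".vbs", ".bat", ".reg", ".inf", ".lib", ".dl", ".sys"}
# Heuristic shape of the dropped names in the log: 5..12 lowercase letters, no digits.
RANDOM_STEM = re.compile(r"^[a-z]{5,12}$")
DRIVE_ROOT = re.compile(r"^[a-z]:$")

# Constructed sample in DDS format, modelled on the log posted in this thread.
# The 19:23 group is a Windows Update batch and must NOT be flagged.
SAMPLE_DDS = r"""
=============== Created Last 30 ================

2009-10-01 23:30 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-09-27 07:49 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-27 02:48 14,061 a------- c:\windows\system32\ipewi.reg
2009-09-27 02:48 13,959 a------- c:\windows\tavutor.inf
2009-09-27 02:48 13,239 a------- c:\windows\axokyze.scr
2009-09-27 02:48 13,188 a------- c:\windows\system32\ediponilu.vbs
2009-09-27 02:48 13,173 a------- c:\docume~1\juliec~1\applic~1\mehecesid.dll
2009-09-27 02:48 11,980 a------- c:\windows\ferewuv.vbs
2009-09-27 02:40 46 a------- C:\p2hhr.bat
2009-09-27 02:37 6,656 a------- C:\hxlqib.exe
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
"""


def parse_dds_entries(text):
    """Parse the file lines of a DDS log (directory lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m or m["size"] == "<DIR>":
            continue
        path = m["path"]
        parent, _, name = path.rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        entries.append({
            "stamp": m["stamp"],
            "size": int(m["size"].replace(",", "")),
            "path": path,
            "parent": parent.lower(),
            "stem": stem if dot else name,
            "ext": "." + ext.lower() if dot else "",
        })
    return entries


def flag_suspicious(entries, min_cluster=3, min_dirs=2, min_exts=3):
    """Return {path: reason} for the two indicators seen in the thread's log:
    1. an executable-type file sitting directly in a drive root;
    2. a burst of random-named active files created in the same minute,
       scattered over several directories and several extension types.
    Requiring spread across directories AND extensions is what separates a
    dropper's scatter from a legitimate update writing a batch of DLLs into
    one or two system folders within the same minute."""
    flagged = {}
    by_stamp = defaultdict(list)
    for e in entries:
        if e["ext"] not in ACTIVE_EXT:
            continue
        if DRIVE_ROOT.match(e["parent"]):
            flagged[e["path"]] = "active file in drive root"
        if RANDOM_STEM.match(e["stem"]):
            by_stamp[e["stamp"]].append(e)
    for stamp, group in by_stamp.items():
        dirs = {e["parent"] for e in group}
        exts = {e["ext"] for e in group}
        if len(group) >= min_cluster and len(dirs) >= min_dirs and len(exts) >= min_exts:
            reason = f"{len(group)} random-named files created {stamp} across {len(dirs)} dirs"
            for e in group:
                flagged.setdefault(e["path"], reason)
    return flagged


def triage(text):
    """Parse a DDS log and return the flagged paths with their reasons."""
    return flag_suspicious(parse_dds_entries(text))


if __name__ == "__main__":
    for path, reason in sorted(triage(SAMPLE_DDS).items()):
        print(f"{path:50} {reason}")
```

The output is a candidate list for a helper to review, not a verdict: a legitimate installer can also scatter files in one minute, so each hit still needs a look at the file itself.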

#3 miklc

  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:50 PM

Posted 05 October 2009 - 01:03 PM

Update Malwarebytes' might have fixed it. D'oh!

OTMove:

All processes killed
========== PROCESSES ==========
No active process named Explorer.exe was found!
========== FILES ==========
c:\windows\system32\ipewi.reg moved successfully.
c:\windows\tavutor.inf moved successfully.
C:\windows\axokyze.scr moved successfully.
C:\windows\system32\ediponilu.vbs moved successfully.
LoadLibrary failed for c:\docume~1\juliec~1\applic~1\mehecesid.dll
c:\docume~1\juliec~1\applic~1\mehecesid.dll NOT unregistered.
c:\docume~1\juliec~1\applic~1\mehecesid.dll moved successfully.
c:\windows\ferewuv.vbs moved successfully.
C:\windows\esazywori.lib moved successfully.
c:\windows\system32\vapubi.lib moved successfully.
C:\p2hhr.bat moved successfully.
C:\hxlqib.exe moved successfully.
c:\program files\common files\egutaheso.lib moved successfully.
c:\program files\common files\dijysyc.dl moved successfully.
c:\program files\saap.log moved successfully.
C:\program files\saap_kyf.dat moved successfully.
c:\program files\saapau.dat moved successfully.
c:\program files\saap_gdf.dat moved successfully.
File/Folder C:\WINDOWS\system32\gasfkydksrtlwo.dll not found.
File/Folder C:\WINDOWS\system32\gasfkylneijboy.dll not found.
File/Folder C:\WINDOWS\system32\gasfkylroypppy.dll not found.
File/Folder C:\WINDOWS\system32\gasfkyqynintsi.dat not found.
File/Folder C:\WINDOWS\system32\gasfkyxboetqlr.dat not found.
File/Folder C:\WINDOWS\Temp\gasfkyimcrecxhvt.tmp not found.
File/Folder C:\WINDOWS\Temp\gasfkynmtnemnwbw.tmp not found.
File/Folder C:\WINDOWS\system32\drivers\gasfkyotvumyla.sys not found.
========== SERVICES/DRIVERS ==========
Service\Driver gasfkyotvumyla not found.
Service\Driver gasfkyotvumyla not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: ciaran colgan
->Temp folder emptied: 3565498 bytes
->Temporary Internet Files folder emptied: 729451 bytes

User: colette
->Temp folder emptied: 518 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: julie colgan
File delete failed. C:\Documents and Settings\julie colgan\Local Settings\Temp\~DF36B1.tmp scheduled to be deleted on reboot.
->Temp folder emptied: 43596880 bytes
File delete failed. C:\Documents and Settings\julie colgan\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 59532471 bytes
->Java cache emptied: 25775434 bytes
->FireFox cache emptied: 25036838 bytes
->Google Chrome cache emptied: 10706293 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 10075796 bytes

User: michael colgan
->Temp folder emptied: 23933224 bytes
->Temporary Internet Files folder emptied: 1660096 bytes

User: NetworkService
->Temp folder emptied: 82736 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 34702 bytes

C:\fsc.tmp\driver\touchpad\alps_touchpad_v5_5_1401_wxp\Source folder deleted successfully.
C:\fsc.tmp\driver\touchpad\alps_touchpad_v5_5_1401_wxp folder deleted successfully.
C:\fsc.tmp\driver\touchpad folder deleted successfully.
C:\fsc.tmp\driver\pcmcia\ene_cardbus_controller_v5_1_2600_2004_wxp\Source folder deleted successfully.
C:\fsc.tmp\driver\pcmcia\ene_cardbus_controller_v5_1_2600_2004_wxp\CARDBUS\WIN9XME folder deleted successfully.
C:\fsc.tmp\driver\pcmcia\ene_cardbus_controller_v5_1_2600_2004_wxp\CARDBUS\WIN2KXP folder deleted successfully.
C:\fsc.tmp\driver\pcmcia\ene_cardbus_controller_v5_1_2600_2004_wxp\CARDBUS folder deleted successfully.
C:\fsc.tmp\driver\pcmcia\ene_cardbus_controller_v5_1_2600_2004_wxp folder deleted successfully.
C:\fsc.tmp\driver\pcmcia folder deleted successfully.
C:\fsc.tmp\driver\keyboard\ene_keyboard_v1_09_00_wxp\WIN9XME folder deleted successfully.
C:\fsc.tmp\driver\keyboard\ene_keyboard_v1_09_00_wxp\WIN2KXP folder deleted successfully.
C:\fsc.tmp\driver\keyboard\ene_keyboard_v1_09_00_wxp\Source folder deleted successfully.
C:\fsc.tmp\driver\keyboard\ene_keyboard_v1_09_00_wxp folder deleted successfully.
C:\fsc.tmp\driver\keyboard folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\WINXP folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\WINNT folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\WINME folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\WIN9X folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\WIN2K folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\Source folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\SERVER2003 folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\PFD folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\IRQ folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\INF\WINXP folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\INF\WINME folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\INF\WIN98SE folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\INF\WIN98 folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\INF\WIN95 folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\INF\WIN2000 folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\INF\SERVER2003 folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\INF folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\IDEWINXP folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\IDEWIN2K folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\AGPME folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\AGP95 folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp\AGP folder deleted successfully.
C:\fsc.tmp\driver\chipset\via_chipset_v4_51_wxp folder deleted successfully.
C:\fsc.tmp\driver\chipset folder deleted successfully.
C:\fsc.tmp\driver folder deleted successfully.
C:\fsc.tmp folder deleted successfully.
%systemdrive% .tmp files removed: 10417557 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
File delete failed. C:\WINDOWS\temp\ZLT049d5.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied: 18182 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 205.31 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10052009_165820

Files moved on Reboot...
C:\Documents and Settings\julie colgan\Local Settings\Temp\~DF36B1.tmp moved successfully.
File C:\WINDOWS\temp\ZLT049d5.TMP not found!

Registry entries deleted on Reboot...

MBAM log

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

05/10/2009 18:33:11
mbam-log-2009-10-05 (18-33-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178708
Time elapsed: 1 hour(s), 4 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\julie colgan\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

DDS2:


DDS (Ver_09-09-29.01) - NTFSx86
Run by julie colgan at 18:57:55.83 on 05/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.73 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.5.561 [VPS 0518-4] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\julie colgan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.co.uk
uSearch Bar = hxxp://www.google.co.uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www.freeserve.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.co.uk
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.4000.1001\en-gb\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0494D0D9-F8E0-41AD-92A3-14154ECE70AC} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BTAgile] c:\program files\bt broadband talk softphone\BTAgile.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [ProgramPath] c:\program files\power manager\PM.exe
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-20 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-20 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-9-27 353672]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-20 297752]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [2004-12-27 5632]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2005-2-7 86064]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2005-2-7 233520]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-9-9 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2009-10-05 16:58 <DIR> --d----- C:\_OTM
2009-10-01 23:30 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-10-01 23:29 <DIR> --d----- c:\program files\MSECACHE
2009-09-30 19:41 <DIR> --d----- c:\program files\common files\xing shared
2009-09-29 17:33 <DIR> --d----- c:\program files\Trend Micro
2009-09-29 15:58 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-28 10:38 <DIR> --d----- c:\windows\pss
2009-09-28 10:26 <DIR> --d----- c:\program files\CCleaner
2009-09-27 17:42 <DIR> --d----- c:\program files\common files\ODBC
2009-09-27 07:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-27 07:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-27 07:49 <DIR> --d----- c:\docume~1\juliec~1\applic~1\SUPERAntiSpyware.com
2009-09-27 07:49 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-27 07:48 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-27 07:48 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-09-27 07:48 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-09-27 07:48 <DIR> --d----- c:\program files\Zone Labs
2009-09-27 07:48 350,192 a------- c:\windows\system32\vsconfig.xml
2009-09-27 02:49 68 a------- c:\windows\system32\gasfkyxboetqlr.dat
2009-09-27 02:42 20,992 a------- c:\windows\system32\gasfkylroypppy.dll
2009-09-27 02:40 48,527 a------- c:\windows\system32\gasfkyqynintsi.dat
2009-09-27 02:40 45,568 a------- c:\windows\system32\gasfkylneijboy.dll
2009-09-27 02:39 72,192 a------- c:\windows\system32\drivers\gasfkyotvumyla.sys
2009-09-22 00:25 <DIR> --d----- c:\docume~1\juliec~1\applic~1\Sibelius Software
2009-09-22 00:23 <DIR> --d----- c:\program files\Sibelius Software
2009-09-14 17:41 54,156 a---h--- c:\windows\QTFont.qfn
2009-09-14 17:41 1,409 a------- c:\windows\QTFont.for
2009-09-13 15:17 <DIR> --d----- c:\program files\VideoLAN
2009-09-09 13:36 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSTITL.FOT
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSTEXT.FOT
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSSTMP.FOT
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSSPEC.FOT
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-31 12:53 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-28 22:52 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-28 11:35 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 11:35 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 14:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

============= FINISH: 19:01:15.43 ===============

Attached Files



#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:50 AM

Posted 05 October 2009 - 11:34 PM

Hello :(

Step #1
OTMoveIt3
  • Open OtMoveIt3
  • Copy and paste the lines in the code box below into the input field at the bottom left corner:
    :files
    c:\windows\system32\gasfkyxboetqlr.dat
    c:\windows\system32\gasfkylroypppy.dll
    c:\windows\system32\gasfkyqynintsi.dat
    c:\windows\system32\gasfkylneijboy.dll
    c:\windows\system32\drivers\gasfkyotvumyla.sys
  • Now click the red button that says MoveIt!
  • To the right, the results show up. Copy and paste them all into a notepad file and post the notepad file in your next reply.

Step #2
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Step #3
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.


Step #4
Please post OtMoveIt results, Eset results and a fresh DDS report.
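As an added example for this step (my own code, not OTMoveIt, DDS or the helper's), here is a small Python triage script that parses "Created Last 30" lines like those in the DDS log above, flags a cluster of system-directory files that share a prefix and were created within minutes of each other, and renders the hits as the same `:files` block OTMoveIt takes. The sample lines are copied from the posted log; the prefix length, time window and minimum cluster size are thresholds chosen for this illustration, not DDS settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample "Created Last 30" lines, constructed from the DDS report posted above
# (a subset, with one <DIR> entry kept to show that directories are skipped).
SAMPLE_DDS = r"""
2009-10-05 16:58 <DIR> --d----- C:\_OTM
2009-09-27 07:48 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-09-27 07:48 350,192 a------- c:\windows\system32\vsconfig.xml
2009-09-27 02:49 68 a------- c:\windows\system32\gasfkyxboetqlr.dat
2009-09-27 02:42 20,992 a------- c:\windows\system32\gasfkylroypppy.dll
2009-09-27 02:40 48,527 a------- c:\windows\system32\gasfkyqynintsi.dat
2009-09-27 02:40 45,568 a------- c:\windows\system32\gasfkylneijboy.dll
2009-09-27 02:39 72,192 a------- c:\windows\system32\drivers\gasfkyotvumyla.sys
2009-09-14 17:41 54,156 a---h--- c:\windows\QTFont.qfn
2009-09-09 13:36 153,088 -------- c:\windows\system32\dllcache\triedit.dll
"""

# One DDS entry: "<date> <time> <size or <DIR>> <8 attribute flags> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+?)\s*$"
)

# Directories where a burst of similarly named new files is most telling.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system32\drivers")


def parse_entries(text):
    """Return (created, path) tuples for file entries; <DIR> lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(2) == "<DIR>":
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        entries.append((created, m.group(4)))
    return entries


def suspicious_clusters(text, prefix_len=6, window=timedelta(minutes=30), min_files=3):
    """Group system-directory files by a shared basename prefix and keep the
    groups with at least `min_files` entries created within `window` of each
    other. The thresholds are heuristics for this example, not DDS settings."""
    groups = defaultdict(list)
    for created, path in parse_entries(text):
        directory, _, basename = path.lower().rpartition("\\")
        if directory not in SYSTEM_DIRS:
            continue
        groups[basename[:prefix_len]].append((created, path))
    clusters = {}
    for prefix, files in groups.items():
        files.sort()  # oldest first
        if len(files) >= min_files and files[-1][0] - files[0][0] <= window:
            clusters[prefix] = [path for _, path in files]
    return clusters


def otm_files_block(clusters):
    """Render the flagged paths as an OTM ':files' block like the one above."""
    lines = [":files"]
    for paths in clusters.values():
        lines.extend(paths)
    return "\n".join(lines)


if __name__ == "__main__":
    print(otm_files_block(suspicious_clusters(SAMPLE_DDS)))
```

Run on the sample, the only cluster is the five `gasfky*` files created between 02:39 and 02:49, which is exactly the list in the step above; the ZoneAlarm files written later that morning are not flagged because they share no prefix, and `dllcache` and `c:\windows` entries are outside the directories being watched.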

#5 miklc

miklc
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 06 October 2009 - 11:46 AM

Hi, thanks for your response. :(

When I try to remove any java component, this happens:

Posted Image

Java then disappears from the add/remove programs list, but when I restart and try to install the new one nothing happens.

OTMove scan:

========== FILES ==========
c:\windows\system32\gasfkyxboetqlr.dat moved successfully.
File/Folder c:\windows\system32\gasfkylroypppy.dll not found.
c:\windows\system32\gasfkyqynintsi.dat moved successfully.
File/Folder c:\windows\system32\gasfkylneijboy.dll not found.
File/Folder c:\windows\system32\drivers\gasfkyotvumyla.sys not found.

OTM by OldTimer - Version 3.0.0.6 log created on 10062009_115139


ESET Scan:

C:\_OTM\MovedFiles\10052009_165820\hxlqib.exe a variant of Win32/Kryptik.APD trojan


DDS Scan


DDS (Ver_09-09-29.01) - NTFSx86
Run by julie colgan at 17:34:37.46 on 06/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.107 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.5.561 [VPS 0518-4] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Power Manager\PM.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\julie colgan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.co.uk
uSearch Bar = hxxp://www.google.co.uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www.freeserve.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.co.uk
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.4000.1001\en-gb\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0494D0D9-F8E0-41AD-92A3-14154ECE70AC} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BTAgile] c:\program files\bt broadband talk softphone\BTAgile.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [ProgramPath] c:\program files\power manager\PM.exe
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-06 11:54 <DIR> --d----- c:\program files\ESET
2009-10-05 16:58 <DIR> --d----- C:\_OTM
2009-10-01 23:29 <DIR> --d----- c:\program files\MSECACHE
2009-09-30 19:41 <DIR> --d----- c:\program files\common files\xing shared
2009-09-29 17:33 <DIR> --d----- c:\program files\Trend Micro
2009-09-29 15:58 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-28 10:38 <DIR> --d----- c:\windows\pss
2009-09-28 10:26 <DIR> --d----- c:\program files\CCleaner
2009-09-27 17:42 <DIR> --d----- c:\program files\common files\ODBC
2009-09-27 07:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-27 07:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-27 07:49 <DIR> --d----- c:\docume~1\juliec~1\applic~1\SUPERAntiSpyware.com
2009-09-27 07:49 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-27 07:48 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-27 07:48 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-09-27 07:48 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-09-27 07:48 <DIR> --d----- c:\program files\Zone Labs
2009-09-27 07:48 350,192 a------- c:\windows\system32\vsconfig.xml
2009-09-22 00:25 <DIR> --d----- c:\docume~1\juliec~1\applic~1\Sibelius Software
2009-09-22 00:23 <DIR> --d----- c:\program files\Sibelius Software
2009-09-14 17:41 54,156 a---h--- c:\windows\QTFont.qfn
2009-09-14 17:41 1,409 a------- c:\windows\QTFont.for
2009-09-13 15:17 <DIR> --d----- c:\program files\VideoLAN
2009-09-09 13:36 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSTITL.FOT
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSTEXT.FOT
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSSTMP.FOT
2009-09-22 00:25 1,409 a------- c:\windows\fonts\RPRSSPEC.FOT
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-31 12:53 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-28 22:52 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-28 11:35 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 11:35 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 14:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

============= FINISH: 17:37:19.91 ===============


I really appreciate you taking time to help me.

Attached Files



#6 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:50 AM

Posted 06 October 2009 - 12:23 PM

Hello :(

Let's use JavaRa and see how it works:

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

#7 miklc

miklc
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 06 October 2009 - 02:01 PM

Hey,

Ran JavaRa, which worked OK, but when installing the new version nothing happens when I run the file. I've tried running it straight away and saving it to the desktop and running it.

Also, Java update 15 is still in my add/remove programs list :(

#8 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:50 AM

Posted 07 October 2009 - 06:30 AM

Hmm.. Did you reboot your machine after Javara?

Edited by Baabiouz, 07 October 2009 - 06:31 AM.


#9 miklc

miklc
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 07 October 2009 - 02:56 PM

Yep, just tried it again and it still won't execute when I click it.

#10 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:50 AM

Posted 07 October 2009 - 11:30 PM

Do you have a C:\Program Files\Java folder?
If you have, please remove it.

Then open HijackThis. Click Open Misc Tool Section. Click Open Uninstall Manager.
Choose your old java version and click Delete this entry.

After that you can close HijackThis.

Download and try to install the latest Java here.
http://java.sun.com/javase/downloads/index.jsp

#11 miklc

miklc
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 08 October 2009 - 10:04 AM

When trying to remove the C:\Program Files\Java folder I get the error message

"Cannot delete jqs.exe: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use"

Tried deleting after using JavaRa and deleting using HJT and rebooting but no luck :(

#12 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:50 AM

Posted 08 October 2009 - 10:16 AM

Hello

Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

In safe mode please run Javara and then remove C:\Program Files\Java folder.

Reboot back to normal mode.

Did it help?

#13 miklc

miklc
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 08 October 2009 - 10:56 AM

Hello,

Managed to remove the Java folder in Safe Mode, yay. But still, nothing is happening when I download the JRE thing from that webpage. ZoneAlarm asks me if I allow it and I hit yes, but it never installs.

#14 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:50 AM

Posted 08 October 2009 - 11:24 AM

How about installing in safe mode?

#15 miklc

miklc
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 08 October 2009 - 01:40 PM

Error:

Installer: Wrapper.CreateFile failed with error 32: The process cannot access the file because it is being used by another process


:(



