Antivirus Soft Removal

There are possibly some residual files that are still corrupted because MalwareBytes said it wasn't able to fix everything. I used this removal guide: http://www.bleepingcomputer.com/virus-remo...-antivirus-soft

Malwarebytes' Anti-Malware 1.44
Database version: 3765
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/20/2010 1:17:19 AM
mbam-log-2010-02-20 (01-17-19).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 650780
Time elapsed: 1 hour(s), 52 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 10
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\oe07ekk.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a3ba40a2-74f0-42bd-f434-00b15a2c8953} (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ba40a2-74f0-42bd-f434-00b15a2c8953} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3ba40a2-74f0-42bd-f434-00b15a2c8953} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zodejuhaj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a3ba40a2-74f0-42bd-f434-00b15a2c8953} (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remote system protection (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lihacbhp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lihacbhp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uishf9wuifwuh387fh3wufinhjfdwefe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toy5knq8oc (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.230,93.188.166.78 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{80ef2465-3208-4041-aee8-2ce1f2b24d62}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.230,93.188.166.78 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{80ef2465-3208-4041-aee8-2ce1f2b24d62}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1,93.188.164.230,93.188.166.78 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f22214f4-d0b2-40fa-baf9-171321e0f57d}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1,192.168.1.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oe07ekk.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Jeff\Local Settings\temp\nexdmia9.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\Ylx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\000050e0 (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\1565779764.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\1607629330.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\1763548666.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\1885598080.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\234a6c0c.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\2768494152.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\3014457108.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\492654764.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\avp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\cmd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\debug.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\drweb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\eventcreatexp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\gv5uthsk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\msinits.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\oxhyanxq.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\qikaoi.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\services.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\smss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\user.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\vjwmmsku.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\vwwixjz.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\Ylw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\07HJT9T5\mqlselg[1].htm (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\07HJT9T5\msdostr[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\07HJT9T5\vzgomuf[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\70I0G4PT\hyxrmxs[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\70I0G4PT\mdyfelge[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\BJ642SOU\bfzhfdywe[1].htm (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\BJ642SOU\ycpxe[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\P7O9C2J9\ysautnmg[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\12052008_000318\windows\system32\drivers\zonc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
H:\Asus Backup Clone\_OTMoveIt\MovedFiles\12052008_000318\windows\system32\drivers\zonc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\mswintmp.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\_VOIDkrl32mainweq.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\All Users.WINDOWS\Application Data\_VOIDmainqt.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\Jeff\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Hello, and to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.

• I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
• Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
• Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
• I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
• Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
• After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

***************************************************

Please download gmer.zip and save to your desktop.

• Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
• Click on this link to see a list of programs that should be disabled.
• Double-click on gmer.exe to start the program.
• Allow the gmer.sys driver to load if asked.
• You may be prompted to scan immediately if GMER detects rootkit activity.
• If you are prompted to scan your system click "Yes" to begin the scan.
• If not prompted, click the "Rootkit/Malware" tab.
• On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
• Select all drives that are connected to your system to be scanned.
• Click the Scan button to begin. (Please be patient as it can take some time to complete)
• When the scan is finished, click Save to save the scan results to your Desktop.
• Save the file as gmer.log and copy/paste the contents in your next reply.
• Exit GMER and re-enable all active protection when done.

~Blade

In your next reply, please include the following:
DDS.txt
Attach.txt
GMER.log

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade