Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I believe I have the google virus or directrdr


  • This topic is locked This topic is locked
14 replies to this topic

#1 Seeingisbelieving

Seeingisbelieving

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 18 May 2010 - 01:54 AM

Hello my new friends. Please to be helping me with an issue I am having with my computer. I run Windows XP with both IE and Firefox and seem to be having issues with either browser. I get popups that will list a website "directrdr.com" briefly then redirect me to another website. When I click on links in a search engine (google and yahoo) it will redirect me, I usually have to copy and paste the URL. Often times when I try to access a webpage, IE will tell me that "although I seem to be connected to the internet, I may want to reconnect" and I have to refresh several times to get the page to come up. I had this problem a couple months ago, and ended up doing a system recovery. Now I am having the issue again. Is it possible a virus survived the system recovery and was reactivated or do you think I was reinfected? I have done a HiJackThis log and will post it now:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:49:01 PM, on 5/17/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shop.trendmicro.com/tmasy/eol.html?...&HEIGHT=480
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 10101 bytes


I have ran this through an automatic analyzer, if you want to see that here is the link: http://hjt.networktechs.com/parse.php?log=819103

I don't know enough about computers to feel confident deleting what the auto analysis tells me to without a real person telling me it's okay. Any assistance in this matter is greatly appreciated. PS, my antivirus is AVG free and I also run Spybot Search and Destroy. For some reason McAfee offers to scan my computer all the time, I think I downloaded that one accidently when I updated an adobe application.

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:51 AM

Posted 18 May 2010 - 06:53 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
    1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Note: Do not run any programs while Gmer is running.


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from GMER
      3.let me know of any problems you may have had

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Seeingisbelieving

Seeingisbelieving
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 19 May 2010 - 11:50 PM

Hello my new friend,
I apologize that it took me so long to comply with your requests. Although your instructions were clear and easy to follow, the GMER scan took a very long time on my computer. I started it last night and when I went to bed a couple hours later it was still running so I let it run overnight. At some point I believe my computer must have done an automatic restart because when I checked it today there was nothing. I just ran it again, and it took about 4 hours. It is not as long as the one from yesterday, I remember having to scroll down (slightly) to read the entirety of the one from last night in the scanners window, while the one from today fit in the standard box. Other than that I have had no problems. Here are the logs you requested, I also included them as attachments in case that is easier for you.



DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 21:34:16.82 on Tue 05/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.89 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-4 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-4 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-4 242896]

=============== Created Last 30 ================


==================== Find3M ====================

2010-05-17 02:57:54 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-16 21:26:47 194 ----a-w- c:\docume~1\compaq~1.you\applic~1\wklnhst.dat
2010-04-04 07:04:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-04 07:04:03 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-04 04:59:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-04 01:53:56 1855 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_PX801AA-ABA SR1520NX NA530_YC_0Pres_QCNH524_E53NAheRED2_47_ISalmon_SASUSTek Computer INC._V1.04_B3.12_T050420_WXH2_L409_M384_J160_7AMD_8Sempron_91.81_#090125_N10390900_Z11C1048C_G10396330.MRK
2010-03-04 23:01:09 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
2010-03-04 23:01:09 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
2010-03-04 23:01:09 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2005-09-08 21:34:16 32 --sha-w- c:\windows\sminst\HPCD.SYS
2009-09-18 15:09:09 32768 --sha-w- c:\windows\temp\cookies\index.dat
2009-09-18 15:09:09 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-09-18 15:09:09 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:36:23.21 ===============





Attach:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/3/2010 5:52:01 PM
System Uptime: 5/18/2010 8:16:55 AM (13 hours ago)

Motherboard: ASUSTek Computer INC. | | Salmon
Processor: AMD Sempron™ Processor 3100+ | Socket 754 | 1808/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 64.653 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 0.365 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 4/3/2010 7:02:24 PM - Installed HP Deskjet 3840
RP2: 4/3/2010 7:03:11 PM - Installed HP Software Update
RP3: 4/3/2010 8:44:01 PM - Installed Windows Internet Explorer 8.
RP4: 4/3/2010 9:57:15 PM - Installed Java™ 6 Update 19
RP5: 4/3/2010 10:08:25 PM - Configured easy Internet sign-up
RP6: 4/3/2010 10:11:45 PM - Removed Microsoft Office Standard Edition 2003
RP7: 4/3/2010 10:17:00 PM - Removed Microsoft Plus! Dancer LE
RP8: 4/3/2010 10:22:25 PM - Removed Norton Security Center
RP9: 4/4/2010 12:00:25 AM - Installed AVG Free 9.0
RP10: 4/4/2010 9:37:58 AM - Avg Update
RP11: 4/5/2010 9:08:42 AM - Avg Update
RP12: 4/5/2010 9:11:43 AM - Avg Update
RP13: 4/6/2010 9:38:46 AM - System Checkpoint
RP14: 4/7/2010 10:38:45 AM - System Checkpoint
RP15: 4/8/2010 11:04:15 AM - System Checkpoint
RP16: 4/8/2010 7:35:15 PM - Avg Update
RP17: 4/9/2010 11:55:46 PM - System Checkpoint
RP18: 4/11/2010 10:00:42 AM - System Checkpoint
RP19: 4/12/2010 10:16:26 AM - System Checkpoint
RP20: 4/13/2010 10:30:35 AM - System Checkpoint
RP21: 4/15/2010 7:00:52 PM - System Checkpoint
RP22: 4/16/2010 7:09:56 PM - System Checkpoint
RP23: 4/17/2010 8:09:35 PM - System Checkpoint
RP24: 4/18/2010 9:34:54 PM - Installed Yu-Gi-Oh! ONLINE 3.
RP25: 4/19/2010 6:59:19 PM - Installed DirectX
RP26: 4/20/2010 9:04:07 AM - Avg Update
RP27: 4/20/2010 9:05:57 AM - Avg Update
RP28: 4/21/2010 12:06:06 PM - System Checkpoint
RP29: 4/22/2010 11:10:19 PM - Removed Yu-Gi-Oh! ONLINE 3.
RP30: 4/23/2010 11:32:19 PM - Installed Windows Media Format Runtime
RP31: 4/23/2010 11:37:53 PM - Installed Windows XP Wudf01000.
RP32: 4/23/2010 11:54:24 PM - Installed Windows XP KB926239.
RP33: 4/25/2010 2:59:49 AM - System Checkpoint
RP34: 4/26/2010 10:51:19 AM - System Checkpoint
RP35: 4/27/2010 11:17:16 AM - System Checkpoint
RP36: 4/28/2010 12:10:43 PM - System Checkpoint
RP37: 4/29/2010 1:10:48 PM - System Checkpoint
RP38: 5/1/2010 1:37:34 AM - System Checkpoint
RP39: 5/2/2010 2:29:51 AM - System Checkpoint
RP40: 5/3/2010 3:04:50 AM - System Checkpoint
RP41: 5/4/2010 8:18:46 AM - System Checkpoint
RP42: 5/5/2010 6:47:20 PM - Avg Update
RP43: 5/6/2010 6:45:07 PM - Installed Windows Internet Explorer 8.
RP44: 5/6/2010 7:30:33 PM - Restore Operation
RP45: 5/6/2010 8:03:22 PM - Avg Update
RP46: 5/8/2010 10:06:44 AM - System Checkpoint
RP47: 5/9/2010 10:54:54 AM - System Checkpoint
RP48: 5/10/2010 8:16:06 PM - System Checkpoint
RP49: 5/12/2010 7:06:08 PM - System Checkpoint
RP50: 5/13/2010 7:39:05 PM - System Checkpoint
RP51: 5/15/2010 3:38:21 PM - System Checkpoint
RP52: 5/16/2010 3:54:53 PM - System Checkpoint
RP53: 5/16/2010 7:28:52 PM - Restore Operation
RP54: 5/16/2010 7:54:55 PM - Avg Update
RP55: 5/16/2010 7:59:13 PM - Avg Update
RP56: 5/17/2010 9:37:03 PM - Installed HiJackThis

==== Installed Programs ======================

Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AVG Free 9.0
Compaq Connections
Compaq Organize
GOM Player
Google Toolbar for Internet Explorer
Help and Support Additions
HiJackThis
HP Boot Optimizer
HP Deskjet 3840
HP Help and Support 4.0
HP Software Update
HpSdpAppCoreApp
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
Java Auto Updater
Java™ 6 Update 19
KBD
LiveUpdate 3.0 (Symantec Corporation)
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
PC-Doctor for Windows
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Remove Adobe Photoshop Album 2.0 Starter Edition installer
Remove Microsoft Money 2005 installer
Remove Quicken New User Edition installer
Remove WeatherBug installer
SiS VGA Utilities
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Symantec Network Drivers Update
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781

==== Event Viewer Messages From Past Week ========

5/16/2010 8:16:29 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'avgcorex.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
5/16/2010 7:54:50 PM, error: Service Control Manager [7034] - The McAfee Security Scan Component Host Service service terminated unexpectedly. It has done this 1 time(s).
5/16/2010 7:42:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.
5/16/2010 7:42:36 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/15/2010 8:34:53 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
5/14/2010 6:33:37 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/14/2010 6:33:37 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
5/13/2010 10:09:10 PM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/13/2010 10:09:09 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
5/13/2010 10:08:30 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
5/11/2010 7:12:38 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0013D4102FED. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

==== End Of File ===========================




GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-19 21:32:45
Windows 5.1.2600 Service Pack 2
Running: tvq4t2ty.exe; Driver: C:\DOCUME~1\COMPAQ~1.YOU\LOCALS~1\Temp\axgdypog.sys


---- System - GMER 1.0.15 ----

SSDT 8288F0C0 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\System32\Drivers\avgldx86.sys entry point in ".rsrc" section [0xB0EFE314]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[136] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0140000A
.text C:\WINDOWS\system32\wuauclt.exe[136] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0141000A
.text C:\WINDOWS\system32\wuauclt.exe[136] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 013F000C
.text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 008F000A
.text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 008E000C
.text C:\WINDOWS\System32\svchost.exe[880] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 0322000A
.text C:\WINDOWS\System32\svchost.exe[880] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 02FD000A
.text C:\WINDOWS\Explorer.EXE[1792] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B9000A
.text C:\WINDOWS\Explorer.EXE[1792] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00BA000A
.text C:\WINDOWS\Explorer.EXE[1792] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00B8000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 82597EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\Drivers\avgldx86.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----





Thank you very much for your help in this matter. You must be a very good person to help people you don't know with no reward other than knowing you are helping people

Attached Files



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:51 AM

Posted 19 May 2010 - 11:52 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Seeingisbelieving

Seeingisbelieving
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 21 May 2010 - 01:43 AM

I ran combofix and here is the log, also included as an attachment:


ComboFix 10-05-20.07 - Compaq_Owner 05/20/2010 23:02:15.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.82 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner.YOUR-F78BF48CE2\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Microsoft Private Data
c:\documents and settings\All Users\Microsoft Private Data\Microsoft\t.id
c:\documents and settings\All Users\Microsoft Private Data\Microsoft\tr.c
c:\windows\explorer(2).exe
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\avgldx86.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-18 04:37 . 2010-05-18 04:37 -------- d-----w- c:\program files\Trend Micro
2010-05-17 02:35 . 2010-05-17 02:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-17 02:31 . 2010-05-17 02:32 -------- d--h--w- c:\windows\ie8
2010-05-17 02:29 . 2010-05-17 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-07 02:43 . 2010-05-17 02:30 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-05-07 01:43 . 2010-05-17 02:31 -------- dc----w- c:\windows\ie8(2)
2010-05-06 05:30 . 2010-05-06 05:30 -------- d-----w- c:\documents and settings\Compaq_Owner.YOUR-F78BF48CE2\Local Settings\Application Data\Mozilla
2010-05-06 02:59 . 2010-05-06 02:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-01 03:10 . 2010-05-01 03:10 -------- d-----w- c:\documents and settings\Compaq_Owner.YOUR-F78BF48CE2\Local Settings\Application Data\Adobe
2010-04-24 06:44 . 2010-04-24 06:45 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-04-24 04:29 . 2010-04-24 04:29 -------- d-----w- c:\documents and settings\Compaq_Owner.YOUR-F78BF48CE2\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 02:57 . 2010-04-04 07:04 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-17 02:33 . 2010-04-20 05:43 -------- d-----w- c:\program files\BYOND
2010-05-16 21:26 . 2010-04-17 17:41 194 ----a-w- c:\documents and settings\Compaq_Owner.YOUR-F78BF48CE2\Application Data\wklnhst.dat
2010-04-18 19:19 . 2010-04-18 19:19 -------- d-----w- c:\program files\Erosgames
2010-04-17 17:41 . 2010-04-17 17:41 -------- d-----w- c:\documents and settings\Compaq_Owner.YOUR-F78BF48CE2\Application Data\Template
2010-04-06 06:17 . 2010-04-06 06:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-04-05 02:39 . 2009-12-12 23:34 -------- d-----w- c:\program files\EV Nova
2010-04-04 16:34 . 2010-04-04 16:34 -------- d-----w- c:\documents and settings\Compaq_Owner.YOUR-F78BF48CE2\Application Data\GRETECH
2010-04-04 07:07 . 2009-06-12 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-04-04 07:04 . 2010-04-04 07:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-04 07:04 . 2010-04-04 07:04 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-04 07:04 . 2010-04-04 07:03 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-04 07:00 . 2010-04-04 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-04 07:00 . 2009-01-25 22:50 -------- d-----w- c:\program files\AVG
2010-04-04 05:28 . 2005-05-09 18:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-04 05:28 . 2005-05-09 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-04 05:09 . 2005-05-09 17:50 -------- d-----w- c:\program files\Easy Internet signup
2010-04-04 04:59 . 2010-04-04 05:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-04 04:56 . 2010-04-04 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-04 02:51 . 2009-01-25 22:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-04 02:40 . 2009-01-25 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-04 02:09 . 2005-05-09 18:03 -------- d-----w- c:\program files\Symantec
2010-04-04 02:02 . 2010-04-04 01:53 -------- d-----w- c:\documents and settings\Compaq_Owner.YOUR-F78BF48CE2\Application Data\Symantec
2010-04-04 01:53 . 2010-04-04 01:53 1855 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_PX801AA-ABA SR1520NX NA530_YC_0Pres_QCNH524_E53NAheRED2_47_ISalmon_SASUSTek Computer INC._V1.04_B3.12_T050420_WXH2_L409_M384_J160_7AMD_8Sempron_91.81_#090125_N10390900_Z11C1048C_G10396330.MRK
2010-04-01 02:39 . 2010-04-01 02:39 0 ----a-w- c:\windows\nsreg.dat
2010-03-31 16:23 . 2010-03-31 16:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Symantec
2010-03-29 22:52 . 2010-03-29 22:52 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-03-29 22:52 . 2010-03-29 22:52 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-03-29 22:52 . 2010-03-29 22:52 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-03-29 22:52 . 2010-03-29 22:52 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-03-04 23:01 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2010-03-04 23:01 . 2003-03-18 20:14 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
2010-03-04 23:01 . 2003-02-21 04:42 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
2005-09-08 21:34 . 2009-01-25 17:12 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 22:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-04 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-09 180269]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2005-5-9 45056]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-5-9 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-04 07:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/4/2010 12:04 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/4/2010 12:04 AM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/4/2010 12:02 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/4/2010 12:02 AM 308064]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [4/4/2010 12:03 AM 369920]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 23:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-20 23:26:08
ComboFix-quarantined-files.txt 2010-05-21 06:26

Pre-Run: 69,607,391,232 bytes free
Post-Run: 80,505,847,808 bytes free

- - End Of File - - 9E12420615E5ADA0FB445693240090F6






I had no problems downloading and running this. I immediately reactivated my anti-virus programs. I did a search on google just now and was not redirected when I clicked a link. I have not had any popups yet, but those weren't really frequent anyway so it is too early to tell.

Attached Files

  • Attached File  log.txt   10.9KB   3 downloads


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:51 AM

Posted 21 May 2010 - 02:12 AM

Hello

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 6.0.1
    Remove WeatherBug installer


    and click on remove

Update Adobe Reader
    Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts
  • After the update is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go Eset web page to run an online scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. Log From ESET Online Scanner
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Seeingisbelieving

Seeingisbelieving
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 22 May 2010 - 01:08 AM

Good evening my friend,
Again, you had very easy to follow instructions and I had no problems other than the long time it took my computer to comply. The online scan took some two hours. But I experienced no adverse effects and my computer has been running much faster than it has been recently. I installed the other PDF file reader rather than Adobe, when ever I tried to open a PDF file online with adobe it seemed my computer had issues. The logs you requested:

mbam:

Scan type: Quick scan
Objects scanned: 150273
Time elapsed: 8 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Compaq_Owner\Favorites\Kawasaki Motorcycle Forum.url (Rogue.Link) -> Quarantined and deleted successfully.




ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=031a527172b2544bb783b54ce5796ab1
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-05-22 05:39:46
# local_time=2010-05-21 10:39:46 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 3213356 3213356 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=69532
# found=3
# cleaned=0
# scan_time=7388
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\avgldx86.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
D:\I386\Apps\APP15425\src\HPSummer2005.exe a variant of Win32/AdInstaller application 00000000000000000000000000000000 I






For most of the instructions I have been given in regards to changing things on my computer, turning off anti-virus etc, I have gone back and turned them back on when I was finished. The exception to this would be the Defogger program turning of the CD emulation. I don't know what this means or what it does, but I imagine you will tell me when and how to turn it back on?

Attached Files

  • Attached File  log.txt   10.9KB   2 downloads
  • Attached File  log.txt   1.18KB   4 downloads


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:51 AM

Posted 22 May 2010 - 01:18 AM

Greetings

I would like you to run this batch file real quick so we can finish up and I will address all your other questions after

Open Notepad.
Copy this in the Notepad-file:

CODE
@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip"
) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt


Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.
Doubleclick del.bat.
Post the contents of the logfile that opens in your next reply.

gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Seeingisbelieving

Seeingisbelieving
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 22 May 2010 - 02:30 PM

logfile only contained:


Deleting files
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip" deleted


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:51 AM

Posted 22 May 2010 - 02:53 PM

Hello Seeingisbelieving

YES BUT THAT IS PERFECT

Very well done!! This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are.

The Online scan is only reporting backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

:DeFogger:
    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files

:Make your Internet Explorer more secure:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.

:Turn On Automatic Updates:
    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and useing often.

please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Seeingisbelieving

Seeingisbelieving
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 22 May 2010 - 06:36 PM

I did all that you asked with one exception, and maybe you could help me with that as well. I did not turn on automatic updates, even though you suggested it and both those articles you suggested said it was so important, and the reason is this. When automatic updates is turned on my computer downloads and tries to update me to Windows XP service pack 3. Every time I have done this (5-6 times at least) when my computer reboots after installing the updates, it crashes and will only start in Safe Mode. I uninstall service pack 3 in safe mode and my computer returns to normal. I didn't know what else to do except turn off automatic updates and stay with service pack 2.

My computer is running faster and better than it has in months. I am not getting random popups or being redirected when I click on links in search engines. In the future, if I have problems again, can I just run combofix? Or do you recommend returning to this website and starting a new topic?

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:51 AM

Posted 22 May 2010 - 07:09 PM

Greetings Seeingisbelieving

if I have problems again, can I just run combofix? - NO here is a great example as to what can happen - this was last night - link - and why you need to do it under supervision, I was able to get his computer back up because I have a better support group if something goes wrong - always if something is amiss come here we will always be around.

QUOTE
I did all that you asked with one exception, and maybe you could help me with that as well. I did not turn on automatic updates, even though you suggested it and both those articles you suggested said it was so important, and the reason is this. When automatic updates is turned on my computer downloads and tries to update me to Windows XP service pack 3. Every time I have done this (5-6 times at least) when my computer reboots after installing the updates, it crashes and will only start in Safe Mode. I uninstall service pack 3 in safe mode and my computer returns to normal. I didn't know what else to do except turn off automatic updates and stay with service pack 2.
now this part I would go over to the windows XP forum and ask about it there.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Seeingisbelieving

Seeingisbelieving
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 22 May 2010 - 07:24 PM

I will ask about service pack 3 in the windows XP sectionon, thank you very much for your help, I did make a donation to you and feel free to close this topic.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:51 AM

Posted 22 May 2010 - 07:35 PM

Thank you very much and you are welcome


Stay safe

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:51 AM

Posted 25 May 2010 - 06:57 PM

Since the issue is resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users