TechSpot

Another Google redirect virus problem

By thejoggler
Jun 28, 2010
  1. So somehow I contracted a Google re-direct virus (or whatever it is). I followed the 8-step procedure and am posting the required data here.

    It seems to have taken over my anti-virus programs too. I can't update any of the anti-virus programs (Avira or Spyware Doctor). This is quite troubling. Can you help?

    Attached are the logs as required.

    GMER Log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-06-28 16:42:47
    Windows 5.1.2600 Service Pack 3
    Running: 7wm14dxe.exe; Driver: C:\DOCUME~1\FLASH4~1\LOCALS~1\Temp\kfrcipog.sys


    ---- System - GMER 1.0.15 ----

    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF778E112]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF776D2D6]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF776D4C8]
    SSDT F7F3E84C ZwCreateThread
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF778E900]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF778EBB4]
    SSDT F7F3E86A ZwLoadKey
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF778CE12]
    SSDT F7F3E838 ZwOpenProcess
    SSDT F7F3E83D ZwOpenThread
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF778F020]
    SSDT F7F3E874 ZwReplaceKey
    SSDT F7F3E86F ZwRestoreKey
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF778E3D2]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF776CF44]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 120 804E278C 4 Bytes CALL 668C1F84
    .text ntoskrnl.exe!_abnormal_termination + 148 804E27B4 4 Bytes JMP 26761F31
    .text ntoskrnl.exe!_abnormal_termination + 1D4 804E2840 4 Bytes CALL 6D072038
    .text ntoskrnl.exe!_abnormal_termination + 234 804E28A0 4 Bytes CALL 611C2098
    .text ntoskrnl.exe!_abnormal_termination + 24C 804E28B8 4 Bytes CALL 5BB920B0
    .text ...
    PAGENDSM NDIS.sys!NdisMIndicateStatus F76969EF 6 Bytes JMP EE807AC0 \SystemRoot\System32\Drivers\fwdrv.sys

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[1452] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\WINDOWS\system32\spoolsv.exe[1696] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00F5000A

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\System32\DRIVERS\ipsec.sys[ntoskrnl.exe!ZwLoadDriver] [EE807928] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EE807820] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE80783B] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE8078CB] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!ZwLoadDriver] [EE807928] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EE8078CB] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EE80783B] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EE807820] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EE8078CB] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EE807820] \SystemRoot\System32\Drivers\fwdrv.sys
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EE80783B] \SystemRoot\System32\Drivers\fwdrv.sys

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys
    AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- EOF - GMER 1.0.15 ----

    Malware Logs...

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3930

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    6/28/2010 12:35:13 PM
    mbam-log-2010-06-28 (12-35-13).txt

    Scan type: Quick scan
    Objects scanned: 117517
    Time elapsed: 17 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.52,93.188.161.182 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{000d0d4b-7e4e-4a96-8218-986861d2243d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.52,93.188.161.182 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
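    The two logs above, read the way a helper reads them, as an added example that is not part of the original post. GMER prints one line per hooked SSDT entry: it names the owning driver when it can map the hook address to a loaded module, and prints only the address when it cannot, so the address-only lines are the ones to ask about. Malwarebytes' "Registry Data Items Infected" lines carry the resolvers the DNSChanger wrote into the Tcpip NameServer values. The script parses both formats over lines copied from the logs; KNOWN_RESOLVERS is an assumed allowlist of the resolvers the owner expects, not something the thread states.

```python
"""Triage of GMER SSDT lines and Malwarebytes registry-data lines (added example)."""
import ipaddress
import re

# GMER "SSDT" lines come in two shapes:
#   SSDT <module> (<description>) <ZwFunction> [<hook address>]   -- owner identified
#   SSDT <hook address> <ZwFunction>                               -- owner not identified
SSDT_ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
SSDT_UNATTRIBUTED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")

# Malwarebytes registry-data line:
#   <key>\<value name> (<detection>) -> Data: <data> -> <action>.
MBAM_REG_DATA = re.compile(
    r"^(?P<path>HKEY_\S+?)\s+\((?P<detection>[^)]+)\)\s+->\s+Data:\s+(?P<data>\S+)\s+->\s+(?P<action>.+?)\.?$")

# Lines copied from the GMER and Malwarebytes logs posted above.
GMER_SAMPLE = [
    "SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF778E112]",
    "SSDT F7F3E84C ZwCreateThread",
    "SSDT F7F3E838 ZwOpenProcess",
    "SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF776CF44]",
]
MBAM_SAMPLE = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.52,93.188.161.182 -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{000d0d4b-7e4e-4a96-8218-986861d2243d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.52,93.188.161.182 -> Quarantined and deleted successfully.",
]

# Assumed allowlist: resolvers this machine is expected to use (ISP/DHCP or public ones).
KNOWN_RESOLVERS = frozenset({"8.8.8.8", "8.8.4.4"})


def parse_ssdt_hooks(lines):
    """One dict per SSDT hook line; 'module' is None when GMER printed only an address."""
    hooks = []
    for raw in lines:
        line = raw.strip()
        m = SSDT_ATTRIBUTED.match(line)
        if m:
            hooks.append({"func": m["func"], "addr": m["addr"], "module": m["module"]})
            continue
        m = SSDT_UNATTRIBUTED.match(line)
        if m:
            hooks.append({"func": m["func"], "addr": "0x" + m["addr"], "module": None})
    return hooks


def unattributed_hooks(hooks):
    """Syscalls hooked by code GMER could not map to any loaded driver."""
    return [h["func"] for h in hooks if h["module"] is None]


def parse_mbam_registry_data(lines):
    """Split each Malwarebytes registry-data line into key, value name, detection, data list, action."""
    items = []
    for raw in lines:
        m = MBAM_REG_DATA.match(raw.strip())
        if not m:
            continue
        key, value = m["path"].rsplit("\\", 1)
        items.append({"key": key, "value": value, "detection": m["detection"],
                      "data": m["data"].split(","), "action": m["action"]})
    return items


def classify_dns_server(addr, known=KNOWN_RESOLVERS):
    """'local' for RFC1918/loopback/link-local, 'known' if allowlisted, else 'unexpected_public'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"
    return "known" if addr in known else "unexpected_public"


def rogue_dns_servers(items, known=KNOWN_RESOLVERS):
    """Public resolvers found in any NameServer value that are not on the allowlist."""
    rogue = set()
    for it in items:
        if it["value"].lower() != "nameserver":
            continue
        rogue.update(a for a in it["data"] if classify_dns_server(a, known) == "unexpected_public")
    return sorted(rogue)


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(GMER_SAMPLE)
    print("SSDT hooks without an owning module:", unattributed_hooks(hooks))
    items = parse_mbam_registry_data(MBAM_SAMPLE)
    print("rogue DNS servers written by the DNSChanger:", rogue_dns_servers(items))
```

    PCTCore.sys belongs to PC Tools, whose Spyware Doctor the poster has installed, so those hooks are expected; the address-only hooks are what a helper would want explained, for instance by re-running GMER with the other security products disabled. Two public resolvers that nobody configured is the whole "redirect" mechanism: every lookup, including the AV vendors' update hosts, was answered by the attacker's servers, which can also explain why Avira and Spyware Doctor could no longer update.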
     

  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Please, never zip any logs.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

  3. thejoggler

    thejoggler TS Rookie Topic Starter

    Here is the combofix log
     

  4. Broni

    How is the redirection issue?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    C:\AVGTemp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  5. thejoggler

    Here is the log.

    When I run the Combofix program it gives me a warning that I should close some Antivirus software but I'm not running any antivirus software at the moment.
     

  6. Broni

    I can see some signs of Avira.
    You can't use the computer without an AV program.
    Please, reinstall Avira, but first...

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Restart computer.

    You didn't say how the redirection issue is.
     
  7. thejoggler

    The re-direct problem seems solved. Thanks!!

    Avira was hijacked by the virus, so I uninstalled it, figuring to re-install it when the machine was virus free. I just re-installed it and it seems to be working now.

    Anything left to do?
     
  8. Broni

    I'm happy to see good news :)
    A couple more steps to make sure all the crap is gone.

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
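    The comparison behind the "user32.dll /md5" and "ws2_32.dll /md5" lines in the custom scan above, as an added example that is not part of the thread or of OTL. OTL prints those hashes so the helper can compare them with known-good values, because a core DLL patched in place is one way a redirect survives a registry clean-up. The script hashes every file listed in a baseline and reports ok, MODIFIED or missing. The baseline and the files are constructed in a temporary directory for the demo; real use would load a known-good catalogue for the exact OS build and service pack.

```python
"""Hash-baseline check for system files (added example, constructed fixture)."""
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests of a file, streaming it in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def verify_against_baseline(baseline):
    """baseline maps path -> expected SHA-256; returns path -> 'ok' | 'MODIFIED' | 'missing'."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report[path] = "missing"
            continue
        _, actual = file_digests(path)
        report[path] = "ok" if actual == expected.lower() else "MODIFIED"
    return report


def build_demo_baseline():
    """Constructed fixture: two fake DLLs; one is patched in place after the baseline is taken."""
    folder = tempfile.mkdtemp(prefix="hashdemo_")
    good = os.path.join(folder, "user32.dll")
    patched = os.path.join(folder, "ws2_32.dll")
    for p in (good, patched):
        with open(p, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 254)          # placeholder bytes, not a real PE image
    baseline = {
        good: file_digests(good)[1],
        patched: file_digests(patched)[1],
        os.path.join(folder, "removed.dll"): "0" * 64,   # listed in the baseline, never created
    }
    with open(patched, "r+b") as fh:                 # simulate an in-place patch of the file
        fh.seek(64)
        fh.write(b"\xE9\x00\x00\x00\x00")            # x86 JMP rel32 opcode as a stand-in for a hook
    return baseline


def demo_report():
    """Run the check on the constructed fixture; result keyed by file name."""
    report = verify_against_baseline(build_demo_baseline())
    return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in demo_report().items():
        print(f"{status:9s} {name}")
```

    OTL prints MD5 because that is what vendors' file catalogues of that era listed; matching against a trusted catalogue with MD5 is fine, but a baseline you build yourself should record SHA-256, since MD5 collisions are cheap to construct for anyone who controls both files.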
     
  9. thejoggler

    This commenting system doesn't allow me to cut and paste as the message is too long. I've attached the text files.

    Thanks for all your help.
     

  10. Broni

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

    ===================================================================

    You're running low on hard drive free space:
    ===================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager]  File not found
      O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe File not found
      O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe File not found
      O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
      [2010/04/30 08:20:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Flash 44\Local Settings\Application Data\nsnnygxbt
      [2003/12/18 15:28:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      @Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
      @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
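    The two local redirect settings the fixes in this thread reset, as an added example that is not part of the thread: the CFScript in post 4 removes "Internet Settings,ProxyServer = http=127.0.0.1:5555" from the user's hive (the "u" prefix in DDS output marks HKCU, i.e. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings), and the OTL fix above ends with [resethosts]. The script parses the WinINet ProxyServer value format and hosts-file lines and lists what a helper would want explained. The proxy strings, the hosts text and the WATCH list are constructed for the demo; 198.51.100.7 is a documentation address, not one from the thread.

```python
"""Audit of WinINet ProxyServer values and hosts-file entries (added example)."""
import ipaddress

SYSTEM_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_proxy_server(value):
    """Parse a WinINet ProxyServer value into {scheme: (host, port)}.
    Two forms exist: "host:port" (one proxy for every protocol, stored under "*")
    and "http=host:port;https=host:port;..." (one entry per protocol)."""
    proxies = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                       # bare "host:port" form
            scheme, hostport = "*", scheme
        host, _, port = hostport.rpartition(":")
        if not host:                      # no port given at all
            host, port = hostport, ""
        proxies[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_local_host(host):
    """True for loopback, RFC1918 and link-local literals, or the name localhost."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local


def audit_proxy(value, expected=frozenset()):
    """Findings as (scheme, host, port, reason); `expected` holds 'host:port' strings set on purpose."""
    findings = []
    for scheme, (host, port) in parse_proxy_server(value).items():
        target = host if port is None else f"{host}:{port}"
        if target in expected:
            continue
        if is_local_host(host):
            reason = "proxy on this machine or LAN: browser traffic is relayed through a local process"
        else:
            reason = "proxy not in the expected list"
        findings.append((scheme, host, port, reason))
    return findings


def parse_hosts(text):
    """(ip, [names]) for each non-comment, non-blank hosts line; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def audit_hosts(text, watch=frozenset()):
    """Findings as (name, ip, reason). A name pinned to a real address bypasses DNS entirely;
    a watched name (AV update or search host) sent to loopback is the classic update blocker."""
    findings = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        blackholed = addr.is_loopback or addr.is_unspecified
        for name in names:
            lname = name.lower()
            if lname in SYSTEM_NAMES:
                continue
            if not blackholed:
                findings.append((name, ip, "hostname pinned to a real address: DNS bypassed"))
            elif lname in watch:
                findings.append((name, ip, "watched hostname blackholed: its updates or searches fail"))
    return findings


# Constructed hosts file for the demo (not the poster's file).
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net            # ad-blocking entry, benign
127.0.0.1       update.antivirus.example   # assumed AV update host
198.51.100.7    www.google.com             # constructed redirect entry
"""
WATCH = frozenset({"update.antivirus.example", "www.google.com"})

if __name__ == "__main__":
    for finding in audit_proxy("http=127.0.0.1:5555"):
        print("proxy:", finding)
    for finding in audit_hosts(HOSTS_SAMPLE, WATCH):
        print("hosts:", finding)
```

    A proxy on 127.0.0.1 is not proof of infection by itself; some web filters and AV web guards work exactly that way. The tell is whether a known product owns the listening port: on the affected machine, `netstat -ano` shows which PID is listening on TCP 5555, and if no installed security product accounts for that process, the proxy entry is part of the redirect.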
     
  11. thejoggler

    Here's the results...

    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Uninstall Adobe Download Manager not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    C:\Documents and Settings\Flash 44\Local Settings\Application Data\nsnnygxbt folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome\BH00 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56504 bytes

    User: Flash 44
    ->Temp folder emptied: 5808801 bytes
    ->Temporary Internet Files folder emptied: 124713916 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 134495736 bytes
    ->Flash cache emptied: 456242 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->FireFox cache emptied: 4823349 bytes
    ->Flash cache emptied: 589 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 65670 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 298297 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 630542 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 110772 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 259.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Flash 44
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.7.0 log created on 06302010_200639

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  12. Broni

    You missed one step:
     
  13. thejoggler

    So sorry, I missed that step. Here's the results.
     

    Attached Files: OTL.Txt (104.3 KB)
  14. Broni

    Looks good :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  15. thejoggler

    Been trying to use this site to scan my system but it is taking a really long time. (e.g. Three and a half hours to scan 6% of my system). Then, I've had to re-start a couple times because my browser crashed unexpectedly.

    Is this to be expected or is something wrong?

    From what I saw, there was 1 detection of an infected item with ~25% of the system scanned.
     
  16. Broni

    Kaspersky takes time, but it's a very good scanner.
    Be patient.
     
  17. thejoggler

    Thanks. I just wanted to make sure it was actually working. After three starts and stops it seems to be moving along ok (31% done in 2 hrs 20 min). Unfortunately, this time I did the 'scan critical areas only' so I may have to re-do it after this scan is done.

    It has found 1 infected file already
     
  18. Broni

    No problem :)
    Take your time :)
     
  19. thejoggler

    It took about 11 hours but looks like it scanned everything. ~30 viruses found? wow.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, July 2, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Thursday, July 01, 2010 14:36:26
    Records in database: 4262494
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    G:\

    Scan statistics:
    Objects scanned: 282497
    Threats found: 25
    Infected objects found: 30
    Suspicious objects found: 0
    Scan duration: 15:03:30


    File name / Threat / Threats count
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
    G:\My Documents bu\My Software\Sound Forge\Sonic Foundry SoundForge v7.0 build 214\keygen.exe Infected: Trojan-GameThief.Win32.Nilage.hik 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\DivXPro501GAINBundle.exe Infected: not-a-virus:AdWare.Win32.Gator.3102 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\klitekpp210e.exe Infected: Trojan-Downloader.Win32.VB.kxl 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.Cydoor 2
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 2
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.Altnet.a 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: Trojan.Win32.Genome.alet 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: Trojan.Win32.Krepper.y 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.i 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a 1
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b 1
    G:\Old laptop\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 1
    G:\Old laptop\WINDOWS\system32\d18.dll Infected: not-a-virus:AdWare.Win32.180Solutions.bf 1
    G:\old comp bk\Program Files\KaZaA Lite\TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o 1
    G:\old comp bk\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
    G:\old comp bk\WINDOWS\lupdtr.exe Infected: Trojan-Downloader.NSIS.Agent.a 1
    G:\old comp bk\WINDOWS\Temporary Internet Files\Content.IE5\Q1K3W5UX\archive[1].jar Infected: Trojan.Java.ClassLoader.d 2
    G:\old comp bk\WINDOWS\Temporary Internet Files\Content.IE5\Q1K3W5UX\archive[1].jar Infected: Trojan.Java.ClassLoader.Dummy.a 1
    G:\old comp bk\WINDOWS\Temporary Internet Files\Content.IE5\Q1K3W5UX\archive[1].jar Infected: Trojan.Java.Shinwow 1
    G:\old comp bk2\My Documents bu\Software\kazaalite_202_b1.zip Infected: not-a-virus:AdWare.Win32.Altnet.o 1
    G:\old comp bk2\My Documents bu\Software\first stage\kazaa_lite_202_english.exe Infected: not-a-virus:AdWare.Win32.Altnet.o 1

    Selected area has been scanned.
     
  20. Broni

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      G:\My Documents bu\My Software\Sound Forge\Sonic Foundry SoundForge v7.0 build 214\keygen.exe 
      G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\DivXPro501GAINBundle.exe 
      G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\klitekpp210e.exe 
      G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe 
      G:\Old laptop\WINDOWS\system32\d18.dll 
      G:\old comp bk\Program Files\KaZaA Lite\TopSearch.dll 
      G:\old comp bk\Program Files\Common Files\Real\Toolbar\RealBar.dll 
      G:\old comp bk\WINDOWS\lupdtr.exe 
      G:\old comp bk\WINDOWS\Temporary Internet Files\Content.IE5\Q1K3W5UX\archive[1].jar 
      G:\old comp bk2\My Documents bu\Software\kazaalite_202_b1.zip 
      G:\old comp bk2\My Documents bu\Software\first stage\kazaa_lite_202_english.exe
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, and reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  21. thejoggler

    thejoggler TS Rookie Topic Starter

    Run fix...

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    G:\My Documents bu\My Software\Sound Forge\Sonic Foundry SoundForge v7.0 build 214\keygen.exe moved successfully.
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\DivXPro501GAINBundle.exe moved successfully.
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\klitekpp210e.exe moved successfully.
    G:\Old laptop\Documents and Settings\hjdf\My Documents\Software\Installed\KazaaUpdate15.exe moved successfully.
    G:\Old laptop\WINDOWS\system32\d18.dll moved successfully.
    File move failed. G:\old comp bk\Program Files\KaZaA Lite\TopSearch.dll scheduled to be moved on reboot.
    G:\old comp bk\Program Files\Common Files\Real\Toolbar\RealBar.dll moved successfully.
    G:\old comp bk\WINDOWS\lupdtr.exe moved successfully.
    G:\old comp bk\WINDOWS\Temporary Internet Files\Content.IE5\Q1K3W5UX\archive[1].jar moved successfully.
    G:\old comp bk2\My Documents bu\Software\kazaalite_202_b1.zip moved successfully.
    G:\old comp bk2\My Documents bu\Software\first stage\kazaa_lite_202_english.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Flash 44
    ->Temp folder emptied: 110569526 bytes
    ->Temporary Internet Files folder emptied: 143042 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 99169313 bytes
    ->Flash cache emptied: 2252 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 385624 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 331336 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 1105808 bytes

    Total Files Cleaned = 202.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Flash 44
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.7.0 log created on 07032010_071900

    Files\Folders moved on Reboot...
    File\Folder G:\old comp bk\Program Files\KaZaA Lite\TopSearch.dll not found!

    Registry entries deleted on Reboot...
     
  22. thejoggler

    thejoggler TS Rookie Topic Starter

    and the quick scan...
     

    Attached Files: OTL.Txt
  23. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL, as this step will require a reboot.
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ====================================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
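    The System Restore reset from steps 1 to 3 above, as an added example that is not part of the thread: a Windows PowerShell script for Windows 7 and later (the XP dialog steps have no cmdlet equivalent). It assumes the system drive is C: and an elevated prompt.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1 on Windows 7+,
# run as Administrator. Assumption: the system drive is C:.
$Drive = "C:\"

# Step 1: turn System Restore off. The GUI procedure in the thread warns that
# this discards the existing restore points, which is the point: an old
# restore point can reintroduce the files that were just removed.
Disable-ComputerRestore -Drive $Drive

# Step 2 in the thread is a reboot. When scripting, stop here, run
# Restart-Computer, and execute the remaining lines after logging back in.

# Step 3: turn System Restore back on and take a fresh, clean checkpoint.
# Caveat: Windows 8 and later create at most one restore point per 24 hours
# by default, so a checkpoint taken earlier that day suppresses this one.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description "Clean after malware removal" `
                    -RestorePointType "MODIFY_SETTINGS"

# Verify: list what remains. Any restore point dated before the cleanup is a
# leftover that should be removed before the machine is considered done.
Get-ComputerRestorePoint | Sort-Object SequenceNumber |
    Select-Object SequenceNumber, Description,
        @{ Name = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
```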
  24. thejoggler

    thejoggler TS Rookie Topic Starter

    Thanks so much for your help! Everything seems to be working fine. For some reason there are about a half dozen Windows updates that aren't updating, but otherwise everything works.

    I was considering reformatting my hard drive now that the system is cleaned. My system is pretty slow and I haven't updated in 5 years or so. Do you recommend this? Do you think it would help speed up my system?

    Thanks again for all your help.
     
  25. thejoggler

    thejoggler TS Rookie Topic Starter

    Here are the updates that my system isn't able to install. Any idea why?

    Security Update for Microsoft Office InfoPath 2003 (KB980923)
    Security Update for Microsoft Office PowerPoint 2003 (KB982157)
    Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909)
    Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168)
    Security Update for Microsoft Office 2003 (KB972580)
    Update for Microsoft Office 2003 (KB978551)
    Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524)
    Update for Microsoft Office Outlook 2003 Junk Email Filter (KB983503)
    Security Update for Microsoft Office Word 2003 (KB982134)
    Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86
    Security Update for Microsoft Office Publisher 2003 (KB982122)
    Security Update for Microsoft Office Web Components (KB947319)
    Security Update for Microsoft Office 2003 (KB974554)
    Security Update for Microsoft Office 2003 (KB975051)
    Update for Microsoft Office Outlook 2003 Junk Email Filter (KB979771)
    Security Update for Microsoft Office Outlook 2003 (KB973705)
    Microsoft .NET Framework 2.0 Service Pack 2 Security Update for Windows 2000, Windows Server 2003, and Windows XP (KB974417)
    Security Update for Microsoft Office 2003 (KB982311)
    Security Update for Microsoft Office 2003 (KB976382)
     
Topic Status:
Not open for further replies.
