TechSpot

Redirecting from search and other sites

By j30rider
Jul 25, 2010
  1. Just recently I have been getting redirected from the pages when I click on hyperlinks. I have done as requested and here are the logs.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4344

    Windows 6.1.7600 (Safe Mode)
    Internet Explorer 8.0.7600.16385

    7/25/2010 12:35:24 PM
    mbam-log-2010-07-25 (12-35-24).txt

    Scan type: Quick scan
    Objects scanned: 130391
    Time elapsed: 6 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-25 13:05:31
    Windows 6.1.7600
    Running: kqz3e94m.exe; Driver: C:\Users\Windows7\AppData\Local\Temp\ugtcikow.sys


    ---- System - GMER 1.0.15 ----

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222FAF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F3F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82217634
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82217898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F1DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F6F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222FF2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822301A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81E48599 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E6CF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    ? C:\Windows\System32\Drivers\ezfydpup.sys A device attached to the system is not functioning. !
    .rsrc C:\Windows\System32\drivers\volmgrx.sys entry point in ".rsrc" section [0x8804D014]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtProtectVirtualMemory 77C75380 5 Bytes JMP 002C000A
    .text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtWriteVirtualMemory 77C75F00 5 Bytes JMP 002D000A
    .text C:\Windows\system32\svchost.exe[800] ntdll.dll!KiUserExceptionDispatcher 77C76448 5 Bytes JMP 002B000A
    .text C:\Windows\system32\svchost.exe[800] ole32.dll!CoCreateInstance 77B257FC 5 Bytes JMP 003C000A
    .text C:\Windows\system32\svchost.exe[800] USER32.dll!GetCursorPos 77D9C198 5 Bytes JMP 0096000A
    .text C:\Windows\Explorer.EXE[1760] ntdll.dll!NtProtectVirtualMemory 77C75380 5 Bytes JMP 0028000A
    .text C:\Windows\Explorer.EXE[1760] ntdll.dll!NtWriteVirtualMemory 77C75F00 5 Bytes JMP 0029000A
    .text C:\Windows\Explorer.EXE[1760] ntdll.dll!KiUserExceptionDispatcher 77C76448 5 Bytes JMP 0027000A

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 84E6B178
    Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 84B52EC5

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Start 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Type 1
    Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Start 0
    Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Group Boot Bus Extender

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\System32\drivers\volmgrx.sys suspicious modification
    File C:\Windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    DDS log was too long so it is attached.

    Please let me know what is needed of me next. Thanx in advance.

    Attached Files: DDS.txt
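The first GMER log above carries the indicators a helper keys on: two drivers marked "suspicious modification" (volmgrx.sys, atapi.sys), a driver whose entry point sits in its .rsrc section, a boot-start service (ezfydpup, Start 0, group Boot Bus Extender) whose driver file GMER cannot read, and 5-byte JMP hooks on ntdll exports in both svchost.exe and Explorer.EXE. The Python script below is an added example, not part of the thread and not GMER's own tooling: it parses those GMER line formats and turns them into triage findings; the embedded sample log is constructed from the lines quoted above, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: key lines copied from the GMER 1.0.15 log in this thread,
# with GMER's line format kept verbatim so the parser runs on a real log too.
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
? C:\Windows\System32\Drivers\ezfydpup.sys A device attached to the system is not functioning. !
.rsrc C:\Windows\System32\drivers\volmgrx.sys entry point in ".rsrc" section [0x8804D014]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtProtectVirtualMemory 77C75380 5 Bytes JMP 002C000A
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtWriteVirtualMemory 77C75F00 5 Bytes JMP 002D000A
.text C:\Windows\Explorer.EXE[1760] ntdll.dll!NtProtectVirtualMemory 77C75380 5 Bytes JMP 0028000A
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Group Boot Bus Extender
---- Files - GMER 1.0.15 ----
File C:\Windows\System32\drivers\volmgrx.sys suspicious modification
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
UNREADABLE_RE = re.compile(r"^\? (\S+) (.+?) !$")
ENTRY_RE = re.compile(r'^\.rsrc (\S+) entry point in "\.rsrc" section')
USER_HOOK_RE = re.compile(r"^\.text (\S+\[\d+\]) (\S+!\S+) [0-9A-F]+ (\d+) Bytes JMP ([0-9A-F]+)$")
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\\S+?\\services\\([^@\\]+)@(\w+) (.+)$")
FILE_RE = re.compile(r"^File (\S+) suspicious modification$")

def parse_gmer(text):
    """Pull the triage-relevant indicators out of a GMER text log."""
    report = {
        "unreadable_drivers": {},         # driver path -> error GMER hit reading it
        "odd_entry_points": [],           # drivers whose entry point sits in .rsrc
        "user_hooks": defaultdict(list),  # "process[pid]" -> [(export, jmp target)]
        "services": defaultdict(dict),    # service name -> {value name: data}
        "modified_files": [],             # files GMER marks 'suspicious modification'
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if m := UNREADABLE_RE.match(line):
            report["unreadable_drivers"][m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            report["odd_entry_points"].append(m.group(1))
        elif m := USER_HOOK_RE.match(line):
            report["user_hooks"][m.group(1)].append((m.group(2), int(m.group(4), 16)))
        elif m := REG_RE.match(line):
            report["services"][m.group(1)][m.group(2)] = m.group(3)
        elif m := FILE_RE.match(line):
            report["modified_files"].append(m.group(1))
    return report

def triage(report):
    """Turn parsed indicators into the findings a helper would act on."""
    findings = [f"modified system driver on disk: {p}" for p in report["modified_files"]]
    findings += [f"driver entry point moved into .rsrc (patched image): {p}"
                 for p in report["odd_entry_points"]]
    # A boot-start service (Start=0, group Boot Bus Extender) whose driver file
    # GMER cannot even read is the footprint of a self-protecting rootkit driver.
    for name, values in report["services"].items():
        boot_start = values.get("Start") == "0" and values.get("Group") == "Boot Bus Extender"
        unreadable = any(name.lower() in p.lower() for p in report["unreadable_drivers"])
        if boot_start and unreadable:
            findings.append(f"boot-start service '{name}' whose driver file is unreadable")
    # 5-byte JMP patches on ntdll exports, repeated across processes, point to one
    # injected component hooking system-wide rather than a per-application quirk.
    for proc, hooks in report["user_hooks"].items():
        findings.append(f"{len(hooks)} inline JMP hook(s) in {proc}: "
                        + ", ".join(export for export, _ in hooks))
    return findings

def hooked_everywhere(report):
    """Exports hooked in every hooked process: the shared injected component."""
    per_process = [{export for export, _ in hooks} for hooks in report["user_hooks"].values()]
    return sorted(set.intersection(*per_process)) if per_process else []

if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_GMER_LOG)
    for finding in triage(parsed):
        print("[!]", finding)
    print("hooked in every process:", hooked_everywhere(parsed))
```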
  2. j30rider

    j30rider TS Rookie Topic Starter

    Can someone let me know what's wrong?

    Did I post in the wrong section or something? I'm not getting any replies...

    I read some of the other posts and downloaded combofix and attached the file below.

    Thanks...

  3. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    1. Be patient. You posted 2 hours ago. We're all volunteers; we don't provide "911" service and we're not here 24/7.
    2. Any reason you ran DDS from Safe Mode? Please run it from normal mode and provide BOTH logs, DDS.txt and Attach.txt.
    3. Our instructions clearly say not to run anything else (Combofix), but only what we ask for.
  4. j30rider

    j30rider TS Rookie Topic Starter

    DDS file not in safe mode

    I ran it in safe mode to protect my computer while attempting to get rid of the issue. I wasn't aware it needed to be in normal mode. I was being patient; I was just making sure I had it posted in the right place. I saw other posts, so I started reading through them trying to diagnose the problem myself.

  5. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Our instructions don't say anything about running it in safe mode, do they?

    No, you're not, because you're bumping your topic after 2 hours and you're running Combofix, which nobody asked you to run.

    Just take it easy and we'll help you...

    How is redirection right now?

    Delete your GMER file, download fresh one and post new log.
  6. j30rider

    j30rider TS Rookie Topic Starter

    I need help, not attitude... Do you have to be so rude??? And your instructions don't say NOT to run it in safe mode. Not redirecting now, just slow.
  7. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    I suggest you stop the personal comments and we get down to business...

  8. j30rider

    j30rider TS Rookie Topic Starter

    GMER file

    Here is the new GMER file

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-25 16:12:47
    Windows 6.1.7600
    Running: sfge9lzp.exe; Driver: C:\Users\Windows7\AppData\Local\Temp\ugtcikow.sys


    ---- System - GMER 1.0.15 ----

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A26AF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A26104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A263F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A0E634
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A0E898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A261DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A26958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A266F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A26F2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A271A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A86599 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AAAF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    ? System32\Drivers\ezfydpup.sys A device attached to the system is not functioning. !
    .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F22E340, 0x3EE217, 0xE8000020]
    .text peauth.sys 9B606C9D 28 Bytes [55, 23, 24, 56, A7, 5B, 58, ...]
    .text peauth.sys 9B606CC1 28 Bytes [55, 23, 24, 56, A7, 5B, 58, ...]
    ? C:\Users\Windows7\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
    ? C:\Users\Windows7\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
    ? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 85DEBB48

    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Start 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Type 1
    Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Start 0
    Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Group Boot Bus Extender

    ---- EOF - GMER 1.0.15 ----
  9. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    It looks good now :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===================================================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:

    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  10. j30rider

    j30rider TS Rookie Topic Starter

    OTL File and Extras file

    Report is too long...

    See attached files

  11. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2010/07/25 16:36:59 | 000,000,000 | --SD | C] -- C:\ComboFix
      [2010/05/24 00:23:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
      [2010/05/24 00:23:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
      [2010/05/24 00:23:09 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  12. j30rider

    j30rider TS Rookie Topic Starter

    OTL files

    All processes killed
    Error: Unable to interpret <Code:> in the current context!
    Error: Unable to interpret <---------> in the current context!
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    C:\ComboFix folder moved successfully.
    C:\ProgramData\Symantec folder moved successfully.
    C:\ProgramData\Norton folder moved successfully.
    C:\ProgramData\NortonInstaller\Logs\06-06-2010-21h29m35s folder moved successfully.
    C:\ProgramData\NortonInstaller\Logs\06-06-2010-21h29m15s folder moved successfully.
    C:\ProgramData\NortonInstaller\Logs\06-06-2010-16h37m14s folder moved successfully.
    C:\ProgramData\NortonInstaller\Logs\05-24-2010-00h24m11s folder moved successfully.
    C:\ProgramData\NortonInstaller\Logs\05-24-2010-00h24m03s folder moved successfully.
    C:\ProgramData\NortonInstaller\Logs\05-24-2010-00h23m09s folder moved successfully.
    C:\ProgramData\NortonInstaller\Logs folder moved successfully.
    C:\ProgramData\NortonInstaller folder moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Windows7
    ->Temp folder emptied: 92249 bytes
    ->Temporary Internet Files folder emptied: 37294 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 55253274 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 1599 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 505945 bytes
    RecycleBin emptied: 71798 bytes

    Total Files Cleaned = 53.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Windows7
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Error: Unable to interpret <---------> in the current context!

    OTL by OldTimer - Version 3.2.9.1 log created on 07252010_181540

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    Attached Files: OTL.Txt
  13. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Looks good :)

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
  14. j30rider

    j30rider TS Rookie Topic Starter

    Kaspersky error

    Here is the checkup file, but Kaspersky was getting an error.
    I get this one at first when it starts...
    Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.
    Then it stops with this one...
    0 [ERROR: Logical error during update download]

    Results of screen317's Security Check version 0.99.4
    Windows 7 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG Free 9.0
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 18
    Out of date Java installed!
    Adobe Flash Player 10.1.53.64
    Adobe Reader 9.3.3
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    AVG avgemc.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    Unknown. This method cannot test your vulnerability to DNS cache poisoning.

    ``````````End of Log````````````
  15. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    You didn't comply with my instructions from post #11, regarding updating Java and running JavaRa to remove old Java versions.
    Please, do so and post new SecurityCheck log.

    Then, instead of Kaspersky...

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • IMPORTANT! UN-check Remove found threats
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  16. j30rider

    j30rider TS Rookie Topic Starter

    New checkup file and scan results

    Results of screen317's Security Check version 0.99.4
    Windows 7 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG Free 9.0
    ESET Online Scanner v3
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 21
    Out of date Java installed!
    Adobe Flash Player 10.1.53.64
    Adobe Reader 9.3.3
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    AVG avgemc.exe
    ESET ESET Online Scanner OnlineScannerApp.exe
    ESET ESET Online Scanner OnlineCmdLineScanner.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    Unknown. This method cannot test your vulnerability to DNS cache poisoning.

    ``````````End of Log````````````

    C:\Qoobox\Quarantine\C\Windows\system32\Drivers\volmgrx.sys.vir Win32/Olmarik.ZC trojan
  17. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Very good :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =======================================================================

    Your computer is clean

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista/7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
  18. j30rider

    j30rider TS Rookie Topic Starter

    Thanx

    Seems to be running fine... I will check again tomorrow. Thanks again...
  19. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Way to go!!
    Good luck and stay safe :)
Topic Status:
Not open for further replies.
