Tidserv virus - redirecting webpages

Solved
By lizmcreations
Apr 8, 2010
Topic Status:
Not open for further replies.
  1. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    I downloaded a brand new gmer and I still can't get it to finish running ... always has a problem and stops working and then the windows "this program has stopped working..." window pops-up.

    Liz
  2. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    I downloaded gmer.exe from a different site to see if I could get it to finish ... still no go. But, this time I noticed that the status on the bottom (in case it makes a difference or tells you something)...

    It was scanning:
    \Device\HarddiskVolumeShadowCopy2

    Like I said, that might mean nothing .. but it might also tell you why the program (gmer.exe) is failing.

    Liz
  3. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    I just got home, so I'll be slow with replying (tons of other topics).

    If we're dealing with this new type of TDSS rootkit ( and it looks like we do), we'll have to make GMER running. As of now, it's the only tool, which actually detects this new type of TDSS.

    Run rKill first.
    When you start GMER, UN-check "Devices" in right pane and try to run it.

    If still a problem, restart in Safe Mode and try from there.

    From OTL log I can see, that the infection is still there.
    Don't worry about Extras. It's not important at all at this moment.
  4. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    ok, ran rkill and then gmer without the "devices" checked ... got farther in the process but I got the "blue screen of death" while it was searching files. So I booted back-up in safe mode and re-ran gmer. Has run fine so far, still running for just aout 12 hours at this point. Just giving a quick update in case you login ... I will post the log as soon as it stops running, which I think will be soon.

    Thanks,

    Liz
  5. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    Ok, after more than 12 hours (I have a lot of files) the gmer scan has finally finished ... Here is the log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-14 11:44:28
    Windows 6.0.6002 Service Pack 2
    Running: gmer.exe; Driver: C:\Users\Liz\AppData\Local\Temp\pwloakow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\Windows\system32\drivers\msahci.sys entry point in ".rsrc" section [0x807C9014]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[868] ntdll.dll!NtProtectVirtualMemory 77454D34 5 Bytes JMP 001E000A
    .text C:\Windows\system32\svchost.exe[868] ntdll.dll!NtWriteVirtualMemory 77455674 5 Bytes JMP 001F000A
    .text C:\Windows\system32\svchost.exe[868] ntdll.dll!KiUserExceptionDispatcher 77455DC8 5 Bytes JMP 001D000A
    .text C:\Windows\Explorer.EXE[1176] ntdll.dll!NtProtectVirtualMemory 77454D34 5 Bytes JMP 007D000A
    .text C:\Windows\Explorer.EXE[1176] ntdll.dll!NtWriteVirtualMemory 77455674 5 Bytes JMP 007E000A
    .text C:\Windows\Explorer.EXE[1176] ntdll.dll!KiUserExceptionDispatcher 77455DC8 5 Bytes JMP 007C000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73EE7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F3A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73EEBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73EDF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73EE75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73EDE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73F18395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73EEDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73EDFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73EDFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73ED71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73F6CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73F0C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73EDD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73ED6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73ED687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73EE2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\msahci.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    Hopefully, that gave you the information you need and we can get my laptop back to functioning at 100% now :) --- thank you again for all the help you've given me.

    Liz
  6. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Excellent!
    I'm very glad to see GMER log and I'm sorry for all your 12+ hours trouble :)

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users:: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      msahci.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  7. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    I don't mind the 12+ hour search ... I started it before I went to bed and I was just glad to see that it was still running/hadn't crashed when I woke up! :) It is well worth it as long as it showed where the problem was hiding and we can fix it now :)

    Ok, here is the result of the systemlook scan:

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 20:47 on 14/04/2010 by Liz (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "msahci.sys"
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\msahci.sys --a--- 27112 bytes [12:09 15/12/2009] [06:32 11/04/2009] 5457DCFA7C0DA43522F4D9D4049C1472
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\msahci.sys --a--- 23144 bytes [10:25 02/11/2006] [09:49 02/11/2006] 742AED7939E734C36B7E8D6228CE26B7
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\msahci.sys --a--- 28728 bytes [02:23 21/01/2008] [02:23 21/01/2008] 28023E86F17001F7CD9B15A5BC9AE07D
    C:\Windows\System32\drivers\msahci.sys --a--- 27112 bytes [12:09 15/12/2009] [23:32 12/04/2010] 5457DCFA7C0DA43522F4D9D4049C1472
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\msahci.sys --a--- 28728 bytes [02:23 21/01/2008] [02:23 21/01/2008] 28023E86F17001F7CD9B15A5BC9AE07D
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\msahci.sys --a--- 27112 bytes [12:09 15/12/2009] [06:32 11/04/2009] 5457DCFA7C0DA43522F4D9D4049C1472

    -=End Of File=-



    Liz
  8. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Using OTM...

    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\System32\drivers\msahci.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\msahci.sys /replace
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Check for redirection and post fresh SystemLook log (same script as in my reply #81)
  9. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    Ok, all done!

    After OTM process and reboot, I had to boot to my Windows Vista Installation CD because of an issue with the msahci.sys file ... not a huge problem ....

    I did a few searches, and so far everything seems to be working perfectly - and I think for good this time!! :)

    I have attached the OTM log as well as the systemlook log. Hopefully, everything looks the way it should.

    I cannot thank you enough!! I really appreciate your time and assistance with this.

    Liz

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    I'm glad to hear it :)
    Actually, I'm relieved :)
    I assume, you too....hehehe

    Let me go through our topic to see what final steps we need to perform.
  11. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.

    ======================================================================

    Please run a BitDefender Online Scan

    • Disable your antivirus program.
    • Click Start Scanner button.
    • Click Start scan button
    • Allow browser plug-in to be installed when prompted.
    • Click I Agree to agree to the EULA.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on View log.
    • Notepad will open with scan results.
    • Save the report to your desktop and post its content in your next reply.

    Post fresh HijackThis log as well.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    BTW, I'll be slow, because my Stanley Cup game is coming :)
  13. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    yes, I am relieved too! :)

    I will run the clean up tasks tomorrow and post the hijackthis log in the morning.

    Thank you again.

    Liz
  14. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    No problem :)
    Have a good night sleep tonight...LOL :)
  15. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    ok ... very good news ... STILL no redirects!! Yay!!! :grinthumb

    Hijackthis and bitdefender logs attached. Bitdefender found 4 things, but I reinstalled my norton last night so maybe a full scan with norton will get rid of them. But, again, I'm back to functioning normally and I can search without getting redirects ... if there was a "dancing" smilie I'd use it right now :)

    Thank you again!!

    Liz

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Very good, very good :)

    Don't bother with Norton and those files.
    We can easily remove them, but I suspect, they may be false positive.

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:

    C:\program files\adobe\acrobat 8.0\designer 8.0\en\samples\subformset\outputs\subformset1dataa12731.exe
    C:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresxtipresx.exe
    C:\Program Files\Java\jre6\bin\new_plugin\ToolkitJavaTM.exe
    C:\program files\common files\adobe\color\settings\extrasettings\generaleurope3229.exe

    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
    If the result says 0/42, you don't have to post logs.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Totally awesome! A long trip and a lot of work well done! My congrats to you both.:grinthumb
  18. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Thank you :)
  19. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    ok, not sure what it means but this is the only response I keep getting from virustool.com ....

    Exception

    Please report failure as: ErrorTime= "Apr 16 03:30:31"

    Not a huge problem .... maybe I'll try in the morning?

    Liz
  20. Broni

    Broni Malware Annihilator Posts: 46,127   +251

  21. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    ok, attached is a "log" made of the scan results ...

    it did find something for each one ...

    but, none of them seem to be affecting the computer right now ... the biggest issue being the redirects has been resolved .... :)

    Liz

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    I know, I know, but we have to make sure no leftovers are lurking behind the scenes.

    Judging from your latest scan, we better remove those files.

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\program files\adobe\acrobat 8.0\designer 8.0\en\samples\subformset\outputs\subformset1dataa12731.exe
    C:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresxtipresx.exe
    C:\Program Files\Java\jre6\bin\new_plugin\ToolkitJavaTM.exe
    C:\program files\common files\adobe\color\settings\extrasettings\generaleurope3229.exe
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  23. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    sorry, that came out wrong ... I didn't mean I wanted to leave the possible problems, simply meant that they aren't as much of a priority/issue so if you had other people to help, whose issues are more serious than the final "tweaks" on my computer ... I would understand ... probably still not explaining it well ...

    anyway, I ran OTM again and here is the log ... I'm going to run in the bitdefender scan again since that is the one that found them to make sure they are gone ...

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\program files\adobe\acrobat 8.0\designer 8.0\en\samples\subformset\outputs\SubformSet1DataA12731.exe moved successfully.
    C:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresxtipresx.exe moved successfully.
    C:\Program Files\Java\jre6\bin\new_plugin\ToolkitJavaTM.exe moved successfully.
    C:\program files\common files\adobe\color\settings\extrasettings\GeneralEurope3229.exe moved successfully.
    ========== COMMANDS ==========
    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Liz
    ->Temp folder emptied: 11578754 bytes
    ->Temporary Internet Files folder emptied: 13902250 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 36684257 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 1935 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 784848 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 711702 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 11873339 bytes

    Total Files Cleaned = 72.00 mb


    OTM by OldTimer - Version 3.1.10.1 log created on 04152010_224535

    Files moved on Reboot...
    File move failed. C:\Windows\temp\WebEx\Log\415\atashost.log scheduled to be moved on reboot.
    C:\Windows\temp\00000BO90004.CDX moved successfully.
    C:\Windows\temp\00000BO90005.CDX moved successfully.
    C:\Windows\temp\00000BO90006.CDX moved successfully.

    Registry entries deleted on Reboot...


    Liz
  24. lizmcreations

    lizmcreations Newcomer, in training Topic Starter Posts: 60

    ok, bitdefender scan clear too!!! :)
  25. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Very good :)

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.


    Please, give me fresh HJT log.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.