Solved Win32/Heur SHeur3.AQRA Win32/Zbot.B Infection detected by AVG free

ESET is done, running Avast now.
 

Attachments
  • EST_Remove-Part1of4.txt (157.2 KB)
  • EST_Remove-Part2of4.txt (157.2 KB)
  • EST_Remove-Part3of4.txt (157.3 KB)
  • EST_Remove-Part4of4.txt (157.1 KB)
We better re-run some scans. It looks like you got reinfected.

STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When the scan is completed, click the Save button, and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log in your next reply.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


STEP 3. Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.



DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
MBRCheck:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB9F4A000 pcmcia.sys
0xBA0D8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F13000 atapi.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EF3000 fltMgr.sys
0xB9EE1000 sr.sys
0xB9ECA000 KSecDD.sys
0xB9E3D000 Ntfs.sys
0xB9E10000 NDIS.sys
0xB9DF6000 Mup.sys
0xBA128000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xB9B27000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB9B13000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB99D8000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB99AD000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA400000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB9989000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA408000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA138000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA148000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA158000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9966000 \SystemRoot\system32\DRIVERS\ks.sys
0xB993E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA168000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB9912000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBA178000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB9897000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA410000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA418000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA188000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA590000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA198000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA594000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA598000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA1A8000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xBA6EB000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA5DE000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA420000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA1B8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA59C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9880000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA428000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9847000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA430000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA438000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9777000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5E0000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9719000 \SystemRoot\system32\DRIVERS\update.sys
0xB9DC6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA208000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xBA218000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA258000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5E2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAF467000 \SystemRoot\system32\drivers\sthda.sys
0xAF443000 \SystemRoot\system32\drivers\portcls.sys
0xBA268000 \SystemRoot\system32\drivers\drmk.sys
0xBA5E6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA75A000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5E8000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA468000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA470000 \SystemRoot\System32\drivers\vga.sys
0xBA5EA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5EC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA478000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA480000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA56C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAF3E8000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAF38F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA278000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xAF369000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAF341000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAF31F000 \SystemRoot\System32\drivers\afd.sys
0xBA288000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAF254000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAF1E4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA2A8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB9878000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA2E8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBA308000 \SystemRoot\system32\DRIVERS\tosrfusb.sys
0xB9860000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAE4D5000 \SystemRoot\System32\Drivers\aswSP.SYS
0xBA490000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xB9827000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAE4BD000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5FA000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAF43B000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA4A8000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA726000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF058000 \SystemRoot\System32\ati2cqag.dll
0xBF0C6000 \SystemRoot\System32\atikvmag.dll
0xBF117000 \SystemRoot\System32\atiok3x2.dll
0xBF142000 \SystemRoot\System32\ati3duag.dll
0xBF42F000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA564000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xAC081000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xABE5E000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xABBD9000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xABB0A000 \SystemRoot\system32\DRIVERS\srv.sys
0xABC36000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xAB825000 \SystemRoot\system32\drivers\wdmaud.sys
0xABC76000 \SystemRoot\system32\drivers\sysaudio.sys
0xAB4E6000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA340000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xAB24F000 \??\C:\DOCUME~1\Kim\LOCALS~1\Temp\uxtdapow.sys
0xAAF93000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):
0 System Idle Process
4 System
792 C:\WINDOWS\system32\smss.exe
864 csrss.exe
896 C:\WINDOWS\system32\winlogon.exe
944 C:\WINDOWS\system32\services.exe
956 C:\WINDOWS\system32\lsass.exe
1120 C:\WINDOWS\system32\ati2evxx.exe
1136 C:\WINDOWS\system32\svchost.exe
1208 svchost.exe
1260 C:\WINDOWS\system32\svchost.exe
1384 svchost.exe
1412 svchost.exe
1540 C:\WINDOWS\system32\WLTRYSVC.EXE
1552 C:\WINDOWS\system32\BCMWLTRY.EXE
1640 C:\WINDOWS\system32\ati2evxx.exe
1660 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1980 C:\WINDOWS\system32\spoolsv.exe
208 svchost.exe
312 C:\Program Files\Bonjour\mDNSResponder.exe
348 C:\Program Files\Java\jre6\bin\jqs.exe
368 C:\WINDOWS\explorer.exe
452 C:\Program Files\Microsoft SQL Server\MSSQL$IPLANNERFRAMEWK\Binn\sqlservr.exe
568 C:\WINDOWS\system32\oodag.exe
648 C:\WINDOWS\system32\svchost.exe
2120 C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
2128 C:\WINDOWS\system32\WLTRAY.EXE
2136 C:\WINDOWS\system32\oodtray.exe
2164 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
2188 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
2292 C:\WINDOWS\system32\ctfmon.exe
2472 alg.exe
2548 C:\WINDOWS\system32\wscntfy.exe
3344 C:\WINDOWS\system32\wuauclt.exe
3100 C:\Program Files\Internet Explorer\iexplore.exe
1248 C:\Program Files\Internet Explorer\iexplore.exe
3876 C:\Program Files\Internet Explorer\iexplore.exe
2352 C:\Documents and Settings\Kim\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVS-75UST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 

Attachments
  • mbam-log-2010-09-14 (22-23-58).txt (1.4 KB)
  • GMER.log (7.1 KB)
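The MBRCheck log above is normally read by eye: one scans the Kernel Drivers list for anything loaded from an unusual place. As an added example (not part of this thread, and not MBRCheck's own code), the Python script below parses that section and flags drivers whose image lives outside the Windows system directories, which in the posted log singles out the entry under the user's Temp folder. A hit is a lead for the analyst, not a verdict: rootkit scanners and AV engines also load short-lived, randomly named drivers from Temp while they run, so the file still has to be identified. The trusted-prefix list, the user-writable markers and the sample excerpt are assumptions constructed for the example.

```python
"""Triage the 'Kernel Drivers' section of an MBRCheck log.

Parses lines of the form '0xBASEADDR <image path>' and flags drivers whose
image lives outside the Windows system directories, e.g. under a user
profile or a Temp folder. A hit is a lead for the analyst, not a verdict:
rootkit scanners and AV engines also load short-lived, randomly named
drivers from Temp while they run.
"""
import re

# Constructed excerpt in MBRCheck's layout (a handful of lines in the shape of
# the log above, not the full log).
SAMPLE_LOG = """\
Kernel Drivers (total 5):
0x804D7000 \\WINDOWS\\system32\\ntkrnlpa.exe
0xB9F79000 ACPI.sys
0xBA278000 \\SystemRoot\\System32\\Drivers\\aswTdi.SYS
0xAB24F000 \\??\\C:\\DOCUME~1\\Kim\\LOCALS~1\\Temp\\uxtdapow.sys
0x7C900000 \\WINDOWS\\system32\\ntdll.dll

Processes (total 2):
0 System Idle Process
4 System
"""

DRIVER_LINE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+(\S.*?)\s*$")

# Prefixes treated as the normal home of a kernel driver (assumption for the
# example; compared case-insensitively after normalisation).
TRUSTED_PREFIXES = ("\\windows\\system32\\", "\\systemroot\\system32\\")
# Markers of user-writable locations a kernel driver should not normally be
# loaded from (assumption for the example).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\docume~1\\",
                         "\\documents and settings\\", "\\users\\")


def parse_kernel_drivers(log_text):
    """Return [(base_address, image_path), ...] from the Kernel Drivers section."""
    drivers = []
    in_section = False
    for line in log_text.splitlines():
        if not in_section:
            in_section = line.startswith("Kernel Drivers")
            continue
        if not line.strip():          # the section ends at the first blank line
            break
        m = DRIVER_LINE.match(line)
        if m:
            drivers.append((int(m.group(1), 16), m.group(2)))
    return drivers


def normalize(image_path):
    """Lower-case the path and drop the NT '\\??\\' prefix so prefixes compare cleanly."""
    p = image_path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def classify(image_path):
    """'bare' (file name only), 'system', 'user-writable' or 'other'."""
    p = normalize(image_path)
    if "\\" not in p:
        return "bare"                 # boot-start drivers are listed by file name only
    if p.startswith(TRUSTED_PREFIXES):
        return "system"
    if any(mark in p for mark in USER_WRITABLE_MARKERS):
        return "user-writable"
    return "other"


def triage(log_text):
    """Return the drivers worth a second look, each with base address and reason."""
    findings = []
    for base, path in parse_kernel_drivers(log_text):
        kind = classify(path)
        if kind in ("user-writable", "other"):
            findings.append({"base": f"0x{base:08X}", "path": path, "reason": kind})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['base']}  {f['path']}  [{f['reason']}]")
```

Run against the full log pasted above, the only driver it reports is uxtdapow.sys under C:\DOCUME~1\Kim\LOCALS~1\Temp. Whether that is a scanner's own helper driver or something hostile cannot be decided from the path alone; the point of the script is to make sure the question gets asked.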
Your MBAM log says "No action taken" after each line.
Re-run MBAM, fix all issues and post new log.
 
Sorry, that log popped up immediately after the scan, before any action was taken. This is the log taken from the MBAM log list (after repair and reboot).
 

Attachments
  • mbam-log-2010-09-14 (22-25-09).txt (1.5 KB)
Good :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with ComboFix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\Yyocohekeva.bin
c:\windows\Nminebeva.dat

Folder::
c:\documents and settings\Kim\Application Data\Xaulwu
c:\documents and settings\Kim\Application Data\Nuexqu


DirLook::
c:\program files\sys32


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-


SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Good :)

How is the computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} Reg Error: Value error. (Reg Error: Key error.)
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
    O20 - Winlogon\Notify\avgrsstarter: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    [2010/04/26 10:33:52 | 000,012,692 | -HS- | C] () -- C:\Documents and Settings\Kim\Local Settings\Application Data\53YQ5yXeP
    [2010/04/26 10:33:52 | 000,012,692 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\53YQ5yXeP
    [2010/04/19 21:35:10 | 000,014,958 | -HS- | C] () -- C:\Documents and Settings\Kim\Local Settings\Application Data\yaG3YsQ4geFa
    [2010/04/19 21:35:10 | 000,014,958 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\yaG3YsQ4geFa
    [2010/04/18 20:48:14 | 000,014,020 | -HS- | C] () -- C:\Documents and Settings\Kim\Local Settings\Application Data\t35517xJLuG
    [2010/04/18 20:48:14 | 000,014,020 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\t35517xJLuG
    [2010/04/12 10:23:29 | 000,013,462 | -HS- | C] () -- C:\Documents and Settings\Kim\Local Settings\Application Data\A28k41
    [2010/04/12 10:23:29 | 000,013,462 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\A28k41
    [2010/01/26 23:38:51 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\LPVGVPCG
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

======================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to the Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
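The OTL fix above is driven by a pattern in the scan lines: hidden and system-attributed objects (the -HS- / -HSD flags) with random-looking names, dropped under Application Data, and in each case present twice with the same size and timestamp, once in the user's profile and once under All Users. As an added example (not part of this thread, and not OTL's own code), the Python script below parses OTL-style entry lines, applies that combination of checks, and groups suspects by timestamp and size so the mirrored drops show up together. The regular expression, the reading of the four-position attribute field as R/H/S/D, the profile-folder markers, the random-name pattern and the sample entries are assumptions constructed for the example; the name heuristic on its own is weak, which is why only the full combination counts as a hit.

```python
"""Triage file entries from an OTL scan log.

Parses entries of the form
    [date time | size | attrs | C] (company) -- path
where attrs is a four-position flag field read here as R,H,S,D (read-only,
hidden, system, directory), and flags hidden+system objects with
random-looking names in user-writable profile folders. Suspects sharing a
timestamp and size are grouped, which exposes mirrored drops into several
profile folders.
"""
import re
from collections import defaultdict

OTL_ENTRY = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[R-][H-][S-][D-]) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)

# Constructed sample in OTL's layout: entries in the shape of those the fix
# above removed, plus two benign ones for contrast.
SAMPLE_ENTRIES = """\
[2010/04/26 10:33:52 | 000,012,692 | -HS- | C] () -- C:\\Documents and Settings\\Kim\\Local Settings\\Application Data\\53YQ5yXeP
[2010/04/26 10:33:52 | 000,012,692 | -HS- | C] () -- C:\\Documents and Settings\\All Users\\Application Data\\53YQ5yXeP
[2010/04/19 21:35:10 | 000,014,958 | -HS- | C] () -- C:\\Documents and Settings\\Kim\\Local Settings\\Application Data\\yaG3YsQ4geFa
[2010/04/19 21:35:10 | 000,014,958 | -HS- | C] () -- C:\\Documents and Settings\\All Users\\Application Data\\yaG3YsQ4geFa
[2010/01/26 23:38:51 | 000,000,000 | -HSD | M] -- C:\\Documents and Settings\\All Users\\Application Data\\LPVGVPCG
[2010/09/14 22:25:09 | 000,001,536 | ---- | C] () -- C:\\Documents and Settings\\Kim\\Desktop\\mbam-log-2010-09-14 (22-25-09).txt
[2010/08/01 09:00:00 | 000,000,000 | ---D | M] -- C:\\Documents and Settings\\Kim\\Application Data\\Adobe
"""

# Folder markers meaning "inside a user profile", and a loose pattern for names
# with no extension and no separators (both assumptions for the example).
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\", "\\users\\")
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{5,16}$")


def parse_entries(text):
    """Return one dict per OTL entry line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        attrs = d["attrs"]
        entries.append({
            "stamp": f"{d['date']} {d['time']}",
            "size": int(d["size"].replace(",", "")),
            "hidden": attrs[1] == "H",
            "system": attrs[2] == "S",
            "directory": attrs[3] == "D",
            "company": d["company"] or "",
            "path": d["path"],
        })
    return entries


def is_suspect(entry):
    """Hidden + system + profile folder + random-looking name: the combination is the signal."""
    lower = entry["path"].lower()
    name = entry["path"].rsplit("\\", 1)[-1]
    in_profile = any(mark in lower for mark in PROFILE_MARKERS)
    return (entry["hidden"] and entry["system"] and in_profile
            and bool(RANDOM_NAME.match(name)))


def triage(text):
    """Return (suspects, mirrored); mirrored maps (stamp, size) -> list of paths."""
    suspects = [e for e in parse_entries(text) if is_suspect(e)]
    mirrored = defaultdict(list)
    for e in suspects:
        mirrored[(e["stamp"], e["size"])].append(e["path"])
    return suspects, dict(mirrored)


if __name__ == "__main__":
    suspects, mirrored = triage(SAMPLE_ENTRIES)
    for (stamp, size), paths in mirrored.items():
        print(f"{stamp}  {size:>7} bytes  x{len(paths)}")
        for p in paths:
            print("    " + p)
```

On the sample the two benign entries (a plain log file on the Desktop and a normal directory under Application Data) fall through, while the five hidden+system objects are reported in three groups: two pairs with identical timestamp and size, and the lone LPVGVPCG directory.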
 
Sorry, missed that bit. Computer running much better. No slowdown and haven't had an alert from Avast for some time. Thank you for all your help. Will run those last checks when I get home, they have got me working a night shift tonight! Thanks again.
 
OTL Log:
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Starting removal of ActiveX control {166B1BCA-3F9C-11CF-8075-444553540000}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{166B1BCA-3F9C-11CF-8075-444553540000}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{166B1BCA-3F9C-11CF-8075-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ not found.
Starting removal of ActiveX control {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\linkscanner\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}\ not found.
File {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter\ deleted successfully.
C:\Documents and Settings\Kim\Local Settings\Application Data\53YQ5yXeP moved successfully.
C:\Documents and Settings\All Users\Application Data\53YQ5yXeP moved successfully.
C:\Documents and Settings\Kim\Local Settings\Application Data\yaG3YsQ4geFa moved successfully.
C:\Documents and Settings\All Users\Application Data\yaG3YsQ4geFa moved successfully.
C:\Documents and Settings\Kim\Local Settings\Application Data\t35517xJLuG moved successfully.
C:\Documents and Settings\All Users\Application Data\t35517xJLuG moved successfully.
C:\Documents and Settings\Kim\Local Settings\Application Data\A28k41 moved successfully.
C:\Documents and Settings\All Users\Application Data\A28k41 moved successfully.
C:\Documents and Settings\All Users\Application Data\LPVGVPCG folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kim
->Temp folder emptied: 104320 bytes
->Temporary Internet Files folder emptied: 22883990 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1563 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 22.00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: Kim
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.12.1 log created on 09192010_081243

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DF6B5.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DF6D5.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DF7CC.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DF7F0.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DF8DA.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DF8EC.tmp not found!
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\R0URA2GT\ads[1].htm moved successfully.
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\R0URA2GT\sh23[1].html moved successfully.
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\R0URA2GT\topic153098-2[3].html moved successfully.
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
TuneUp Utilities 2008
Java(TM) 6 Update 21
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 avastUI.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
I've just had to reinstall Java. It was enabled in Internet Explorer options and it had an icon in the Control Panel, but clicking the icon in the Control Panel just generated an error sound with no message, and Kaspersky was saying no Java was installed.
 
Okay, I've been to Java.com and clicked on install Java. It downloaded and then told me Java is already installed, would you like to reinstall, so I've told it to reinstall. However I'm still getting the message 'Kaspersky Online Scanner 7.0 download and operation require Java framework version 1.5 or later.'

Any ideas?
 
Instead of Kaspersky....

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMPORTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
Most of the bad files are in system restore points, which we'll reset in a moment.
We'll remove all other findings though....

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\056c2a28d08aeb7716a888309a8a\i386\filterpipelineprintproc.dll	
    C:\056c2a28d08aeb7716a888309a8a\i386\mxdwdrv.dll	
    C:\056c2a28d08aeb7716a888309a8a\i386\xpssvcs.dll	
    C:\Program Files\Creative\Shared Files\MtpManU.dll	
    C:\Program Files\Creative\Software Update 3\CTIntrfu.dll	
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\OemBtAcpiAPI.dll	
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtLoad.dll	
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMngHelp.dll	
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosCpsAPI.dll
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

========================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
 
Here's the OTL log:

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File move failed. C:\056c2a28d08aeb7716a888309a8a\i386\filterpipelineprintproc.dll scheduled to be moved on reboot.
File move failed. C:\056c2a28d08aeb7716a888309a8a\i386\mxdwdrv.dll scheduled to be moved on reboot.
File move failed. C:\056c2a28d08aeb7716a888309a8a\i386\xpssvcs.dll scheduled to be moved on reboot.
C:\Program Files\Creative\Shared Files\MtpManU.dll moved successfully.
C:\Program Files\Creative\Software Update 3\CTIntrfu.dll moved successfully.
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\OemBtAcpiAPI.dll moved successfully.
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtLoad.dll moved successfully.
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMngHelp.dll moved successfully.
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosCpsAPI.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kim
->Temp folder emptied: 18677964 bytes
->Temporary Internet Files folder emptied: 6130090 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 35717120 bytes

Total Files Cleaned = 58.00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: Kim
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.12.1 log created on 09222010_000156

Files\Folders moved on Reboot...
C:\056c2a28d08aeb7716a888309a8a\i386\filterpipelineprintproc.dll moved successfully.
C:\056c2a28d08aeb7716a888309a8a\i386\mxdwdrv.dll moved successfully.
C:\056c2a28d08aeb7716a888309a8a\i386\xpssvcs.dll moved successfully.
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DFB803.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DFB815.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DFB8A7.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DFB8B9.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DFB8F6.tmp not found!
File\Folder C:\Documents and Settings\Kim\Local Settings\Temp\~DFB908.tmp not found!
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\SSHSVAQ7\ads[5].htm moved successfully.
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\SMTQR7AQ\sh23[1].html moved successfully.
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\3EKGOR9O\ads[5].htm moved successfully.
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\3EKGOR9O\topic153098-3[3].html moved successfully.
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
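The OTL log above shows three of the files from the fix script's :Files section failing their first move and only succeeding after the reboot, while one temp file is still "scheduled to be moved on reboot" at the end. As an added example (not part of this thread and not OTL's own tooling), here is a small Python check that reads a fix log in that format, confirms each requested path was moved either immediately or in the "moved on Reboot" section, and lists anything still pending. The log excerpt is a constructed abridgement of the one posted, and the NotInLog.dll path is invented to show the "missing" outcome.

```python
import re

# Constructed excerpt modelled on the OTL fix log quoted in this thread.
SAMPLE_LOG = r"""
========== FILES ==========
File move failed. C:\056c2a28d08aeb7716a888309a8a\i386\mxdwdrv.dll scheduled to be moved on reboot.
C:\Program Files\Creative\Shared Files\MtpManU.dll moved successfully.
========== COMMANDS ==========
Files\Folders moved on Reboot...
C:\056c2a28d08aeb7716a888309a8a\i386\mxdwdrv.dll moved successfully.
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
"""

# Paths from the script's :Files section; NotInLog.dll is invented to show 'missing'.
REQUESTED = [
    r"C:\056c2a28d08aeb7716a888309a8a\i386\mxdwdrv.dll",
    r"C:\Program Files\Creative\Shared Files\MtpManU.dll",
    r"C:\Program Files\Example\NotInLog.dll",
]

SCHEDULED_RE = re.compile(r"^File move failed\. (.+) scheduled to be moved on reboot\.$")
MOVED_RE = re.compile(r"^(.+) moved successfully\.$")
REBOOT_HEADER = r"Files\Folders moved on Reboot..."

def parse_fix_log(text):
    """Return {lowercased path: 'moved' | 'moved_on_reboot' | 'pending'}."""
    status, in_reboot = {}, False
    for line in text.splitlines():
        line = line.rstrip()
        if line == REBOOT_HEADER:
            in_reboot = True  # everything below this header ran after the reboot
            continue
        m = SCHEDULED_RE.match(line)
        if m:  # deferred move: pending until a later success line confirms it
            status.setdefault(m.group(1).lower(), "pending")
            continue
        m = MOVED_RE.match(line)
        if m:  # a success line overrides an earlier 'pending' for the same path
            status[m.group(1).lower()] = "moved_on_reboot" if in_reboot else "moved"
    return status

def verify_fix(requested, log_text):
    """Outcome per requested path; 'missing' means the log never mentions it."""
    seen = parse_fix_log(log_text)
    return {p: seen.get(p.lower(), "missing") for p in requested}

def unresolved(log_text):
    """Paths still scheduled for a reboot move with no later success line."""
    return sorted(p for p, s in parse_fix_log(log_text).items() if s == "pending")
```

Anything reported as "pending" or "missing" is a reason to re-run the scan rather than declare the machine clean; here the avast lock file stays pending because no later line confirms its move.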
 