My log files

Before anything can be done, you need to turn off Spybot Tea Timer. Step 3 of the Virus and Malware Removal instructions said to temporarily disable Real Time Protection. That's what Tea Timer is:

Disable Teatimer
  • Right click the Spybot-SD Resident Icon located in your system tray.
  • This will bring up the Spybot options menu; uncheck Resident Protection.
  • Launch Spybot S&D Program
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot
You are running an outdated version of AVG. v7 no longer gets automatic updates. You either need to update to v8, or for better coverage, install Avira:
https://www.techspot.com/downloads/41-antivir-personal-edition.html

Once you have stopped TeaTimer and updated or changed the AV, run a full system scan with the AV program. Follow that with a new HijackThis scan.

Right now, Spybot is deleting in the background and your AV isn't current.

Please attach both logs in your next reply.
 
new logs

here are the results of the new scans
 

Attachment: AVSCAN-20090515-092637-49A729F9.LOG
The system is heavily infected. Please UPDATE and run Malwarebytes again.
Follow that with Combofix:
Combofix
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
Link 3
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot: whatnext.png):
    Click on Yes, to continue scanning for malware.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Credits to Blind Dragon for Combofix instructions.

Rescan with HijackThis and attach new log, along with Mbam log and Combofix report:

Order to follow:
1. Malwarebytes (update first)
2. Combofix
3. HijackThis

Attach all logs and reports.
 
Malwarebytes shows No action taken.
This means that you did not check this:
* Make sure that everything is checked, and click Remove Selected.

Please UPDATE Mbam, put the checkmarks in and rescan.
The original run showed LESS malware and it was removed!

You now have malware in the System Restore points. We will remove them at the end of cleaning. In the meantime DON'T use System Restore- you will reinfect the system.

You have Avira running now, but you still have AVG v7. That needs to be removed.

You also still have Norton Security Scan. Please use the Norton Removal Tool to remove:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Chkdsk is set to run every time you start up. That will be very time consuming. I suggest you take it off of Startup and run it manually with your regular computer maintenance.

Please open HijackThis, and select Do a system scan only.
Place a checkmark next to the following entries (if present):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll (file missing)
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] c:\windows\pp06.exe
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1242158252.exe work (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1242158252.exe work (User 'Default user')
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.
O16 - DPF: {CCBDF033-DD85-45FD-AE68-FBC4A7C7C154} (BravaClientXView Class) - http://viewer.network.construction.com/IGC/BravaClientX.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://maxwellsystems.webex.com/client/T26L/support/ieatgpc.cab

Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

FYI:
The following threats are known to be associated with the file "bandobjs.dll" (threat alias, number of incidents):
  • Adware.AdMedia [PC Tools]: 72
  • Adware.IEhlpr [Symantec]: 72
  • Adware-DoDoor [McAfee]: 72
  • not-a-virus:AdWare.Win32.AdMedia.g [Kaspersky Lab]

Please attach the new Malwarebytes log in your next reply. Also rescan with HijackThis and include the log.
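As an added example, not from this thread or from HijackThis itself: a small Python script that applies the kind of checks the helper made above to the HijackThis lines quoted in this post. The sample lines are copied from the entries listed above; the flagging heuristics (localhost proxy, BHO with no file, autorun from TEMP or under SYSTEM, an executable placed straight into C:\Windows, ActiveX DPF entries) are assumptions of this example, not HijackThis rules.

```python
import re

# Sample HijackThis lines, taken from the log entries quoted in this thread
# (a constructed subset, not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll (file missing)
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1242158252.exe work (User 'SYSTEM')
O16 - DPF: {CCBDF033-DD85-45FD-AE68-FBC4A7C7C154} (BravaClientXView Class) - http://viewer.network.construction.com/IGC/BravaClientX.cab
"""

# Heuristics chosen for this example (assumptions, not HijackThis rules).
LOCAL_PROXY = re.compile(r"=\s*(?:http=)?(?:localhost|127\.0\.0\.1):\d+", re.I)
WINDOWS_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe")


def triage_line(line):
    """Return a short reason if the line matches one of the heuristics, else None."""
    kind = line.split(" - ", 1)[0].strip()
    if kind == "R1" and "ProxyServer" in line and LOCAL_PROXY.search(line):
        return "browser proxy points at localhost: traffic routed through a local process"
    if kind == "O2" and ("(no file)" in line or "(file missing)" in line):
        return "BHO registered with no backing file: orphaned or half-removed add-on"
    if kind == "O4":
        target = line.split("] ", 1)[-1].lower()  # everything after [name]
        if "\\temp\\" in target:
            return "autorun entry launching from a TEMP directory"
        if "(user 'system')" in target:
            return "autorun entry under the SYSTEM account (S-1-5-18)"
        if WINDOWS_ROOT_EXE.search(target):
            return "autorun entry running an exe placed directly in C:\\Windows"
    if kind == "O16":
        return "ActiveX download (DPF) entry: confirm the hosting domain is expected"
    return None


def triage(log_text):
    """Run triage_line over every non-empty line; returns [(kind, reason, line), ...]."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reason = triage_line(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

The ProxyOverride line is deliberately not flagged: it only lists exclusions, and it is the ProxyServer entry that redirects browser traffic.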
 
Looks good! Let's run one more program to make sure there aren't any entries lurking:

Download and Install SDFix HERE and save it to your desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)
  • Boot into Safe Mode:
    [o] Restart your computer and start pressing the F8 key on your keyboard.
    [o] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  • Run SDFix
    [o] Open the extracted SDFix folder and double click RunThis.bat to start the script.
    [o] Type Y to begin the cleanup process.
    [o] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 
Sorry for the delay I have been on vacation. Here is the report you requested in your last post. I appreciate the help. Thank you.
 
I've asked touch to check out an entry in the Combofix log that I don't recognize- back in the AM, OK?
 
Touch was kind enough to prepare this, so give him a big Thanks! I'm trying to learn how to set up the code.

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::

Snapshot::

File::
c:\windows\system32\drivers\ovfsthxxcduscds.sys
c:\windows\system32\ovfsthxpedrdyuv.dll
c:\windows\system32\ovfsthxlaptlvxr.dat
c:\windows\system32\ovfsthxqtldctos.dll
c:\windows\system32\ovfsthxhuedlqhq.dll
c:\windows\system32\ovfsthxsponbmoq.dat
c:\windows\system32\tj.exe
C:\os652192.bin
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\pss\ChkDisk.dll
c:\documents and settings\Bud McGehee\Start Menu\Programs\Startup\ChkDisk.dll
Rootkit::
c:\windows\system32\drivers\ovfsthxxcduscds.sys
c:\windows\system32\ovfsthxpedrdyuv.dll
c:\windows\system32\ovfsthxlaptlvxr.dat
c:\windows\system32\ovfsthxqtldctos.dll
c:\windows\system32\ovfsthxhuedlqhq.dll
c:\windows\system32\ovfsthxsponbmoq.dat

Registry::
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ChkDisk.dll]
path=-
backup=-

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ChkDisk.lnk]
path=-
backup=-

[HKLM\~\startupfolder\C:^Documents and Settings^Bud McGehee^Start Menu^Programs^Startup^ChkDisk.dll]
path=-
backup=-

[HKLM\~\startupfolder\C:^Documents and Settings^Bud McGehee^Start Menu^Programs^Startup^ChkDisk.lnk]
path=-
backup=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsthxtvioucin\modules]
"ovfsthx.sys"=-
"ovfsthx.dll"=-
"ovfsthxlog.dat"=-
"ovfsthxwi.dll"=-
"ovfsthxff.dll"=-
"ovfsthx.dat"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ovfsthxtvioucin]
"start"=-
"type"=-
"group"=-
"imagepath"=-
"inst"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ovfsthxtvioucin\main]
"ver"=-
"cid"=-
"bid"=-
"aid"="303380"
"sid"="22"
"feed"=-
"cmddelay"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ovfsthxtvioucin\main]
"ver"=
"cid"=
"bid"=
"aid"=-
"sid"=-
"feed"=-
"cmddelay"=-
"logoffset"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ovfsthxtvioucin\modules]
"ovfsthx.sys"=-
"ovfsthx.dll"=-
"ovfsthxlog.dat"=-
"ovfsthxwi.dll"=-
"ovfsthxff.dll"=-
"ovfsthx.dat"=-
(screenshot: CFScriptB-4.gif)

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.

Note:
Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.
 
Technique101, the instructions in this thread are only for the original poster. If you need assistance, please start a new thread, describing your particular problems. Using code written specifically for one system on another can cause a disaster.
 
After my log file was created I had a blue screen come up saying that an error had occurred and that it was dumping physical memory to a disk. Was this supposed to happen?
 
Check the Event Viewer and find the Error(s) that correspond with the memory dump message:

Start> Run> type in eventvwr

Do this on each of the System and Application logs:

  1. Click to open the log>
  2. Look for the Error>
  3. Right click on the Error> Properties>
  4. Click on Copy button, top right, below the down arrow>
  5. Paste here (Ctrl V)

NOTES:
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

Errors are time coded.

It will be after around yesterday, 6/10/2009 and before 06/11/2009 9:20.4

Are you still having the redirects?
Do you have any other system problems at this point?
 
Here are the error logs. I copied and pasted them into Notepad. I think I might have gotten some in there past 9:20 today; sorry about that, I was focusing on the date and forgot about the time. The redirects are still happening every now and then. I have had some today, but only on Google, whereas before it really didn't matter what website I was on. As far as any other system problems, I have not noticed any as of yet. Thank you for your time and help.
 
You have a permissions issue, the Workgroup isn't set up correctly and the SQL Server has conflicts! Some of the Errors overlap in that fixing one SQL error may also fix another. This is not my forte but I did a lot of searching:

If I understand correctly, QUEST2 is an add-on module for the SQL Server and, interestingly enough, the searches have to be for MSSQL or SQL, not for MSSQL$QUEST2. If this is correct, I would first suggest disabling the QUEST2 add-on. Check the system. See if it makes any difference. If not:

Resolve these:
17204:
SQL Server was unable to open the specified file due to the specified error.
This problem occurs because the user account that you use to log on to Microsoft Dynamics CRM 3.0 does not have the Microsoft Dynamics CRM System Administrator role.
See FIX here: http://support.microsoft.com/default.aspx?scid=kb;en-us;946542
User Action
Diagnose and correct the operating system, then retry the operation.

17049:
A process outside of SQL Server may be preventing SQL Server from reading the files. As a result, errorlog entries may be lost and it may not be possible to view some SQL Server errorlogs. Make sure no other processes have locked the file with write-only access.
NOTE: possible print server conflict

7024:
The SQL error log may contain additional information about this problem
The 3417 message is an error recovering the master database so the instance can not start.

3409:
TO FIX: (should also handle Error 8313.)
1. Reinstall sqlctr.ini for this instance and ensure that the instance login account has correct registry permissions.

7034 Date: 6/11/2009 Time: 9:20:21 AM
Description: The MSSQL$QUEST service terminated unexpectedly.
FIX: A stack overflow exception may occur, and SQL Server 2000 may unexpectedly close when you submit a query that uses the UNION ALL operator more than 255 times
Hotfix download is available> http://support.microsoft.com/default.aspx?scid=kb;en-us;892141

7031
The Print Spooler service terminated unexpectedly
TO FIX:
Method 1: Remove the registry entry for the Xerox language monitor in Registry Editor
OR
Method 2: Disable the language monitor entry in the Printer.inf file of the printer
HERE: http://support.microsoft.com/default.aspx?scid=kb;en-us;888206

1003
Description: Error code 00000093
0x00000093 is "Invalid Kernel Handle". This is a relatively rare error condition. Most documentation points to a driver problem, so check all hardware drivers starting with the most obvious, the video driver.
Start> Run type "sigverif.exe" without quotes and hit OK. What drivers are listed as unsigned? Disregard those which are not checked.
http://aumha.org/a/stop.htm


Credits to EventID.net, Microsoft, Ahuma

Get started on this. I have a bit more but need to take a break. Your problem doesn't appear to be malware related, but rather permissions and configurations. You can also view the SQL Error log itself and possibly have more information.
 
Thanks, I will try to resolve these problems. If I am reading it right, my problems are with some software we have here at work that for right now is not working on my computer properly, but hopefully I will have it working soon, and hopefully that will resolve some of my problems. Does it appear that the trojans and worms are gone for now? Again, thank you for all your help!
 
if I am reading it right my problems are with some software we have here at work that for right now is not working on my computer properly

In a word, yes. If it is a work environment, there should be an IT person there to help you. There are too many variables with a work environment to try and fix the problem on a board. As far as the malware, that also will be influenced. Are you trying to make "your" computer work at work? Or are you trying to make your work computer work? Either way, there should be someone on site to help.

Run a full AV scan again (be sure the latest update is in) and post the log if anything is found. I'm going to have you clean up the tools we used and remove the infected restore points:

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer and Save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.
 