Solved Redirecting from search and other sites

Status
Not open for further replies.

j30rider

Just recently I have been getting redirected from the pages when I click on hyperlinks. I have done as requested and here are the logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4344

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

7/25/2010 12:35:24 PM
mbam-log-2010-07-25 (12-35-24).txt

Scan type: Quick scan
Objects scanned: 130391
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-25 13:05:31
Windows 6.1.7600
Running: kqz3e94m.exe; Driver: C:\Users\Windows7\AppData\Local\Temp\ugtcikow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222FAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82217634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82217898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222F6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8222FF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822301A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81E48599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E6CF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Windows\System32\Drivers\ezfydpup.sys A device attached to the system is not functioning. !
.rsrc C:\Windows\System32\drivers\volmgrx.sys entry point in ".rsrc" section [0x8804D014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtProtectVirtualMemory 77C75380 5 Bytes JMP 002C000A
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtWriteVirtualMemory 77C75F00 5 Bytes JMP 002D000A
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!KiUserExceptionDispatcher 77C76448 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[800] ole32.dll!CoCreateInstance 77B257FC 5 Bytes JMP 003C000A
.text C:\Windows\system32\svchost.exe[800] USER32.dll!GetCursorPos 77D9C198 5 Bytes JMP 0096000A
.text C:\Windows\Explorer.EXE[1760] ntdll.dll!NtProtectVirtualMemory 77C75380 5 Bytes JMP 0028000A
.text C:\Windows\Explorer.EXE[1760] ntdll.dll!NtWriteVirtualMemory 77C75F00 5 Bytes JMP 0029000A
.text C:\Windows\Explorer.EXE[1760] ntdll.dll!KiUserExceptionDispatcher 77C76448 5 Bytes JMP 0027000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84E6B178
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 84B52EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Group Boot Bus Extender

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\volmgrx.sys suspicious modification
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

DDS log was too long so it is attached.

Please let me know what is needed of me next. Thanx in advance.
 

Attachments

  • DDS.txt (18.4 KB)

Can someone let me know what's wrong?

Did I post in the wrong section or something? I'm not getting any replies...

I read some of the other posts and downloaded combofix and attached the file below.

Thanks...
 

Attachments

  • combofix.txt (23.1 KB)

1. Be patient. You posted 2 hours ago. We're all volunteers; we don't provide "911" service, and we're not here 24/7.
2. Any reason you ran DDS from Safe Mode? Please run it from normal mode and provide BOTH logs, DDS.txt and Attach.txt.
3. Our instructions clearly say not to run anything else (Combofix), but only what we ask for.
 
DDS file not in safe mode

I ran it in safe mode to protect my computer while attempting to get rid of the issue. I wasn't aware it needed to be in normal mode. I was being patient; I was just making sure I had it posted in the right place. I saw other posts, so I started reading through them trying to diagnose the problem myself.
 

Attachments

  • DDS.txt (19.6 KB)
  • Attach.txt (18.4 KB)

> I wasn't aware it needed to be in normal mode.
Our instructions don't say anything about running it in safe mode, do they?

> I was being patient
No, you're not, because you're bumping your topic after 2 hours and you're running Combofix, which nobody asked you to run.

Just take it easy and we'll help you...

How is redirection right now?

Delete your GMER file, download fresh one and post new log.
 
I need help, not attitude... Do you have to be so rude??? And your instructions don't say NOT to run in safe mode. Not redirecting now, just slow.
 
GMER file

Here is the new gmer file

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-25 16:12:47
Windows 6.1.7600
Running: sfge9lzp.exe; Driver: C:\Users\Windows7\AppData\Local\Temp\ugtcikow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A26AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A26104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A263F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A0E634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A0E898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A261DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A26958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A266F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A26F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A271A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A86599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AAAF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\ezfydpup.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F22E340, 0x3EE217, 0xE8000020]
.text peauth.sys 9B606C9D 28 Bytes [55, 23, 24, 56, A7, 5B, 58, ...]
.text peauth.sys 9B606CC1 28 Bytes [55, 23, 24, 56, A7, 5B, 58, ...]
? C:\Users\Windows7\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
? C:\Users\Windows7\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85DEBB48

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\ezfydpup@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\ezfydpup@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----
 
It looks good now :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

===================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL File and Extras file

Report is too long...

See attached files
 

Attachments

  • OTL.Txt (137.2 KB)
  • Extras.Txt (38 KB)

Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [2010/07/25 16:36:59 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2010/05/24 00:23:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
    [2010/05/24 00:23:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
    [2010/05/24 00:23:09 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
OTL files

All processes killed
Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
C:\ComboFix folder moved successfully.
C:\ProgramData\Symantec folder moved successfully.
C:\ProgramData\Norton folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\06-06-2010-21h29m35s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\06-06-2010-21h29m15s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\06-06-2010-16h37m14s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\05-24-2010-00h24m11s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\05-24-2010-00h24m03s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs\05-24-2010-00h23m09s folder moved successfully.
C:\ProgramData\NortonInstaller\Logs folder moved successfully.
C:\ProgramData\NortonInstaller folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Windows7
->Temp folder emptied: 92249 bytes
->Temporary Internet Files folder emptied: 37294 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 55253274 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 1599 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 505945 bytes
RecycleBin emptied: 71798 bytes

Total Files Cleaned = 53.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Windows7
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Error: Unable to interpret <---------> in the current context!

OTL by OldTimer - Version 3.2.9.1 log created on 07252010_181540

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 

Attachments

  • OTL.Txt (125 KB)

Looks good :)

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Kaspersky error

Here is the checkup file, but Kaspersky was getting an error.
I get this one at first when it starts...
Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.
Then it stops with this one...
0 [ERROR: Logical error during update download]

Results of screen317's Security Check version 0.99.4
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 18
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.3
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

``````````End of Log````````````
 
You didn't comply with my instructions from post #11, regarding updating Java and running JavaRa to remove old Java versions.
Please, do so and post new SecurityCheck log.

Then, instead of Kaspersky...

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMPORTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
New checkup file and scan results

Results of screen317's Security Check version 0.99.4
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
ESET Online Scanner v3
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.3
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
ESET ESET Online Scanner OnlineScannerApp.exe
ESET ESET Online Scanner OnlineCmdLineScanner.exe
````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

``````````End of Log````````````

C:\Qoobox\Quarantine\C\Windows\system32\Drivers\volmgrx.sys.vir Win32/Olmarik.ZC trojan
 
Very good :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=======================================================================

Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista/7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Way to go!!

Good luck and stay safe :)
 