[angichiru]

here are the files

Attached Files

•  OTListIt.Txt   126.55KB   150 downloads
•  Extras.Txt   64.71KB   227 downloads

[Advertisements]

Run OTList2.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTLI
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
  
  :files
  C:\Program Files\WebShow
  C:\WINDOWS\bqjovqpu
  C:\Documents and Settings\ttellamsetty.MOBILECANDYDISH\Local Settings\Application Data\.#
  C:\Documents and Settings\All Users\Application Data\Viewpoint
  C:\Program Files\Viewpoint
  
  :Commands
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then post a new OTL2 log ( don't check the boxes beside LOP Check or Purity this time )

[kahdah]

Run OTList2.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTLI
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
  
  :files
  C:\Program Files\WebShow
  C:\WINDOWS\bqjovqpu
  C:\Documents and Settings\ttellamsetty.MOBILECANDYDISH\Local Settings\Application Data\.#
  C:\Documents and Settings\All Users\Application Data\Viewpoint
  C:\Program Files\Viewpoint
  
  :Commands
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then post a new OTL2 log ( don't check the boxes beside LOP Check or Purity this time )

[angichiru]

Here is the output file.

Attached Files

•  OTListIt.Txt   108.34KB   170 downloads

Edited by angichiru, 11 February 2009 - 09:27 AM.

[kahdah]

Those files you were questioning are from Combofix and will be removed in a bit.
Your log is clean is everything back to normal?

[angichiru]

Hi Kadah,
Thanks for the help, but i have one quick question for you. Though my system is clean from viruses, whenever i do a google search in firefox&IE i am getting malicious links in the search results. Please see the result's page source below. Does this mean that my browser's got virus?

href="http://www.google.com/" class=l onmousedown="return clk(this.href,'','','res','1','')"><em>Google</em></a></h3><div class="s">Preferences &middot; Language Tools. New! Explore the ocean in <em>Google</em> Earth 5.0 &middot; Advertising Programs - Business Solutions - About <em>Google</em>. ©2009 - Privacy.<br><cite>www.<b>google</b>.com/ - 7k - </cite><span class=gl><a href="http://209.85.173.132/search?q=cache:zhool8dxBV4J:www.google.com/+google+search&amp;hl=te&amp;ct=clnk&amp;cd=1&amp;gl=us&amp;client=firefox-a" onmousedown="return clk(this.href,'','','clnk','1','')">భద్రపరిచినది</a> - <a href="/search?hl=te&amp;client=firefox-a&amp;rls=org.mozilla:en-US:official&amp;hs=AUh&amp;q=related:www.google.com/">పోలిన పేజీలు</a></span></div><!--n--><!--m--><li class=g style="margin-left:3em"><h3 class=r><a href="http://www.google.com/cse" class=l onmousedown="return clk(this.href,'','','res','2','')"><em>Google</em> Custom <em>Search</em> Engine - Site <em>search</em> and more</a></h3><div class="s hc">Have a website or collection of sites you'd like to <em>search</em> over? With Custom <em>Search</em> Engine, you can harness the power of <em>Google</em> to create a <em>search</em> engine <b>...</b><br><cite>www.<b>google</b>.com/cse - 10k - </cite><span class=gl><a href="http://209.85.173.132/search?q=cache:y-o4VhKJn0gJ:www.google.com/cse+google+search&amp;hl=te&amp;ct=clnk&amp;cd=2&amp;gl=us&amp;client=firefox-a" onmousedown="return clk(this.href,'','','clnk','2','')">భద్రపరిచినది</a> - <a href="/search?hl=te&amp;client=firefox-a&amp;rls=org.mozilla:en-US:official&amp;hs=AUh&amp;q=related:www.google.com/cse">పోలిన పేజీలు</a></span><br><a class=fl href="/search?hl=te&client=firefox-a&rls=org.mozilla:en-US:official&hs=AUh&q=+site:www.google.com+google+search">www.google.com నుంచి మరిన్ని ఫలితాలు&nbsp;&raquo;</a></div><!--n--><!--m--><li class=g><h3 class=r><a href="http://www.google.co.uk/" class=l onmousedown="return clk(this.href,'','','res','3','')"><em>Google</em></a></h3><div class="s"><em>Search</em>: the web pages from the UK. New! Explore the ocean in <em>Google</em> Earth 5.0 &middot; Advertising Programmes - Business Solutions - About <em>Google</em> - Go to <em>Google</em>. <b>...</b><br><cite>www.<b>google</b>.co.uk/ - 8k - </cite><span class=gl><a href="http://209.85.173.13...ient=firefox-a" onmousedown="return clk(this.href,'','','clnk','3','')">భద్రపరిచినది</a> - <a href="/search?hl=te&amp;client=firefox-a&amp;rls=org.mozilla:en-US:official&amp;hs=AUh&amp;q=related:www.google.co.uk/">పోలిన పేజీలు</a></span></div><!--n--><!--m--><li class=g><h3 class=r><a href="http://www.google.ca/" class=l onmousedown="return clk(this.href,'','','res','4','')"><em>Google</em></a></h3><div class="s"><em>Search</em>: the web pages from Canada. New! Explore the ocean in <em>Google</em> Earth 5.0. <em>Google</em>.ca offered in: Français &middot; Advertising Programs - Business Solutions <b>...</b><br><cite>www.<b>google</b>.ca/ - 7k - </cite><span class=gl><a href="http://209.85.173.13...ient=firefox-a" onmousedown="return clk(this.href,'','','clnk','4','')">


Every malicious link is starting with http://209.85.173.132, i never observe this behavior before. Please help me in removing this virus

[kahdah]

hmmm well let's dig a little deeper.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

• The program will install and then begin downloading the latest definition files.
• After the files have been downloaded on the left side of the page in the Scan section select My Computer
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run.
• Once the scan is complete, click on View scan report
• Now, click on the Save Report as button.
• Save the file to your desktop.
• Copy and paste that information in your next post.

[angichiru]

I didn't get anything in the scan report.

[kahdah]

Download avz4.zip from here

• Unzip it to your desktop to a folder named avz4
• Double click on AVZ.exe to run it.
• Run an update by clicking the Auto Update button on the Right of the Log window:
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• After the update, from the "File" menu, choose "Standard Scripts"
• Put a check next to item 2: Advanced System Investigation
• Click Execute selected scripts
• At the next prompt, click the OK button
• Let the scan run and click "OK" when the completion prompt pops up
• Now Close out of the Standard Scripts window, and exit AVZ
• Navigate to the avz4 folder and locate the folder LOG
• Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
• Attach virusinfo_syscheck.htm to your next reply, along with a fresh HijackThis log

[angichiru]

Attached virusInfo_syscheck.htm and virusInfo_syscheck.zip files

Attached Files

•  virusinfo_syscheck.htm   215.87KB   102 downloads
•  virusinfo_syscheck.zip   43.04KB   186 downloads

[kahdah]

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Post that log in your next reply.

(Note if you cannot open the log it produces then right click on it and choose rename.
Rename it to .txt and you will be able to open it)

[angichiru]

My system got crashed while the dr web antivirus is moving/deleting all the files. I am not sure y it removed the spybot files and other registration files.

[kahdah]

DO you have a log?
Can the computer boot up?

[angichiru]

NO kadah. My computer doesn't boot at all. I tried to replace dll's with other OS Key and it worked. Now i am able to boot but unable to connect to network or do anything. My wireless network connection won't connect though it displays all the networks available. Please help me out if there is a way to fix this error or else my last option will be for re-installation

Edited by angichiru, 17 February 2009 - 04:06 PM.

[kahdah]

IS this a laptop?
Do you have drivers installed for the wireless card.
What dll's did you replace?

I need more information please.

[angichiru]

Not sure what dll's i have replaced. I tried to recover through another OS cd, the wireless network got locked and even though i tried to uninstall and add it again it's giving same error