Intrusion Attack attmep alerts, notified by norton


#16
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Dear Mailprog,

I downloaded and installed the latest version of Java RA. After that I ran the OTL program again, with the custom cut and paste in your post, and clicked the Run Fix button. After it finished it rebooted my PC, and then it asked me to run OTL again, which I did, and it produced a log; however, it was not titled the fix-it log. The name of the log was 02102011_154708.log. Is that the same log you are talking about? That's the only log that was produced after I ran the fix-it thing and rebooted my computer. Anyway, here is what I copied and pasted from that log, the one I mentioned above:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{F3FEE66E-E034-436a-86E4-9690573BEE8A} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3FEE66E-E034-436a-86E4-9690573BEE8A}\ not found.
File C:\Program Files\YouTube Downloader Toolbar\IE\4.1\youtubedownloaderToolbarIE.dll not found.
Prefs.js: [email protected]:4.1 removed from extensions.enabledItems
Prefs.js: [email protected]:4.1 removed from extensions.enabledItems
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected] not found.
File C:\Program Files\MyWebSearch\bar\2.bin not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3FEE66E-E034-436a-86E4-9690573BEE8A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3FEE66E-E034-436a-86E4-9690573BEE8A}\ not found.
File C:\Program Files\YouTube Downloader Toolbar\IE\4.1\youtubedownloaderToolbarIE.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{F3FEE66E-E034-436a-86E4-9690573BEE8A} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3FEE66E-E034-436a-86E4-9690573BEE8A}\ not found.
File C:\Program Files\YouTube Downloader Toolbar\IE\4.1\youtubedownloaderToolbarIE.dll not found.
Starting removal of ActiveX control {64CD313F-F079-4D93-959F-4D28B5519449}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{64CD313F-F079-4D93-959F-4D28B5519449}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64CD313F-F079-4D93-959F-4D28B5519449}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{64CD313F-F079-4D93-959F-4D28B5519449}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64CD313F-F079-4D93-959F-4D28B5519449}\ not found.
Starting removal of ActiveX control {8F6E7FB2-E56B-4F66-A4E1-9765D2565280}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8F6E7FB2-E56B-4F66-A4E1-9765D2565280}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F6E7FB2-E56B-4F66-A4E1-9765D2565280}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8F6E7FB2-E56B-4F66-A4E1-9765D2565280}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F6E7FB2-E56B-4F66-A4E1-9765D2565280}\ not found.
Starting removal of ActiveX control {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F}\ not found.
Starting removal of ActiveX control {B6FA2311-5F85-47D3-B885-7055340FC740}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{B6FA2311-5F85-47D3-B885-7055340FC740}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6FA2311-5F85-47D3-B885-7055340FC740}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B6FA2311-5F85-47D3-B885-7055340FC740}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6FA2311-5F85-47D3-B885-7055340FC740}\ not found.
Folder C:\Documents and Settings\Owner.ANONYMOUS\Application Data\.purple\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: All Users.WINDOWS

User: Custom Settings

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: java

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner.ANONYMOUS
->Temp folder emptied: 418420 bytes
->Temporary Internet Files folder emptied: 3439576 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: OWNER~1~ANO

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 280771 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 4,00 mb


[EMPTYFLASH]

User: All Users

User: All Users.WINDOWS

User: Custom Settings

User: Default User

User: Default User.WINDOWS

User: java

User: LocalService

User: LocalService.NT AUTHORITY

User: NetworkService

User: NetworkService.NT AUTHORITY

User: Owner
->Flash cache emptied: 0 bytes

User: Owner.ANONYMOUS
->Flash cache emptied: 0 bytes

User: OWNER~1~ANO

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.20.6 log created on 02102011_154708

Files\Folders moved on Reboot...
C:\Documents and Settings\Owner.ANONYMOUS\Local Settings\Temporary Internet Files\Content.IE5\UQB5E2E2\295336-intrusion-attack-attmep-alerts-notified-by-norton[1].htm moved successfully.
C:\Documents and Settings\Owner.ANONYMOUS\Local Settings\Temporary Internet Files\Content.IE5\OT3DT5XD\like[1].htm moved successfully.
C:\Documents and Settings\Owner.ANONYMOUS\Local Settings\Temporary Internet Files\Content.IE5\OT3DT5XD\xd_proxy[1].htm moved successfully.
File\Folder C:\WINDOWS\temp\JET2A2.tmp not found!
C:\WINDOWS\temp\Perflib_Perfdata_3d0.dat moved successfully.

Registry entries deleted on Reboot...
  • 0

#17
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Hey Mailprog, I ran the TDSSKiller program and it didn't find any infected files. The only report it generated was when I clicked the Report Log button. It was titled TDSSkiller.2.4.17.0_10.02.2011_16.06.18_log.txt, and here is what the contents of that log were:

2011/02/10 16:06:18.0703 4004 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/10 16:06:19.0000 4004 ================================================================================
2011/02/10 16:06:19.0000 4004 SystemInfo:
2011/02/10 16:06:19.0000 4004
2011/02/10 16:06:19.0000 4004 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/10 16:06:19.0000 4004 Product type: Workstation
2011/02/10 16:06:19.0000 4004 ComputerName: ANONYMOUS
2011/02/10 16:06:19.0000 4004 UserName: Owner
2011/02/10 16:06:19.0000 4004 Windows directory: C:\WINDOWS
2011/02/10 16:06:19.0000 4004 System windows directory: C:\WINDOWS
2011/02/10 16:06:19.0000 4004 Processor architecture: Intel x86
2011/02/10 16:06:19.0000 4004 Number of processors: 2
2011/02/10 16:06:19.0000 4004 Page size: 0x1000
2011/02/10 16:06:19.0000 4004 Boot type: Normal boot
2011/02/10 16:06:19.0000 4004 ================================================================================
2011/02/10 16:06:19.0281 4004 Initialize success
  • 0

#18
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Oops, I forgot to read the names of the logs, so I guess I didn't need to repost them. Sorry, anyway that's what I got, lol.
  • 0

#19
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi dantheman718,

Step 1

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.
On the first tab select all elements down to Computer and then select Start Scan.
Once it has finished, select Report and post that.

Posted Image

Do not close AVPTool or it will self-uninstall; if it does uninstall, just rerun the setup file on your desktop.

Step 3

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, and post it with your next reply.

Step 4

Please don't forget to include these items in your reply:

  • Malwarebytes log
  • AVPTool log
  • New OTL scan log
It would be helpful if you could post each log in a separate post.
  • 0

#20
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
By the way Mailprog, I noticed that the log on the TDSSkiller doesn't show anything about my D: drive, only my C: drive, is that normal?

Dan,

I will proceed with your next step now.

Dan
  • 0

#21
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
That is normal. Please scan and post log.
  • 0

#22
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Okie dokie. Thank you Mailprog. You're a wonderful man (or woman; these days avatars and screen names don't help much, and I don't want to call a man a woman by mistake). But whoever you are, thank you, you kind soul.

Dan
  • 0

#23
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
I'm a man :D. If you click on my name maliprog you can find this information ...
  • 0

#24
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Oh OK, sorry. Sorry, I am too lazy to do these things, which I should, before opening my mouth. But anyway, I thought you were a man; I just threw that little disclaimer in there in case I was wrong. You know how PC women are, not personal computer, lol, the other PC, lol. Anyway, thanks for the help man, I will proceed with the next steps. :D

Dan
  • 0

#25
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Hey Mailprog, I ran the Malwarebytes scan. Here is the log, titled mbam-log-2011-02-11 (09-02-50).txt:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5740

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11.02.2011 09:02:50
mbam-log-2011-02-11 (09-02-50).txt

Scan type: Quick scan
Objects scanned: 202009
Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> 276 -> Unloaded process successfully.
c:\program files\common files\Spigot\search settings\searchsettings.exe (PUP.Dealio) -> 1752 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application Updater (PUP.Dealio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\APPLICATION UPDATER\APPLICATIONUPDATER.EXE (PUP.Dealio) -> Value: APPLICATIONUPDATER.EXE -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchSettings (PUP.Dealio) -> Value: SearchSettings -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\COMMON FILES\SPIGOT\SEARCH SETTINGS\SEARCHSETTINGS.EXE (PUP.Dealio) -> Value: SEARCHSETTINGS.EXE -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> Delete on reboot.
c:\WINDOWS\system32\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\program files\common files\Spigot\search settings\searchsettings.exe (PUP.Dealio) -> Quarantined and deleted successfully.
  • 0
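The MBAM log above has a fixed layout: a block of "… Infected: N" counts, then one section per category listing each hit as "target (family) -> … -> action". When a poster pastes such a log, the first things a helper checks are whether the declared counts match the items actually listed (a mismatch usually means a truncated paste), which hits sit in autostart locations (a service key and a CurrentVersion\Run value here, both worth re-checking after the reboot), and which items are still "Delete on reboot". The parser below is an added example, not Malwarebytes' code and not a script from this thread; the embedded log is a constructed sample with the same layout as the post above (its paths and CLSIDs are copied from that post), and the regular expressions assume that layout.

```python
"""Parse an MBAM 1.x scan log and sanity-check it (added example, not MBAM code)."""
import re
from collections import Counter

# Constructed sample: header trimmed, entries copied from the log posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5740
Scan type: Quick scan
Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> 276 -> Unloaded process successfully.
c:\program files\common files\Spigot\search settings\searchsettings.exe (PUP.Dealio) -> 1752 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application Updater (PUP.Dealio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\APPLICATION UPDATER\APPLICATIONUPDATER.EXE (PUP.Dealio) -> Value: APPLICATIONUPDATER.EXE -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchSettings (PUP.Dealio) -> Value: SearchSettings -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\COMMON FILES\SPIGOT\SEARCH SETTINGS\SEARCHSETTINGS.EXE (PUP.Dealio) -> Value: SEARCHSETTINGS.EXE -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> Delete on reboot.
c:\WINDOWS\system32\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\program files\common files\Spigot\search settings\searchsettings.exe (PUP.Dealio) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # summary line
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")            # section header
ITEM_RE = re.compile(r"^(?P<target>.+) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# Autostart locations (assumed list): service keys and Run/RunOnce values.
PERSISTENCE_RE = re.compile(r"\\CurrentControlSet\\Services\\|\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (counts, sections): declared count per section, and the items listed under it."""
    counts, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := COUNT_RE.match(line)):
            counts[m["name"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            current = m["name"]
            sections[current] = []
        elif current is not None and line.startswith("(No malicious items"):
            continue
        elif current is not None and (m := ITEM_RE.match(line)):
            action = m["rest"].split(" -> ")[-1]   # last arrow segment is the outcome
            sections[current].append({
                "target": m["target"], "family": m["family"], "action": action,
                "reboot_pending": action.startswith("Delete on reboot"),
            })
    return counts, sections


def check_counts(counts, sections):
    """(section, declared, listed) for every section whose numbers disagree; [] means the paste is complete."""
    return [(name, counts.get(name), len(items))
            for name, items in sections.items() if counts.get(name) != len(items)]


def families(sections):
    """Detection families and how many hits each produced."""
    return Counter(i["family"] for items in sections.values() for i in items)


def reboot_pending(sections):
    """Targets MBAM could only schedule for removal; nothing is gone until the machine restarts."""
    return [i["target"] for items in sections.values() for i in items if i["reboot_pending"]]


def persistence_entries(sections):
    """Registry hits in autostart locations, the ones to re-verify on a fresh scan after reboot."""
    return [i["target"] for items in sections.values() for i in items if PERSISTENCE_RE.search(i["target"])]


if __name__ == "__main__":
    counts, sections = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(counts, sections))
    print("families:", dict(families(sections)))
    print("pending reboot:", reboot_pending(sections))
    print("autostart hits:", persistence_entries(sections))
```

Run against the sample the counts reconcile, ten of the eleven hits belong to PUP.Dealio, one file (applicationupdater.exe) is still pending reboot, and two entries (the Application Updater service key and the SearchSettings Run value) are autostart locations. Feeding the parser a log with its last line cut off makes `check_counts` report the Files section as 3 declared versus 2 listed.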

#26
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
I'm downloading the AVPtool now. Jeesh, it's 87 MB, but I almost got it all. I will run it and run the scan as you instructed and post the log/results.

Dan
  • 0

#27
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Hey Mailprog, after I downloaded the AVPtool, I closed my Windows browsers and noticed that the Malwarebytes program was still open and had a message that said it couldn't remove all infected files, and then it asked me to reboot my system, which I just did. Sorry, I totally missed this and it was in your instructions. But is it safe to proceed now with the AVPtool? I am about to install that and carry on with those steps from there on.

Dan
  • 0

#28
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Also, I forgot to mention, when I rebooted my computer I got a Norton message saying this Bloodhound MailPE thing was blocked. Is that important?
  • 0

#29
dantheman718

dantheman718

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Hey Mailprog, I was running the AVPtool, and when it got to around 89% it said it detected a trojan-downloader.nsis-agent.cm and asked if I should delete it. I clicked the Delete button, then a short while later I got another notification about a trojan, I think the same one but I could be wrong, because I didn't write down the name of the first one, but I clicked to delete that too. Anyway, the AVP scan is about 92% complete, so when it is complete I will post the log. Thanks!!!!


Dan
  • 0

#30
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
It's always good to read my instructions at least one time before starting to do them. Remove everything that AVP finds and post the log at the end.
  • 0