Removal of Win32/Olmarik.TDL4 Trojan



#1 podo87 (New Member, 3 posts)

Just a heads up to whoever helps. I made the mistake of reading the rules after I posted. I apologize that ComboFix has already been run. I would edit my post to show the log from OTL, but whenever I run it, it pauses under "scanning Firefox settings", so I am unable to finish it. Hope that helps some, and I look forward to a reply. Thanks!

My computer was infected with this virus and I can't figure out how to remove it. I downloaded ComboFix and ran it in safe mode. When it was done I downloaded the latest version of Malwarebytes and ran it; it detected nothing malicious. I shut down the computer and tried to update ESET, but ran into the same warning about the virus. I don't know a ton about computers, but I am going to post the notes ComboFix provided and pray someone can walk me through step by step what to do next. Any information provided would be greatly appreciated.

ComboFix 13-01-16.01 - podoloff 01/16/2013 20:17:02.2.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4055.3456 [GMT -6:00]
Running from: c:\users\podoloff\Desktop\ComboFix.exe
AV: ESET Endpoint Antivirus 5.0 *Disabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Endpoint Antivirus 5.0 *Disabled/Outdated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\podoloff\AppData\Local\assembly\tmp
c:\users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\searchplugins\bing-zugo.xml
c:\users\podoloff\Documents\~WRL0004.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-12-17 to 2013-01-17 )))))))))))))))))))))))))))))))
.
.
2013-01-17 02:50 . 2013-01-17 02:50 -------- d-----w- c:\users\TEMP.Pohdi\AppData\Local\temp
2013-01-17 02:50 . 2013-01-17 02:50 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-01-17 02:50 . 2013-01-17 02:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-16 17:44 . 2013-01-16 17:44 -------- d-----w- c:\program files (x86)\7-Zip
2013-01-16 17:44 . 2013-01-16 17:44 -------- d-----w- c:\programdata\APN
2013-01-16 15:41 . 2013-01-16 15:41 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e3e3551b1cdf3ff22\MeshBetaRemover.exe
2013-01-16 15:40 . 2013-01-16 15:40 525656 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\d18f4ebe1cdf3ff1a\DXSETUP.exe
2013-01-16 15:40 . 2013-01-16 15:40 1691480 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\d18f4ebe1cdf3ff1a\dsetup32.dll
2013-01-16 15:40 . 2013-01-16 15:40 94040 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\d18f4ebe1cdf3ff1a\DSETUP.dll
2013-01-16 15:40 . 2013-01-16 15:40 525656 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\cf51a31c1cdf3ff19\DXSETUP.exe
2013-01-16 15:40 . 2013-01-16 15:40 1691480 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\cf51a31c1cdf3ff19\dsetup32.dll
2013-01-16 15:40 . 2013-01-16 15:40 94040 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\cf51a31c1cdf3ff19\DSETUP.dll
2013-01-16 15:38 . 2013-01-16 15:38 -------- d-----w- c:\users\podoloff\AppData\Local\Windows Live
2013-01-16 15:34 . 2013-01-16 15:34 -------- d-----w- c:\users\podoloff\AppData\Local\Programs
2013-01-14 23:33 . 2013-01-04 18:51 9376256 ----a-w- c:\windows\system32\mshtml.dll
2013-01-09 06:56 . 2012-11-23 03:45 3147264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 20:33 . 2013-01-02 20:34 -------- d-----w- c:\users\podoloff\AppData\Local\Zimbra
2013-01-02 20:32 . 2013-01-02 20:32 -------- d-----w- c:\program files (x86)\Zimbra
2013-01-02 16:48 . 2013-01-02 16:48 -------- d-----w- c:\program files\ESET
2013-01-02 16:24 . 2012-03-14 11:00 385024 ----a-w- c:\windows\system32\CNMLMA9.DLL
2012-12-21 07:10 . 2012-12-16 16:52 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-21 07:10 . 2012-12-16 14:25 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-21 07:10 . 2012-12-16 14:40 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-21 07:10 . 2012-12-16 14:25 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-11 16:05 . 2012-05-07 12:54 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-11 16:05 . 2011-10-05 18:45 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-11 15:40 . 2012-06-23 16:40 15739912 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-01-09 19:56 . 2009-11-09 14:41 67599240 ----a-w- c:\windows\system32\MRT.exe
2012-11-30 04:56 . 2013-01-09 06:56 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-09 05:34 . 2012-12-13 06:08 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:49 . 2012-12-13 06:08 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-08 14:37 . 2012-11-08 14:37 800824 ----a-w- c:\users\Default\AppData\Roaming\DPInst.exe
2012-11-08 14:37 . 2012-11-08 14:37 36352 ----a-w- c:\users\Default\AppData\Roaming\PnPutil.exe
2012-11-08 14:37 . 2012-11-08 14:37 106496 ----a-w- c:\users\Default\AppData\Roaming\gacutil.exe
2012-11-02 05:27 . 2012-12-13 06:08 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 04:48 . 2012-12-13 06:08 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-10-27 05:36 . 2012-12-13 06:08 1501696 ----a-w- c:\windows\system32\urlmon.dll
2012-10-27 05:36 . 2012-12-13 06:08 1197568 ----a-w- c:\windows\system32\wininet.dll
2012-10-27 05:36 . 2012-12-13 06:08 134144 ----a-w- c:\windows\system32\url.dll
2012-10-27 05:36 . 2012-12-13 06:08 1026560 ----a-w- c:\windows\system32\mstime.dll
2012-10-27 05:36 . 2012-12-13 06:08 97792 ----a-w- c:\windows\system32\mshtmled.dll
2012-10-27 05:36 . 2012-12-13 06:08 736256 ----a-w- c:\windows\system32\msfeeds.dll
2012-10-27 05:36 . 2012-12-13 06:08 82944 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-10-27 05:36 . 2012-12-13 06:08 57856 ----a-w- c:\windows\system32\licmgr10.dll
2012-10-27 05:36 . 2012-12-13 06:08 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-10-27 05:35 . 2012-12-13 06:08 247808 ----a-w- c:\windows\system32\ieui.dll
2012-10-27 05:35 . 2012-12-13 06:08 2458624 ----a-w- c:\windows\system32\iertutil.dll
2012-10-27 05:35 . 2012-12-13 06:08 12404736 ----a-w- c:\windows\system32\ieframe.dll
2012-10-27 05:35 . 2012-12-13 06:08 256000 ----a-w- c:\windows\system32\iepeers.dll
2012-10-27 05:35 . 2012-12-13 06:08 445952 ----a-w- c:\windows\system32\iedkcs32.dll
2012-10-27 05:33 . 2012-12-13 06:08 12288 ----a-w- c:\windows\system32\msfeedssync.exe
2012-10-27 05:00 . 2012-12-13 06:08 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-10-27 04:59 . 2012-12-13 06:08 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-10-27 04:23 . 2012-12-13 06:08 482816 ----a-w- c:\windows\system32\html.iec
2012-10-27 03:52 . 2012-12-13 06:08 386048 ----a-w- c:\windows\SysWow64\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{1dad3af3-ef2f-4f64-ac4b-11789189fcb6}]
2012-02-10 16:28 1307928 ----a-w- c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 2676584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-19 494064]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\podoloff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-07-04 213416]
R1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-29 152136]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe [2012-07-04 999704]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2012-03-29 140752]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
R3 ESHASRV;ESET SHA Service;c:\program files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [2012-07-04 190208]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-25 138752]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-10 270848]
R3 LeapFrog-USBLAN;LeapFrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys [2009-10-10 40320]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-04 216064]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-26 1255736]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 25088]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-05-20 55280]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 16:05]
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-05 18:55]
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-05 18:55]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-14 7970848]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"egui"="c:\program files\ESET\ESET Endpoint Antivirus\egui.exe" [2012-07-04 4133072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.ask.com/?l=dis&o=15083
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.180.42.68 208.180.42.100
FF - ProfilePath - c:\users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: general.useragent.extra.brc - BRI/1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe
Wow6432Node-HKLM-Run-ROC_roc_dec12 - c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-Conime - c:\windows\system32\conime.exe
Wow6432Node-HKLM-Run-ROC_ROC_JULY_P1 - c:\program files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-16 21:12:20
ComboFix-quarantined-files.txt 2013-01-17 03:12
ComboFix2.txt 2011-08-27 22:33
.
Pre-Run: 11,829,645,312 bytes free
Post-Run: 13,118,046,208 bytes free
.
- - End Of File - - CEC0524A0BF2DF64EF9C5FBE77935C9F

Edited by podo87, 16 January 2013 - 11:28 PM.

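Read as a defender, the ComboFix log above is mostly rows of file entries, autostart entries and browser settings, and a helper scans it for a few patterns first. As an added example (not part of the thread, and not ComboFix's or the helper's own code), here is a small Python triage pass over lines excerpted from that log; the user-writable path prefixes, the extension list, the start-page allowlist and the finding names are assumed policy, not values taken from the log.

```python
"""Triage pass over ComboFix-style log lines.

Added example for this thread; it is not ComboFix's code and not the helper's
procedure. Path prefixes, extensions and the homepage allowlist are assumed
policy, not values from the log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines excerpted verbatim from the log posted above.
SAMPLE_LOG = r"""
2013-01-16 15:41 . 2013-01-16 15:41 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e3e3551b1cdf3ff22\MeshBetaRemover.exe
2012-11-08 14:37 . 2012-11-08 14:37 800824 ----a-w- c:\users\Default\AppData\Roaming\DPInst.exe
2013-01-14 23:33 . 2013-01-04 18:51 9376256 ----a-w- c:\windows\system32\mshtml.dll
2013-01-16 17:44 . 2013-01-16 17:44 -------- d-----w- c:\programdata\APN
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
uStart Page = hxxp://www.ask.com/?l=dis&o=15083
"""

# "created . modified size attrs path" rows from the Files Created / Find3M sections.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# "Name"="path" [date size] rows under the Run keys (Reg Loading Points).
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<meta>[^\]]*)\]$')
# Entries listed under ORPHANS REMOVED whose target file no longer exists.
ORPHAN_RE = re.compile(r"^(?P<entry>\S.*?) - \(no file\)$")
# uStart Page / mStart Page rows from the Supplementary Scan (URLs are defanged hxxp).
HOMEPAGE_RE = re.compile(r"^(?P<scope>[um])Start Page = (?P<url>\S+)$")
HOST_RE = re.compile(r"^h(?:xx|tt)ps?://(?P<host>[^/]+)", re.IGNORECASE)
META_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")  # "[YYYY-MM-DD size]" as ComboFix prints it

# Assumed policy (not from the log): locations a standard user can write to,
# binary extensions worth a second look, and start-page hosts considered normal.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
EXPECTED_HOMEPAGE_HOSTS = {"www.google.com", "www.bing.com", "www.msn.com"}


@dataclass
class Finding:
    kind: str    # short category label used for sorting/reporting
    detail: str  # the path, host or entry name the finding is about
    line: str    # the original log line, kept for the reviewer


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when the line is unremarkable."""
    line = line.strip()
    if not line:
        return None

    m = FILE_RE.match(line)
    if m:
        path = m["path"]
        low = path.lower()
        is_dir = m["attrs"].startswith("d")
        if not is_dir and low.endswith(EXECUTABLE_EXT) and low.startswith(USER_WRITABLE_PREFIXES):
            return Finding("exe-in-user-writable", path, line)
        return None

    m = RUN_RE.match(line)
    if m:
        if m["path"].lower().startswith(USER_WRITABLE_PREFIXES):
            return Finding("autorun-in-user-writable", f'{m["name"]} -> {m["path"]}', line)
        if not META_RE.match(m["meta"]):
            # No "[date size]" recorded for the target: the log does not
            # describe the file, so the entry needs a manual look.
            return Finding("autorun-unverified", f'{m["name"]} [{m["meta"]}]', line)
        return None

    m = ORPHAN_RE.match(line)
    if m:
        return Finding("orphan-no-file", m["entry"], line)

    m = HOMEPAGE_RE.match(line)
    if m:
        h = HOST_RE.match(m["url"])
        host = h["host"].lower() if h else m["url"]
        if host not in EXPECTED_HOMEPAGE_HOSTS:
            return Finding("homepage-unexpected", host, line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```

On the sample it flags the executable under the Default user's roaming profile, the autorun entry with no recorded date/size, the orphaned toolbar entry and the ask.com start page, and passes the system32 and Program Files rows untouched; a flag is a prompt for review, not a verdict.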

#2 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Hello podo87,

Welcome to Geekstogo.

Please download AdwCleaner from here to your desktop
  • Click on the green downward facing arrow on the right to commence download.
  • Run AdwCleaner and select Delete

Once done, it will ask to reboot; allow this.
On reboot a log will be produced; please attach that.

Next

Download RogueKiller to your desktop

Note: This is a French tool so don't be surprised when you find the page displays with some French.

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • Click on Scan
  • Wait for the scan to finish.
  • The report is created on your desktop.
  • Click on the Delete button
  • The report is created on your desktop.
  • Next click on the ShortcutsFix button.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
Please post the contents of all the RKreport.txt files from your desktop in your next Reply.

Finally in this post


Please delete your version of ComboFix, including the folders C:\Qoobox and C:\Combofix, and download a new version of Combofix.

Download ComboFix from one of these locations:

Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal.
  • ComboFix may reboot your machine. This is normal too.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • AdwCleaner log
  • RKreport.txt
  • ComboFix.txt


#3 podo87 (Topic Starter, New Member, 3 posts)

Darn it, apparently I am not good at following directions. I will do all three steps as soon as I get to work so please disregard this reply until I am able to finish all three steps. :P

Just rebooted, and here is what I got from the adware (the trojan is still there according to the most recent warning).

# AdwCleaner v2.105 - Logfile created 01/17/2013 at 07:18:20
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : podoloff - POHDI
# Boot Mode : Normal
# Running from : C:\Users\podoloff\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\searchplugins\Askcom.xml
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\ProgramData\APN
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\Users\podoloff\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\podoloff\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\FCTB

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\bflixtoolbar
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\bflixtoolbar
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A6BF16AB-42A1-4BC5-965D-5E407E449AAA}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.17153

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.ask.com/?l=dis&o=15083 --> hxxp://www.google.com

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\prefs.js

C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.DNSCatch", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.FirstLaunchShown", true);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.LastDate", 6);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.customNewTab", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.processAddrBar", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.tb_lang", "en");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.user_id", "46066095");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.vars.disablecuidinject", "1");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.vars.lastcheck", "Tue%20Sep%2006%202011%2007%3A[...]
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.yahooSearch", false);

*************************

AdwCleaner[S1].txt - [3938 octets] - [17/01/2013 07:18:20]

########## EOF - C:\AdwCleaner[S1].txt - [3998 octets] ##########


Not sure if this will help, but I was able to get OTL to work, so here is the log based off of last night:


And it also printed out extras:

Edited by podo87, 17 January 2013 - 07:27 AM.

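As an added example (not AdwCleaner's or the thread's own code), a small parser for reports in the format pasted above that groups the sections and pulls out the search and start-page hijack settings the tool removed; SAMPLE_LOG is constructed from entries in this thread's log.

```python
"""Added example, not AdwCleaner's own code: parse a report in the format pasted
above and list the search/start-page hijack settings it removed (SAMPLE_LOG is constructed)."""
import re
SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")
ITEM_RE = re.compile(r"^(File|Folder|Key|Value) Deleted : (.+)$")
REPLACED_RE = re.compile(r"^Replaced : \[(.+?)\] = (\S+) --> (\S+)$")
PREF_RE = re.compile(r'^Deleted : user_pref\("([^"]+)", (.+)\);$')

SAMPLE_LOG = r"""
***** [Files / Folders] *****
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\Users\podoloff\AppData\LocalLow\AskToolbar
***** [Registry] *****
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\bflixtoolbar
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.7600.17153
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.ask.com/?l=dis&o=15083 --> hxxp://www.google.com
-\\ Mozilla Firefox v18.0 (en-US)
Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.user_id", "46066095");
"""

def parse_report(text):
    """Group report lines under their ***** [Section] ***** header."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif not line or current is None:
            continue
        elif m := ITEM_RE.match(line):       # File/Folder/Key/Value Deleted : path
            sections[current].append(("deleted", m.group(1).lower(), m.group(2)))
        elif m := REPLACED_RE.match(line):   # [registry value] = old --> new
            sections[current].append(("replaced", m.group(1), m.group(2), m.group(3)))
        elif m := PREF_RE.match(line):       # Deleted : user_pref("name", value);
            sections[current].append(("pref", m.group(1), m.group(2).strip('"')))
    return sections

def search_hijack_indicators(sections):
    """Settings that pointed search or the start page at the adware's choice."""
    found = []
    for entry in sections.get("Internet Browsers", []):
        if entry[0] == "replaced" and entry[1].endswith("Start Page"):
            found.append(("start_page", entry[2]))   # value before AdwCleaner replaced it
        elif entry[0] == "pref" and entry[1].startswith("browser.search."):
            found.append((entry[1], entry[2]))
    return found
```

Running it on a real AdwCleaner[S1].txt shows at a glance which browser settings were redirected, so a second scan after the reboot can confirm they did not come back.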

#4
podo87

    New Member

  • Topic Starter
  • Member
  • 3 posts
Ok, I ran all programs asked and have attached all work required. As of right now, it still shows that the virus is present. Let me know what to do next.

Thank you!!


#5
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello podo87,

Note: Unless otherwise instructed always post the logs in the forum.

Now

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

#6
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
A slow computer does not mean there is malware present. I don't see anything in your Hijack This log to indicate that your problem is malware related. I will post the following info to get you started in the right direction, but if you need further help with this you will have to post a new topic in the proper Operating System Forum. I'm closing this topic.

Here are some routine maintenance practices that you should do on a regular basis to keep your machine running efficiently:

Disk Cleanup:

http://www.theelderg...nup_utility.htm

Defrag your HD:

http://artsweb.bham....rag-win2kxp.htm

Run chkdsk:

To use Chkdsk, click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take a while, so run it when you don't need to use the computer for something else.

Remove unnecessary startups

This should be done through the System Configuration Utility. Go to Start > Run and type in msconfig.
Click OK or hit the Enter key.

Click on the "Startup" tab and remove the check by the items that you have determined are unnecessary. Click "Apply" then "Close".

You will be prompted to restart. Go ahead and restart.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

Go here for info on msconfig:

http://www.pacs-port...artup_index.htm

You can look up the startups at the following links to help determine what is needed and what is not:

http://computercops....tartupList.html

http://www.bleepingc...r.com/startups/

http://www.answersth...es/tasklist.htm

http://www.windowsst...start=50&end=75

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, have followed the steps above, and still suspect you may be infected, please contact a staff member with the address of the thread to have it reopened.

Everyone else please begin a New Topic.