Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Removal of Win32/Olmarik.TDL4 Trojan


  • This topic is locked This topic is locked

#1
podo87

podo87

    New Member

  • Member
  • Pip
  • 3 posts
Just a heads up to whoever helps. I made the mistake of reading the rules after I posted. I apologize that cobofix has already been run. I would edit my post to show the log from OTL but whenever I run it, it pauses under scanning firefox settings so I am unable to finish it. Hope that helps some and look forward to a reply. Thanks!

My computer was infected with this virus and I can't figure out how to remove it. I downloaded combofix and ran it in safe mode. When it was done I downloaded malwarebytes latest version and ran, it detected nothing malicious. Shut down computer and tried to update ESET but ran into the same warning of the virus. I don't know a ton about computers but I am going to post the notes combofix provided and pray someone can walk me through step by step what to do next. Any information provided would be greatly appreciated.

ComboFix 13-01-16.01 - podoloff 01/16/2013 20:17:02.2.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4055.3456 [GMT -6:00]
Running from: c:\users\podoloff\Desktop\ComboFix.exe
AV: ESET Endpoint Antivirus 5.0 *Disabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Endpoint Antivirus 5.0 *Disabled/Outdated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\podoloff\AppData\Local\assembly\tmp
c:\users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\searchplugins\bing-zugo.xml
c:\users\podoloff\Documents\~WRL0004.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-12-17 to 2013-01-17 )))))))))))))))))))))))))))))))
.
.
2013-01-17 02:50 . 2013-01-17 02:50 -------- d-----w- c:\users\TEMP.Pohdi\AppData\Local\temp
2013-01-17 02:50 . 2013-01-17 02:50 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-01-17 02:50 . 2013-01-17 02:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-16 17:44 . 2013-01-16 17:44 -------- d-----w- c:\program files (x86)\7-Zip
2013-01-16 17:44 . 2013-01-16 17:44 -------- d-----w- c:\programdata\APN
2013-01-16 15:41 . 2013-01-16 15:41 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\e3e3551b1cdf3ff22\MeshBetaRemover.exe
2013-01-16 15:40 . 2013-01-16 15:40 525656 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\d18f4ebe1cdf3ff1a\DXSETUP.exe
2013-01-16 15:40 . 2013-01-16 15:40 1691480 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\d18f4ebe1cdf3ff1a\dsetup32.dll
2013-01-16 15:40 . 2013-01-16 15:40 94040 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\d18f4ebe1cdf3ff1a\DSETUP.dll
2013-01-16 15:40 . 2013-01-16 15:40 525656 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\cf51a31c1cdf3ff19\DXSETUP.exe
2013-01-16 15:40 . 2013-01-16 15:40 1691480 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\cf51a31c1cdf3ff19\dsetup32.dll
2013-01-16 15:40 . 2013-01-16 15:40 94040 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\cf51a31c1cdf3ff19\DSETUP.dll
2013-01-16 15:38 . 2013-01-16 15:38 -------- d-----w- c:\users\podoloff\AppData\Local\Windows Live
2013-01-16 15:34 . 2013-01-16 15:34 -------- d-----w- c:\users\podoloff\AppData\Local\Programs
2013-01-14 23:33 . 2013-01-04 18:51 9376256 ----a-w- c:\windows\system32\mshtml.dll
2013-01-09 06:56 . 2012-11-23 03:45 3147264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 20:33 . 2013-01-02 20:34 -------- d-----w- c:\users\podoloff\AppData\Local\Zimbra
2013-01-02 20:32 . 2013-01-02 20:32 -------- d-----w- c:\program files (x86)\Zimbra
2013-01-02 16:48 . 2013-01-02 16:48 -------- d-----w- c:\program files\ESET
2013-01-02 16:24 . 2012-03-14 11:00 385024 ----a-w- c:\windows\system32\CNMLMA9.DLL
2012-12-21 07:10 . 2012-12-16 16:52 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-21 07:10 . 2012-12-16 14:25 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-21 07:10 . 2012-12-16 14:40 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-21 07:10 . 2012-12-16 14:25 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-11 16:05 . 2012-05-07 12:54 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-11 16:05 . 2011-10-05 18:45 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-11 15:40 . 2012-06-23 16:40 15739912 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-01-09 19:56 . 2009-11-09 14:41 67599240 ----a-w- c:\windows\system32\MRT.exe
2012-11-30 04:56 . 2013-01-09 06:56 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-09 05:34 . 2012-12-13 06:08 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:49 . 2012-12-13 06:08 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-08 14:37 . 2012-11-08 14:37 800824 ----a-w- c:\users\Default\AppData\Roaming\DPInst.exe
2012-11-08 14:37 . 2012-11-08 14:37 36352 ----a-w- c:\users\Default\AppData\Roaming\PnPutil.exe
2012-11-08 14:37 . 2012-11-08 14:37 106496 ----a-w- c:\users\Default\AppData\Roaming\gacutil.exe
2012-11-02 05:27 . 2012-12-13 06:08 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 04:48 . 2012-12-13 06:08 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-10-27 05:36 . 2012-12-13 06:08 1501696 ----a-w- c:\windows\system32\urlmon.dll
2012-10-27 05:36 . 2012-12-13 06:08 1197568 ----a-w- c:\windows\system32\wininet.dll
2012-10-27 05:36 . 2012-12-13 06:08 134144 ----a-w- c:\windows\system32\url.dll
2012-10-27 05:36 . 2012-12-13 06:08 1026560 ----a-w- c:\windows\system32\mstime.dll
2012-10-27 05:36 . 2012-12-13 06:08 97792 ----a-w- c:\windows\system32\mshtmled.dll
2012-10-27 05:36 . 2012-12-13 06:08 736256 ----a-w- c:\windows\system32\msfeeds.dll
2012-10-27 05:36 . 2012-12-13 06:08 82944 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-10-27 05:36 . 2012-12-13 06:08 57856 ----a-w- c:\windows\system32\licmgr10.dll
2012-10-27 05:36 . 2012-12-13 06:08 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-10-27 05:35 . 2012-12-13 06:08 247808 ----a-w- c:\windows\system32\ieui.dll
2012-10-27 05:35 . 2012-12-13 06:08 2458624 ----a-w- c:\windows\system32\iertutil.dll
2012-10-27 05:35 . 2012-12-13 06:08 12404736 ----a-w- c:\windows\system32\ieframe.dll
2012-10-27 05:35 . 2012-12-13 06:08 256000 ----a-w- c:\windows\system32\iepeers.dll
2012-10-27 05:35 . 2012-12-13 06:08 445952 ----a-w- c:\windows\system32\iedkcs32.dll
2012-10-27 05:33 . 2012-12-13 06:08 12288 ----a-w- c:\windows\system32\msfeedssync.exe
2012-10-27 05:00 . 2012-12-13 06:08 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-10-27 04:59 . 2012-12-13 06:08 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-10-27 04:23 . 2012-12-13 06:08 482816 ----a-w- c:\windows\system32\html.iec
2012-10-27 03:52 . 2012-12-13 06:08 386048 ----a-w- c:\windows\SysWow64\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{1dad3af3-ef2f-4f64-ac4b-11789189fcb6}]
2012-02-10 16:28 1307928 ----a-w- c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 2676584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-19 494064]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\podoloff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-07-04 213416]
R1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-29 152136]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe [2012-07-04 999704]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2012-03-29 140752]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
R3 ESHASRV;ESET SHA Service;c:\program files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [2012-07-04 190208]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-25 138752]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-10 270848]
R3 LeapFrog-USBLAN;LeapFrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys [2009-10-10 40320]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-04 216064]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-26 1255736]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 25088]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-05-20 55280]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 16:05]
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-05 18:55]
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-05 18:55]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-14 7970848]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"egui"="c:\program files\ESET\ESET Endpoint Antivirus\egui.exe" [2012-07-04 4133072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.ask.com/?l=dis&o=15083
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.180.42.68 208.180.42.100
FF - ProfilePath - c:\users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: general.useragent.extra.brc - BRI/1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe
Wow6432Node-HKLM-Run-ROC_roc_dec12 - c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-Conime - c:\windows\system32\conime.exe
Wow6432Node-HKLM-Run-ROC_ROC_JULY_P1 - c:\program files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-16 21:12:20
ComboFix-quarantined-files.txt 2013-01-17 03:12
ComboFix2.txt 2011-08-27 22:33
.
Pre-Run: 11,829,645,312 bytes free
Post-Run: 13,118,046,208 bytes free
.
- - End Of File - - CEC0524A0BF2DF64EF9C5FBE77935C9F

Attached Files


Edited by podo87, 16 January 2013 - 11:28 PM.

  • 0

Advertisements


#2
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
Hello podo87,

Welcome to Geekstogo.

Please download AdwCleaner from here to your desktop
  • Click on the green downward facing arrow on the right to commence download.
  • Run AdwCleaner and select Delete

Posted Image

Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that.

Next

Download RogueKiller to your desktop

Note: This is a French tool so don't be surprised when you find the page displays with some French.

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • Click on Scan

    Posted Image
  • Wait for the scan to finish.
  • The report is created on your desktop.
  • Click on the Delete button

    Posted Image
  • The report is created on your desktop.
  • Next click on the ShortcutsFix button.

    Posted Image
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of all the RKreport.txt files from your desktop in your next Reply.

Finally in this post


Please delete your version of ComboFix, including the folders C:\Qoobox and C:\Combofix, and download a new version of Combofix.

Download ComboFix from one of this location:

Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal.
  • ComboFix may reboot your machine. This is normal too.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • AdwCleaner log
  • RKreport.txt
  • ComboFix.txt

  • 0

#3
podo87

podo87

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Darn it, apparently I am not good at following directions. I will do all three steps as soon as I get to work so please disregard this reply until I am able to finish all three steps. :P

Just rebooted and here is what I got from the adware (the trojan is still there according to most recent warning)

# AdwCleaner v2.105 - Logfile created 01/17/2013 at 07:18:20
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : podoloff - POHDI
# Boot Mode : Normal
# Running from : C:\Users\podoloff\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\searchplugins\Askcom.xml
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\ProgramData\APN
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\Users\podoloff\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\podoloff\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\FCTB

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\bflixtoolbar
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\bflixtoolbar
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A6BF16AB-42A1-4BC5-965D-5E407E449AAA}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.17153

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.ask.com/?l=dis&o=15083 --> hxxp://www.google.com

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\prefs.js

C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.DNSCatch", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.FirstLaunchShown", true);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.LastDate", 6);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.customNewTab", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.processAddrBar", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.tb_lang", "en");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.user_id", "46066095");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.vars.disablecuidinject", "1");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.vars.lastcheck", "Tue%20Sep%2006%202011%2007%3A[...]
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.yahooSearch", false);

*************************

AdwCleaner[S1].txt - [3938 octets] - [17/01/2013 07:18:20]

########## EOF - C:\AdwCleaner[S1].txt - [3998 octets] ##########


Not sure if this will help but was able to get OTL to work so here is the log based off of last night:

# AdwCleaner v2.105 - Logfile created 01/17/2013 at 07:18:20
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : podoloff - POHDI
# Boot Mode : Normal
# Running from : C:\Users\podoloff\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\searchplugins\Askcom.xml
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\ProgramData\APN
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\Users\podoloff\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\podoloff\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\FCTB

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\bflixtoolbar
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\bflixtoolbar
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A6BF16AB-42A1-4BC5-965D-5E407E449AAA}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.17153

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.ask.com/?l=dis&o=15083 --> hxxp://www.google.com

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\prefs.js

C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.DNSCatch", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.FirstLaunchShown", true);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.LastDate", 6);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.customNewTab", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.processAddrBar", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.tb_lang", "en");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.user_id", "46066095");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.vars.disablecuidinject", "1");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.vars.lastcheck", "Tue%20Sep%2006%202011%2007%3A[...]
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.yahooSearch", false);

*************************

AdwCleaner[S1].txt - [3938 octets] - [17/01/2013 07:18:20]

########## EOF - C:\AdwCleaner[S1].txt - [3998 octets] ##########

And it also printed out extras:

# AdwCleaner v2.105 - Logfile created 01/17/2013 at 07:18:20
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : podoloff - POHDI
# Boot Mode : Normal
# Running from : C:\Users\podoloff\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\searchplugins\Askcom.xml
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\ProgramData\APN
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\Users\podoloff\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\podoloff\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\FCTB

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\bflixtoolbar
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\bflixtoolbar
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A6BF16AB-42A1-4BC5-965D-5E407E449AAA}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.17153

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.ask.com/?l=dis&o=15083 --> hxxp://www.google.com

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\prefs.js

C:\Users\podoloff\AppData\Roaming\Mozilla\Firefox\Profiles\7iyxpxpg.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.DNSCatch", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.FirstLaunchShown", true);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.LastDate", 6);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.customNewTab", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.processAddrBar", false);
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.tb_lang", "en");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.user_id", "46066095");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.vars.disablecuidinject", "1");
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.vars.lastcheck", "Tue%20Sep%2006%202011%2007%3A[...]
Deleted : user_pref("freecause4ac80c6c0a1b4b3aad7e8a6d8f5e6928.yahooSearch", false);

*************************

AdwCleaner[S1].txt - [3938 octets] - [17/01/2013 07:18:20]

########## EOF - C:\AdwCleaner[S1].txt - [3998 octets] ##########

Edited by podo87, 17 January 2013 - 07:27 AM.

  • 0

#4
podo87

podo87

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Ok, I ran all programs asked and have attached all work required. As of right now, it still shows that the virus is present. Let me know what to do next.

Thank you!!

Attached Files


  • 0

#5
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
Hello podo87,

Note: Unless otherwise instructed always post the logs in the forum.

Now

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Put a checkmark beside loaded modules.

    Posted Image
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Posted Image

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  • 0

#6
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,990 posts
A slow computer does not mean there is malware present. I don't see anything in your Hijack This log to indicate that your problem is malware related. I will post the following info to get you started in the right direction, but if you need further help with this you will have to post a new topic in the proper Operating System Forum. I'm closing this topic.

Here are some routine maintenance practices that you should do on a regular basis to keep your machine running efficiently:

Disk Cleanup:

http://www.theelderg...nup_utility.htm

Defrag your HD:

http://artsweb.bham....rag-win2kxp.htm

Run chkdsk:

To use Chkdsk, click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take awhile, so run it when you don't need to use the computer for something else.

Remove unnecessary startups

This should be done through the System Configuration Utility. Go to Start > Run and type in msconfig.
Click OK or hit the Enter key.

Click on the "Startup" tab and remove the check by the items that you have determined are unnecessary. Click "Apply" then "Close"

You will be prompted to restart. Go ahead and restart.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that programs preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

Go here for info on msconfig:

http://www.pacs-port...artup_index.htm

You can look up the startups at the following links to help determine what is needed and what is not:

http://computercops....tartupList.html

http://www.bleepingc...r.com/startups/

http://www.answersth...es/tasklist.htm

http://www.windowsst...start=50&end=75

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, have followed the steps above, and still suspect you may be infected, please contact a staff member with the address of the thread to have it reopened.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP