Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads Resolved spyware and popup issues.
Old 10-06-2009, 02:52 AM   #1 (permalink)
Sk9
Registered User
 
Join Date: Oct 2009
Posts: 4
OS: Vista 64


Help, Please!

Hello,

I received a message from my ISP that a computer at my location is being used to send spam emails. I use AVG, which shows
C:\Windows\System32\Drivers\adsyvfpw.sys as a "hidden driver", though this is the first time I've enabled rootkits in the scan.





DDS (Ver_09-09-29.01) - NTFSx86
Run by User at 3:48:25.31 on Tue 10/06/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.2558 [GMT -4:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Internet Security *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~2\AVG\AVG8\avgfws8.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~2\AVG\AVG8\avgam.exe
C:\PROGRA~2\AVG\AVG8\avgrsa.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\alg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\PROGRA~2\AVG\AVG8\avgnsa.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Users\User\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files (x86)\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files (x86)\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files (x86)\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files (x86)\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Aim6] "c:\program files (x86)\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
uRun: [RGSC] c:\program files (x86)\steam\steamapps\common\grand theft auto iv\rgsc\RGSCLauncher.exe /silent
uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
mRun: [AVG8_TRAY] c:\progra~2\avg\avg8\avgtray.exe
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\exifla~1.lnk - c:\program files (x86)\finepixviewer\QuickDCF2.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {2D43E32C-E1F0-4905-8116-CA53436B5711} = 24.92.226.40,24.92.226.41
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\micros~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files (x86)\avg\avg8\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\q4kinsz3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files (x86)\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files (x86)\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files (x86)\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files (x86)\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files (x86)\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\nptgeqplugin.dll
FF - plugin: c:\program files (x86)\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AvgRkx64;AvgRkx64;c:\windows\system32\drivers\avgrkx64.sys --> c:\windows\system32\drivers\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\pxhlpa64.sys --> c:\windows\system32\drivers\PxHlpa64.sys [?]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6a.sys --> c:\windows\system32\drivers\avgfwd6a.sys [?]
R1 AvgLdx64;AVG AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys --> c:\windows\system32\drivers\avgldx64.sys [?]
R1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys --> c:\windows\system32\drivers\avgmfx64.sys [?]
R1 AvgTdiA;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdia.sys --> c:\windows\system32\drivers\avgtdia.sys [?]
R2 avg8wd;AVG8 WatchDog;c:\progra~2\avg\avg8\avgwdsvc.exe [2009-1-7 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~2\avg\avg8\avgfws8.exe [2009-4-24 1370488]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-17 239648]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\pen_tablet.exe --> c:\windows\system32\Pen_Tablet.exe [?]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x64.sys --> c:\windows\system32\drivers\l160x64.sys [?]
R3 Lycosa;Lycosa Keyboard;c:\windows\system32\drivers\lycosa.sys --> c:\windows\system32\drivers\Lycosa.sys [?]
R3 VaneFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\lachesis.sys --> c:\windows\system32\drivers\Lachesis.sys [?]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2008-4-16 93696]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-4-16 19968]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\usbicp.sys --> c:\windows\system32\drivers\usbicp.sys [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys --> c:\windows\system32\drivers\wacmoumonitor.sys [?]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files (x86)\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]

=============== Created Last 30 ================

2009-10-06 02:43 <DIR> --d----- c:\program files (x86)\Trend Micro
2009-10-04 22:13 <DIR> --d-h--- c:\windows\PIF
2009-10-04 22:13 <DIR> --d----- c:\programdata\Media Center Programs
2009-10-04 22:13 <DIR> --d----- c:\progra~3\Media Center Programs
2009-09-23 12:17 <DIR> --d----- c:\programdata\WEBREG
2009-09-23 12:17 <DIR> --d----- c:\progra~3\WEBREG
2009-09-23 12:15 <DIR> --d----- c:\programdata\HP Product Assistant
2009-09-23 12:12 <DIR> --d----- c:\windows\hpoj6000e609
2009-09-23 11:55 <DIR> --d----- c:\program files (x86)\HP
2009-09-23 11:54 175,994 a------- c:\windows\hpwins24.dat
2009-09-23 11:36 <DIR> --d----- c:\programdata\HP
2009-09-17 21:56 <DIR> --d----- c:\program files (x86)\Paradox Interactive
2009-09-15 22:12 <DIR> --d----- c:\program files (x86)\NVIDIA Corporation
2009-09-15 21:56 <DIR> --d----- c:\users\user\appdata\roaming\Blitware
2009-09-14 11:25 <DIR> --d----- c:\users\user\appdata\roaming\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-09-14 11:09 <DIR> --d----- C:\Riot Games
2009-09-12 12:19 <DIR> --d----- c:\programdata\PMB Files
2009-09-12 12:19 <DIR> --d----- c:\progra~3\PMB Files
2009-09-12 12:19 <DIR> --d----- c:\program files (x86)\Pando Networks
2009-09-09 12:03 <DIR> --d----- c:\users\user\appdata\roaming\Ubisoft
2009-09-07 10:44 <DIR> --d----- c:\users\user\appdata\roaming\AVG8

==================== Find3M ====================

2009-09-23 11:56 51,200 a------- c:\windows\inf\infpub.dat
2009-09-23 11:56 86,016 a------- c:\windows\inf\infstrng.dat
2009-09-23 11:56 86,016 a------- c:\windows\inf\infstor.dat
2009-08-17 00:57 10,858,496 a------- c:\windows\system32\nvoglv32.dll
2009-08-17 00:57 7,569,920 a------- c:\windows\system32\nvd3dum.dll
2009-08-17 00:57 3,298,304 a------- c:\windows\system32\nvwgf2um.dll
2009-08-17 00:57 2,169,376 a------- c:\windows\system32\nvcuvid.dll
2009-08-17 00:57 1,985,536 a------- c:\windows\system32\nvcuda.dll
2009-08-17 00:57 1,706,528 a------- c:\windows\system32\nvcuvenc.dll
2009-08-17 00:57 1,044,992 a------- c:\windows\system32\nvapi.dll
2009-08-14 13:36 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-08-07 19:51 15,308,424 a------- c:\windows\system32\xlive.dll
2009-08-07 19:51 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-08-03 00:21 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2009-08-03 00:21 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2009-08-03 00:21 23,320 a------- c:\windows\system32\PhysXDevice.dll
2009-07-18 12:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 12:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 05:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-06-15 16:13 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-16 12:52 174 a--sh--- c:\program files (x86)\desktop.ini
2006-11-02 11:14 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 11:14 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 11:14 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 11:14 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 06:52 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 06:52 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 06:52 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 06:52 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-16 12:51 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-16 12:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-16 12:51 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 3:48:49.46 ===============


The .zip is attached; however, the only checkboxes available are services, registry, files, C:\, and ADS, all checked.
Attached Files
File Type: zip Attach.zip (3.0 KB, 1 views)
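The DDS log above lists every service and driver DDS could enumerate, one per line, in the form `<status> <name>;<display name>;<path> [<date> <size>]`, with `[?]` where the file's date and size could not be read. As an added example (not part of the original thread and not DDS's own code), the following Python script parses that section into records so a responder can query it instead of reading it by eye. The sample input is a subset of the lines posted above; the lookup of `adsyvfpw.sys` shows that the driver AVG flagged as hidden does not appear in DDS's enumeration at all, consistent with a driver that hides itself from normal enumeration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a subset of the "SERVICES / DRIVERS" section from the DDS log
# posted above, wrapped in the section markers DDS uses (constructed from the
# page for this example).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 AvgRkx64;AvgRkx64;c:\windows\system32\drivers\avgrkx64.sys --> c:\windows\system32\drivers\avgrkx64.sys [?]
R1 AvgTdiA;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdia.sys --> c:\windows\system32\drivers\avgtdia.sys [?]
R2 avg8wd;AVG8 WatchDog;c:\progra~2\avg\avg8\avgwdsvc.exe [2009-1-7 297752]
R3 Lycosa;Lycosa Keyboard;c:\windows\system32\drivers\lycosa.sys --> c:\windows\system32\drivers\Lycosa.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files (x86)\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]

=============== Created Last 30 ================
"""

# One DDS service/driver line:
#   <status> <name>;<display name>;<path>[ --> <resolved path>] [<date> <size> | ?]
ENTRY_RE = re.compile(
    r"^(?P<status>[RS]\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?"
    r"\s+\[(?P<info>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    status: str            # R = running, S = stopped; the digit is the service start type
    name: str
    display: str
    path: str
    resolved: Optional[str]
    date: Optional[str]    # None when DDS printed "[?]" (file details unavailable)
    size: Optional[int]

    @property
    def filename(self) -> str:
        # Last component of the resolved path when present, else of the declared path.
        return (self.resolved or self.path).rsplit("\\", 1)[-1]


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Extract the SERVICES / DRIVERS section of a DDS log into records."""
    entries: List[ServiceEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("===="):
            break                      # the next section header ends ours
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                   # not a service line; ignore it
        info = m.group("info").strip()
        date = size = None
        if info != "?":
            date, size_str = info.split()
            size = int(size_str)
        entries.append(ServiceEntry(m.group("status"), m.group("name"), m.group("display"),
                                    m.group("path"), m.group("resolved"), date, size))
    return entries


def find_by_filename(entries: List[ServiceEntry], filename: str) -> Optional[ServiceEntry]:
    """Case-insensitive lookup of a driver or service by its file name."""
    wanted = filename.lower()
    for e in entries:
        if e.filename.lower() == wanted:
            return e
    return None


def unverified(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries where DDS printed [?] instead of the file's date and size."""
    return [e for e in entries if e.date is None]


def running_kernel_drivers(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Running entries whose image is a .sys kernel driver."""
    return [e for e in entries
            if e.status.startswith("R") and e.filename.lower().endswith(".sys")]


if __name__ == "__main__":
    parsed = parse_dds_services(SAMPLE_DDS)
    print(f"{len(parsed)} entries; {len(unverified(parsed))} without file details")
    hit = find_by_filename(parsed, "adsyvfpw.sys")
    print("adsyvfpw.sys listed by DDS:", hit is not None)
```

Running it against the full log gives a quick answer to the first question a responder asks about a reported hidden driver: whether the normal service enumeration sees it at all. When it does not, as here, the finding comes from the AV's rootkit scan alone and a dedicated anti-rootkit tool, as the helper later requests, is the right next step.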

Old 10-08-2009, 07:34 AM   #2 (permalink)
CatByte
Analyst, Security Team
Join Date: Jan 2009
Location: Canada
Posts: 2,125
OS: XP sp3


Re: Help, Please!

Hi,

Please do the following:

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Check the box that says 64 bit
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
__________________


ASAP & UNITE Member
Old 10-08-2009, 12:22 PM   #3 (permalink)
Sk9
Registered User
 
Join Date: Oct 2009
Posts: 4
OS: Vista 64


Re: Help, Please!

Thanks for the reply!


Had to split the log up because of the size, but the format is continuous

Here are the first 2 parts:
Attached Files
File Type: txt log1.txt (1.36 MB, 2 views)
File Type: txt log2.txt (975.2 KB, 4 views)
Old 10-08-2009, 12:23 PM   #4 (permalink)
Sk9
Registered User
 
Join Date: Oct 2009
Posts: 4
OS: Vista 64


Re: Help, Please!

And the last 2:
Attached Files
File Type: txt log3.txt (1.18 MB, 2 views)
File Type: txt log4.txt (384.1 KB, 2 views)
Old 10-08-2009, 04:02 PM   #5 (permalink)
CatByte
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,125
OS: XP sp3


Re: Help, Please!

Hi,

Please do the following:

Start OTS
Copy/Paste the information inside the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Quote:
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3483358259-3342034048-1127732838-1000\] > ->
YN -> HKEY_USERS\S-1-5-21-3483358259-3342034048-1127732838-1000\: URLSearchHooks\\"*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3483358259-3342034048-1127732838-1000\] > -> HKEY_USERS\S-1-5-21-3483358259-3342034048-1127732838-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[PhotosmartEssentialBase.0x14] | DisplayName=%PhotosmartEssentialDisplayName% %PhotosmartEssentialVersion% | Description=Fotoprogramvare som forenkler mĺten du viser, organiserer, redigerer, skriver ut, deler og forteller historier med bildene pĺ. | Description2=Viktig! Uten denne programvaren kan det hende at noen av knappene pĺ enheten ikke virker fullt ut. | [PhotosmartEssentialBase.0x15] | DisplayName=%PhotosmartEssentialDisplayName% %PhotosmartEssentialVersion% | Description=Oprogramowanie fotograficzne upraszczające przeglądanie, porządkowanie, edytowanie, drukowanie, udostępnianie i opowiadanie historii za pomocą zdjęć. | Description2=Uwaga! Bez tego oprogramowania niektóre przyciski urządzenia nie będą działały. | [PhotosmartEssentialBase.0x16] | DisplayName=%PhotosmartEssentialDisplayName% %PhotosmartEssentialVersion% | Description=Software de fotos que simplifica a forma como vocę visualiza, organiza, edita, imprime, compartilha e conta histórias com suas fotos. | Description2=Importante! Sem este s
YN -> \{b0aca9c6-2acb-11dd-9123-001e8c81f81c} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b0aca9c6-2acb-11dd-9123-001e8c81f81c}\shell ->
YN -> \{b0aca9c6-2acb-11dd-9123-001e8c81f81c}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b0aca9c6-2acb-11dd-9123-001e8c81f81c}\shell\AutoRun\command ->
YN -> \{b0aca9c6-2acb-11dd-9123-001e8c81f81c}\shell\AutoRun\command\\"" -> G:\Autorun.exe [G:\Autorun.exe]
YN -> \{b4009f10-0b43-11dd-ab1c-806e6f6e6963} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b4009f10-0b43-11dd-ab1c-806e6f6e6963}\shell ->
YN -> \{b4009f10-0b43-11dd-ab1c-806e6f6e6963}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b4009f10-0b43-11dd-ab1c-806e6f6e6963}\shell\AutoRun\command ->
YY -> \{b4009f10-0b43-11dd-ab1c-806e6f6e6963}\shell\AutoRun\command\\"" -> D:\Setup.exe [D:\Setup.exe]
[Files/Folders - Created Within 30 Days]
NY -> 1 C:\Windows\*.tmp files -> C:\Windows\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> 123 C:\Users\User\AppData\Local\Temp\*.tmp files -> C:\Users\User\AppData\Local\Temp\*.tmp
[Empty Temp Folders]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.



NEXT


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
__________________


ASAP & UNITE Member
Old 10-08-2009, 08:37 PM   #6 (permalink)
Sk9
Registered User
 
Join Date: Oct 2009
Posts: 4
OS: Vista 64


Re: Help, Please!

Quote:
Originally Posted by CatByte
Post that log back here in your next reply.
All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-3483358259-3342034048-1127732838-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\ not found.
Registry value HKEY_USERS\S-1-5-21-3483358259-3342034048-1127732838-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
[Files/Folders - Created Within 30 Days]
C:\Windows\msdownld.tmp folder deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\Users\User\AppData\Local\Temp\pftD671.tmp folder deleted successfully.
[Empty Temp Folders]


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: User
->Temp folder emptied: 191861308 bytes
File delete failed. C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 217618149 bytes
->Java cache emptied: 22918457 bytes
->FireFox cache emptied: 61210765 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
File delete failed. C:\Windows\temp\03cbcf5c-da1c-432c-9532-fe1d2cf03c3a.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\0bebc18d-2f64-4a9b-ab40-9fda15d2c03b.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\0ce359f4-5ee2-4cea-9b88-30a143e80966.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\0df49bc3-60fd-470d-af4a-26f6ca362ccb.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\131b88a5-50b4-4d69-8d26-b9986630e676.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\15ee6c47-67e0-48fa-a3e7-529ec51cdfaf.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\160c7681-f97a-4ca5-b879-7e051f747c7a.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\305eb20d-2bb0-4464-8d18-562e223cb9d5.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\553f0d32-87e8-4743-8984-1af403af13e3.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\5eccc7f6-3484-4773-a2d1-4262d5755c47.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\6d303007-f01b-4816-aedf-8c351def4883.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\6d35aa53-ee4b-48b1-9ab2-e310fadd7e2a.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\709f7f45-b06d-4a49-9b87-49e365228f0d.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\761b3dd3-9284-4078-8d14-1d5a0975b890.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\8034ecfa-1dfd-4e19-926c-7a315b1b8cd7.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\8a4f5477-e9b3-48bb-9ddb-2041828710dd.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\8c453f15-b616-4dc0-9ee3-ebfbc0442d49.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\93cb29f2-1892-41b9-834f-21fbac4b07fb.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\94bf18b0-7140-4097-8db7-86e2e838105e.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\ad6eef0f-f5e1-4522-8af7-76968c1eb7ed.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\adc73332-1d92-41f9-b644-7aaa539a3295.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\b5c08d0c-c71c-4e6b-9c8f-d39e62db96a2.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\ccac11ff-50bd-4860-9d49-ce92be7c7138.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\dd733fa2-d70a-4819-94ab-82982fd0ea19.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\ecfa4c54-f2e6-4324-9aec-06f71bb6fc5a.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\f174c6af-06bb-4d67-a644-4bc35e73b1f1.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\f69ab5be-48a6-481d-9f84-c3b0a1949476.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied: 533010946 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 979.06 mb

< End of fix log >
OTS by OldTimer - Version 3.0.20.3 fix logfile created on 10082009_214927

Files\Folders moved on Reboot...
C:\Windows\temp\03cbcf5c-da1c-432c-9532-fe1d2cf03c3a.tmp moved successfully.
C:\Windows\temp\0bebc18d-2f64-4a9b-ab40-9fda15d2c03b.tmp moved successfully.
C:\Windows\temp\0ce359f4-5ee2-4cea-9b88-30a143e80966.tmp moved successfully.
C:\Windows\temp\0df49bc3-60fd-470d-af4a-26f6ca362ccb.tmp moved successfully.
C:\Windows\temp\131b88a5-50b4-4d69-8d26-b9986630e676.tmp moved successfully.
C:\Windows\temp\15ee6c47-67e0-48fa-a3e7-529ec51cdfaf.tmp moved successfully.
C:\Windows\temp\160c7681-f97a-4ca5-b879-7e051f747c7a.tmp moved successfully.
C:\Windows\temp\305eb20d-2bb0-4464-8d18-562e223cb9d5.tmp moved successfully.
C:\Windows\temp\553f0d32-87e8-4743-8984-1af403af13e3.tmp moved successfully.
C:\Windows\temp\5eccc7f6-3484-4773-a2d1-4262d5755c47.tmp moved successfully.
C:\Windows\temp\6d303007-f01b-4816-aedf-8c351def4883.tmp moved successfully.
C:\Windows\temp\6d35aa53-ee4b-48b1-9ab2-e310fadd7e2a.tmp moved successfully.
C:\Windows\temp\709f7f45-b06d-4a49-9b87-49e365228f0d.tmp moved successfully.
C:\Windows\temp\761b3dd3-9284-4078-8d14-1d5a0975b890.tmp moved successfully.
C:\Windows\temp\8034ecfa-1dfd-4e19-926c-7a315b1b8cd7.tmp moved successfully.
C:\Windows\temp\8a4f5477-e9b3-48bb-9ddb-2041828710dd.tmp moved successfully.
C:\Windows\temp\8c453f15-b616-4dc0-9ee3-ebfbc0442d49.tmp moved successfully.
C:\Windows\temp\93cb29f2-1892-41b9-834f-21fbac4b07fb.tmp moved successfully.
C:\Windows\temp\94bf18b0-7140-4097-8db7-86e2e838105e.tmp moved successfully.
C:\Windows\temp\ad6eef0f-f5e1-4522-8af7-76968c1eb7ed.tmp moved successfully.
C:\Windows\temp\adc73332-1d92-41f9-b644-7aaa539a3295.tmp moved successfully.
C:\Windows\temp\b5c08d0c-c71c-4e6b-9c8f-d39e62db96a2.tmp moved successfully.
C:\Windows\temp\ccac11ff-50bd-4860-9d49-ce92be7c7138.tmp moved successfully.
C:\Windows\temp\dd733fa2-d70a-4819-94ab-82982fd0ea19.tmp moved successfully.
C:\Windows\temp\ecfa4c54-f2e6-4324-9aec-06f71bb6fc5a.tmp moved successfully.
C:\Windows\temp\f174c6af-06bb-4d67-a644-4bc35e73b1f1.tmp moved successfully.
C:\Windows\temp\f69ab5be-48a6-481d-9f84-c3b0a1949476.tmp moved successfully.

Registry entries deleted on Reboot...


Quote:
Originally Posted by CatByte
paste the entire report
Malwarebytes' Anti-Malware 1.41
Database version: 2927
Windows 6.0.6001 Service Pack 1

10/8/2009 10:19:04 PM
mbam-log-2009-10-08 (22-19-04).txt

Scan type: Quick Scan
Objects scanned: 86560
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
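The Malwarebytes log in this post ends with per-category counts followed by the flagged items themselves. The `Registry Data Items` hit is the Explorer policy value `NoActiveDesktopChanges`, which the DDS log in the first post already showed set to 1 (`mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)`), so the two reports corroborate each other. As an added example, not part of the thread and not Malwarebytes' own code, the following Python script parses such a log into a report object, cross-checks the summary counts against the items actually listed, and flags any detection whose recorded action was not a successful removal. The sample input is the log posted above, embedded as a string.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample input: the Malwarebytes' Anti-Malware log posted above, embedded here
# as a constructed test string for this example.
SAMPLE_MBAM = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2927
Windows 6.0.6001 Service Pack 1

10/8/2009 10:19:04 PM
mbam-log-2009-10-08 (22-19-04).txt

Scan type: Quick Scan
Objects scanned: 86560
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Summary line: "<category> Infected: <n>"; section header: "<category> Infected:"
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# Detection line: "<target> (<family>) -> [<detail> -> ]<action>"
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
KV_RE = re.compile(r"^(?P<key>Scan type|Objects scanned|Database version): (?P<value>.+)$")


@dataclass
class Detection:
    category: str   # e.g. "Files Infected"
    target: str     # path, key or value that was flagged
    family: str     # MBAM's detection name, e.g. Trojan.Agent
    detail: str     # e.g. "Bad: (1) Good: (0)" for a policy value, "" if none
    action: str     # what MBAM did with it


@dataclass
class MbamReport:
    meta: Dict[str, str] = field(default_factory=dict)
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Parse an MBAM scan log into metadata, summary counts and detections."""
    report = MbamReport()
    current = None  # category of the detail section we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kv = KV_RE.match(line)
        if kv:
            report.meta[kv.group("key")] = kv.group("value")
            continue
        s = SUMMARY_RE.match(line)
        if s:
            report.summary[s.group("category")] = int(s.group("count"))
            continue
        h = HEADER_RE.match(line)
        if h:
            current = h.group("category")
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        e = ENTRY_RE.match(line)
        if e:
            parts = e.group("rest").split(" -> ")
            report.detections.append(Detection(current, e.group("target"), e.group("family"),
                                               " -> ".join(parts[:-1]), parts[-1]))
    return report


def consistency_check(report: MbamReport) -> List[str]:
    """Compare summary counts with the items listed; return one message per mismatch."""
    listed: Dict[str, int] = {}
    for d in report.detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return [f"{cat}: summary says {n}, listed {listed.get(cat, 0)}"
            for cat, n in report.summary.items() if listed.get(cat, 0) != n]


def unresolved(report: MbamReport) -> List[Detection]:
    """Detections whose action does not record a successful removal."""
    return [d for d in report.detections if "successfully" not in d.action.lower()]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_MBAM)
    for d in rep.detections:
        print(f"[{d.category}] {d.family}: {d.target} -> {d.action}")
    print("mismatches:", consistency_check(rep) or "none")
    print("unresolved:", len(unresolved(rep)))
```

The consistency check matters when a log is pasted in pieces or trimmed, as the OTS log in this same thread had to be: a category whose count does not match its listed items tells the helper that part of the report is missing before any conclusion is drawn from it.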
Old 10-09-2009, 03:28 AM   #7 (permalink)
CatByte
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,125
OS: XP sp3


Re: Help, Please!

Hi,

Please do the following:

**Vista users - right click on the IE icon and run as administrator

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


Please advise how your computer is running now and if there are any outstanding issues.
__________________


ASAP & UNITE Member
Old 10-15-2009, 11:28 PM   #8 (permalink)
amateur
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,420
OS: XP SP3


Re: Help, Please!

Since this issue appears resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

Surf Safely, and Think Prevention!
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Copyright 2001 - 2009, Tech Support Forum