lysnesgr

I have trojan.redirRdll3.gen, click.gethotresults.com, etc issues.

25 posts in this topic

Hi,

Hello lysnesgr! :welcome:

My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

I see where the problem is...

uRun: [Microsoft] rundll32.exe "c:\documents and settings\kelly's\local settings\application data\pchealth\microsoft\kghbvnpki.dll",StartupW

dRun: [Microsoft] rundll32.exe "c:\documents and settings\kelly's\local settings\application data\pchealth\microsoft\kghbvnpki.dll",StartupW

  • Please download a fresh copy of Combofix from here.
  • Save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.

Regards,

Georgi

Share this post


Link to post
Share on other sites

How can I view this topic on my other computer, so i can have the directions in front of me at all times?

Share this post


Link to post
Share on other sites

Hey Georgi, is there anything you want ask me? Mbam and tdsskiller had removed a couple files. Maybe AVG Free also, not sure.

Share this post


Link to post
Share on other sites

Hi Jeff,

Sorry for the delay. I had some problems with my internet connection.

Hey Georgi, is there anything you want ask me? Mbam and tdsskiller had removed a couple files. Maybe AVG Free also, not sure.

You are are going down on the danger road by doing things on your own. I didn't ask you to run any another tool at this point.

Some notes before we proceed:

Please don't do more then I ask you to.

Keep calm, removing malware isn't a quick process.

Ok, please attach all of the logs from TDSSKiller, MBAM and AVG in your next reply.

Also,

STEP 1

  • Please download RogueKiller and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.

STEP 2

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
    gmer_zip.gif
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in safe mode.

-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.

Regards,

Georgi

Share this post


Link to post
Share on other sites

Hi Jeff,

It's ok then.

Please continue with the steps from my previous post when you can.

Take your time! :)

Regards,

Georgi

Share this post


Link to post
Share on other sites

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-09-08 10:28:22

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST916031 rev.0003

Running: vdbim28e.exe; Driver: C:\DOCUME~1\Kelly's\LOCALS~1\Temp\kftdqpod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x97527004]

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x975270D4]

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x97526D76]

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x97526E1E]

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x97526EBA]

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x97526F56]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A5E9E16D

INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A5E9DFC2

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0x97224400, 0x87EE2, 0xE8000020]

.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x972C8620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x972C8620]

.protectÿÿÿÿhardlockunknown last code section [0x972C8400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0x972C8400, 0x5126, 0xE0000020]

? C:\ComboFix\catchme.sys The system cannot find the path specified. !

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

Share this post


Link to post
Share on other sites

Hi Jeff,

Please re-run RogueKiller.

Wait until Prescan has finished.

Click on Scan.

Now click the Registry tab and locate these

[RUN][bLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Wave Systems Corp (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\Zoom_Downloader\Wave Systems Corp\xpuxo.dll",CreateInstance) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Citrix (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\LogMeIn\Citrix\jxetn.dll",CreateInstance) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Microsoft (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\PCHealth\Microsoft\kghbvnpki.dll",StartupW) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Wave Systems Corp (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\Zoom_Downloader\Wave Systems Corp\xpuxo.dll",CreateInstance) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Citrix (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\LogMeIn\Citrix\jxetn.dll",CreateInstance) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Microsoft (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\PCHealth\Microsoft\kghbvnpki.dll",StartupW) -> FOUND

Place a checkmark on it, leave the others unchecked.

Now press the Delete button.

If asked to restart the computer, please do so immediately.

When it is finished, there will be a new log on your desktop called: RKreport[2].txt

Post the log in your next reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\drivers\hardlock.sys

note, if VT says these files have already been analysed, make sure you click re-analyse file now.

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/

Please post the link to the results page rather than the contents of the page itself (its a little easier for me to read).

Regards,

Georgi

Share this post


Link to post
Share on other sites

Hi Georgi,https://www.virustotal.com/file/a9e4d2ee0cde5bd0d2caa784c080146b6edbc78ab6857995dea8d377d9e3cf46/analysis/1347203284/

RKreport2.txt

Share this post


Link to post
Share on other sites

Hi,

STEP 1

You didn't delete the entries in RogueKiller?

[RUN][bLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Wave Systems Corp (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\Zoom_Downloader\Wave Systems Corp\xpuxo.dll",CreateInstance) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Citrix (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\LogMeIn\Citrix\jxetn.dll",CreateInstance) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Microsoft (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\PCHealth\Microsoft\kghbvnpki.dll",StartupW) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Wave Systems Corp (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\Zoom_Downloader\Wave Systems Corp\xpuxo.dll",CreateInstance) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Citrix (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\LogMeIn\Citrix\jxetn.dll",CreateInstance) -> FOUND

[RUN][bLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Microsoft (rundll32.exe "C:\Documents and Settings\Kelly's\Local Settings\Application Data\PCHealth\Microsoft\kghbvnpki.dll",StartupW) -> FOUND

Please rerun RogueKiller and delete these!

STEP 2

  • Please start the MBAM by double-click on it's icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.

STEP 3

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the Run ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    7. Now click on Advanced Settings and select the following:


        • Scan for potentially unwanted applications
        • Scan for potentially unsafe applications
        • Enable Anti-Stealth Technology

      [*]Push the Start button.

      [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

      [*]When the scan completes, push esetListThreats.png

      [*]Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

      [*]Push the esetBack.png button.

      [*]Push esetFinish.png

STEP 4

  • Download ListParts to your Desktop.
  • Double click ListParts.exe to launch the program.
  • Put check mark on List BCD.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on your Desktop.
  • Please post me the contents of the log.

Regards,

Georgi

Share this post


Link to post
Share on other sites

Hi Jeff,

We are almost done.

Let's do some final things...

Please follow the instructions below:

STEP 1

  1. Please download OTL from the link below:

  • Save it to your desktop/
  • Double click on the otlDesktopIcon.png icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.46625204.png
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the customFix.png textbox.
  • Don't copy the word "quoted"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Application Data\*.
    %USERPROFILE%\Local Settings\*.*
    %USERPROFILE%\Local Settings\temp\*.exe
    %USERPROFILE%\Local Settings\Temporary Internet Files\*.exe
    %USERPROFILE%\Local Settings\Application Data\*.*
    %AllUsersProfile%\*.*
    %AllUsersProfile%\Application Data\*.*
    %AllUsersProfile%\Application Data\*.
    %AllUsersProfile%\Application Data\Local Settings\*.*
    %AllUsersProfile%\Application Data\Local Settings\Temp\*.exe
    %ALLUSERSPROFILE%\Documents\My Music\*.exe
    %ALLUSERSPROFILE%\Documents\My Pictures\*.exe
    %ALLUSERSPROFILE%\Documents\My Videos\*.exe
    %ALLUSERSPROFILE%\Documents\*.exe
    %USERPROFILE%\My Documents\*.*
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\ComObjects*.*
    %PROGRAMFILES%\*.*
    %PROGRAMFILES%\*.
    %systemroot%\system32\config\systemprofile\*.*
    %systemroot%\system32\config\systemprofile\Application Data\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\Application Data\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\Temp\*.exe
    %systemroot%\system32\config\systemprofile\\Local Settings\Temporary Internet Files\*.exe
    C:\Documents and Settings\LocalService\Application Data\*.*
    C:\Documents and Settings\LocalService\Local Settings\Application Data\*.*
    C:\Documents and Settings\LocalService\Local Settings\temp\*.exe
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\*.exe
    C:\Documents and Settings\LocalService\Local Settings\*.*
    C:\Documents and Settings\LocalService\*.*
    C:\Documents and Settings\NetworkService\Application Data\*.*
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.*
    C:\Documents and Settings\NetworkService\Local Settings\temp\*.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\*.exe
    C:\Documents and Settings\NetworkService\Local Settings\*.*
    C:\Documents and Settings\NetworkService\*.*
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\installer\*.
    %windir%\system32\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    svchost.exe
    explorer.exe
    userinit.exe
    winlogon.exe
    smss.exe
    lsass.exe
    atapi.sys
    iaStor.sys
    serial.sys
    disk.sys
    volsnap.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    tcpip.sys
    ipsec.sys
    hlp.dat
    str.sys
    crexv.ocx
    /md5stop
  • Push the runscanbutton.png button.
  • One report will open, attach it in your next reply:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be opened

    STEP 2

    Download the adwCleaner

  • Run the Tool
    Windows Vista and Windows 7 users:
    Right click in the adwCleaner.exe and select the option Run%20as%20admin.png
  • Select the Delete button.
  • When the scan completes, it will open a notepad windows.
  • Please, copy the content of this file in your next reply.

STEP 3

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

STEP 4

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Regards,

Georgi

Share this post


Link to post
Share on other sites

I can't imagine how much time you folks spend reading all those files!

Share this post


Link to post
Share on other sites

Hi Jeff,

Here it is 02.00 am. :)

I have a question for you - Did you purposely install GoToAssist ?

If not I suggest you to uninstall it VIA add or remove programs from the Control Panel as this is some kind of Remote support service.

More information can be found here => http://www.bleepingc....exe-23004.html

We need to run an OTL Fix

  1. Please reopen otlDesktopIcon.png on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"

    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    [2012/04/19 12:40:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
    :files
    C:\Documents and Settings\Kelly's\Application Data\Sun\Java\Deployment\cache\6.0\2\63d48c42-637e6180
    C:\Documents and Settings\Kelly's\Application Data\Sun\Java\Deployment\cache\6.0\43\402b2b-5c780347
    C:\Documents and Settings\Kelly's\My Documents\Eclipse\kkane\YontooClientSetup.exe
    C:\Program Files\Advantage Software\EclipseNT\Users\kkane\YontooClientSetup.exe
    :commands
    [emptytemp]
  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click btnOK.png.
  6. A report will open. Copy and Paste that report in your next reply.
  7. If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  8. Copy/paste the content of the log back here in your next post.

Regards,

Georgi

Share this post


Link to post
Share on other sites

Hi Jeff,

Nicely done !

I have some final words for you.

All Clean !

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

STEP 1 UPDATING TASKS

Upgrading Java:

javaicon.gif Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

  • Download the latest version of Java SE 6.
  • Click the Java 6 Update 35 "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u35-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Programs, click on Uninstall a program and remove all older versions of Java:
    Java 6 Update 22
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

I want you to run this for me

:Run JavaRa

  • Please download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Close it.

Your adobe flash player is out of date. Older versions are vulnerable to attack and exploitation. Please go to the links below to update it:

Adobe Flash Player 11.4.402.265 Final for (Internet Explorer)

Adobe Flash Player 11.4.402.265 Final for (Firefox, Safari, Opera)

Note: Your browsers should be closed before proceeding with the installation process.

Your Adobe Reader is out of date.

Older versions may have vulnerabilities that malware can use to infect your system.

Please download Adobe Reader 10.1.4 to your PC's desktop.

  • Uninstall Adobe Reader 9 via Start => Control Panel > Uninstall a program
  • Install the new downloaded updated software.

Note that the McAfee Security scan is prechecked. You may wish to uncheck it before downloading.

mcafee-ssp.jpg

Your Mozilla Thunderbird is out of date!

Download and install the latest version from here - Mozilla Thunderbird 15.0.1 Final EN for Windows

Also you may want to try AVG 2013 - AVG Anti-Virus Free 2013 13.0 Build 2667a5738 x86

Note: First uninstall AVG 2012 and remove all leftovers from it using this tool - AVG Remover(32bit) 2012 (avg_remover_stf_x86_2012_2125.exe)

  • It is possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector or you can use the following application for this purpose PatchMyPC

main.JPG

Visit Microsoft's Windows Update Site Frequently

  • It is important that you visit Windows Update regularly.
  • This will ensure your computer has always the latest security updates available installed on your computer.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

STEP 2 CLEANUP

To remove all of the tools we used and the files and folders they created, please do the following:

Click on Start => Run => now type in ComboFix /Uninstall into the run-box and click OK.

Note the space between the X and the /Uninstall, it needs to be there.

Combofix_uninstall_image.jpg

  • Please reopen otlDesktopIcon.png on your desktop.
  • In the upper right click CleanUp
    35hfp21.jpg
  • This will delete OTL and will clean up after it.

Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Feel free to uninstall Eset Online Scanner.

STEP 3 SECURITY ADVICES

Change all your passwords !

Since your computer was infected for peace of mind, I would however advise you that all your passwords be changed immediately !! (just in case).

Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.

You can use PC Tools Password Generator to create random passwords and then install an application like KeePass Password Safe to store them for easy access.

If you do Online Banikng!

Online Banking Protection Against Identity Theft

Also make sure you use HTTPS protocol with your banking websites.

Use HTTPS When Login To Social Websites

Keep your antivirus software turned on and up-to-date

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • You should scan your computer with an AntiSpyware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
  • Be sure to check for and download any definition updates prior to performing a scan.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:

  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Use Google Chrome or Install Mozilla Firefox with these add-ons - NoScript, Addblock Plus

To prevent further infections, use Google Chrome, which has a sandbox - Google Chrome 21.0.1180.89 Stable

You can download Mozilla Firefox from here - Mozilla Firefox 15.0.1 Final

Mozilla Firefox 15.0.1 Final за Windows на английски

NoScript can be found here.

Addblock Plus can be found here.

Create an image of your system

  • It is always a good idea to do a backup of all important files just in case something happens it.
  • Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorials can be found here.
  • Be sure to read the tutorial first.

Optimize Windows XP for better performance

Especially you need to defragment your C:\ Drive.

Use Disk Cleanup to delete files you no longer need and reclaim storage space on your computer.

Open Disk Cleanup by clicking the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Cleanup.

If the Disk Cleanup: Drive Selection dialog box appears, select the hard disk drive that you want to clean up, and then click OK.

Click the Disk Cleanup tab, and then select the check boxes for the files you want to delete.

When you finish selecting the files you want to delete, click OK, and then click Delete files to confirm the operation. Disk Cleanup proceeds to remove all unnecessary files from your computer.

Next please Open Disk Defragmenter by clicking the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Defragmenter

Select the drive you want to Defragment (the drive where Windows is installed).

Click Defragment Now.

Finally please type msconfig in the start menu, then hit enter.

Go to the startup tab and then uncheck any programs that you don't need to load with Windows.

Click the "Apply" button and click "OK" to close the MSCONFIG window.

Restart your computer to save the changes you made to the Startup.

You might have a popup window when you log on. This is typical. Just click ok. You can also make the popup window not come up anymore by checking the box there.

The programs you removed will no longer automatically launch once Windows starts up.

Follow this list and your potential for being infected again will reduce dramatically.

Safe Surfing! :)

Regards,

Georgi

Share this post


Link to post
Share on other sites

Hi Georgi, Your the BEST!! I can't thank you enough. Hopefully you guys get paid somehow for all your hard work!

Best Regards, Jeff

Share this post


Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.