Type: Posts; User: IndiGenus; Keyword(s):

  1. Replies
    11
    Views
    4,615

    1. Open Notepad 2. Now copy/paste the entire...

    1. Open Notepad

    2. Now copy/paste the entire content of the codebox below into the Notepad window:



    RegLockDel::...
  2. Replies
    11
    Views
    4,615

    Okay let's try combofix again. No need to attach...

    Okay let's try combofix again. No need to attach log. Just post in your reply here.
  3. Replies
    11
    Views
    4,615

    Looks like the TDL rootkit is running. Let's do...

    Looks like the TDL rootkit is running. Let's do this...

    Please read carefully and follow these steps.

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop....
  4. Replies
    11
    Views
    4,615

    AVG does not play nice with combofix. My advice...

    AVG does not play nice with combofix. My advice is to completely uninstall it then try combofix again.
  5. Replies
    11
    Views
    4,615

    Hello atapene and welcome to the forums here at...

    Hello atapene and welcome to the forums here at Safer Networking.

    :snwelcome:

    Sorry for the delay in getting to your post here. It appears the malware has done some significant damage to your...
  6. Replies
    39
    Views
    15,568

    Yes, we should be all set. I'll leave the thread...

    Yes, we should be all set. I'll leave the thread open a few days in case you have questions or issues.

    You're welcome, and good luck.
    Dave
  7. Replies
    39
    Views
    15,568

    Now that you are clean please take some time to...

    Now that you are clean please take some time to read through TonyKlein's So how did I get infected in the first place?
  8. Replies
    39
    Views
    15,568

    Have you run a full scan with AVG? If not I'd...

    Have you run a full scan with AVG? If not I'd suggest that.

    Uninstall OTL and related files/folders

    Make sure you have an Internet Connection.
    Double-click OTL.exe to run it.
    Click on the...
  9. Replies
    39
    Views
    15,568

    Okay so how's everything running now? Download...

    Okay so how's everything running now?

    Download Security Check by screen317 from here or here.
    Save it to your Desktop.
    Double click SecurityCheck.exe and follow the onscreen instructions...
  10. Replies
    39
    Views
    15,568

    They can go. Run OTL.exe Under the Custom...

    They can go.

    Run OTL.exe

    Under the Custom Scans/Fixes box at the bottom, paste in the following


    :Files
    C:\Windows\SysWow64\drivers\f
    C:\Windows\SysWow64\webe
  11. Replies
    39
    Views
    15,568

    Ya what I figured. Looks like it came in with the...

    Ya what I figured. Looks like it came in with the safesurf junk. Looks like a bunch of stuff created in folders too. Need to check.


    Please download SystemLook from one of the links below and...
  12. Replies
    39
    Views
    15,568

    That's part of the Safe Surf junk and can be...

    That's part of the Safe Surf junk and can be removed.

    Did you install something from Skybound Software called Stylelyzer? Some kind of .css editor or something?

    Let's run another scanner too....
  13. Replies
    39
    Views
    15,568

    Interesting that OTL did not find the 3 files in...

    Interesting that OTL did not find the 3 files in the SysWOW folder.

    C:\Windows\SysWOW64\drivers\up.exe
    C:\Windows\SysWOW64\Help64.exe
    C:\Windows\SysWOW64\webe\Updater3.exe

    Can you take a...
  14. Replies
    39
    Views
    15,568

    Run OTL.exe Under the Custom Scans/Fixes box...

    Run OTL.exe

    Under the Custom Scans/Fixes box at the bottom, paste in the following



    :Files
    C:\Windows\System32\drivers\up.exe
    C:\Windows\System32\Help64.exe ...
  15. Replies
    39
    Views
    15,568

    It's a time consuming/deep scan, so they can take...

    It's a time consuming/deep scan, so they can take a while.

    It is also known to produce false positives, so post the log and let us review before deleting anything.
  16. Replies
    39
    Views
    15,568

    Good point. :red: Looks like HJT took care of...

    Good point. :red: Looks like HJT took care of those startup items anyway, so I think we're good there. Just need to check on the file.
  17. Replies
    39
    Views
    15,568

    Run HijackThis. Click Do a System Scan Only. Put a...

    Run HijackThis. Click Do a System Scan Only. Put a Check in the box on the left side on these:


    O4 - HKUS\S-1-5-18\..\Run: [YXE7DXCQ37] C:\Windows\TEMP\Stm.exe (User 'SYSTEM')
    O4 -...
  18. Replies
    39
    Views
    15,568

    While we wait for the Kaspersky scanner to run...

    While we wait for the Kaspersky scanner to run can you do the following please.

    Download and install HijackThis from the following link. You can just accept and use all the default settings to...
  19. Replies
    39
    Views
    15,568

    Delete Temp files Download TFC...

    Delete Temp files

    Download TFC to your desktop

    Open the file and close any other windows.
    It will close all programs itself when run, make sure to let it run uninterrupted.
    Click the Start...
  20. Replies
    39
    Views
    15,568

    Run OTL.exe Under the Custom Scans/Fixes box...

    Run OTL.exe

    Under the Custom Scans/Fixes box at the bottom, paste in the following


    :OTL
    PRC - [2010/09/02 11:55:05 | 000,211,968 | ---- | M] (JetSwap) --...
  21. Replies
    39
    Views
    15,568

    Hi zoniq and welcome to the forums. ...

    Hi zoniq and welcome to the forums.

    :snwelcome:

    Run OTL and post the logs
    http://www.geekstogo.com/misc/guide_icons/OTLI.gif OTL - Download or alternative link here and here

    Download OTL to...
  22. Replies
    52
    Views
    16,236

    You're very welcome and glad we were able to...

    You're very welcome and glad we were able to help. :bigthumb:
  23. Replies
    52
    Views
    16,236

    If all is still running well I think we can wrap...

    If all is still running well I think we can wrap it up.

    Uninstall Combofix

    Click START then RUN
    Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and...
  24. Replies
    52
    Views
    16,236

    Just need to clean out some leftovers. The items...

    Just need to clean out some leftovers. The items ESET found are the infected backup hosts files that were created when you used OTM to solve your HOSTS issue. They will be cleaned out when we clean...
  25. Replies
    52
    Views
    16,236

    Okay I will await the results from the ESET scan...

    Okay I will await the results from the ESET scan before we proceed.
  26. Replies
    52
    Views
    16,236

    Run OTL.exe Under the Custom Scans/Fixes box...

    Run OTL.exe

    Under the Custom Scans/Fixes box at the bottom, paste in the following



    :Files
    c:\windows\system32\drivers\tsk35.tmp

    :Commands
  27. Replies
    52
    Views
    16,236

    Okay good, please run TDSSKiller one more time...

    Okay good, please run TDSSKiller one more time and post the log.

    Let me know how it's running at this point too please.
  28. Replies
    52
    Views
    16,236

    Backup Your Registry with ERUNT * Please...

    Backup Your Registry with ERUNT

    * Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
    * For version with the Installer:
    ...
  29. Replies
    52
    Views
    16,236

    Okay while I'm looking into this and trying to...

    Okay while I'm looking into this and trying to get my head wrapped around it can you run TDSSKiller like you did earlier back here and post the log.
  30. Replies
    52
    Views
    16,236

    Some more investigating to do before we make any...

    Some more investigating to do before we make any changes. This could be tricky to remove if we need to.

    Please download SystemLook from one of the links below and save it to your Desktop....
  31. Replies
    52
    Views
    16,236

    Before moving on with the fix I would like you to...

    Before moving on with the fix I would like you to check something.

    Start Notepad and copy/paste in the following code:


    @echo off
    If exist SELECT.txt del /s/q SELECT.txt
    If exist peek*.txt...
  32. Replies
    52
    Views
    16,236

    1. Open Notepad 2. Now copy/paste the entire...

    1. Open Notepad

    2. Now copy/paste the entire content of the codebox below into the Notepad window:



    Folder::
    c:\documents and settings\Jonathan\Local Settings\Application Data\hrjamelec
    ...
  33. Replies
    52
    Views
    16,236

    Time for combofix: Please visit this webpage...

    Time for combofix:

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    * Ensure you have...
  34. Replies
    52
    Views
    16,236

    Looks like the log is getting cut off for some...

    Looks like the log is getting cut off for some reason. But I can see that it did find the rootkit.

    How is it running now? Can you get to those sites now?
  35. Replies
    52
    Views
    16,236

    Okay that is clean. Download TDSSKiller...

    Okay that is clean.

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop...
  36. :bigthumb::bigthumb:

    :bigthumb::bigthumb:
  37. Good enough. Just some final words of "wisdom"...

    Good enough. Just some final words of "wisdom" then.

    Now that you are clean please take some time to read through TonyKlein's So how did I get infected in the first place?
  38. Yes, you can remove 9. Probably you would...

    Yes, you can remove 9.


    Probably you would use this one:

    http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080828154508EN
  39. Yes, Java is up to date, must be a bug. The...

    Yes, Java is up to date, must be a bug.

    The rest do need updating. Let me know if you need help with that.

    So you do not have any Norton products on here any more? If so you should probably run...
  40. Uninstall Combofix Click START then RUN ...

    Uninstall Combofix

    Click START then RUN
    Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

    The above procedure will:...
  41. Yes, that's a false positive. You shouldn't need...

    Yes, that's a false positive. You shouldn't need to disable anything else. Just Adwatch. I'll get back to you on the items Kaspersky found.
  42. Replies
    52
    Views
    16,236

    Sorry that is my fault. No need to run as Admin...

    Sorry that is my fault. No need to run as Admin as you're running XP. Thought it was Vista.

    Either way now that you've posted I would prefer you run this tool.

    Download MBRCheck.exe to your...
  43. Great, and I bet a simple re-install or repair...

    Great, and I bet a simple re-install or repair install if available will fix the problem.

    Now that you are clean please take some time to read through TonyKlein's So how did I get infected in the...
  44. Looks clean to me and right size now too. So no...

    Looks clean to me and right size now too. So no need to worry there. Sometimes just going through the process of looking for a file like that will trigger the AV that something is wrong. Which looks...
  45. Sorry need to make sure hidden files are showing,...

    Sorry need to make sure hidden files are showing, my bad.

    http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/hiddenfiles.mspx
  46. Let's make sure it was cleaned. The dllcache...

    Let's make sure it was cleaned. The dllcache folder essentially contains backups of system files, in case something happens to a system file it automatically gets replaced. Hate to have that happen...
  47. Okay no problem. We'll keep the thread open for...

    Okay no problem. We'll keep the thread open for you.
  48. Please download SystemLook from one of the links...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    Double-click SystemLook.exe to run it.
    Copy the content of the...
  49. One more virus scan in order I think. And a...

    One more virus scan in order I think. And a security update check.

    Go to Kaspersky website and perform an online antivirus scan.


    Read through the requirements and privacy statement and click...
  50. Looks like it did what we needed it to. One...

    Looks like it did what we needed it to.

    One more scan in order I think, unless there are any problems.

    Go to Kaspersky website and perform an online antivirus scan.


    Read through the...
Results 1 to 50 of 500