Avast WEBforum

Other => Viruses and worms => Topic started by: parkerka43 on July 10, 2011, 03:27:46 PM

Title: 64.111.211.158 virus going around...
Post by: parkerka43 on July 10, 2011, 03:27:46 PM
Seems like many people are getting this, whether it is under malicious website or under the IP address.  Please see enclosed my OTS report.  Help! 

http://www.mediafire.com/?ociauy3kk19jgix

Thanks,
Kate
Title: Re: 64.111.211.158 virus going around...
Post by: essexboy on July 10, 2011, 04:28:29 PM
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (CLTNetCnService) Symantec Lic NetConnect service [Auto | Stopped] ->
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > ->
YY -> HKEY_USERS\.DEFAULT\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > ->
YY -> HKEY_USERS\S-1-5-18\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-202665250-604205506-972214574-1000\] > ->
YY -> HKEY_USERS\S-1-5-21-202665250-604205506-972214574-1000\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO]
YN -> HKEY_USERS\S-1-5-21-202665250-604205506-972214574-1000\: "ProxyServer" -> proxy-u2.uc3m.es:80
< FireFox Settings [Prefs.js] > -> C:\Users\Kate\AppData\Roaming\Mozilla\FireFox\Profiles\wwosniox.default\prefs.js
YN -> network.proxy.http -> "proxy-u2.uc3m.es"
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
YY -> HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71} -> C:\Program Files\AVG\AVG9\Firefox [C:\PROGRAM FILES\AVG\AVG9\FIREFOX]
YY -> HKLM\software\mozilla\Firefox\Extensions\\avg@igeared -> C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [C:\PROGRAM FILES\AVG\AVG9\TOOLBAR\FIREFOX\AVG@IGEARED]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> C:\Program Files\AVG\AVG9\avgssie.dll [AVG Safe Search]
YY -> {A3BC75A2-1F87-4686-AA43-5347D756017C} [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{DE9C389F-3316-41A7-809B-AA305ED9D922}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-202665250-604205506-972214574-1000\] > -> HKEY_USERS\S-1-5-21-202665250-604205506-972214574-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YY -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "AVG9_TRAY" -> C:\Program Files\AVG\AVG9\avgtray.exe [C:\PROGRA~1\AVG\AVG9\avgtray.exe]
YN -> "MSConfig" -> C:\Windows\System32\msconfig.exe ["C:\Windows\system32\msconfig.exe" /auto]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> AVGRSSTX.DLL -> C:\Windows\System32\avgrsstx.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> SDWinLogon ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
YN -> .exe [@ = exefile] -> Reg Error: Value error.
< File Associations - Select to Repair > -> HKEY_USERS\S-1-5-21-202665250-604205506-972214574-1000\SOFTWARE\Classes\<extension>\
YN -> .exe [@ = exefile] -> Reg Error: Value error.
[Files/Folders - Modified Within 30 Days]
NY ->  ~32235256 -> C:\ProgramData\~32235256
NY ->  ~32235256r -> C:\ProgramData\~32235256r
NY ->  32235256 -> C:\ProgramData\32235256
[Files - No Company Name]
NY ->  ~32235256r -> C:\ProgramData\~32235256r
NY ->  ~32235256 -> C:\ProgramData\~32235256
NY ->  32235256 -> C:\ProgramData\32235256
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
Title: Re: 64.111.211.158 virus going around...
Post by: parkerka43 on July 10, 2011, 11:02:52 PM
I can't get my fix to pop up or export - it says click ok to view, but I cannot see it.  Is there another way I can access my fix log?

And also, the problem still exists after running the fix...  :/
Title: Re: 64.111.211.158 virus going around...
Post by: essexboy on July 10, 2011, 11:10:50 PM
OK, I would like to try a little test. If this programme fails to run, please let me know.

Please read carefully and follow these steps. 
Title: Re: 64.111.211.158 virus going around...
Post by: parkerka43 on July 11, 2011, 12:15:12 AM
I can't get my .exe files to open.  I downloaded and unzipped the program, but whenever I try to open it, it never actually opens.  I tried seeing if I could change the default program that opens .exe files, but I cannot figure out how to add extension .exe to my control panel.  I am also using Windows Vista.

Title: Re: 64.111.211.158 virus going around...
Post by: essexboy on July 11, 2011, 09:15:46 PM
OK, let's try this instead.

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan
 (http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif)
 
On completion of the scan, click save log, save it to your desktop and post it in your next reply.
(http://public.avast.com/~gmerek/aswMBR2.png)