Author Topic: TDL4@MBR..the day I upgraded to Avast pro 5  (Read 13416 times)


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #15 on: March 27, 2011, 01:38:46 AM »
Please use: Attach...!!!
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #16 on: March 27, 2011, 01:40:05 AM »
Pondus...the OTS results are more than 10,000 characters so I can't post the results...is there a way to post them?

Use the attach function. ;)


OK, I found the attach link...hope it works..here are the OTS results


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #17 on: March 27, 2011, 04:14:51 PM »
The proxy settings were also changed

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > ->
YN -> HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > ->
YN -> HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{3041D03E-FD4B-44E0-B742-2D9B88305F98}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{3041D03E-FD4B-44E0-B742-2D9B88305F98}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  USERNAME123.EXE.exe -> C:\Documents and Settings\lov\Desktop\USERNAME123.EXE.exe
NY ->  bfjz7yhz.exe -> C:\Documents and Settings\lov\Desktop\bfjz7yhz.exe
NY ->  Bkaduyokuyepe.dat -> C:\WINDOWS\Bkaduyokuyepe.dat
[Files - No Company Name]
NY ->  Bkaduyokuyepe.dat -> C:\WINDOWS\Bkaduyokuyepe.dat
NY ->  Ofifowohone.bin -> C:\WINDOWS\Ofifowohone.bin
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #18 on: March 27, 2011, 07:42:58 PM »
essexboy, here are the results...thanks

All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer deleted successfully.
Unable to delete registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable .
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\lov\Desktop\USERNAME123.EXE.exe moved successfully.
C:\Documents and Settings\lov\Desktop\bfjz7yhz.exe moved successfully.
C:\WINDOWS\Bkaduyokuyepe.dat moved successfully.
[Files - No Company Name]
File C:\WINDOWS\Bkaduyokuyepe.dat not found!
C:\WINDOWS\Ofifowohone.bin moved successfully.
[Empty Temp Folders]
 
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 321 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 321 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 524422 bytes
 
User: lov
->Temp folder emptied: 14580123 bytes
->Temporary Internet Files folder emptied: 156481 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 144641984 bytes
->Flash cache emptied: 18273 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5341318 bytes
->Java cache emptied: 2020 bytes
->Flash cache emptied: 53460 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 88 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1015869 bytes
 
Total Files Cleaned = 159.00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
->Flash cache emptied: 0 bytes
 
User: All Users
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: lov
->Flash cache emptied: 0 bytes
 
User: NetworkService
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 03272011_103728

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #19 on: March 27, 2011, 09:45:34 PM »
OK, any problems now?

dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #20 on: March 29, 2011, 04:25:49 PM »
OK, any problems now?

None. I forgot to thank you guys for helping me out: essexboy, magna86, asyn, pondus etc..you guys are swell. Been trying to figure out why my updates are not updating (connecting to server error) but I'll solve that on another thread.

Felonious

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #21 on: May 06, 2011, 07:20:25 AM »
aswMBR would be a simpler solution

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it


Click the "Scan" button to start scan





aswMBR worked like a charm THANKS essexboy!! 8)

Felonious

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #22 on: May 06, 2011, 07:33:36 AM »
Can you tell me how the TDL4 can be loaded on a system, can it be a sleeper that launches at a specific time/date? I hadn't been anywhere but Facebook for DAYS and I know better than to click "questionable" links. My laptop went BSOD with a memory dump about 2 minutes after I posted in a heated discussion about politics and Bin Laden the day after the event when I made the comment that ho-mela-nd security were @$$holes, was it fast work on their part or coincidence or...? ???

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #23 on: May 06, 2011, 07:42:11 AM »
... was it fast work on their part or coincidence or...? ???

  ...you don't really believe / mean that, do you?
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Felonious

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #24 on: May 07, 2011, 04:22:47 AM »
Well... do you know what homeland security is capable of? Don't underestimate them, and that's why I asked the question of its characteristics.

Gargamel360

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #25 on: May 07, 2011, 05:51:54 AM »
Well... do you know what homeland security is capable of? Don't underestimate them, and that's why I asked the question of its characteristics.
Whatever they are or are not capable of....I can't picture them sitting around dropping rootkits on users who say anything bad about them.