Avast Free help

[essexboy]

Looks like a TDL3 & 4 infection

Please read carefully and follow these steps. 

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
   
   
  
   
   
  
• If an infected file is detected, the default action will be Cure, click on Continue.
   
   
  
   
   
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
   
   
  
   
   
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
   
   
  
   
   
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

[KMT4977]

The log was too many characters to paste so i attached it

[KMT4977]

Here is the OTS log also, no idea why it didn't work before-

[essexboy]

On completion of this run can you let me know what the problems are

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {9D425283-D487-4337-BAB6-AB8354A81457} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {BEAC7DC8-E106-4C6A-931E-5A42E7362883} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "LClock" -> [C:\Program Files\LClock\LClock.exe]
< RunOnce [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "ShowDeskFix" -> [regsvr32 /s /n /i:u shell32]
< RunOnce [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "ShowDeskFix" -> [regsvr32 /s /n /i:u shell32]
< RunOnce [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "ShowDeskFix" -> [regsvr32 /s /n /i:u shell32]
< Run [HKEY_USERS\S-1-5-21-73586283-492894223-854245398-1004\] > -> HKEY_USERS\S-1-5-21-73586283-492894223-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Exetender" -> ["C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\Kris\Desktop\EQ UF Beta\EQVoiceService.exe" -> [C:\Documents and Settings\Kris\Desktop\EQ UF Beta\EQVoiceService.exe:*:Enabled:EQVoiceService]
YN -> "C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe" -> [C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe:*:Enabled:Soulstorm]
YN -> "C:\Program Files\Ventrilo\Ventrilo.exe" -> [C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe]
YN -> "C:\Program Files\World of Warcraft Trial\Launcher.exe" -> [C:\Program Files\World of Warcraft Trial\Launcher.exe:*:Enabled:Blizzard Launcher]
[Custom Items]
:Files
c:\WINDOWS\msvbdl.dl
c:\downloads\webfettisetup2.3.67.1.zkfox000.exe
c:\downloads\zwinkysetup2.3.67.1.zjfox000.exe
c:\documents and settings\Kris\local settings\Temp\aecxomwsrn.tmp
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

[KMT4977]

Here is the log-

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LClock deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\ShowDeskFix deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\ShowDeskFix not found.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\ShowDeskFix deleted successfully.
Registry value HKEY_USERS\S-1-5-21-73586283-492894223-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Exetender deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Kris\Desktop\EQ UF Beta\EQVoiceService.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Ventrilo\Ventrilo.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\World of Warcraft Trial\Launcher.exe deleted successfully.
[Custom Items]
========== FILES ==========
File/Folder c:\WINDOWS\msvbdl.dl not found.
File/Folder c:\downloads\webfettisetup2.3.67.1.zkfox000.exe not found.
File/Folder c:\downloads\zwinkysetup2.3.67.1.zjfox000.exe not found.
File/Folder c:\documents and settings\Kris\local settings\Temp\aecxomwsrn.tmp not found.
[Empty Temp Folders]
 
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes
 
User: Kris
->Temp folder emptied: 86958400 bytes
->Temporary Internet Files folder emptied: 8810792 bytes
->Java cache emptied: 488 bytes
->FireFox cache emptied: 77998726 bytes
->Flash cache emptied: 2345 bytes
 
User: LocalService
->Temporary Internet Files folder emptied: 13474285 bytes
->Flash cache emptied: 1078 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 39950102 bytes
->Flash cache emptied: 2458 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2381003 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 169883614 bytes
 
Total Files Cleaned = 383.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Kris
->Flash cache emptied: 0 bytes
 
User: LocalService
->Flash cache emptied: 0 bytes
 
User: NetworkService
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05182011_174339

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

[SafeSurf]

Please use the attach feature for posting your logs unless otherwise told.  Thank you. 

[essexboy]

What are your current problems ?

[KMT4977]

After running OTS with that fix the pop-ups have stopped.

[essexboy]

Let it run for a while and if you are happy run OTS and hit the cleanup button

[KMT4977]

I haven't had any pop-ups and my comp isn't bogging down or locking up, I think it is cleared up. Many many thanks Essexboy and Avast staff and users. You're all awesome.

[SafeSurf]

@ KMT4977,

Don't go anywhere yet.  We need to have you run your machine normally to give it a good work out for a good 24 - 48 hours and Essexboy may need to remove some malware-removal tools from your machine.

If you have any problems during this test period, report back immediately.  Otherwise, report back that everything is running fine and Essexboy may give you further instructions for clean up.

While you are testing your machine over the next 1 - 2 days, here are a few suggestions to keep you and your machine safer in the future:

1.   Keep your definitions up to date for both Avast and MBAM. 
2.   Keep all your shields on with Avast.
3.   Update MBAM prior to scanning, then do Quick scans.
4.   Keep your MS/Windows Updates current.
5.   Add security related Add-on’s to your browsers for safer browsing.  See my Signature as an example.
6.   Use common sense when browsing and do not go to risky sites.
7.   When downloading software, read what you are clicking and do not download adware toolbars which are commonly opted in; look before you click or do a Custom install to avoid putting unwanted toolbars on your machine that lead to spyware tracking or adware.
8.   Check to see that your software is up to date with the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ since software is changing all the time.  This site gives you the vendor's direct download link making it easy to upgrade your software.  Many of us here scan our machines weekly.

Let us know if you have any questions.  Thank you.

[KMT4977]

OK thanks again and I'll keep checking back fora few more days.