WiredWX Christian Hobby Weather Tools

Redirect

2 posters

Re: Redirect

Looks like the malware killed sound.

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.

Set the slider to Maximum.

IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.


On the General tab, make sure all of the boxes are checked.


On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.


Click Create Report to run it.

It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.

Re: Redirect

ok

Re: Redirect

it won't let me post the report

Re: Redirect

if i copy and paste the report and hit send it just won't go through

Re: Redirect

http://www.getsysteminfo.com/read.php?file=446f278ea77cf5493f07561d4c294c8b

Re: Redirect

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: If the scan freezes for more than 30 minutes, stop the scan, and report back to me.

Re: Redirect

will do

Re: Redirect

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 3, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, November 02, 2010 16:14:05
Records in database: 4203178
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 189398
Threats found: 4
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 09:28:30


File name / Threat / Threats count
C:\WINDOWS\system32\cryptnet32.dll/C:\WINDOWS\system32\cryptnet32.dll Infected: Trojan.Win32.Delf.aeyp 1
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\6.0\12\38eba44c-641eeccd Infected: Trojan-Downloader.Java.Agent.hx 1
C:\System Volume Information\_restore{1820F488-9212-4A2F-9198-DF89AD58E60C}\RP1849\A0361961.exe Infected: Trojan.Win32.FakeAv.phm 1
C:\WINDOWS\system32\cryptnet32.dll Infected: Trojan.Win32.Delf.aeyp 1
C:\WINDOWS\Temp\_52.tmp Infected: Trojan-Dropper.Win32.Delf.gqd 1

Selected area has been scanned.
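
Added example, not part of the original thread and not Kaspersky's or the helper's code: the detection rows of the report above parsed into a de-duplicated list of files on disk, since cryptnet32.dll appears in two rows. It assumes the row layout seen in this report and that a `container/object` pair (first row) names an object inside a container file.

```python
import re

# Detection rows copied from the Kaspersky report above.
REPORT_ROWS = r"""
C:\WINDOWS\system32\cryptnet32.dll/C:\WINDOWS\system32\cryptnet32.dll Infected: Trojan.Win32.Delf.aeyp 1
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\6.0\12\38eba44c-641eeccd Infected: Trojan-Downloader.Java.Agent.hx 1
C:\System Volume Information\_restore{1820F488-9212-4A2F-9198-DF89AD58E60C}\RP1849\A0361961.exe Infected: Trojan.Win32.FakeAv.phm 1
C:\WINDOWS\system32\cryptnet32.dll Infected: Trojan.Win32.Delf.aeyp 1
C:\WINDOWS\Temp\_52.tmp Infected: Trojan-Dropper.Win32.Delf.gqd 1
"""

# "<object> Infected: <verdict> <count>"; paths may contain spaces.
ROW = re.compile(r"^(?P<obj>.+?) Infected: (?P<verdict>\S+) (?P<count>\d+)$")


def parse_rows(text):
    """Return one dict per detection row; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        # Assumption: "container/inner" marks an object inside a container.
        # '/' cannot occur in a Windows path, so the file on disk precedes it.
        on_disk, _, inner = m["obj"].partition("/")
        rows.append({"file": on_disk, "inner": inner or None,
                     "verdict": m["verdict"], "count": int(m["count"])})
    return rows


def unique_files(rows):
    """Map each file on disk (case-insensitive) to its distinct verdicts."""
    files = {}
    for r in rows:
        entry = files.setdefault(r["file"].lower(), {"file": r["file"], "verdicts": []})
        if r["verdict"] not in entry["verdicts"]:
            entry["verdicts"].append(r["verdict"])
    return list(files.values())


def in_restore_point(path):
    """True for copies held in a System Restore point rather than live files."""
    return "\\system volume information\\_restore" in path.lower()


if __name__ == "__main__":
    for f in unique_files(parse_rows(REPORT_ROWS)):
        tag = " (restore point)" if in_restore_point(f["file"]) else ""
        print(f["file"], f["verdicts"], tag)
```

The row counts and distinct verdicts can be checked against the report's own "Infected objects found" and "Threats found" figures.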

Re: Redirect

:sad:

Re: Redirect

I was on vacation all week. Apparently the other helpers did not see this thread.

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death

Re: Redirect

Fake antivirus alerts or the icon in the system tray


and firefox keeps crashing

and did kaspersky remove anything?

i see it found stuff but did it remove it?

Re: Redirect

Clean files with OTM

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note for Vista: Right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose Copy):

    :files
    C:\WINDOWS\system32\cryptnet32.dll
    C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\6.0\12\38eba44c-641eeccd
    C:\System Volume Information\_restore{1820F488-9212-4A2F-9198-DF89AD58E60C}\RP1849\A0361961.exe
    C:\WINDOWS\system32\cryptnet32.dll
    C:\WINDOWS\Temp\_52.tmp

    :Commands
    [emptytemp]
    [purity]
    [Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re: Redirect

All processes killed
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\system32\cryptnet32.dll
C:\WINDOWS\system32\cryptnet32.dll moved successfully.
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\6.0\12\38eba44c-641eeccd moved successfully.
C:\System Volume Information\_restore{1820F488-9212-4A2F-9198-DF89AD58E60C}\RP1849\A0361961.exe moved successfully.
File/Folder C:\WINDOWS\system32\cryptnet32.dll not found.
C:\WINDOWS\Temp\_52.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Guest
->Temp folder emptied: 17402 bytes
->Temporary Internet Files folder emptied: 451934 bytes
->Java cache emptied: 488 bytes
->FireFox cache emptied: 17206651 bytes
->Flash cache emptied: 1113 bytes

User: Joe
->Temp folder emptied: 1821936782 bytes
->Temporary Internet Files folder emptied: 5250115 bytes
->Java cache emptied: 3073529 bytes
->FireFox cache emptied: 108919898 bytes
->Flash cache emptied: 80602 bytes

User: LocalService
->Temp folder emptied: 69832 bytes
->Temporary Internet Files folder emptied: 15357442 bytes
->Flash cache emptied: 33267 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 50418025 bytes
->Java cache emptied: 38 bytes
->Flash cache emptied: 73262 bytes

%systemdrive% .tmp files removed: 16777216 bytes
%systemroot% .tmp files removed: 1460996 bytes
%systemroot%\System32 .tmp files removed: 4182033 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17044036 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 26550860 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 23601860 bytes
RecycleBin emptied: 1147527267 bytes

Total Files Cleaned = 3,109.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 11092010_112424

Files moved on Reboot...

Registry entries deleted on Reboot...




as soon as mozilla opened i got a Fake antivirus alerts

Re: Redirect

Investigate MBR/Check for TDL4

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.

Re: Redirect

i downloaded GMER ran it then when i tried to get the report quick flash then blue screen of death i think now windows will not start

i tried to start it in all safe modes but no good is it dead?

Re: Redirect

Why did you download/run GMER? I said to download the Stealth MBR Rootkit/TDL4 Detector.

Do you have a XP cd or the Recovery Console installed?

Re: Redirect

Xp cd no Recovery Console. Not sure how would I find out from the state it's in?

Re: Redirect

I did run the mbr from the link you posted

Re: Redirect

Reboot your computer.

Boot from the windows XP CD, press the "R" key in the setup in order to start the Recovery Console.

Select your windows XP installation from the list (usually 1). It will prompt for an administrator password. The password is probably blank, so just hit enter.

Enter the command: fixmbr at the input prompt and confirm the next question with a Y.

It should then reboot the computer. If it does not, then type exit.

Boot back in to the Normal XP.

=================

After that, please do the following:

Please run Stealth MBR Rootkit Detector
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.

Re: Redirect

if i don't have the cd are there any other options?

Re: Redirect

Yes. Would you rather burn a Recovery disc?

Re: Redirect

well i have no choice where would i find it?

Re: Redirect

Download RC.ISO and save it somewhere you can find it.

Download MagicISO and install it.

Start MagicISO. When it asks you to register, just close that window...the program should remain open. Click on "File" and then on "Open"...navigate to the RC.ISO file you downloaded, select it, and click "Open".

Click "File" on the toolbar and choose "Save As". Name the file RCplus and save it somewhere you can find it.

Put a blank CD-R disk in your CD burner and close the tray...when the AutoPlay window opens, close it.

Click "Tools" on the toolbar and choose "Burn CD/DVD with ISO". In the CD/DVD Image file area, click the little folder, navigate to the newly created RCplus.iso image file, and click "Open". In the CD/DVD Writing Speed drop-down menu, choose the top 8X setting. Format should have "Mode 1" selected...if not, select it. Click on the "Burn It!" button.

Once this disk is burned, put it in the machine you're working on and restart. Boot to the CD and enter the Recovery Console.

When there, do this:

type in "fixmbr" and hit Enter.

Type 'y' if asked to, and allow it to do its job.

Once it's done that and shows the next bit for another command, type "exit"

This will reboot your machine again, allow it to boot normally this time.

Re: Redirect

ITS BACK !!! WOOOHOOO Hooray!

Re: Redirect

Excellent. Now see if you can run this scan...

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Redirect

RUNNING

Re: Redirect

ok

Re: Redirect

C:\System Volume Information\_restore{1820F488-9212-4A2F-9198-DF89AD58E60C}\RP1860\A0388227.exe a variant of Win32/Adware.FakeAntiSpy.M application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1820F488-9212-4A2F-9198-DF89AD58E60C}\RP1860\A0388228.dll Win32/Lukicsel.O trojan cleaned by deleting - quarantined


Re: Redirect

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death

Re: Redirect

so far so good i will keep you posted thank you

Re: Redirect

Let me know of any more redirects or fake alerts.

Tell me in two days how it is going. If good, we will clean it all up.

Re: Redirect

Going good? Time to clean up?
