Magixz

What problems are you experiencing?

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  -6_a-X-L.exe -> C:\Windows\System32\-6_a-X-L.exe
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Hi, essexboy…
The problems that I’ve been having are continuous (every 3-5 mins) Avast warnings stating this information:
File Name: C:\Windows\Temp\dpyt.tmp\svchost.exe
Malware Name: Win32:Zbot-MOU [Trj]
Malware type: Trojan Horse

the .tmp file name changes every time.

I also have, while on the internet (Firefox), new tabs opening which are directed to several different websites, some of which are blocked by Avast’s network shield… the others I close as soon as I see them. (Can’t remember the websites, but one regular domain name is called omega253 or something along those lines.)

The log for the fix is as follows:

All Processes Killed
[Files/Folders - Modified Within 30 Days]
C:\Windows\System32-6_a-X-L.exe moved successfully.
[Empty Temp Folders]

User: All Users

User: C White
->Temp folder emptied: 35349 bytes
->Temporary Internet Files folder emptied: 1952487 bytes
->Java cache emptied: 12118713 bytes
->FireFox cache emptied: 31763805 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 210595 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 273690 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 44.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.19.5 fix logfile created on 01282010_213551

Files\Folders moved on Reboot…
File\Folder C:\Windows\temp_avast4_\Webshlock.txt not found!

Registry entries deleted on Reboot…

My NEW OTS Log can be found here: http://www.mediafire.com/?d24wkzjyigm
No problems while running scans.

Magixz - Thanks again for your time & effort.
PS. Sorry for late reply.

Did you set some proxies in Firefox?

I don’t think so, current connection settings in Firefox are set to “No Proxy”.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Users\C White\AppData\Roaming\Mozilla\FireFox\Profiles\16n28sbh.default\prefs.js
YN -> network.proxy.ftp -> "83.146.112.130"
YN -> network.proxy.ftp_port -> 8081
YN -> network.proxy.gopher -> "83.146.112.130"
YN -> network.proxy.gopher_port -> 8081
YN -> network.proxy.http -> "83.146.112.130"
YN -> network.proxy.http_port -> 8081
YN -> network.proxy.socks -> "83.146.112.130"
YN -> network.proxy.socks_port -> 8081
YN -> network.proxy.ssl -> "83.146.112.130"
YN -> network.proxy.ssl_port -> 8081
< HOSTS File > (862 bytes and 25 lines) -> C:\Windows\System32\drivers\etc\hosts
YN -> 208.117.236.69		yt -> 


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
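Added example, not part of this thread or of OTS: a small Python checker for the two indicators the fix above removes, a prefs.js that forces every protocol through one proxy and a hosts entry pointing a name away from loopback. The prefs.js and hosts content are constructed samples modelled on the entries in the OTS log.

```python
import ipaddress
import re

# Constructed prefs.js fragment, modelled on the entries OTS reported above.
SAMPLE_PREFS = '''user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "83.146.112.130");
user_pref("network.proxy.http_port", 8081);
user_pref("network.proxy.ssl", "83.146.112.130");
user_pref("network.proxy.ssl_port", 8081);
'''
# Constructed hosts file: loopback mappings are normal, the last line is not.
SAMPLE_HOSTS = '''127.0.0.1       localhost
::1             localhost
208.117.236.69  yt   # constructed, mirrors the entry the fix removed
'''
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|([^)]+))\);')
PROXY_PROTOCOLS = ("http", "ssl", "ftp", "socks", "gopher")


def parse_prefs(text):
    """Map pref name -> value for every user_pref(...) line (strings unquoted)."""
    return {name: (quoted if quoted else bare.strip())
            for name, quoted, bare in PREF_RE.findall(text)}


def proxy_findings(prefs):
    """Return (protocol, 'host:port') for each protocol given an explicit proxy.
    Checked regardless of the UI setting: the thread's Firefox showed
    'No Proxy' while these hosts were still present in prefs.js."""
    findings = []
    for proto in PROXY_PROTOCOLS:
        host = prefs.get(f"network.proxy.{proto}")
        if host:
            port = prefs.get(f"network.proxy.{proto}_port", "?")
            findings.append((proto, f"{host}:{port}"))
    return findings


def hosts_findings(text):
    """Return (ip, name) for hosts entries that map a name anywhere but loopback."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry
        if not (addr.is_loopback or addr.is_unspecified):
            findings.extend((fields[0], name) for name in fields[1:])
    return findings
```

Run against a real profile by reading `prefs.js` and `C:\Windows\System32\drivers\etc\hosts` into the two functions; any non-empty result is worth a second look.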

Log from fix

[Registry - Safe List]
Prefs.js: “83.146.112.130” removed from network.proxy.ftp
Prefs.js: 8081 removed from network.proxy.ftp_port
Prefs.js: “83.146.112.130” removed from network.proxy.gopher
Prefs.js: 8081 removed from network.proxy.gopher_port
Prefs.js: “83.146.112.130” removed from network.proxy.http
Prefs.js: 8081 removed from network.proxy.http_port
Prefs.js: “83.146.112.130” removed from network.proxy.socks
Prefs.js: 8081 removed from network.proxy.socks_port
Prefs.js: “83.146.112.130” removed from network.proxy.ssl
Prefs.js: 8081 removed from network.proxy.ssl_port
User.js: removed from 208.117.236.69 yt
< End of fix log >
OTS by OldTimer - Version 3.1.19.5 fix logfile created on 01282010_223019

OK, let’s see if there are any orphans.

Malwarebytes’ Anti-Malware
Please download Malwarebytes’ Anti-Malware from Here or Here

Double click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select “Perform Quick Scan”, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

MBAM Log:

Malwarebytes’ Anti-Malware 1.44
Database version: 3654
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18813

28/01/2010 22:59:50
mbam-log-2010-01-28 (22-59-50).txt

Scan type: Quick Scan
Objects scanned: 104098
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi essexboy,
Just thanking you for your help as the virus has not been alerted today and I restarted a while ago just to make sure it wasn’t a one off. Thanks for your time and effort, much appreciated.

Hi again essexboy, sorry to bring this thread to your attention again… Although the virus warning has gone I still have tabs opening every so often directing me to websites. Is there an easy way to solve this?

Thanks again.

Time to get the bigger boy on the job

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Ok, the redirection thing isn’t happening often at all at the moment so I can deal with that, but I just got another warning. Same as last time. I tried running that fix as instructed before, which gives me the exact same log as last time. I’m just about to restart. I’m guessing we haven’t fully removed it?

Update: Back in full force, every 3-5 mins.